Now, I understand the need for online security – after all I worked in the area for over 5 years at Baltimore Technologies. However Ulster Bank’s Bankline has the most frustrating levels of security I have ever seen. The following four items are posted out to the customer:
- A smartcard reader
- A separate letter with the actual smartcard
- A separate letter with a onetime pin for the smartcard
- A separate letter with a onetime 10 digit activation code for the service
Now, it may seem sensible to post these all out separately, so that if an individual package was intercepted, not all the information would be available. However, it doesn’t make any sense if they all arrive on your doorstep at the same time, as they did in my case.
In addition to the above, you then need to:
- Change the pin on the smartcard
- Enter your customer ID
- Enter your user ID
- Enter 3 random digits from a different pin
- Enter 3 random letters from a different password
- Enter a new pin
- Enter a new password
- Enter your activation code
Given how insanely complex and lengthy this process is, you would have thought that the Ulster Bank team would have pulled out all the stops to get the usability perfect. But alas no. When entering pins or passwords, the system does not automatically progress to the next input box. So you need to enter one digit followed by tab, then the next digit. To make matters worse, it asks for the PIN in a random order.
Unsurprisingly I didn’t get through the entire process successfully and locked myself out. However 10 minutes on the phone on Monday morning with a very helpful Ulster Bank employee got me up and running. I still haven’t figured out how to transfer money and have a running wager as to the number of pins, passwords and devices that it will require.
If the same levels of security were applied to their branches in the real world, then you would be forced to wait as they flew a military plane to a secret location on the other side of the planet to bring back the money!
There has to be a balance between usability and security. Normally, security gets in the way of what the user wants to do. Therefore, if you need a highly secure system you have to be prepared to put in the extra time and effort required in order to make it usable.
May Update
After one month of using it they have forced me to change my password. I can only hope that they are not going to do this every month. Changing passwords this frequently can only result in users writing them down, thus reducing the overall effectiveness of the security.












I’ve seen (and been involved with) Banks create systems with great security and LOW usability.
The UI/usability aspect forget about the ‘user on their own’ installation issues and the QA dept says everything works fine (as they follow the instructions to the letter) BUT…
your average user is <= average and hence = LOW usage/uptake
any banks then wonder why their system isn’t used that well.
Same for IVRs and call centers … but that’s another discussion!
Hi, I got on to Ulsterbank late 08 about all these issues and more. It’s a total disaster of a system. It’s open to forgery (yes you can in fact reuse the password reset form again and again… with some Photoshop know-how it’s easy to change things and email or fax for great effect).
The operators on the help line easily breach basic user security offering services outside the remit of their role and yet the user support / helpline is awful. The standard password 28 auto reset which you might not be aware is totally daft. I have also had to resort to writing down all my details as it’s too complex to remember anything.
I also warned ulsterbank/rbs/bankline that eventually people would publish their frustration on the Internet and expose the poor UI and over the top security which makes the whole experience unusable.
It’s happened. I have now found at least 4 disgruntled users, so how many more are sitting out there very pissed off, including this site.
Once I was told 90% of their customers were happy with their level of new security and I said well it’s pointless listening to the happy people as it’s the 10% unhappy who have probably spotted problems and security issues and you are ignoring them at your peril and that of the general user base. I am sure many users who are supposedly “happy” are writing their password on paper on their desk or stickies. It’s normal human behavior and this system invokes all the wrong behaviors. People will adapt and if the system is this shit it becomes totally insecure by this process. I think everyone has figured that out.
I’ve written to them and received a lengthy and unconvincing response.
IMHO I believe Bankline should desist in telling people their system is secure.
Let’s not get started on the usability …. i.e. what usability.
I’ve wasted days and hours and had to reset my password many many times even after writing it down. It’s too easy to mess it up as it’s too complex in terms of user interaction.
I am able to remember complex combinations and long passwords of over 30 characters if I need to. You could never guess them unless you could read my mind. They are totally secure and I use this technique on multiple websites since we all have to remember zillions of passwords. I never use the same one.
I’ve been doing it for over a decade and yet Bankline is the only website I’ve never been able to access trouble free. I know who had the problem and it’s not me, it’s the awful Bankline design, end of story.
If employees of Ulsterbank/RBS are reading this it means you haven’t done your job and millions has probably been wasted on a totally failed website.
Long term it’s a deal breaker when it comes to moving my account. I haven’t done it yet but in future online banking will be my primary concern when it comes to ease of use and Bankline is not on my list. It’s a testament to their Dublin staff that I am still with the Bank. They are powerless to help me in my efforts to convince Bankline they are force feeding a bad bad system.
It took me about 3/4 months to actually get any real customer care. It takes a while to figure out how to get past the robots on the helpline; eventually I got someone who I think saw I wasn’t nuts and passed me along. This is no way to run a helpline. I was only trying to flag serious issues and now I find others on the net with exactly the same problem and concerns.
Ok, that’s me done for now!
And I thought I was frustrated … Actually I’ve gotten the hang of bankline now and my current frustrations are the regular, weekend long maintenance periods. This is totally unacceptable even in a non-vital trivial application and unforgivable in a banking system
Well I managed to get a hold on it after writing it down (and concentrating even harder) but today I lost that bit of paper and I am once again in a rage after a months of calm. It’s a stupid stupid system, I have other online bank accounts and I never have once been locked out.
Bankline is sent from IT Hell as far as I can see.
Someone on Twitter mentioned that it was a 3rd party application. That means that it’s been sold into other banks. Imagine that
Christine,
I could not agree with you more. The Bankline web site is a complete retrograde step and is way over developed. I have made my feelings known many times to Ulster Bank as the system is a nightmare to use. I run a business in Dublin and am now meeting with AIB (where I also bank) to move my full banking requirements to them. Their online system is far more efficient.
Any web site that uses terminology like “super user” makes me nervous.
PS. I heard that Bankline cost in the region of €10 million. GO FIGURE !!.
Do you know who? Do you have a link?
Disagree chaps…I want my online banking site to be as secure as possible. I’m glad Ulster have introduced this new security…really it’s not too hard to remember your password and the system allows you to control your password reset frequency. Seems to me Ulster have raised the security bar and it is a big step up from the old Anytime system. The smartcard and reader are also a great job and offer greater security. Coupled with the use of roles allows my own business to have multiple different users with different roles and responsibilities. I’m definitely not one for defending banks…and yes it takes a little bit of getting used to …but have to say we’re happy with the system.
Hi Ronan
I didn’t know there was a password reset frequency setting. Thanks for mentioning it, I’ll hunt it down tomorrow.
I’ve gotten used to the poor usability and my main gripe these days is the long periods of downtime.
Despite having used the system for months, little things still annoy me and cause error and I use the service almost daily.
For example – why do they ask for the PIN numbers and password characters in random orders? Why doesn’t the cursor automatically progress to the next field upon entry?
These are just the security related ones, I have also never managed to do payroll without it losing all my entries and forcing me to restart (this may just be me).
I agree that it is better than Anytime but just on a functionality scorecard not a usability one. It is the most confusing web application that I have used in the last 5 years. BTW does hitting the back button log you out as well, or is this just me?
Dave Concannon has written a much better piece of analysis than I ever could (as usual) – here http://www.apeofsteel.com/167/security-usability-and-customer-service
Hi Caelen…I suspect the random stuff is all down to prevent hacking and removes/reduces the threat of auto key logging software…if it asked for the same characters all the time then this would definitely be a risk and this could be easily captured….a few other internet banking sites have had this issue. Not automatically moving to the next field probably prevents persistent computerised attacks etc…but it is annoying.
The payroll one I have seen myself..I think you must put the date and totals in 1st…after that it was fine…if you don’t the values get reset as the totals must all add up.
The back button seems to be a common feature on all banking sites…again I think there are security considerations here. I use a few banking sites and really they all steer you away from using the back button…most open in new browser windows and try to hide the back button from users….depending on your operating system and browsers
Hi Ronan
I spent a good while poking around trying to find the setting for password frequency but to no avail. Do you know where it is off the top of your head? It’s not in preferences and the help doesn’t seem to have a search function.
The back button issue seems to be resolved.
I spent 5 years in online security so I know a little about this area (although I haven’t kept myself up to date). You are correct that asking for random digits of password makes good sense, the typical attack this prevents is shoulder surfing and it would certainly be a guard against a key word logger. Asking for the digits in a random order adds further permutations for auto-key loggers and I accept that this does add some security.
As regards advancing the cursor, this is just lazy coding. Any automatic attack wouldn’t use the human interface.
This weekend though I’m just happy that the system is up and running and not in maintenance. There have been 6 weekend long maintenance windows since the middle of July. At least this weekend I can settle down and reconcile the week’s invoices. You’d think no one worked the weekends.
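The exchange above credits the "three random characters" challenge with blunting shoulder surfing and key logging. The following is an added example, not part of the original post or its comments, that works out exactly how long that protection lasts against an observer who watches repeated logins. It assumes the observer sees which positions were requested as well as what was typed, and that positions are drawn uniformly without repetition; the 4-digit PIN, 8-character password and 3 requested characters are the figures mentioned on this page, and the function names are hypothetical.

```python
"""Exposure of a partial-secret challenge to a repeated observer (added example)."""
from fractions import Fraction
from math import comb


def p_fully_observed(length: int, asked: int, logins: int) -> Fraction:
    """Exact probability that every position of the secret has been
    requested at least once after `logins` challenges.

    Assumption: each challenge asks for `asked` distinct positions chosen
    uniformly at random, and the observer records prompt and keystrokes.
    """
    total = comb(length, asked)
    prob = Fraction(0)
    # Inclusion-exclusion over the positions that were never requested.
    for missed in range(length + 1):
        # Chance that one challenge avoids a fixed set of `missed` positions.
        avoid = Fraction(comb(length - missed, asked), total)
        prob += (-1) ** missed * comb(length, missed) * avoid ** logins
    return prob


def expected_positions_seen(length: int, asked: int, logins: int) -> Fraction:
    """Average number of distinct positions disclosed after `logins` challenges."""
    return length * (1 - Fraction(length - asked, length) ** logins)


def logins_until(length: int, asked: int, confidence, limit: int = 1000) -> int:
    """Smallest number of observed logins after which the whole secret is
    disclosed with probability >= `confidence`."""
    for k in range(limit + 1):
        if p_fully_observed(length, asked, k) >= confidence:
            return k
    raise ValueError("confidence not reached within limit")


if __name__ == "__main__":
    # Constructed scenarios using the lengths quoted on this page.
    for name, length in (("4-digit PIN", 4), ("8-character password", 8)):
        print(name)
        for k in range(1, 9):
            p = float(p_fully_observed(length, 3, k))
            seen = float(expected_positions_seen(length, 3, k))
            print(f"  {k} logins: {seen:4.2f} positions seen on average, "
                  f"P(all seen) = {p:.3f}")
        print("  logins for 95% full disclosure:",
              logins_until(length, 3, Fraction(95, 100)))
```

Under these assumptions the challenge delays full disclosure by a handful of observed sessions, which is why it is paired with a second factor such as the smartcard.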
And another full weekend’s outage coming up.
“Due to essential system maintenance, Bankline will not be available between Friday 16th October 2009 2200pm to Saturday 17th October 2009 1900pm”
And again. Are they taking the piss?
Bankline will be unavailable between 18.30 Friday 30 October and 07.00 Monday 02 November while we update the service.
Well once again I am locked out, what’s this now, the 12th time? I think I have lost count at this stage. No matter how many times I write down the password + pin code + reg code + name it’s still possible to fuck it up. As insecure as this is I have no choice as the system is impossible to work, maybe it’s because I was forced to change my password and didn’t update my notes, maybe. Not my fault, no it’s not my fault I have to write down all the security information to remember it.
Excuse the language but as a small business owner under serious pressure BANKLINE from Bank of Scotland / Ulster bank is bad bad bad. I strongly advise anyone thinking of opening an account with any of the RBS group’s banks that use BANKLINE to stop and think again. You are making a big mistake. I am 100% frustrated with this piss poor design.
I’ll say it again I have never with any of my other online bank accounts 30 other online services that have security requirements do I have the same problems, nothing has ever been hacked to date either with much lesser security provisions.
You can take it from me and I’ve spent over 8 months trying to get through to the people who provide support and care they do not want to know and can not do anything to change this awful design. So don’t waste your time. I have now no other choice than to contact the head man in charge of this project which I don’t have the time to do right now.
I’m left with few options at this stage. Since anytime was gotten rid of I haven’t had a functioning online bank facility as far as I am concerned.
BANKLINE is crap BANKLINE is insecure BANKLINE is broken BANKLINE is anti user BANKLINE is bad BANKLINE is a waste of time
just one question. what do you mean you have a system for remembering passwords/codes, and that this system doesn’t work with ulster bank? why? if you can remember any password, any number? just makes me very curious
It’s a system of memory recall. Inspired by how some memory experts work to remember the order of a deck of cards, tailored to my own needs. Here is an example, and not the one I use.
Pick a number and always use that – component A
Pick a word and always use that – component B
Pick a symbol or symbol set – component C
Pick an association based on a rule or context – component D
Set a rule on what order these are combined.
It’s very easy to remember many passwords as you are not so much remembering it but constructing it from a set routine which you remember but each password is essentially unique.
Most people rightly find it easier to use the same pin for all credit cards and passwords for lots of websites this is the same but the end result is a uniquely generated password and thus fits both needs ease of use and security.
It generally works most of the time. Yea I do forget the odd one but often I get it right and if I get it really wrong I do reset but with Bankline you simply can’t do it as you are not ever asked for your password but random pieces of your password. I’ve told Bankline I could remember 3 or more unique passwords that couldn’t be any less secure than their own system but they don’t give me the choice.
In the case of Bankline even when I have written it down I have still screwed up. I am once again locked out since last week.
I wonder how many people have their Bankline pin, password and other details written down for easy recall. There is nothing easy to lend simple recall to their system.
The human mind is a lot more powerful if engaged properly and thus security is less an issue as it’s behavior that ultimately undermines the best efforts of security.
To summarise, it’s a simple routine that can generate unique passwords.
Let us not forget humans can memorise poems, stories, entire movie scripts and more so why engage the same ability when creating a security system. You can’t change people, it’s costly and always fails, but you can create a system that engages them more efficiently and this is a classic example of a system that is suspicious of people’s ability to be intelligent and secure and thus encourages people to do stupid things therefore undermining its core goal.
I should write a paper on this methinks at this stage.
Just wanted to add my voice to the discussion. I fall somewhere in the middle. While I appreciate UBs attempt to increase security with Bankline, I feel they have gone too far. There needs to be a balance between security and usability but I feel usability has taken a firm back seat with this application. It’s bad enough that I will probably end up moving my account to another bank….
Listening, Ulster Bank?
I have to agree with all the other disgruntled users. It’s a joke, it’s completely overkill for small business. I never had one bit of hassle with anytime for 8 yrs, it did everything I wanted to with not one breach or bit of hassle, The whole process has been designed to put the onus on the user and not the bank to apply (which took 3 times in my case) I of course forgot some details after I registered, Moved house and couldn’t find all the paperwork – inevitably I got locked out, which brings me to another point. I filled out one piece of paper when I started anytime and that was it for over 8 yrs, I have so far between adding other accounts and re-applying for an authorisation codes and applying in the first place (3 times!) used about 30 sheets of paper which is not much but I only use about 100 sheets of paper in an entire year in my office so multiply this by the 10’000′s of users doing this!!! it’s a joke security or not with no regard for the customer and is quite simply LAZY! Bad bank!!
I am seriously looking at swapping banks over it… nightmare!
guys, this system is soooooooooooooooooo frustrating, woke up one morning, i was locked out! why i asked? o you have been accessing the website from a drop down menu or favorites..? have you? well yes i said, that’s the problem the SITE DOES NOT SUPPORT THAT! you have to get a fresh browser and type in the address manually all the time …. THAT’S THE ONLY WAY TO AVOID BEING LOCKED OUT. now you have to request a new pin by .
1.downloading a form 2 fill it up 3 fax back to us and we will send your activation pin ,
now 3 hours later no pin….ha its too early said one, no its your yahoo filters said another, sorry you have to refax another form as we can’t resend the pin again. i did still no pin.ahhhhhhhhhhhhhhhhhh
ok i calm down after 1 hour and call again, we are in the process of changing email address…. you guys don’t want to know what that takes now, maybe i should just jump in the river… bye
It would be a pleasure to get locked out, that would mean that you actually got it to work in the 1st place?
and yes I have half the Brazilian rainforest coming through my letterbox
probably going to give up and ring in for the balance like the old days…..
I’m glad to see I’m not the only one who thinks Bankline is a disaster re usability. Today have succeeded in locking out my smartcard. Got confused as to which pin was which. This system is a nightmare for anybody like me who has trouble remembering my phone number.
I used Ulsterbank Anytime without a hitch and use Rabo direct without probs.
Seriously thinking of moving banks.
Are BOI or AIB any better ?
Bankline is still crap. It remains to be crap after all this time but then RBS are a bust Bank. So why do we bother?
I don’t understand how people are complaining on this blog about their business accounts online being so secure?!?! I am happy the security is so high! The last thing I want is somebody hacking my bank account.
It is not difficult for me to remember a 4 digit PIN code and an 8 digit password. My password expiry is never so I don’t have to change it and my smartcard PIN is the same as my log in.