I got a call from my bank, HSBC, the other morning. The call started something like this.
Rob: ‘Hi, this is Rob from HSBC. Before I can continue this conversation I need to confirm some security details with you. Can you tell me your date of birth please’.
Leisa: ‘You must be kidding Rob. I have no reason to believe that you really work for HSBC. Why on earth would I just hand over my personal information like that?’
Now, I don’t know whether Rob was just improvising, or whether this is an official HSBC script, but it is wrong, wrong, wrong. What Rob and HSBC are doing here is treating people to NOT take care with their personal information. What is this going to do for HSBC and their customers? It’s going to make them both much more likely to get stung by fraudsters, and to both lose time and money for no good reason.
Surely HSBC should be going out of their way to educate their customers NOT to hand over personal information whenever some random person calls up asking for it.
Either way, Rob was not impressed. He did have a backup plan (I give him part of the information and he confirms the rest… which is slightly better), but he took *that* tone with me for the rest of the call. You know, that ‘you’re an irritating customer’ tone. Not a great start to the day.
You know what it reminds me of? And it’s something that more and more of us are guilty of participating in – especially those of use who are designing applications that support social networks. It reminds me of this:
This is the ‘find friends’ feature that we’re seeing on more and more sites (this one is taken from Facebook) where we are blithely asked to put in the full log in information for our email accounts, or our IM accounts or our other social network site accounts – and, more often than not – we do!
Now, clearly there is a big incentive to do so because these kinds of applications work well only when you’ve managed to connect with the people you know and care about, and using existing information like the contacts from your email or IM account makes this reasonably painless. The application does most of the work for you.
But do we really realise what we’re handing over when we give this log in information away? Do we realise how much we are trusting Facebook, for example, to play nicely with that information? Think of all the email and IM conversations you’ve had that are accessible using these login credentials… now think about the level of security at somewhere like, say, HM Revenue & Customs (where they recently ‘lost’ the personal information of millions of UK taxpayers), and now think whether somewhere like Facebook would have better or worse security… both now, and potentially in the future.
Sure, they *say* they’re not going to store or use that information… but are you really willing to take them at their word? Are you willing to TRUST Facebook (or any other site) that much?
We don’t really think much about this when we’re giving away our username and password, do we?
And why not? Because, just like Rob at HSBC, it’s almost as though we’re being pressured into just handing over the information otherwise we’ll get inferior service (and/or an attitude). We’re actually being trained to believe that handing over this information is the RIGHT thing to do.
Brian Suda calls this ‘Find Friends’ form an anti-pattern. He says in a recent Sitepoint article:
Another pitfall that you’ll want to avoid is sites that ask for the login details for your email account. This is a huge security hole. By handing over this information, you’re giving a random provider access to all your emails and friends, not to mention access to APIs through which they could edit and delete your information. And, as none of us want to admit, we often use the same passwords for many different services. Provide your email password to a site, and its owners can not only get into your email, but possibly your bank accounts (and a bunch of other services) as well. You should never give your password to anyone! Creating assurances of privacy lulls us into a false sense of security — it relaxes us into thinking everyone can be trusted and everything will be safe. This bad behaviour is exactly what phishers love to prey upon.
Enter design ethics. If ethics plays any part in the way that you’re designing your application or website, then this should be raising hairs on the back of your neck… you should be thinking that this is not right and that there is probably something you should be doing about this.
In fact, there are at least TWO somethings that I think we should be doing in this situation.
- The first is that we should be doing our best to help our customers/users/members to protect themselves. We should be educating them about the risks of handing over this kind of information and we should NOT be normalising this kind of behaviour.
- The second is that we should be looking for and encouraging alternatives to this ‘find friend’ functionality and we should be encouraging our clients/companies to opt for implementations that help our customers/users/members be more secure.
The kind of alternative that we should probably be looking for is something like OAuth which is an open protocol to allow secure API authentication in a simple and standard method from desktop and web applications. It is designed to help you get the information you need to give your end users a good experience without asking them to hand over personal information, like a username and password. Check out this demo of the current user experience. As far as I know, OAuth is not live on the web anywhere yet, but its cousin, OpenID is starting to be more widely adopted.
Of course, if we all had portable social networks, then that would also make things an awful lot simpler and more secure but it all seems quite a way off yet… why so far off you ask? Well…
So far, however, the drive to develop and promote these more secure alternatives is very much being driven by the more technical people on the web. There are lots of scary sounding discussions around exactly how these methods should work. Designers are, for the best part, not to be found in these conversations.
This is problematic from couple of perspectives.
- Firstly – if anyone is going to be able to drive the uptake of something like OpenID or OAuth, then it is going to be UX people, the people who are designing the experiences and making recommendations about what constitutes a good experience. Unfortunately, too often by the time the techies get a look in, all the functional decisions have been made and it’s too late to retrofit what would potentially be a much better solution for our end users. We have a responsibility to know about these things and to promote them.
- Secondly – from a user experience perspective, there are a lot of challenges to be found in OpenID and OAuth, primarily because you need to educate people about what is going on and also because you are typically moving them through quite a complex flow – including from one site or application to another and then back again. At the moment, the user experience of OpenID and OAuth are far from ideal, but rather than using this as a reason not to work with them, we should be seeing this as an opportunity to engage with these design problems and to use our experience and expertise to help get the user experience as good as it can be.
At any rate – looking after the security of our end users is now very much a part of the responsibility of the designer – whether it is through helping to educate those end users not to hand over information irresponsibly, or by guiding our clients/companies to use methods that better protect our end users. We need to be engaging in these discussions and helping to guide them both from the perspective of the businesses we’re working with as well as in the ongoing technical discussions about how these technologies work.
I think we have a responsibility to help protect our end user, even from themselves. To ignore this responsibility is unethical.
Spot on Leisa, in fact I’m a customer of the same bank and also think it’s quite ludicrous. I do have high hopes for OAuth to go some way to righting these wrongs, but you’re right that it’s us as designers who must take this forward. It won’t happen without people making a fuss.
Be interested to hear your opinion of SecureCode, if you’ve been exposed to it yet: http://tinyurl.com/2enua9 – I know HSBC have started to use it, not sure about others. For me, it defies belief that on one hand banks are trying to condition customers to never surrender personal information to dodgy-looking websites/emails, while offering up an awfully similar ‘solution’ that a) breaks that conditioning and b) further impedes the UX of the checkout process. But then, without wishing to be too bitchy, have banks ever really been enlightened about the customer experience…?
I get calls from CIBC where they do that as well, and there’s just no way I’m going to give them my authentication details sight unseen like that.
That said, there is a distinction bewteen the way OpenID does it and the way the bank does it. I at least know the address of my authentication service, which I do not know the bank’s phone number.
And I have also learned to be careful online. Email phishing attacks have exactly the same logic – they route you to a page where you’re asked to authenticate.
People who really wanted to protect themselves from phishing in Open ID could simply refuse to allow any redirects to authenticate. What they would do is begin an online session by logging in, and allowing their cookies to manage the logins thereafter. No request for an additional login via redirect would be honoured.
!00% agree with you.
That HSBC script needs changing as soon as possible. I’m incredulous that he had a problem with you because of your reaction. What he was doing is in fact Lesson 1 part one in Hacking – ‘social engineering’.
Any hacker knows this approach. Here’s how it works:
Hacker – calls up office worker in target organization
Employee: “Hi, how can I help”
Hacker: “Hi, this is the IT department. We’re running some network tests. How is your network today?”
Employee: “Umm, its a bit slow”
Hacker: “Ok, keep an eye out and I’ll call back”
Hang up, wait 1/2 hour, call back
Hacker: “Hi, its IT again, did you notice any changes to the network?”
Employee: “No, sorry”
Hacker: (sounding puzzled) “Hmmm strange, what username and password were you using to connect to the network?”
It works. The call-back builds trust and the focus on network performance is distracting from security.
As far as you know, the ‘HSBC employee’ could have been doing exactly the same thing.
I’ve had no less than 3 banks do this same thing to me. (And none of them HSBC) So this seems to be an acceptable practice in the industry.
Last time it happened was about a year ago when WellS Fargo called me about my mortgage. The operator on the other end of the phone started off just like “Rob” and I told her there was no chance in hell that I was going to give these details to some random caller.
At least she gave me the option of calling them back on one of the numbers listed on my statement so I would know who I was getting in touch with.
Spot on Leisa. I’m with Barclays and get this rubbish too – at the same time they’ve now spent a fortune sending everyone “PinSentry” readers which we all have to use every time we want to log into the Ibank. Not a massively integrated approach really.
Last time I went to my bank physically (I hadn’t been there in a dozen years!, since I left the city and I can do almost everything from their web interface), I got an appointment with a new guy and saw that new guy the next day without ever showing any proof of ID beyond my name and account number. Fright #1: someone could have pretended to be me with the sole knowledge of my account number.
At the end of the appointment with the new guy, he told me I could e-mail him about changes to be done with my bank accounts if it’s more convenient than phone for me. Fright #2: someone could forge an e-mail from me.
So I told him that it is indeed more convenient for me to e-mail him rather than phone him, but that as a matter of security I’d like him to phone me anytime he receives an e-mail from me, to insure that I was the one who sent him an e-mail.
I so wanted to add “anyway, what proof do you have that I am Michel Valdrighi?”, but I didn’t want to freak him more than I did with my little explanations on basic security…
I closed an account with HSBC for the same reason as your ‘Rob’ conversation.
Sorry, random-person-who-just-phoned-me, I’m not going to give you any personal information at all, and I’m frankly staggered that you think it’s a good way to teach your customers about security. As soon as it was obvious I wasn’t going to be bullied into it (“but this is for your own security, and you have to appreciate that we may have to give you important information” doesn’t cut it) the representative got into a very snippy “this is irritating me” attitude, and I phoned back to close the account. My new bank (Smile, the online branch of the Co-Operative bank) has never used such stupid tactics, and also treats me much better on the phone generally.
The Facebook analogy is a good one, Leisa. I have friends who don’t use Facebook at all (not just that feature. At all.) because they don’t like the idea of a site that asks for your webmail username and password as part of its sing up process.
I’m sure you’ve seen it, but just in case…
Adam Greenfeld’s “All watched over by machines of loving grace” article on Boxes and Arrows is a good article on a sort of best practices derived from design ethics.
Ack! Typo on Adam’s last name. Should be Greenfield, not Greenfeld.
Ahh that article :) It’s very good overall, but is too narrow in my opinion. Here is a criticism / analysis I wrote of it:
http://ollywright.org/2007/03/on-adam-greenfields-ethical-guidelines.html
I think perhaps Rob was a particularly poor HSBC representative as I opened up a new account with them this week. Being a current customer they asked for the same questions but automatically gave me part of the answer and asked me to fill in the gaps.
However your article has really made me think about the information I am giving away to the likes of Facebook, I have become conditioned to think it is okay. I will certainly try and be a bit more web safe savvy in future as you are so very right, phishing sites are getting a lot more clever and one false move and well, we all know the outcome…
[…] Edit: please don’t make us give our LinkedIn password to import data. Giving away passwords a bad thing to teach your users. Encourage responsible behaviour instead. […]
[…] The entire genesis of the subject was the realisation by Leisa Reichelt that the way that social networking sites ask you for your e-mail account details and password are similar to the phishing attempts to get your banking or credit card details. In short, they are asking for hightly sensitive details which it seems that people are a little too happy to hand over. In short they are encouraging irresponsible behaviour, and encouraging identity theft. […]
[…] This was picked up back on disambiguity in November: But do we really realise what we’re handing over when we give this log in information away? Do we realise how much we are trusting Facebook, for example, to play nicely with that information? Think of all the email and IM conversations you’ve had that are accessible using these login credentials… now think about the level of security at somewhere like, say, HM Revenue & Customs (where they recently ‘lost’ the personal information of millions of UK taxpayers), and now think whether somewhere like Facebook would have better or worse security… both now, and potentially in the future. […]
Helifted his bunghole over, eva angelina facial she had a porn movie.
[…] password anti-pattern (ie, asking people for the password to their e-mail). It’s high time for design to encourage responsible behaviour instead. As the discussion at WebCamp shows, we all agree that solutions need to be […]
[…] was picked up back on disambiguity in November: But do we really realise what we’re handing over when we give this log in […]