I can't paste my Online user Id into Bank Of Ireland's online banking website. This is dumb and here's why.
Here's my experience with Banking 365, Bank Of Ireland's online banking:
- I don't use it often, so rather than memorising my online Id, I have it stored in a secure password safe.
- Visit Bank of Ireland Site.
- Launch my password safe, and access it using my fingerprint
- Retrieve my online id from my password safe
- Attempt to paste it into my online banking.
Which fails.
This lack-of-allowing-the-user-to-paste is usually billed as a security feature. The argument goes like this:
- If a fraudster wanted to try to access bank accounts, they need to try lots of online user Ids.
- So they script the process of trying different ones.
- And they run scripts in browsers to paste them in one at a time.
- But our FRAUDBUSTER2000 anti-pasting feature will scupper them!
The problem is this is untrue.
As a software developer, it took me about 5 minutes to find how the paste was prevented. I was going to spend another few minutes working on a bypass. Except, I realised - I bet someone has solved this already. So, I spent 2 minutes looking for a browser extension, by googling "Chrome Extension allow paste". The second link brought me to the appropriately named Don't f**k with Paste. I installed it, enabled it on the browser and voila, I can now paste my online Id into my online banking.
So, what's my point?
Well, I'm not a fraudster. But I think that fraudsters are likely more talented at website trickery than I am, so the feature DOESN'T stop them. Its only effect is to prevent those with a legitimate reason to paste from accessing their bank in a way consistent with their everyday use of their own computer.
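The argument above in code, as an added example that is not from the original post or the bank's site. It assumes the common mechanism of cancelling the `paste` event (the post does not say which mechanism the site uses) and uses a hypothetical `FakeInput` stand-in so it runs in Node; it shows that the handler only ever sees the user's paste gesture.

```javascript
// Added illustration: FakeInput is a hypothetical stand-in for an <input>,
// built on the standard EventTarget API so it runs in Node without a browser.
class FakeInput extends EventTarget {
  constructor() {
    super();
    this.value = "";
    this.handlerCalls = 0; // how often the paste-blocking handler ran
  }
}

// Assumed mechanism: the page cancels the "paste" event on the field.
function blockPaste(input) {
  input.addEventListener("paste", (event) => {
    input.handlerCalls += 1;
    event.preventDefault();
  });
}

// A person pressing Ctrl+V: the browser fires a cancelable "paste" event and
// inserts the clipboard text only if no handler cancelled it.
function userPaste(input, clipboardText) {
  const notCancelled = input.dispatchEvent(new Event("paste", { cancelable: true }));
  if (notCancelled) input.value += clipboardText;
  return notCancelled;
}

// A script filling the field: it assigns the value directly, so no "paste"
// event exists for the handler to cancel.
function scriptedEntry(input, text) {
  input.value = text;
}

// Run both paths against a paste-blocked field and report what happened.
function compare(sampleId) {
  const human = new FakeInput();
  blockPaste(human);
  const pasteAllowed = userPaste(human, sampleId);

  const scripted = new FakeInput();
  blockPaste(scripted);
  scriptedEntry(scripted, sampleId);

  return {
    humanPasteAllowed: pasteAllowed,
    humanValue: human.value,
    scriptedValue: scripted.value,
    handlerCallsDuringScript: scripted.handlerCalls,
  };
}

console.log(compare("123456")); // "123456" is a constructed sample ID
```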
Yeah, but now I have an extension, why complain?
Hey. I didn't say I'm keeping the extension. I'm not. Think I trust some random plugin off the internet? I certainly do not! So, I'll still be hampered by this UX anti-pattern. And worse, the anti-pattern encourages people to install extensions like this, because people hate inconvenience. What if the extension is a keylogger? The anti-pattern can contribute to fraud, not prevent it.
By not allowing me to paste my Online Id into my banking portal, they've made the portal less secure, not more. Convince me if you think I am wrong.
Photo Credit: Elisa Ventur on Unsplash
Thanks for reading the Tapadoo blog. We've been building iOS and Android Apps since 2009. If your business needs an App, or you want advice on anything mobile, please get in touch