Thursday, November 12, 2009

Why online security isn't

For various reasons, over the last few weeks I've had to observe quite a lot of young people (ages 16-21) setting up online accounts for various services from banking to social networks. And in nearly every case, the user experience was crap and worked strongly against online security.

The minimum level of online security is, quite reasonably, to create a username and password (of questionable strength) and confirm details via an email link. But in so many cases, it's so much worse than that. With great regret, we're dumping the fabulous delicious as a component of our first year PLE module next year because now that registration for delicious has switched to Yahoo, the system is so f*cked up and unfriendly that it's untenable to continue with this useful service.

I watched a young person struggle with the O2 website, being asked screen after screen of "security" questions, multiple PIN numbers and passwords, and responding by generating throwaway details they had no intention of remembering just to navigate the maze required to get to their objective. And I just set up a new online bank account which required me to:
  • Fill in an online application form with my details.
  • Wait 7-10 days for a confirmation letter which asked me to send off a number of identification documents (originals, not copies).
  • Wait 10-14 days for online account details which I failed to enter into a website so badly designed that I couldn't find the right section because it kept redirecting me to the credit card section, necessitating two calls to the helpline, in order to:
  • Order a card reader necessary to withdraw or transfer money and
  • Wait up to 15 days for the card reader to arrive.
And if one link in the chain breaks, one digit is typed wrongly or one letter goes astray, all bets are off. This isn't security. This is the opposite of security, encouraging people to cut corners, take risks and lie.