
This is Citibank’s login page.
For the sake of security, Citibank decided that clicking on an on-screen keypad was a better idea than the good old way of typing in a password for authentication.
This seems like a neat concept for private banking (at a Citibank kiosk or somewhere similar), but I don’t think it is really secure when I’m at an open cyber cafe clicking on this keypad, which gives anyone passing my desk a chance to peek at my monitor and guess my password.
Wasn’t typing the password on a keyboard a better idea, considering my hands cover the keyboard and reduce the chances of anyone guessing my password?
Citibank has a feature called “View and Pay”. It makes paying monthly utility bills a lot easier: the bill account details need to be entered only once, and then a message and an email are sent to the user every month for payment confirmation.
It’s pretty convenient, but there is no way of canceling a payment.
For example, I have my telecom provider registered with Citibank and pay the bill through the website every time. But this one time I paid the bill at the telecom store instead of through the website. After the payment was done, it did not reflect on the website, which still asked me to pay the bill I had already paid. Once a user makes a payment through the website, they assume he is going to do the same every time; multiple payment methods are not handled.
Do you guys have any comments?
(Written after discussion and inputs from Nikhil Chandran)

4 comments:
Would they have done this to prevent spyware that catches keystrokes?
BTW, are they forcing you to use that keyboard? Does your normal keyboard not work?
Another minor observation. The label under the password field says "Internet Password is not case sensitive"
Observations
1. Internet password? Password to the internet? Why not call it banking password? Or account password?
2. Case sensitive. Is this well understood? Should they have shown an example?
3. Now that we are talking about case, why is the P in password capitalized? :)
The actual idea behind this kind of virtual keyboard is to tackle key logger software which can be installed on internet cafe/unknown/shared machines. A key logger software captures anything you type using the keyboard and mails it to the person who installed it after you leave. This gives him your password.
But of course it doesn’t help because of the problem you have explained here. As we have to click on the alphabets and numbers, anyone overlooking can easily find out our password. No need of a keylogger to do that.
The good old keyboard would have been better in this case, and also a warning not to log in to the bank account from shared or unknown machines. Even after that, if someone wants to log in from an internet cafe, it’s at his own risk.
@Sunil "Internet Password is not case sensitive". Before getting to the terminology I have another question. If the user is supposed to use only the virtual keyboard, what difference does it make? Even if he wants to change the case there is no way he can do it. That line is not helping anyone.