Usability: JavaScript alert() function
Posted by Swapnil Pathare on Jan 15

Traditionally, the most convenient way for web developers to buzz the user with a message has been the JavaScript alert() pop-up. It is convenient to code and ensures that the user doesn’t miss the message (there is no way to go back to the page until the user clicks OK or whatever prompts you’ve coaxed in).

Javascript alert

Today this very pop-up is a major hassle for users, just because in multi-tabbed interfaces, the user cannot switch between tabs when an alert is displayed to him. So you have an irritated user who wants to urgently book a flight in the next page, but is stuck on your tab because you have provided some text for him to understand and press OK.

This is still ok when the alert is shown on the press of a button. There is a higher probability of the user being still focussed on your page. But alerts on page load, notifying “Successfully performed operation” are nothing but rot.

To grab the user’s attention while the user is on your page, a far more elegant way is to use div-based message boxes. This keeps the user interface consistent with the rest of the website and also leaves the user room for some other (possibly precious) activity. The new CSS opacity attributes also let you gray out the page background whilst displaying your error, which is pretty neat.

While you are proceeding towards unobtrusive interfaces like a good kid, why not also give a thought to what ought to be the messages warranting a pop-up? Oracle ADF, which we use for development, has 3 levels of messages:

  • Info, Warning: Display at the top of the page with appropriate icon
  • Error: Display as a div-based pop-up to the user and gray out the remaining page, ensuring the user cannot perform any activity till he selects an option to handle or acknowledge the error.

The good part is that the behavior of messages is built into the framework. So if tomorrow a usability test suggests that warning messages better be shown as a popup so the user doesn’t miss them, there’s a 3 line change in the framework to enable this. Clean, easy, cool. That’s the way we want it.
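The level-to-presentation policy described above, as an added example (not code from the original post or from Oracle ADF); `PRESENTATION`, `renderMessage`, `showMessage` and the CSS class names are assumptions. Message text is escaped because, unlike alert(), a div filled with markup will interpret whatever it is given.

```javascript
// Added example: one policy table decides how each message level is shown.
const PRESENTATION = { info: "banner", warning: "banner", error: "modal" };

// alert() only ever displayed plain text; text placed into markup must be
// escaped, otherwise a message containing user input becomes HTML.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderMessage(level, text, policy = PRESENTATION) {
  const mode = policy[level];
  if (mode !== "banner" && mode !== "modal") {
    throw new Error(`unknown message level: ${level}`);
  }
  const safe = escapeHtml(text);
  if (mode === "banner") {
    // Non-blocking: shown at the top of the page, the user can keep working.
    return { mode, html: `<div class="msg msg-${level}" role="status">${safe}</div>` };
  }
  // Blocks this page only: a translucent overlay grays out the content,
  // but other browser tabs stay reachable, unlike with alert().
  const html =
    `<div class="msg-overlay" style="position:fixed;top:0;left:0;right:0;bottom:0;background:rgba(0,0,0,0.5)">` +
    `<div class="msg msg-${level}" role="alertdialog" style="background:#fff;margin:15% auto;padding:1em;width:20em">` +
    `${safe} <button type="button" class="msg-ok">OK</button></div></div>`;
  return { mode, html };
}

// Browser-side entry point: insert the message and wire up the OK button.
function showMessage(level, text, policy) {
  const { html } = renderMessage(level, text, policy);
  document.body.insertAdjacentHTML("afterbegin", html);
  const ok = document.body.querySelector(".msg-overlay .msg-ok");
  if (ok) ok.addEventListener("click", () => ok.closest(".msg-overlay").remove());
}
```

Showing warnings as a pop-up is then a change to the table only, for example `{ ...PRESENTATION, warning: "modal" }`.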

(In)secure payment with credit cards
Posted by Swapnil Pathare on Jan 14

“Use plastic money” is supposedly the advice floating around. Safe, secure, instant transactions – all marinated, cooked and ready to eat. Facilitates the banks, vendor and client. All in one. Fantastic.

Yet, the security provided in CCs is pathetic. Let me start my rant with the “industry standard” security that ought to be provided for anything that costs you money, be it Re. 1 or Rs. 1 lakh.

Say you have a bank account and password which serves as identity proof as well as payment proof. How does the bank verify that someone has not stolen your password from password.txt conveniently stored in your notebook?

So the smart banks like ICICI develop a system wherein you need to enter some randomly requested numbers which can be seen at the back of your bank debit card.

The ICICI funds transfer requires you to login, then provide the transaction-specific password (2nd level of security) and in addition, some digits on the back of your debit card. This “some digits” security feature is really good, because the position of numbers requested changes for every transaction.

The security explained above is known as Multifactor Authentication (in this case, two-factor authentication).
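The changing-position card challenge described above, sketched from the server side as an added example (not from the original post and not the bank's implementation); the 16-digit card string, the function names and the choice of three positions per transaction are assumptions.

```javascript
const crypto = require("node:crypto");

// Constructed sample: digits printed on the back of a hypothetical card.
const SAMPLE_CARD_DIGITS = "4829105736182940";

// Pick `count` distinct positions with a CSPRNG so the next request
// cannot be predicted from earlier ones.
function newChallenge(cardLength, count) {
  if (count > cardLength) throw new RangeError("count exceeds card length");
  const positions = new Set();
  while (positions.size < count) positions.add(crypto.randomInt(cardLength));
  return [...positions].sort((a, b) => a - b);
}

function expectedResponse(cardDigits, positions) {
  return positions.map((p) => cardDigits[p]).join("");
}

// Constant-time comparison; timingSafeEqual throws on unequal lengths,
// so the length is checked first.
function verifyResponse(cardDigits, positions, response) {
  const want = Buffer.from(expectedResponse(cardDigits, positions));
  const got = Buffer.from(String(response));
  return want.length === got.length && crypto.timingSafeEqual(want, got);
}

// Each challenge is good for one attempt: it is deleted before the check,
// so an overheard answer cannot be retried against the same positions.
const pending = new Map();

function issue(txnId, cardDigits, count = 3) {
  const positions = newChallenge(cardDigits.length, count);
  pending.set(txnId, positions);
  return positions;
}

function answer(txnId, cardDigits, response) {
  const positions = pending.get(txnId);
  pending.delete(txnId);
  return positions !== undefined && verifyResponse(cardDigits, positions, response);
}
```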

Compare this against the current security provided in case of Credit Cards. What is the “password” you use for online transactions? It’s the CVV number which is printed on the back of the CC. So anyone who has stolen a CC effectively has access to all the information he ever needed to perform an online transaction. And while we’re at it, why think of only thieves? We don’t even know whether websites retain your credit card information in their database or not. A response from ICICI CC help: “No sir, they cannot retain your CVV number, because it comes in password field, right? It is not displayed on screen, and thus they can’t even store it if they wanted to!”

I nearly died laughing.

Okay, so the security issue is present only for online transactions? Not really. What happened last time you paid for dinner at the restaurant? You slipped the CC, the waiter was kind enough to swipe the card, get the Merchant Copy, Customer Copy, and bring it back to you after a good 5 minutes.

Did he verify the signature you made on the bill against the one on Credit Card? If not, then anyone who finds your card (or steals it) can go to a restaurant and sign as per his will. Will the credit card company pay the restaurant if they see that the signature is incorrect? Of course they will! I discussed this with ICICI bank. The fellow at their helpcenter stressed that it is the duty of the vendor to verify your signature against the one on the back of the card! Well, I’ve never come across any such vendor in my four years with CCs.

Let’s go back to the restaurant scenario. The waiter came back after quite a while. It takes around 10 seconds to note all the information on your CC onto a piece of paper. How do you know the waiter didn’t do it? Of course, if he performs any transaction with this information, he can be easily tracked, innit? Oh, but what if he sits in an internet cafe and pays to some shady porn site hosted in South East Asia? Transaction is over, bank has paid them in a few hours and only you stand to be the loser.

So, if CC security is really this screwed up, shouldn’t there be a lot of fraud already happening around here?

The cost of credit card fraud reaches into billions of dollars annually. In 2006, fraud in the United Kingdom alone was estimated at £428 million, or US$750-830 million at prevailing 2006 exchange rates.

After all this, you’d think that some CC provider would want to pep up security measures. Na-aa! In fact, if you try booking any flight via telephone today, the executive at the other end happily notes down all the information required, including your CVV number. This, according to banks, is wrong. Yet, I don’t see any action against this practice.

All in all, credit cards are hardly secure. What can we do in this case? Well, there are a few basic measures for us:

  • Wherever you pay by credit card, ensure the credit card is never out of your sight.
  • Never pay by credit card on phone.
  • Write more about this on your blogs, spread the message :)
  • Protect your wallet like crazy. If there’s hundred bucks, you would lose just hundred bucks. With cards, you lose a lot more than what you’d like to carry around with you.
  • Have emergency bank numbers in your phone, pocket, wardrobe, just about everywhere. In case of theft, don’t lose any time in contacting the bank.

Well, it would all be easier if credit card companies followed some more security measures. CC 2.0?

  • Have some passwords or PIN numbers for us please!
  • Have payment gateways for telephone payments. Use automated systems for users to press CC number and PIN from their telephone. Prevent human interaction.
  • Stop printing the CVV on the card. It’s not a secret if it’s on the card! Everyone knows where to find it!
