Citibank UK banking makes you less secure, won't work for disabled people

My UK banker is Citibank UK, from whom I've had nothing but trouble. Setting up an account with them was like pulling teeth, despite my existing accounts with Citibank in Canada and the USA. Then it turned out that Citibank UK won't allow PayPal transfers in and out of their accounts. Now comes this ridiculous "security measure" — a DHTML-based "screen keyboard" with which you are required to enter your password when you log in to their online banking system, and then every time you do any transaction thereafter. This is supposed to guard against keyloggers, by ensuring that your password isn't entered via your actual keyboard.

This is broken for many reasons. Here are a few:

* Citibank UK online spawns a small window all its own, regardless of the size of your screen. This window is too small to accommodate both the little toy keyboard and the login screen, so that the keyboard is always overtop of some key piece of information. Here you can see it almost completely obscuring the Login button. It would be reasonable for Citibank to let me choose the size of my online banking window, but if they've decided that I'm not old enough to make that kind of decision for myself, the least they could do is not throw unnecessary interface clutter at me.

* The DHTML keyboard doesn't work in some browsers. In Safari, all but the last row of keys is offscreen, with no way to move the keyboard.

* By not allowing me to use my keyboard to enter my password, the system precludes my using long, impossible-to-guess (and impossible-to-remember) passwords that I store in an encrypted password locker. Instead, I have to choose a much weaker, human-memorable password.

* Finally, this thing can't possibly be usable by blind people or people with physical disabilities that make fine mouse-movements difficult. The fact that you need to use their toy keyboard every time you complete a transaction makes this doubly/triply obnoxious.

Having gone through the legendary bullshit involved in opening a bank account in the UK, I'm loath to try to terminate my Citibank account in favor of another UK banker, but if they keep on reducing the usability of their Internet service, I might just brave it.

Update: Emmet adds, "One of the ways this little on-screen keyboard makes the password less secure is that it does not seem to allow for mixed-case passwords, nor does it allow entering accented letters. This means that the actual key space is greatly reduced and will make guessing passwords easier."

Update 2: Joe sez, "Typing a password on a keyboard is secure because it's very difficult to observe the movements of ten fingers at the same time. Following a single mouse pointer on the screen is much easier. I suspect that the rate of key logging attacks is much lower than rate of observed password attacks."

Update 3: Brian points out that Bermuda's Butterfield Direct has an even more abusive toy keyboard, requiring you to enter both your login and password with it, and masking every character as you type it. Kevin adds, "To make matters worse, if you have to type/click a double character (such as 'ss') in Bermuda's Butterfield Direct, the second click will produce two characters ('sss') if you click too quickly. Because the characters are masked, you can almost never catch this activity and are consequently told by the website that your username or password is incorrect."

Update 4: Kelly sez, "I have similar so-called security frustrations with my ING Direct savings bank account. They have this similarly tedious and user unfriendly design for their PIN code entry. It is an on-screen numerical keyboard, with the numbers randomly assigned to each key. Thus, instead of the top line being 7 8 9 it might well be 4 9 0."