Which will be... yeah, it's already 2:15, so I think we can start. This talk will also be live streamed, so we'll post questions from YouTube here as well.

Hi Zainab, one quick question: so this will be the recorded version, right?

Yeah, the recorded version will also be live streamed and played on YouTube, so your talk is being streamed. We stream one talk a day, and today it's your talk that's streamed, so we'll also pick questions from YouTube and post them here so that you can answer them live.

So I can just be on standby, right?

Yes, that's right. I'm in the middle of trying to also coordinate with Vikal and Kipra for the further session. Okay. Okay. Should I start the video?

Yes, we can start now.

Moving on to security. My name is Shruvan Kaur and I'm the founder of Bandage. Bandage is a cybersecurity startup based out of Kolkata. We work on building a secure mesh Wi-Fi product. We also provide data breach consulting and security training to organizations. In sum, we work on cybersecurity, anonymity and privacy issues. I have been working on software for the last 15 years. I've spent ten years working in companies like Katel XC and Adobe, and I've built almost everything from device drivers to web applications. I am an alumnus of HSC Paris and IAST shipbook, and you can reach out to me via email at contact at bandage.com or via Twitter at twitter.com slash bandage. So today I would like to talk about user experience and how great user experience makes security easy. This is what I want to go through over the next few slides, and before we start I just want to make sure that this is not a UI/UX design tutorial per se, nor is it a tutorial on how to do net banking. This presentation is going to be very interesting to you if you work on user experience, or if you work on security, or even if you are a heavy net banking user. All right, so before we start, just a couple of things I want to point out.
Security is a fast-moving field and there's a lot of research going on; it's very exciting and it really helps to keep up with the research that's going on right now. In fact, we are going to refer to a number of research items in our presentation today as well, so you'll see why it's important. So that's the first thing you should keep in mind when designing for security, and the other thing you should keep in mind is of course the standards that are there. There are two kinds of standards. One are the paid ones: for example, ISO will come up with standards that you have to buy to read and, you know, implement. And then there are standards like the one that you see on your screen right now. This one is from NIST. Think of it as the US's standard-setting organization. This particular standard is about digital identity guidelines, and it's going to be very useful if you are trying to design user authentication and application management. In fact, we are going to refer to this document a few times, especially the authentication and lifecycle management volume, in our presentation today, and you'll see why it's so useful. And with that, let's get started with our examples. So the first thing I want to talk about is outdated advice that banks typically give out to their consumers, and remember, this advice comes in two different forms: one is implicit advice in what you can and cannot do on the website, and the other is explicit advice. So for example, when you try to copy-paste your username or password, you probably see a prompt come up that says copy-pasting is disallowed. That's an implicit limitation, right? That's implicit advice that they give you. On the other hand, there is explicit advice that they give out, like the ones you see here. For example, they'll tell you to change your password regularly, they'll ask you to use the on-screen keyboard, and they'll ask you not to click on email links and attachments.
Let's pause for a moment and think through this advice. Is it really possible for someone who's working in, let's say, HR or sales to not click on links? No, that's really part of the job, right? So you see that this sort of advice really is not useful. What about the other ones? Okay. Using passwords that expire frequently adds to the user's cognitive burden, and it really does not serve any purpose per se. Research shows that there is no added benefit if you just keep changing the password every 15 days. Also, the fact that you don't specify how frequently users should change their passwords makes it even more confusing, which is exactly why the NIST standard says don't do it. Don't ask users to change their passwords frequently. On the other hand, they do say that you should allow users to use copy-paste. Why is that? So that you can use password managers. And why use password managers? Because they make it extremely easy for you to not just manage passwords across all the hundreds of accounts that you have today, but also to create complex passwords. Okay. The last piece of advice that we had on the screen was virtual keyboards. Let's take a look at virtual keyboards as well in detail. And before we go on, let's take a look at how virtual keyboards look on, let's say, a mobile phone. Here's what you would see if you go to State Bank of India's net banking website, and this is how the virtual keyboard would look on your mobile phone. For scale, I have Gmail's login screen on the same mobile screen, and you can see there's a huge difference in legibility. Why does legibility matter? Because legibility allows a user to log in in one go, so that users will not be making any mistakes when they start typing. Why is that important? Because if you make too many mistakes when you're logging in, you're probably going to get locked out of your account.
Considering that banking is an extremely important function, getting locked out because the design is not correct is probably not a good idea. And this is exactly what the NIST standard also says, right? You should design keeping in mind the form factor in which the user is going to use that site. Unfortunately, what we see is that most net banking sites in India do not keep that in mind. And that makes using virtual keyboards extremely difficult. The other problem, of course, is the fact that these virtual keyboards are probably not as secure as the banks make them out to be. For example, there's this Malaysian researcher called Raymond who found out that... he looked at 12 commercial products. What he found out was that almost all of them had no trouble bypassing virtual keyboards and running past them. So why ask users to use something that's not secure enough, right? That's probably not a good idea. Now let's come back to another thing that banks use very frequently: security questions. And here is PNB's net banking screen where you can go and set security questions. Now you see that they ask you to set seven security questions. Is it a good idea? Well, whether a security feature is good depends on how easy it is to understand, whether it's used judiciously or not, and whether there is a demonstrable security benefit to it or not. Security questions fail on all three fronts. For example, PNB is confused about what they want to call security questions, because if you look at their menu, they call it "enrol for challenge". Users have no clue what a challenge is, right? Users get confused. So definitely not good. The other thing is they're asking you to set at least seven questions. Now that is a lot to ask your users for. And demonstrable benefits? Well, researchers from Google looked at security questions back in 2015, and what they found out was that users either set answers that are extremely easy to guess,
or they set complex answers that they themselves forget when the time comes. And both of these things make security questions completely useless. In fact, the researchers also looked at what happens if you increase the number of questions. What they found out was that if you increase the number of questions that users had to set, the probability that users are going to forget them increases by a lot more. So in a nutshell, security questions are an absolutely bad idea. And yet we see this being implemented across most of the banks in India. In fact, the NIST standard actually says that you should not ask users to use security questions, right? The other thing that I've noted happens quite often is the fact that banks would throw up detailed error messages. For example, here's one that PNB threw up. And it's a bad idea. Why? Because it really doesn't tell users what to do now, right? Users really have no use for such detailed information. In fact, people who actually are going to use it are probably not very nice people, because they're going to use that information to attack your website, right? And banks should keep that in mind. They should not be throwing up such detailed error messages. The noted security researcher Troy Hunt looked at this about 10 years back and wrote about this exact problem, and he shows how easy it is to fix: it's essentially a single line. There's no reason why production code of a banking website would not have this. So don't throw up error messages, don't confuse users, and, you know, give users something tangible to work on. Why tangible? Because we are really interested in giving users enough information so that they can make an informed decision about what's best in terms of security. And that's where the usability angle comes in. And this is where I want to focus on State Bank of India.
State Bank of India understands that it's important to figure out what your customer wants, and they want to run surveys. Unfortunately, what they do is they run surveys when you're trying to log out. This is what happens when you log out, or at least when you click on the log out button: they'll throw up a modal dialogue which has two options, "continue", so you're going to go ahead with the survey, or "maybe later". Neither option tells you that you are going to be logged out or that your account is going to be secure. Now, again, this leaves users at a loss. They don't really know what's going to happen. And that makes this extremely bad from a usability perspective. So don't do that. Don't confuse users. Now, I talked about a number of things that net banking websites are doing wrong, but not all of them are doing everything incorrectly. So there's some hope, and I want to end with one small example. What you see here right now is an email that HSBC sent out to its customers some time back. And this was when they were managing two-factor authentication for customers using their mobile banking app. So what's interesting about this particular email is that it does three things correctly. One, it communicates the fact that they are upgrading the security mechanism concisely and in very simple language. Two, it calls out the fact that 200,000 people are already using it, so, you know, the shift is not particularly difficult for the average user. And third, they're throwing in a deal sweetener. They're saying that if you do this fast enough, so, you know, if you upgrade within three or more days, you get a chance to win an e-gift card. So you have, you know, a brief, concise communication on what is happening, what you need to do, and what you win if you do that. All of which are essentially small nudges that push the user towards a better security experience.
So I would say, you know, more banks should try to emulate such efforts. So I think we're almost done with our presentation, and I understand I might have left you with more questions than answers. And I'll be happy to take them. Please reach out to me via email or Twitter, whatever works for you. And before I say goodbye, I'd like to take a moment to thank the ASCII team for giving me this opportunity to reach out to you and talk about user experience and security, and for guiding me and, you know, making sure that everything goes well, and for doing road comp. And with that, thank you and bye bye.

Thank you, Suman, for doing this talk, and for being, at the risk of saying it again, one of the most enthusiastic people I've been interacting with during this conference. We'll take questions for Suman; we have about five minutes for questions. I'll also check if we have any on YouTube. Let's see. Suman, do you have anything to add in terms of this, you know, what got you working on this, plus the fact that you also worked on the loan apps research along with Srikanth, which saw quite a bit of an outcome. Where do you see all of this going, and, you know, what could concretely be done in terms of giving feedback to some of these institutions?

That's actually three questions, I think. Okay, so let me take them one by one. I think the first thing is, okay, so something that I missed in my presentation was that the samples I've taken were clear cut, right, so you can say that this is good and this is bad. But when it comes to user experience, and because the research is moving all the time, you know, that distinction between what's right and what's not right changes over time, right. So, you know, in some cases, what people would think is working well right now might not be the best idea five years down the line. So, you know, you have to update your product accordingly, right. So that's one thing to keep in mind.
The second thing is, of course, I think we as users and practitioners both need to reach out to companies and tell them, you know, what works and what doesn't work. I mean, not telling them will probably never get them fixed, right. So, yeah, I mean, the first thing is, of course, you know, to reach out to like-minded people. So for example, I reached out to Srikanth, or, you know, Srikanth and you reached back out to me, and, you know, all these things have been going on. So I think that's a very positive thing, that we are talking about it and we're discussing it. And I'm sure that, you know, there would be a ripple effect where, you know, people would see what we're talking about, and then, as more and more people join in the conversation... (Hi, hello.) So we'd probably see, you know, that product designers take note of the issues that we're talking about and then, you know, start working on that. Does that answer your question?

Yeah, I think to some extent, yeah, it does. Let's see, maybe we can wait for half a minute to see if there are any more questions. Otherwise, we could launch into the Birds of a Feather session.

The other thing, yes. And, you know, one thing I'd forgotten was, you mentioned to me earlier that, you know, we should probably document all the issues that we are seeing with net banking right now. And maybe a group of us can send a joint report of sorts to some of the banks, or maybe, you know, even the RBI. That might be one more thing that we can do. That can be a key takeaway from this conference, right?

No, absolutely. I think it's really important to give that feedback, so that, I think, there's also an awareness of the consumer sentiment, plus the fact that, you know, I mean, if banks have to work with developers, they have to take some of these things into account. Yeah. Okay, I think what we can do is we can launch into the Birds of a Feather session and we