August 27th, 2007


My feedback to Westpac

The sign-in page for Westpac Online Banking has a red message saying "Security Update: [today's date]". Here's the unsolicited feedback I sent to them:

Internet users typically become blind to ads ("banner blindness"). The villagers stopped believing the boy who cried "wolf!". How long till people stop using the "Security Update" link on the Westpac Online Sign-In page?

The warning lies: it ALWAYS displays today's date, implying that a NEW security risk has been identified TODAY. But that's not the case. I follow the link and get an update from another date. Then I think "that was a waste", and I learn to ignore the message. Even the gullible people whom your security warnings need to reach are going to stop falling for this little trick after a while.

It might seem like good CYA security: if someone falls for a hoax, you can say "we warned you - every day in fact!", but wouldn't it be better to highlight each new security threat or hoax as it comes along? You want people to think "oh, there's a new warning - what's it about?" instead of "been there, clicked that". Another way to highlight warnings is to display a little snippet of it on the sign-in page, with a "Read More" link. That would both convey information, and be visually different from one warning to the next, reducing the chance that it will blend into the background.