Shostack + Friends Blog


Usable Security Matters


Well, I didn’t need any coffee this morning, because my bank sent me email:

Phone number changed
You changed your phone number on your account Profile.
If you made this change, you don’t need to do anything.
If you did not make this change, please call us immediately at #

No one in my household made that change. And the message is awful.

Both the message and the experience could be improved by usability engineering. This isn’t a matter of me looking at it and suggesting changes; it’s a simple matter of usability testing.

First, don’t say it was my account if it wasn’t. Say exactly whose account it was. Say which account it was, in this case an IRA. If there’s a privacy concern, have that information available to the first account rep I reach at the number you gave me. The second CSR, Matt, was very helpful, and believed that he knew which account was the cause, but frankly, that’s not as reassuring as I’d like. I’d like to know that someone knows precisely the cause of the alert.

At least the phone number they included in the alert was one that’s on their website. But the reason I care about usable security is that, at the end of the day, it’s people I hope to protect.

As it turns out, it was not a phone number on my account, but a new IRA being set up, and the phone number on it was a phone number on other accounts. I’m not naming the bank, because I learned a long time ago: praise specifically, criticize generally.

Photo: Alex Green, Pexels