Wednesday, April 5, 2017

Bad UX design could lead to security holes (BPI Express Case)

How bad UX design could lead to security holes (BPI Express Online Case Study)

Like most banks in the Philippines, the Bank of the Philippine Islands (BPI) is a major cause of migraine for customers. Its user experience design (UX) is badly done and the web service is unreliable. Both of these headaches lead to a third, much bigger problem: security holes. This probably explains why some BPI customers recently fell victim to phishing scams where unwitting victims divulged their passwords to a website pretending to be the BPI's online service. 

BPI's UX design problems 

Due to a badly designed user experience, the BPI website creates problems that punish the user. Forgot your password? You would have to call customer service to get a password reset. Maybe they think that this is more secure than doing the password reset online, but really, it's the same thing or even worse -- the human to whom I'm giving my details could jot down my credentials.

Let's discuss the first issue: bad UX. By this I mean not only the clunky design of its user interface that confuses users but also the general lack of empathy with the customer especially in times when the site is down.  

As I write this, the BPI website is, yet again, under maintenance. The screenshot below is the usual message that customers get when that happens (and all too frequently at that, if I may add).


There is no information on how long the maintenance will take. Should I just keep clicking the refresh button?

In the homepage, it turns out that there's an inconspicuous and cryptic message saying "Electronic Channels Upgrade Advisory":



Does the extra click I spend give me more helpful information? Nope. Check out the resulting page:

It's just telling me what I already know. At least tell me how long I should wait or when to try again. The message is as helpful as a flood warning a day after the flood has submerged the town. 

My retries produced a more problematic error message that gives away database details:


Maybe I stumbled upon a critical procedure during the maintenance. But shouldn't the BPI team be cautious about this and prevent this kind of sensitive error message from being published? 
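The two failures above (a maintenance page with no ETA, and a raw database error shown to the customer) have a standard fix: answer a maintenance window with a 503 plus Retry-After and a concrete time, and route any backend exception to a server-side log while the browser only sees a correlation id. The following is an added illustration written for this post, not BPI's code; the exception text, timestamps and log sink are constructed for the example.

```python
"""Constructed example: keep backend error details server-side and give
customers actionable maintenance info instead of a bare 'try again later'."""
import uuid
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

# Simulated server-side log sink (stand-in for a real logger; example only).
server_log = []


class DatabaseError(Exception):
    """Stand-in for a driver exception whose message must never reach the browser."""


def maintenance_response(until: datetime, now: Optional[datetime] = None) -> dict:
    """503 with a concrete ETA and Retry-After, so the customer knows when to retry."""
    now = now or datetime.now(timezone.utc)
    wait = max(0, int((until - now).total_seconds()))
    minutes = max(1, -(-wait // 60))  # round up to whole minutes
    return {
        "status": 503,
        "headers": {"Retry-After": str(wait), "Cache-Control": "no-store"},
        "body": f"Online banking is under maintenance until {until:%Y-%m-%d %H:%M UTC}. "
                f"Please try again in about {minutes} minutes.",
    }


def error_response(exc: BaseException) -> dict:
    """500 whose body carries only a reference id; the exception text is logged, not shown."""
    ref = uuid.uuid4().hex[:12]
    server_log.append({"ref": ref, "type": type(exc).__name__, "detail": str(exc)})
    return {
        "status": 500,
        "headers": {"Cache-Control": "no-store"},
        "body": f"Something went wrong on our side. Reference {ref}. Please try again later.",
    }


def handle_request(handler: Callable[[], str],
                   maintenance_until: Optional[datetime] = None,
                   now: Optional[datetime] = None) -> dict:
    """Front-door wrapper: maintenance window first, then a catch-all for backend failures."""
    now = now or datetime.now(timezone.utc)
    if maintenance_until is not None and now < maintenance_until:
        return maintenance_response(maintenance_until, now)
    try:
        return {"status": 200, "headers": {}, "body": handler()}
    except Exception as exc:  # the catch-all is the point: nothing leaks past here
        return error_response(exc)


def failing_handler() -> str:
    # Constructed failure text; a real driver message would look much like this.
    raise DatabaseError("SQLSTATE 08001: connection to host db-internal.example refused")


def demo_maintenance(minutes_left: int) -> dict:
    """Deterministic helper: a maintenance window ending minutes_left after a fixed clock."""
    now = datetime(2017, 4, 5, 9, 0, tzinfo=timezone.utc)
    return handle_request(lambda: "ok", now + timedelta(minutes=minutes_left), now)


if __name__ == "__main__":
    print(handle_request(failing_handler))  # generic body; details land in server_log
    print(demo_maintenance(30))             # 503 with Retry-After: 1800
```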

UX design problems create security holes

The examples above are just one aspect of BPI's UX design issue. What's more problematic is that the UX design could lead to major security holes. For example, BPI requires users to change passwords once every three months. You cannot repeat passwords, so you have to create a new one every quarter. 

Can you imagine the burden of remembering a new password every three months, especially since your password cannot be a string of letters? This unreasonable policy forces people to write down their passwords -- which defeats the purpose of a strong password in the first place. 

Another consequence of frequently changing passwords is that people will forget their passwords and would have to call customer service, which leads us to another security hole. BPI does not have an online password reset service. If you forget your password, you have to call a customer representative to reset your password for you. Adding a human introduces a weakness in the security chain. Before the customer representative resets your password, you must answer security questions that force you to divulge private details to a stranger. 

In forcing users to call a human instead of offering an online password reset service, BPI probably thought it was creating tighter security. Yet this did not prevent users from giving away their passwords to a phishing scam, did it? 

Many know that UX design is important to any piece of software to improve usability. But as I explained above, UX can also lead to security problems that could be exploited by online criminals.   

The case I outlined above also shows how corporations build their security measures based on outdated assumptions. But that is for another blog which I will be writing soon. 

Saturday, March 25, 2017

Yummy Filipino Adobo

Filipino Adobo stores well and gets better as you keep it for several days. Store it in the fridge and fry/heat it up as you consume it. The recipe below combines different recipes I've learned from friends and relatives. If you're new to cooking adobo, try the Basic Prep instructions first.  

The Kapampangan adobo recipe varies from the one I record here. When I get the time, I'll also write that one down. There are as many variations of Filipino adobo as there are Filipino families, I bet. The word adobo is Spanish for sauce or marinade, so don't confuse Filipino adobo with the Mexican version.  

Got some tips? Share them in the comments below. 

Enjoy!

Yummy Filipino Adobo

Ingredients

  • 2 lbs - pork (belly and/or ribs is great, but any cut is okay)
  • 1 cup - soy sauce
  • 1 cup - white vinegar (rice vinegar is okay)
  • 4-6 pcs - bay or laurel leaves
  • 1-2 tbsp -  ground/cracked black pepper
  • 1-2 bulbs - of garlic - with cloves crushed, peeled, and sliced (the more garlic, the better)
  • 1 bulb - onion, sliced (optional, see Instructions for Tastier prep, below)

I. Basic prep

  1. Rinse pork and drain away water.
  2. Put pork in a pot and mix in the crushed sliced garlic cloves with the pork.
  3. Pour in soy sauce and vinegar.
    1. Note: If you want the sauce on the saltier side, add more soy sauce.
  4. Add black pepper.
  5. Crumple/crack the laurel/bay leaves and add them to the pot.
  6. Put in stove, bring to a boil, then lower the temp to a slow boil for 1.5 to 2 hours (the longer the cook time, the more tender the pork will be).
  7. Continue the slow boil until the meat is tender, has soaked in the sauce, and the sauce is reduced to a thicker consistency.
  8. Taste and keep cooking until you’re happy with the taste.
  9. Serve with rice.

II. Tastier prep options

Try each of the following options separately, from top to bottom or do them all at the same time. 
  1. Marinate the meat in the soy sauce-vinegar sauce for 1-3 hours before putting on the stove. This will help the meat absorb the sauce even more.
  2. When the meat is tender and has started to absorb the sauce, take it out and fry it. Drizzle some sauce with cooked garlic on the meat while frying. Meanwhile, let the sauce simmer and reduce further in the pot. When the sauce is ready, put the meat back and serve.
  3. Instead of frying the meat, try baking, broiling, or grilling it.
  4. Substitute 1 lb of chicken instead of pork. Note: chicken softens faster than pork, so you can add the chicken later. Marinate the chicken in the sauce so it absorbs the sauce (see II-1). 
  5. Fry some potato wedges (season lightly with salt and pepper) and add them to the pot when the adobo is ready.
  6. Onion - make a bed of sliced onions in the pan before adding the meat. This makes the adobo even tastier, but you’ll need to reduce the sauce even more as the onion waters down the sauce if not cooked well. To fix this, just reduce the sauce some more. The onion will dissolve and thicken the sauce. Try also putting some of the cooked onions with the meat when frying/baking. 
  7. After a few days, fry the meat with some sauce. As you fry it, pull the meat apart. This makes for some great tasting pulled pork/chicken. 



Friday, June 3, 2016

What's a fake news site?



What’s a fake news source? 

This question is important especially in the aftermath of the 2016 elections in the Philippines. What I'll discuss is a very simplistic view, just enough to frame an answer. It will not be sufficient in many ways and is just a tiny tip of the prod-user/prosumer iceberg. 

To me, a fake news site or source is a website or Facebook page -- social media in general -- that is not backed by a real news organization. Here's a simplistic and minimalist checklist, based on a traditional view of media (because this will help us form a simple definition of "fake media source"):
  1. A genuine news organization will have a trained team. 
  2. That team adheres to a vetting process. Trained writers and editors verify the info they receive from interviewees and sources. 
  3. A standard practice for verifying investigative pieces is to cite sources and cross-validate a story using a second, independent source. 
Again, that list is the bare essentials. So, for example -- Get Real Philippines. Two of its biggest claims are that Marcos was the greatest president and that the youth are realizing this. 

Do they cite sources on this? Their claim that the economy was best during Marcos’s time has been debunked by so many independent sources -- by economists, historians, not just from the Philippines but abroad. 

Back to Get Real. Where's the proof that Marcos was greatest? Get Real's claim about the youth needs statistical support. Where is it? How do they define "a lot of youth"? Is it 80%? 51%? Maybe they interviewed Bongbong Marcos. Or maybe they are citing sources controlled by Marcos during Martial Law, which is like the USSR quoting Pravda to talk about their "glory" days. 

When researcher and professor Leloy Claudio asked Get Real operators to cite a peer-reviewed source, here was its response: 
"What I read in my own time is my business. What I publish via http://GetRealPhilippines.com  is all u got.” 
In short, benign0 is saying, “Hey, I can’t cite sources because I made it all up." Ergo, fake, unsubstantiated claims. 

Get Real’s response automatically cannot satisfy checklist item 3: citing and using a reputable source to cross-validate a claim. Since they failed on item 3, they most probably do not have a trained team (Item 1) that adheres to a vetting process (Item 2). No reputable news organization will fail this checklist. Otherwise they could get sued and lose credibility. 

Items 1 and 2 on our checklist speak about the credibility of a news organization, which we could also refer to as the gatekeeper function. You have a structure (the team) and a filtering function to sort out what’s true and what’s unfounded (vetting system). 

Let me emphasize again the importance of a trained team in a well-oiled organization. Trained -- because being a reporter or editor is not a joke. In the age of free blogs and Facebook, people think it's easy to publish a story. That's a disadvantage of the social media explosion. People most of the time cannot distinguish opinion from evidence-based journalism. It's alarming how Filipinos are now using this ignorance to further erode media -- a freedom we won back after we kicked out Marcos. Andrew Keen warned about the rise of amateurs in blogging. I think he was worried about the erosion of the gatekeeper function of media. If you erode this, you erode an important component of the checks and balances in society. Again, that's for a different story.

Let's go back to fake news sources. The second part of a credible news source is you have to have a trained team. In a blog, you write something and that’s it. In a credible news organization, you write something, cross-check the story, and submit to the editor. Your editor makes sure the sources are cited and credible, and the claims are backed by research. If you could do all these functions by yourself, it’s still not enough — you may have personal biases coming out. So you still need at least one other person — an editor — to make sure it’s a fair and balanced reportage. 

Back to identity. Name an established news organization now and we know its owners: ABS-CBN, TV5, Inquirer, GMA, Rappler. Even if you did not know them offhand, you could do a bit of digging to find out. The information is available. Knowing the owners helps us understand the limits of the organization and the agenda that we should expect from the business behind the news organization. (Note that I am not even saying that a real news organization should be free from bias. News objectivity has long been debunked even in journ schools. What’s really important is provenance and veracity of the stories you are publishing. But that’s another story.)

When Amazon owner Jeff Bezos bought The Washington Post, his purchase was highly publicized and Bezos took lots of effort to reassure the public and Washington Post staff that he will not intervene with the current editorial policy. This helped the paper maintain its credibility to its readers. 

Now let's ask: who is behind Get Real? It’s pretty hard to find out. The “About Us” page, and I urge you to read it (for one, it uses a blog post from Manolo Quezon as endorsement) -- the "About Us" page says it was founded by benign0 — no real name. The Twitter account’s profile picture is a blurry image of someone who looks like Jimi Hendrix. Some say he came out as some guy from Australia (the domain name is registered to someone in Arizona, USA). But that information is not in its About Us page.  


Anonymity is good if you’re a fictionalist, but not if you claim to be a real source of news. That’s just irresponsibility.

So okay, let's be kind to Get Real and not call them a fake site, despite their name. At best, they have user contributed opinions, managed by an anonymous entity hiding behind a username.

---
Postscript. Further pursuits:

Again, this is a simplistic view. There are nuances in between that are still being debated by experts (of which I am not one).

  • For example, some will argue that the owners of the media organizations I named above represent the oligarchy. I agree with that view, but that is for another story.
  • Vulnerability of the model I described: in the US, the Koch brothers set up a seemingly legit news agency which started feeding national news releases that were clearly written to protect the interests of their business empire. These news releases eventually found their way into legitimate publications and broadcasting companies. 
  • In the early days of blogging and Wikipedia, news organizations imposed policies not to cite blogs or Wikipedia. As reporters started putting up their own blogs, the corporate policies later included some guidelines for their reporters. What emerged was that all official, verifiable information got published, while blogs could contain longer interview transcripts and supplemental material.  
  • Which brings us to a gray area: If a bunch of my friends who used to work for mainstream media decided to put a team blog that also aggregated news from legitimate news sources, are we a genuine news source? Huffington Post started as a commentary blog and news aggregator but seems to be emerging as a recognized news source. 

Thursday, October 22, 2015

Pancake Bot draws stuff using pancake dough, then cooks it

Another popular, fun exhibit at the World Maker Faire 2015 was this robot that draws figures using pancake dough. Its drawing board is a hot surface, ergo, the output is pancakes.

Watch the video below. Listen out for references to MC Escher and tessellated turtles.


#WMF15 #makerfaire

Sunday, October 11, 2015

Kit Rex: a cheap, cardboard dinosaur costume kit

Kids and adults love Kit Rex -- a dinosaur costume made out of cardboard. The makers of the costume say it started as a school project which generated lots of interest.

It was one of the most popular booths in the World Maker Faire and you'll see why in this video (below). Now it's got its own Kickstarter campaign.



#WMF15 #makerfaire


Monday, October 5, 2015

SeeMore: a kinetic sculpture that's also a cluster computer

SeeMore is more than just a kinetic sculpture. Each "leaf" here is a Raspberry Pi computer node. A total of 255 computers can perform parallel computations. In this video, SeeMore is doing a map reduce search. 

As work is distributed to a leaf, it folds out. As it completes its computation, it folds back in. The farther away it folds out, the more intense the processing it's doing. The search results are read out of a monitor beside the sculpture (not shown in this video). 

It's mesmerizing to watch and listen to, as the nodes undulate in and out.


Sunday, October 4, 2015

What I learned at the World Maker Faire 2015

I went to the World Maker Faire 2015 at the Hall of Science in Queens, New York. For two days, I drank in an intoxicating mix of 3D printers, robots, drones, quirky musical instruments, and other inventions. The Maker Faire brands itself as "The Greatest Show and Tell on Earth" -- a reference to PT Barnum's circus tagline. But beyond all these, one of the most important lessons I picked up was over late lunch in one of the show and tell tents where David Lang, co-inventor of OpenROV, gave a talk about how to start making. The lesson? Don't let your lack of knowledge and skills stop you -- just start making something.

David was promoting his book, Zero to Maker: Learn (Just Enough) to Make (Just About) Anything. The title piqued my curiosity, because I faced the same dilemma as David did -- he jumped into the OpenROV project (mission: build a robotic submarine) without possessing any of the skills needed to build a submarine.

The OpenROV v.2.8: A Thing of Beauty, ain't it?


So I sat at a nearby table and listened to David while devouring my sandwich. As I listened, I found out that David had actually started from a worse position than me. He talked about having not built anything, not even in school. Compared to him, I had enjoyed my classes in woodworking, where I built a folding chair with the help of my father, created my own step-down transformer by soldering various parts together, and various other crafts whose skills I would sometimes put to use doing household repairs.

Listening to David made me realize that I had no excuse for procrastinating. Here was a man who had zero skills by his own admission, driven only by his desire to learn. And he did learn and even wrote a book about it. I liked the talk so much that I bought his book and asked him to sign it. He asked me whether I had a project in mind and I answered sheepishly that I've only been tinkering with Arduino stuff and vaguely told him about hoping to build a robot and a synthesizer.

Then he asked me if this was my first Faire. I told him this was my second -- the first having been the Silver Spring Maker Faire, which had happened only a week earlier in Maryland. He said that's good, and to keep going to maker faires, particularly the Bay Area Maker Faire. It's even much bigger than this World Maker Faire, he said. I made a mental note to look it up.

Talking to David and then reading his book Zero to Maker got me excited to start doing things again. It revived my belief in that adage, learning by doing.

It had been years since I'd soldered anything. I would occasionally dust off my Arduino Uno and play around with it using a breadboard. I had a Blinky POV kit my wife gave me for Christmas two and a half years ago that remained unsoldered in its tin can. There was a 3-month old Tiny Tesla kit still in its original box. And I had a couple of unassembled components to build an Arduino robot and audio synthesizer.

That neglected kit, waiting to be soldered.

At the World Maker Faire, I lined up at the Google Learn to Solder booth and confirmed that I was too rusty for this. So I resolved that I would practice again. I bought a cheap soldering iron from eBay, a desolderer from Micro Center, and used both to take apart a discarded mouse which I then reassembled.

The Google solder badge features a blinking RGB LED at the tail of a rocket.

What I found out from desoldering and re-soldering the tiny components of the mouse was that my $10 eBay soldering iron wouldn't do. Its tip was too big for small parts. There was obviously a loose contact inside (it took ages before it would melt the solder) and eventually it just broke apart.

I ordered a new soldering iron from Amazon, this time with different points which cost only $17. When it arrived, I started working on the Blinky POV kit and completed it in less than an hour. Most of the soldered points were rough. But I was happy.



Done!


I'm about to finish David's book and I've taken his other important advice -- visit the nearest maker space and learn how to use the machines available in it. It so happens that I found a Fab Lab at a nearby community college, so I signed up for a class ($99) which resulted in a small wooden keychain whose design was engraved by a laser cutter in the shop.

Going through that class has given me access to the Fab Lab ($5 per visit). They have several gadgets that I could use: 3D printers, a couple of laser cutters, a vinyl cutter, and a big ShopBot (aka a CNC machine, which will take separate lessons before I can use it).

So, thanks, David. It was a chance encounter, and you will probably not really remember it, but it's something that's inspired me to start making stuff again.
