There are people who are annoyed about poorly secured applications and an equally good number of people annoyed about too many security measures in applications leading to poor user experience. It is common sense that neither security nor user experience has absolute limits, and it is a challenging job to achieve perfection on these measures and balance them too.
My experience with the State Bank of India mobile banking application is a perfect example to discuss how unbalanced it is.
I am sure there are hardly a few who know about the State Bank of India mobile banking application, and even if you are one among the few, I am not sure how many of you are successful in installing and using the application. The primary issue here is too many security measures at the expense of a great user experience.
Application Awareness …
First and foremost, I am not sure why SBI doesn’t advertise / promote its mobile application on par with many of the private sector banks like ICICI Bank, HDFC etc., as mobile is seen as the way forward as a leading customer touch point and it is no longer seen as an optional service. Maybe they are not quite sure about how well the application performs?
Knowing the general conservative perception about the bank, it could only be a few technically savvy people who would have made attempts on their own (without any awareness) to search for the SBI mobile application in the Apple / Android marketplace and install the application.
First, banks and organizations should not have second thoughts about the acceptance of mobile applications, and they should be aggressive in developing, deploying and promoting these applications to delight their customers.
Activating the application ….
Assuming you are such a lucky person to do it (the application definitely offers great features at the tip of your fingers), your real issue starts in activating your mobile banking. There are three steps you have to do as a user to activate this application.
Step 1 – In the first step of your activation, after installing it from your application store, you get a cryptic alphanumeric username for your mobile banking application.
Step 2 – As step 2, you have to send another cryptic SMS containing the above username to a given phone number. This also returns you a 6 digit numeric password for the application username you received in step 2.
Step 3 – Even after step 2, with a username and PIN, you can’t use the application, as what you got is only a temporary PIN, and to change the temporary PIN you have to visit one of the ATMs of SBI or a branch. In the ATM you have to reconfirm your mobile number (it never worked for me); in the branch you have to let them know that this is your current mobile number (I went three times in three consecutive weeks to remind the bank person to do it, and meanwhile, in the three weeks' time interval, the username expired and I had to go through the same process again… terrible experience).
If anyone after going through this thinks that it is reasonably acceptable to do all the above to ensure security, I believe he / she should be an outlier :)
Can’t it be made a lot more user friendly?
Why is there a need for a new username? Why doesn’t it use my registered web banking user ID as the application user ID and the web banking password as the password to provide access to the application?
Given that the bank already knows my mobile number (I gave it at the time of account creation), if I key in my ATM PIN correctly in my mobile application, shouldn’t it map the mobile number / PIN to my account and provide direct access to the application?
Assuming there is a catch here, as there is a probability of you not having updated your mobile number and, worst case, the mobile number being recycled by your telephone operator to someone else, I understand there is a security issue, but still I believe it is ok, as there is near zero probability of that person knowing my ATM PIN. Worst case, if required, you can ask for the debit card number as well as the ATM PIN as an additional security measure, as that is exactly what you do in the ATM, except that you are not inserting your physical card in the ATM machine… which is ok…
Just thinking one step beyond, wouldn’t it be great if these mobile service providers provided a web service that the mobile banking application can use to match and check whether it is the current mobile number for the user and provide seamless access to the application, as the mobile service providers can provide my name / address to cross-check and revalidate without any user intervention?
Application Usage Experience ….
Assuming you are all set and you are now ready to use the application, the second set of issues starts in application usage.
Every time, it asks for the cryptic username it provided me. I don’t have an option to change it. Considering the fact that it is difficult to remember, you don’t even have an option of storing it somewhere in your mobile.
Second, it asks for the PIN for every transaction, even if you haven’t switched to other applications. This is a real nuisance. I am ok to re-key the PIN if I have switched to some other application or the mobile went to idle state for some time before I use it again, but I believe it is too much if you have to key in the PIN every time for every request, right from balance enquiry to funds transfer.
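The re-prompt rule described above (ask for the PIN again only after an application switch or an idle period, not on every request) can be written as a small session policy. This is an added example, not code from the SBI application; the class and function names, the 120-second idle timeout and the sample timeline are assumptions made for illustration.

```python
from dataclasses import dataclass

IDLE_TIMEOUT_S = 120  # assumed value; the post only says "idle for some time"


@dataclass
class PinSession:
    """Decides when the app must ask for the PIN again."""
    idle_timeout_s: float = IDLE_TIMEOUT_S
    unlocked: bool = False
    last_activity: float = 0.0

    def pin_verified(self, now: float) -> None:
        # Call only after the PIN has been checked successfully.
        self.unlocked = True
        self.last_activity = now

    def app_backgrounded(self) -> None:
        # User switched to another application: lock immediately.
        self.unlocked = False

    def request(self, now: float) -> str:
        """Return 'PIN_REQUIRED' or 'ALLOWED' for one user request."""
        if self.unlocked and now - self.last_activity > self.idle_timeout_s:
            self.unlocked = False  # idle too long: lock and stay locked
        if not self.unlocked:
            return "PIN_REQUIRED"
        self.last_activity = now  # activity extends the idle window
        return "ALLOWED"


def replay(events):
    """Feed (time, kind) events to a fresh session; return request decisions."""
    session, decisions = PinSession(), []
    for now, kind in events:
        if kind == "pin_ok":
            session.pin_verified(now)
        elif kind == "background":
            session.app_backgrounded()
        else:  # any banking request, e.g. "balance_enquiry", "funds_transfer"
            decisions.append((kind, session.request(now)))
    return decisions


# Constructed timeline, in seconds since launch (not data from the post).
SAMPLE = [(0, "balance_enquiry"), (5, "pin_ok"), (6, "balance_enquiry"),
          (40, "funds_transfer"), (50, "background"), (55, "balance_enquiry"),
          (60, "pin_ok"), (61, "balance_enquiry"), (400, "funds_transfer")]

if __name__ == "__main__":
    for action, decision in replay(SAMPLE):
        print(f"{action:16} {decision}")
```
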
And the list doesn’t stop there. There are other issues, like it not being able to fetch my linked accounts, payees etc. by default. The synchronization doesn’t work, and you may end up setting up the duplicates again in your mobile, though personally I expect everything I have already set up in my web banking to be made accessible in my mobile without any further steps / actions.
The funny thing on the security side is that it sends an SMS on every action I do, and this SMS contains confidential details that are right in my SMS folder, which can be accessed by others without any protection measures. I believe this is a flip side on the security front and I am not sure why they do so.
I believe, as I stated in the opening, balancing security and user experience is a fine act, and unless you leverage technology / put your thoughts into having a secured but user-friendly, customer-centric process, you might end up developing a secured, robust application but there may not be anyone to use it ….