Wednesday, January 11, 2012

Walk A Mile In My Shoes

If I could be you, if you could be me for just one hour
If we could find a way to get inside each other's mind
If you could see through my eyes instead of your ego
I believe you'd be surprised to see that you've been blind

Walk a mile in my shoes
Walk a mile in my shoes
Hey, before you abuse, criticize and abuse
Walk a mile in my shoes
----------------from Joe South's "Walk A Mile In My Shoes"

Walked into my bank yesterday to get a new debit card; my old one has taken up permanent residence with the dust bunnies and the missing socks somewhere in my house. The bank teller, while very nice, really struggled to help me out.

The cause of the teller's struggle? Seems the IT department at the bank randomly picks people on random schedules and requires them to change system authorization credentials: both user id and password. My teller's name came up in the "login lottery" about an hour before I walked in.

So, making a long story short, my teller fussed with the new login for five minutes and then simply called the IT department. She identified herself over the phone by simply providing her first name and her branch name; IT then verbally provided her user ID and password. She then logged in and helped me finish my business.

It was a slow day at the bank branch while I was there, so I took a moment to talk with the tellers about what happened. Seems my experience was a regular occurrence. I walked away with three thoughts:

1. I want IT security at a bank. We're talking about my money. I don't have much, but I am attached to what I have. But when the security process impedes a bank's ability to service its customers, isn't that a huge problem?

2. Seems like the whole user authorization process was easily circumvented with a quick phone call. My teller called and received her credentials. No validations, no lookups, no nothing. I could call from a branch phone, tell IT I'm Pete from the Eastern Bohemian branch, and I'll get Pete's credentials. Hmmm....

3. Saving my best thought for last. I'm willing to wager big money that the entire "login lottery" process would change if the folks in IT had to perform as tellers for a few hours. The best way to improve the experience for users and tellers would be to have the IT security team "walk a mile in my shoes"...or the shoes of the tellers in this case. Once the IT folks experience the security disruptions for themselves, I'd bet that eliminating those disruptions with a better process would be at the top of their project list.

Thoughts? Feedback? Rants? Find the comments.


James Morrow said...

Floyd --

I read an article lately on password complexity. Basically saying that we (IT) are shooting ourselves in the foot by requiring complex passwords (numbers, symbols, non-words).

In making this requirement, while we do increase the difficulty of the password, we also make it more difficult to remember the password. As a result, users (as they often do) tend to defeat our best intentions by using the same password everywhere or rotating through a handful of passwords.

The article was making the point that we might be better if we simply required longer passwords or even if we required maybe a "chain" of passwords.

Personally, I like the "chain" concept. Use three unrelated words and string them together to make one 20+ character password? It would be easier to remember and, by virtue of its length, be more difficult to brute-force.

Consider the password "0rclv1ll3". Has numbers and letters. It's >8 characters. But, it would actually be easier to brute-force than "thevelveteenrabit" (which has more characters and therefore more permutations...).

-- James
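The comparison James draws between "0rclv1ll3" and "thevelveteenrabit" can be made concrete by counting the candidates an exhaustive search must cover. The script below is an added example, not part of James's comment or the original post; it assumes the four standard character classes as the attacker's alphabet, and the 20,000-word dictionary used for the passphrase caveat is a constructed figure, not one from the page. It also goes one step beyond the comment: it shows that a chain of dictionary words must be judged against word-level guessing, not only character-level brute force.

```python
import math
import string

# Character classes used to estimate how large an alphabet a character-by-character
# brute-force search must cover. A password drawing only on lowercase letters and
# digits lives in a 36-symbol alphabet; uppercase and punctuation enlarge it.
CHARACTER_CLASSES = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "digits": set(string.digits),
    "punctuation": set(string.punctuation),
}


def alphabet_size(password: str) -> int:
    """Size of the smallest union of standard character classes covering the password."""
    return sum(
        len(chars)
        for chars in CHARACTER_CLASSES.values()
        if any(c in chars for c in password)
    )


def brute_force_keyspace(password: str) -> int:
    """Candidates an exhaustive character-level search must try: alphabet ** length."""
    return alphabet_size(password) ** len(password)


def bits(keyspace: int) -> float:
    """Express a search space as bits of entropy (log2)."""
    return math.log2(keyspace)


def passphrase_keyspace(word_count: int, dictionary_size: int) -> int:
    """Search space when the attacker guesses whole dictionary words rather than
    characters: dictionary_size ** word_count. dictionary_size is an assumed
    parameter supplied by the caller, not a figure from the post."""
    return dictionary_size ** word_count


def compare(short_complex: str, long_simple: str) -> dict:
    """Return both character-level keyspaces and their ratio for checking."""
    a = brute_force_keyspace(short_complex)
    b = brute_force_keyspace(long_simple)
    return {"short": a, "long": b, "ratio": b / a}


if __name__ == "__main__":
    # The two passwords quoted in the comment above.
    for pw in ("0rclv1ll3", "thevelveteenrabit"):
        ks = brute_force_keyspace(pw)
        print(f"{pw!r}: alphabet={alphabet_size(pw)} length={len(pw)} "
              f"keyspace={ks:.3e} ({bits(ks):.1f} bits)")
    # Caveat: a three-word chain drawn from a 20,000-word list (a constructed,
    # assumed figure) is smaller against word-level guessing than its character
    # count suggests, so passphrase strength rests on dictionary size and word count.
    ks_words = passphrase_keyspace(3, 20_000)
    print(f"3 words from a 20,000-word list: {ks_words:.3e} ({bits(ks_words):.1f} bits)")
```

Against a character-level search the 17-letter password has a keyspace roughly ten billion times larger than the 9-character mixed one (26^17 versus 36^9, about 80 bits versus 47). The passphrase function shows the flip side a defender should keep in mind: three words from a 20,000-word list give 8e12 candidates, about 43 bits, so the policy has to require words drawn from a large enough pool, not just a long string.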

Alexander Hansal said...

Thanks for sharing this, Floyd. I can only highly recommend the "walk in my shoes" strategy.

When I started as an IT guy for a construction company years ago, my first assignment was to sit in the Vienna branch as an operations clerk, typing in orders and bookings into their order management system 8 hours a day.

Guess how well I understood the end users' problems AND the system after those two weeks. Better than any training.

have a nice day


Misha Vaughan said...

I can only shout "Yes!" when you propose actually learning how end users are using a system.

It's a no brainer, and usually results in easy productivity fixes. Think how much money the bank could save on phone support if they paid one hour of attention to their tellers, and solved that problem.

But it does mean leaving your office :-).