Wednesday, January 16, 2013

What a strange notification

I was paying my credit card bill today and after logging out I noticed their standard notification: "You have successfully logged out of Online Banking".

Really? Is this necessary?

Has there ever been a case of someone unsuccessfully trying to log out?

12 comments:

  1. In most cases, just leaving the website logs you out, anyway. This is pretty standard for online banking.

    1. Ya I know, but Kate always bugs me about just leaving the website so I've gotten into the habit of pushing the log out button for the sake of marital bliss.

      Anyway - still a weird message I think.

    2. Yeah, it would make more sense if it just loaded the homepage. Or at the very least only flashed the message for a second or two before loading the homepage. I don't know anything offhand, but how much would you be willing to bet that there is some regulation that says that they must do this? I don't really want to bet money, and it does sound kind of nuts, but I certainly wouldn't doubt it.

  2. I want to say that the message is due to regulation...but I can't point to any regulation. However, my credit union recently switched to an industry standardized type of login system that includes identifying questions, cookie authorization, and an identifying picture (and a logout message). There was a vague allusion to bringing the system up-to-date with industry standards and regulation.

    So that is where the regulation idea comes from.

  3. Often it's possible to access the website using more than one window or tab. Depending on how the system is written it can be difficult to log out those other parts of the session. So, say you're in the main window for an account in one tab and in that you press "logout". In another tab you may be somewhere else in the site in a critical part of a procedure. In that case the site may tell you that you haven't logged out and can't log out until you've finished with the other tab/window. What's presented as one site to you may be more than one to the bank itself, perhaps running on different servers or provided by different companies. That makes this problem more likely.

  4. Logging out involves sending information to the web site and getting a response back. That communication can fail. The message is there to tell you that the server is aware that you have actually logged out. It also tells you that you no longer have a secure (i.e. "https:" vs "http:") connection to the server.

  5. Redundancy is important to communication. In the case of my banks, they farm out some processes to other entities, which also require you to log out. Logging out of them does not log you out of the bank site. I use other sites that do that, as well.

    BTW, once you have logged out of your bank site, you should close your browser and delete cookies from the bank site. You can't be too careful online.

  6. It can fail. Your session may have already timed out, or communications may have failed, either en route to or on return. This provides a signal the logout was successful. If you don't log out, the session will generally remain active until time out, which leaves a time window for hijacking to occur. The simplest case would be you walking away from your computer and someone else coming up to it and continuing your session without having to authenticate.

  7. It's to make you, or most people anyway, feel better about the interaction and provide a reward for clicking the logout button. Many social sites don't log you out when the browser closes, which can foster a lack of trust. They may be wishing to provide a clear contrast to such sites, in order to foster trust with you. Necessary? Not for a banking site.

  8. It's a good idea, as, if the logout does not happen, further actions might still be allowed. Dangerous.
    It's like the lock on your door. Hearing the lock latch when you close the door.

  9. I really think the notice is intended to let you know your status. I have moved around in different accounts, only to get "hung" and not be able to return to a desired screen. In such cases the program logs you out, giving you the "Success" message. It is irritating, but a bit more positive than a message such as "You have displayed gross ineptitude on our site. Out..out I say!! Good bye, and Good Riddance!"

  10. It's security theater and it's stupid if they actually are capable of signaling a failed logout attempt. They're training you to click on the "everything is fine" button. What are the odds you'll notice when they change it to an "everything is not fine" button? Not big.
