It’s bill-pay day, so of course I’m confronted once more with several payment portals that have security theater. What do I mean by that? I mean, stuff that looks like it’s some kind of security (preventing theft of personal information, verifying that the actor is the right person, etc.) but which doesn’t actually provide any security. Sort of like the bit where you have to take off your shoes when going through airport security — that doesn’t do anything useful, but it makes people feel as though something useful is happening.
So here I have to deal with four separate payment portals. The situation is, I’m paying a bill. I’m trying to give someone else money. And here’s what the someone else wants:
- Enter my checking account number and the bank’s routing number, since paying with a credit card incurs the credit processing fee. But, the paste operation is disabled on these fields. So I have to type these numbers.
- And, I have to type them twice, to make sure they’re the same.
- Fill in a CAPTCHA before submitting the payment form.
What the first step does for the portal is a mystery. Why should I be unable to paste the routing number and account number, which I copied from my banking website or my password manager? It makes no sense. I’m much more likely to make a mistake while typing than while doing copy/paste.
The second step is a legacy from the days before copy/paste. That’s an error detection step to catch mistakes on data entry. If you allow copy paste, you don’t need that step. If you disallow copy/paste, then you do need it, but why are you disallowing copy/paste? (Special bonus frustration: the fields are marked as password fields, so you can’t even read what you’ve entered — it’s all just asterisks or bullets.)
The third step is an utter mystery. I’m not entering a password, I’m paying a bill. The information displayed on the “payment received” page is the same as the information required on the “submit payment” page: account number and payment amount. As I’ve written before, who cares whether a robot submits the information?