Sunday, January 10, 2016

Why governments should never be allowed to design webapps

At the end of December, California sent out a letter stating:

"Providing you convenient online services is important to us. Our highest priority is protecting your tax information"
Then they state they will be deactivating existing myFTB accounts and requiring registration with a new account.

OK, so they are enhancing security. It makes sense. But how do they do it?

Well, they require the annoying security questions that you must choose from. And the answers have to be at least three characters long. (If your second-grade teacher happened to be Po, you are out of luck.) And don't you dare change your favorite book, or call your first childhood crush by a nickname. Alas, this idiocy has become commonplace in the name of "security". (Thus scammers would have to go through the hassle of scanning somebody's Facebook profile to break into their account, since that is exactly where these answers live.)

From there, it asks for the numeric part of your address, your ZIP code and tax information. And then it barfs because it doesn't like something. It doesn't matter that the information matches what California sent; it still doesn't like it. What do you do?

Well, there is a support link. Only, chat is broken and secure email requires you to have an account. And phone? Well, you can try, but typically all circuits are too busy to respond to your call. Great. How about website support? There actually is a simple web form. Yeah! Fill it out, and it complains that special characters are not allowed. What are special characters? In this case, a quotation mark.

Lovely California. Just lovely.

(1/13 update) And to add to the dumbness:
Tried the super secure form again. It requires you to answer all those dumb security questions and enter all this information about yourself. Then only at the end do you play the game of "match the numbers" to see if you can create an account. Why isn't this the first step? If you fail this final step, everything done previously is useless. Uggh!

But, if you are unable to register, you can still make payments. However, they don't make this easy either.

They specifically disable copying and pasting in their form fields. You would think it would be more accurate to simply paste account information, right? Nope. Instead, you have to manually type it. The HTML source identifies the trickery: two inline event handlers that run only in the visitor's browser, so they add no security at all, just typos.

 oncopy="return false;" onpaste="return false;" type="text" 

Somebody at Accenture felt really smart, didn't they?
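To show why those two attributes are a nuisance rather than a control, here is an added example (not code from the original post, and not the FTB site's own code). It models just enough of DOM event propagation (capture phase, target with its inline `on<type>` handler, bubble phase) to demonstrate that `onpaste="return false;"` only calls `preventDefault()` in the user's own browser, and that a capturing listener on `document` which stops propagation, or simply nulling the inline handlers, lets the paste go through again. The element tree, class names and helper functions are constructed for this example; on a real page the equivalent one-liner in the devtools console is `document.addEventListener('paste', e => e.stopPropagation(), true)`.

```javascript
// Added example: minimal model of browser event dispatch, constructed for this post.
// It is not the FTB site's code; the element tree below is a stand-in for the
// <input type="text" oncopy="return false;" onpaste="return false;"> in the source.

class FakeEvent {
  constructor(type) {
    this.type = type;
    this.target = null;
    this.defaultPrevented = false;    // set by preventDefault() or an inline "return false"
    this.propagationStopped = false;  // set by stopPropagation()
  }
  preventDefault() { this.defaultPrevented = true; }
  stopPropagation() { this.propagationStopped = true; }
}

class FakeElement {
  constructor(name, parent = null) {
    this.name = name;
    this.parent = parent;
    this.listeners = { capture: [], bubble: [] };
  }
  addEventListener(type, fn, capture = false) {
    this.listeners[capture ? 'capture' : 'bubble'].push({ type, fn });
  }
  // Dispatch like a browser: capture phase root -> parent, then the target
  // (inline on<type> attribute first), then bubble parent -> root.
  // Returns true when the default action (the real copy/paste) may proceed.
  dispatchEvent(ev) {
    ev.target = this;
    const ancestors = [];
    for (let n = this.parent; n; n = n.parent) ancestors.unshift(n);
    const run = (node, phase) => {
      for (const { type, fn } of node.listeners[phase]) {
        if (ev.propagationStopped) return;
        if (type === ev.type) fn.call(node, ev);
      }
    };
    for (const node of ancestors) run(node, 'capture');
    if (!ev.propagationStopped) {
      // Browsers compile onpaste="return false;" into function(event){ return false; }
      // and treat a false return value as preventDefault().
      const inline = this['on' + ev.type];
      if (typeof inline === 'function' && inline.call(this, ev) === false) ev.preventDefault();
      run(this, 'capture');
      run(this, 'bubble');
    }
    for (const node of [...ancestors].reverse()) run(node, 'bubble');
    return !ev.defaultPrevented;
  }
}

// The payment form field as the post describes it (constructed stand-in).
function buildPaymentForm() {
  const document = new FakeElement('document');
  const form = new FakeElement('form', document);
  const input = new FakeElement('input', form);
  input.oncopy = new Function('event', 'return false;');
  input.onpaste = new Function('event', 'return false;');
  return { document, input };
}

function pasteAllowed(input) {
  return input.dispatchEvent(new FakeEvent('paste'));
}

// Bypass 1: a capturing listener on the document swallows clipboard events before
// they reach the field, so its inline handler never runs and the default paste
// proceeds. This is what the usual devtools/bookmarklet one-liner does.
function unblockClipboard(document) {
  for (const type of ['copy', 'cut', 'paste']) {
    document.addEventListener(type, e => e.stopPropagation(), true);
  }
}

// Bypass 2: delete the inline handlers from the element itself.
function clearInlineClipboardHandlers(el) {
  for (const type of ['copy', 'cut', 'paste']) el['on' + type] = null;
}

const demo = buildPaymentForm();
console.log('paste allowed as shipped:', pasteAllowed(demo.input));  // false
unblockClipboard(demo.document);
console.log('after capturing listener:', pasteAllowed(demo.input));  // true
```

The point for anyone tempted to ship these attributes: whatever a page does in the visitor's browser is under the visitor's control, so the handlers stop nobody who wants to paste, and they block password managers and careful users who would rather paste an account number than retype it.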
