Here's the background of this tale: a few years ago, Bank of India decided to do away with browser-based access to internet banking. They instead created a piece of software called 'Star Connect' and started forcing customers to download it and use it, if they wished to use internet banking. Now, this software is available for only Microsoft Windows. If you are a customer who uses Linux/Mac, oh well, that's too bad. "Hey, why don't you use Windows instead?" probably best describes Bank of India's attitude towards non-Microsoft using customers. I thought I'd procrastinated about complaining, for long enough and decided that I'd register a complaint on the Bank of India grievance page. I filled in my particulars, and in the 'Details of Complaint' box, I wrote the following:
"I'm unable to use internet banking as I don't own a computer with Microsoft Windows on it. Please either enable accessing internet banking using a browser, or make software for Linux/Mac. Forcing customers to use Microsoft Windows if they wish to use internet banking, just because it means less effort for your programmers, is simply unethical and unacceptable. Imagine if the Government were to say that we can use the national highways, only if, say, we used cars manufactured by Chevrolet? Would that be acceptable? Your decision to allow only people using Microsoft Windows to use internet banking is just as absurd and unacceptable."
When I clicked on the 'Submit' button, I got a pop up that said, I quote "Enter valid complaint !!". I was taken aback for a second, but I quickly recovered. I'm a programmer myself and over the years, I've been exposed to examples of extraordinarily sloppy programming, so I asked myself aloud "What have I put there in that text box that would make a lousy programmer flag as invalid or objectionable?" I had the answer after a few seconds of thought: quotation marks!
Why were the quotation marks a no-no and why did that reluctance to let me use proper punctuation signal lousy programming? Here's a strip from xkcd that explains just that. The link to the original is here.
For those who didn't understand, the fields that you enter in just about any online form ultimately ends up in a database. If the programmer is exceptionally lousy and fetches the data from the various 'boxes' on the form and tries to enter it directly into a database, a devious individual might actually enter database commands into the text box and get them to execute on the server, potentially causing serious damage, as illustrated in the comic above. The solution? Sanitizing the inputs or ensuring that the contents enter the database verbatim, instead of getting executed as commands. It's really easier than it sounds and any programmer who is worth his/her place in any organization ought to do it! So, coming to Bank of India, either the programmer is simply not sanitizing the inputs or is not confident in his/her own ability to sanitize them, and is therefore opting to instead ban the user from using all punctuation marks such as quotation marks and semicolons!
I quickly removed all instances of quotation marks in my message, and clicked on 'Submit' again. What now? I got a popup again, but a different one. It now said, I quote "complaint should be minimum 300 characters !!". This was both funny and tragic at the same time! Funny, to think that Bank of India thought it mandatory for its customers to have long complaints, but tragic, when I realized that the lousy programmer was not only equally bad at English, but was also extremely careless: Not only did he fail to use proper capitalization where required, he used minimum when he meant maximum! Only after I removed all the quotation marks and trimmed the length to under the 300 character limit did the page accept my complaint.
Here's why I think Bank of India should do a serious rethink about their IT infrastructure, staffing and product deployment:
1) Their software developers are quite inept, as demonstrated above.
2) With developers as inept as the ones they have currently, how credible are the software they develop?
3) With Windows being as insecure and vulnerable as it is to all manners of malware/viruses/spamware, is it really prudent to develop a software related to internet banking that runs only on Windows?
I'm going to try and ensure that the people at Bank of India get to see this. They'll probably ignore it completely, but I'm being optimistic here: I hope to be able to see some changes in the right direction soon.
Screengrab of the shocker:
The other shocker!