
Establishing secure connection - eloisius
https://wellsoffice.wellsfargo.com/ceoportal/signon/loader.jsp
======
ben1040
This reminds me of something we had at my office about 15 years ago because
people were complaining their workstations were slow. In reality, their
workstations were just slow machines; standard issue box for most people was a
70MHz Sun SS-5.

So we wrote a perl script that printed out a bunch of platitudes like these,
while printing out an ASCII "progress bar." It had some randomly determined
sleep() calls in there to make it seem like it was doing something.

    
    
      Optimizing priority queues...
      Recalculating scheduler lookup tables...
      Terminating unused system processes...
      Recovering memory leaks...
      Flushing network buffers...
    

Then it'd randomly pick a number X and report to the user "System reports X%
faster."

We called it "speed" and deployed it to the app server. Some folks started
getting into the habit of running it every morning and swore by it.

~~~
hysterix
My father was an audio engineer/mixer and worked with some big names. He told
me a similar story that happened to him later in life when he finally owned
his own studio.

There were clients that would always insist on making audio adjustments, for
no good reason at all. They were paying to have their music professionally
mixed, yet still insisted on making adjustments and changes. Finally my dad
and his friend came up with a great solution.

Mind you this was prior to everything being digital, so what they did was they
had a massive 24 track. (a really big machine where you can individually
adjust the sound of each track) Well what they did was installed a knob that
looked just like the other ones in the track, but placed it a bit lower and
near to where the client would be sitting.

The client was then told they can adjust the "openness", or the "richness" by
adjusting this rotating knob to a particular setting (remember, the knob does
nothing, and isn't connected anywhere). My dad said clients would spend hours
adjusting this knob until they got it "just right", and would make sure to let
everyone know in the studio that knob was dialed in and to not touch it.

It's amazing how many silly things people have to do in all walks of life to
placate the ignorant.

~~~
acdha
One of the best designers I've ever worked with had a similar great strategy
with clients who considered themselves design experts (usually senior
marketing/advertising managers) and who would almost inevitably want to change
something in the “final” design.

The solution he had was to leave one obvious minor flaw in the final design –
a color which doesn't quite match, odd font choice, etc. It was a lightning rod
for unnecessary fiddling and was quite successful for keeping the changes
quick and low-impact.

~~~
hoka
There's a (Dilbert?) comic somewhere out there about this. Can't find it at
the moment, though :-/

 _edit_ found it:
<http://dilbert.com/dyn/str_strip/000000000/00000000/0000000/000000/10000/2000/400/12448/12448.strip.gif>

~~~
bobbles
The TV show had a part where they say they always give the manager a stupid
option and a realistic option to make it feel like he made the decision.

~~~
grakic
What if the manager chooses the wrong one?

~~~
derleth
Apple's maps for iOS.

------
MattRogish
This is one of those things that is done by people going "We need our
customers to 'feel secure'". I get the rationale, but is there actually any
data that suggests this gives that actual feeling? That users "feel" more
secure? Or are more trusting of the site? Or is this just cargo-cult UX?

edit: I've seen this on too many financial apps to think it's an isolated
incident. It's clearly a "thing" in financial apps (TurboTax.com does it all
the time; I see it on my Bank app, lots of mobile apps, etc.)

There's gotta be a reason, even if it's wrong.

~~~
markkanof
I worked for a company that implemented a similar technique and it had
positive results. The main feature of one of their web-based software
products was a report generator. The report was quite complex and included a
lot of calculations based on hierarchical relationships of entities in the
system. To build this report by hand would probably take hours, but the
queries and calculations were all highly optimized and could be run by the
server almost instantly.

Many users complained that they didn't like paying so much for this feature
because it didn't really seem to be doing very much. Instead of trying to
educate each individual customer about all the intricacies of the report they
just added a dialog box that would display for ~10 seconds and step through a
few fake progress messages. People stopped complaining about paying for the
report, and I would assume that is because the progress messages made them
feel like something complicated was happening.

~~~
dak1
Why do stories like this make me depressed.

~~~
swalsh
Because (I'm guessing, since you're on HN) you're an engineer. You spend
all day telling the most logical thing ever created how to act. It's as
predictable as a children's television show. Human psychology is irrational,
and thus unpredictable. The engineer psyche doesn't like that.

~~~
oh_sigh
Human psychology is irrational and unpredictable only for very narrow
definitions of rationality. Just because we don't understand the brain's
operation doesn't mean it doesn't behave rationally.

~~~
edmccard
Those definitions of rationality are useful _because_ they are narrow. If you
redefine "rational" to mean "how the brain operates", you might be able to
stop using the word "irrational", but...all the phenomena that previously fell
into the "irrational" category will still exist, and people will still want to
discuss them, so you might as well just use the same word for them as everyone
else does.

~~~
oh_sigh
The term "rational" is already well defined. I was claiming that the OP's
understanding of the meaning of rationality was limited, not that the term
rationality was narrow.

There are many other words and phrases available for us to talk about this
concept that are well understood and do not need to be redefined.

------
rgbrenner
this page doesn't actually do anything. It loads two animated gifs from Akamai
(one for the text, and one for the bar), and then uses some javascript to
close the window.

If I had to guess, there's a login page. When you submit your login, this page
pops up and displays while the login is processed.

source:

    
    
      <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
      <html>
      <head>
        <title>Loading....</title>
      </head>
      <body>
        <p align="center">
          <img src="https://a248.e.akamai.net/6/248/3583/000/wellsoffice.wellsfargo.com/ceoportal/DocumentumRepository/content/images/signon/messaging.gif" width="300" height="30" border="0" alt="Loading Status" /><br />
          <img src="https://a248.e.akamai.net/6/248/3583/000/wellsoffice.wellsfargo.com/ceoportal/DocumentumRepository/content/images/signon/statusbar.gif" width="300" height="30" border="0" alt="Loading Status Bar" />
        </p>
        <script type="text/javascript">
          var selfClose = function() {
            self.close();
          };
          window.onload = function() {
            setTimeout(selfClose, 10000);
          };
          window.onblur = function() {
            selfClose();
          };
        </script>
      </body>
      </html>

~~~
thorum
My favorite part is the onblur function.

------
jmandzik
Somewhere, deep within Wells Fargo HQ, there was a depressed developer in a
windowless office that died a little inside when asked to make this.

~~~
nym
I worked with the dev who wrote this at Wells Fargo.

To be fair, they do have windows in their office.

~~~
thebigshane

      I worked with the dev who wrote this at Wells Fargo
    

You can't say that and not provide more details.... You are obligated now.

~~~
nuclear_eclipse
He's probably obligated to _not_ provide more details...

~~~
nym
Ding ding.

------
seldo
This sort of fake-loader animated GIF is pretty common; it's just a slightly
more advanced version of a spinner GIF. I don't think it's really that bad.

What _would_ be bad is if this page would accept a parameter to redirect you
to somewhere, but it appears it doesn't do that -- it just closes itself.
Presumably this page appears in an overlay that then closes itself.
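
The redirect-parameter risk described in the comment above, as an added example that is not part of the original thread or of the bank's code: a hypothetical loader page that forwards to a `next` parameter, with the unchecked form beside one that accepts only same-origin targets. `PORTAL_ORIGIN`, the `next` parameter and the function names are assumptions.

```javascript
// Added example; PORTAL_ORIGIN, the `next` parameter and all names are hypothetical.
const PORTAL_ORIGIN = "https://portal.example";

// Unchecked form: the interstitial forwards wherever the query string says.
function naiveNextTarget(pageUrl) {
  return new URL(pageUrl).searchParams.get("next");
}

// Checked form: resolve the value against the portal's own origin and accept
// it only if the result is still on that origin. Anything else goes to a
// fixed landing page, so the loader cannot be used to bounce users off-site.
function safeNextTarget(pageUrl, fallback = "/home") {
  const raw = new URL(pageUrl).searchParams.get("next");
  if (!raw) return fallback;
  // Backslashes and control characters are normalised by URL parsers in ways
  // that can change the host, so they are refused before parsing.
  if (/[\\\u0000-\u001f]/.test(raw)) return fallback;
  let resolved;
  try {
    resolved = new URL(raw, PORTAL_ORIGIN);
  } catch {
    return fallback;
  }
  if (resolved.origin !== PORTAL_ORIGIN) return fallback;
  // Return a path only, never the attacker-supplied string itself.
  return resolved.pathname + resolved.search + resolved.hash;
}

// Constructed sample URLs (not taken from any real site).
const SAMPLE_LOADER_URLS = [
  "https://portal.example/loader.jsp?next=%2Faccounts%3Ftab%3D1",
  "https://portal.example/loader.jsp?next=https%3A%2F%2Fportal.example%2Fwires%23top",
  "https://portal.example/loader.jsp?next=https%3A%2F%2Fevil.example%2Flogin",
  "https://portal.example/loader.jsp?next=%2F%2Fevil.example%2Flogin",
  "https://portal.example/loader.jsp?next=%2F%5Cevil.example",
  "https://portal.example/loader.jsp?next=https%3A%2F%2Fportal.example%40evil.example%2F",
  "https://portal.example/loader.jsp",
];

// Side-by-side result for each sample.
function compareTargets() {
  return SAMPLE_LOADER_URLS.map((u) => ({
    naive: naiveNextTarget(u),
    safe: safeNextTarget(u),
  }));
}
```
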

~~~
obviouslygreen
It's not "bad" in the sense of actually hurting people, but it is dishonest...
it's a meaningless progress bar (not so terrible, Windows has us used to
these), but the series of lies flitting on and off the page definitely isn't
_good_.

We all know banks aren't trustworthy, but that's what they _should_ be, and
their goal should be _actual_ trustworthiness and not false, theatrical crap
like this.

~~~
bonaldi
Or false, theatrical crap like building themselves massive stone buildings
more suited for courthouses than branches and decking their interiors out with
dark wood and brass?

Banks are all about theatrics in the service of image. They depend upon it, in
fact. A bank that loses trust is a bank in danger of a run.

~~~
Dylan16807
Impressive buildings are theatrical but not at all false. They don't really
have a veracity at all.

A throbber is theatrics. Fake progress messages are (excluding joke examples
like in video games) a lie.

------
joshwayne
I see a lot of comments condemning this feature and saying it's ridiculous.
However, you have to understand that people outside of the tech industry have
a very different mental model of how computers work than the rest of us.

One example of this is shown in a usability study by the Baymard Institute on
top ecommerce checkout processes [1]. The goal of the study was to determine
best practices for checkout usability by testing the top 15 ecommerce sites.
One of the more fascinating finds they made was that during the checkout
process, users perceived certain fields as being more secure than others. Even
though the fields were all part of the same form and on the same page, users
still believed fields with a little lock icon were more secure than the rest
of the fields! It didn't matter if the entire page was encrypted. Users would
abandon the checkout process because the credit card fields didn't "feel
secure" compared to the rest of the page.

To most of us, this looks like a frivolous feature suggested by a "UX monkey"
(as one commenter put it) but don't underestimate the power of making users
feel safe. For all we know, this stupid gif could have cut support calls 20%.

[1] <http://baymard.com/checkout-usability>

------
ripberge
I use this tool every day and it has always made me laugh. The security of the
CEO portal is actually legit though. In order to do anything you must log in
with: company name, username & password. Once inside in order to do anything
important you must use your pin number + a random number from a security
dongle like this: <http://en.wikipedia.org/wiki/Security_token>

Then someone else from within your company must repeat a similar process to
approve your action. So you always need at least two people within your
company to perform any action.

Typically the CEO portal is used for wire transfers where security is pretty
damn important--once the money is gone--it's really, really gone.
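
The two-person approval flow described in the comment above, as an added example that is not part of the original thread and not the portal's implementation: a small model in which each step needs PIN plus token code and the approver must be a different person from the same company. The class, the verifier and the single-use treatment of token codes are assumptions, and all users, PINs and codes are constructed.

```javascript
// Added example; every name and value here is hypothetical.
// Stand-in for the real PIN + token check. Assumption: a token code is
// accepted once per user and refused if replayed.
function makeConstructedVerifier(enrolled) {
  const used = new Set();
  return (user, pin, code) => {
    const key = user.company + "/" + user.name;
    const rec = enrolled[key];
    if (!rec || rec.pin !== pin || !rec.codes.includes(code)) return false;
    if (used.has(key + ":" + code)) return false;
    used.add(key + ":" + code);
    return true;
  };
}

class DualControlQueue {
  constructor(verifySecondFactor) {
    this.verify = verifySecondFactor;
    this.items = new Map();
    this.nextId = 1;
  }

  // Step 1: the requester authenticates the action with PIN + token code.
  request(user, action, pin, code) {
    if (!this.verify(user, pin, code)) return { ok: false, reason: "second factor rejected" };
    const id = this.nextId++;
    this.items.set(id, { action, company: user.company, requester: user.name, state: "pending" });
    return { ok: true, id };
  }

  // Step 2: a different person from the same company repeats the process.
  approve(id, user, pin, code) {
    const item = this.items.get(id);
    if (!item || item.state !== "pending") return { ok: false, reason: "not pending" };
    if (user.company !== item.company) return { ok: false, reason: "different company" };
    if (user.name === item.requester) return { ok: false, reason: "requester cannot approve own action" };
    if (!this.verify(user, pin, code)) return { ok: false, reason: "second factor rejected" };
    item.state = "approved";
    item.approver = user.name;
    return { ok: true, action: item.action };
  }
}

// Constructed scenario: one wire request and five approval attempts.
function runConstructedScenario() {
  const verify = makeConstructedVerifier({
    "acme/alice": { pin: "1111", codes: ["100001", "100002"] },
    "acme/bob": { pin: "2222", codes: ["200001"] },
    "other/carol": { pin: "3333", codes: ["300001"] },
  });
  const q = new DualControlQueue(verify);
  const alice = { company: "acme", name: "alice" };
  const bob = { company: "acme", name: "bob" };
  const carol = { company: "other", name: "carol" };
  const req = q.request(alice, { type: "wire", amount: 5000 }, "1111", "100001");
  return [
    q.approve(req.id, alice, "1111", "100002"), // requester approving herself
    q.approve(req.id, carol, "3333", "300001"), // valid user, wrong company
    q.approve(req.id, bob, "2222", "000000"),   // right person, wrong token code
    q.approve(req.id, bob, "2222", "200001"),   // valid second person
    q.approve(req.id, bob, "2222", "200001"),   // same approval sent again
  ].map((r) => (r.ok ? "approved" : r.reason));
}
```
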

------
unsignedint
This reminds me of a story I heard about those ATMs. What I heard is that
there are technologies out there that can make a machine count/validate
cash almost instantaneously while not sacrificing accuracy. But apparently, that
makes some customers worry that their money is not being processed right, and
thus, every time you deposit money to those ATMs, they make that grinding
noise, appearing to be doing something useful.

~~~
jdechko
Which pisses me off because I'm wondering what the heck is taking so long. If
the vending machine can count a dollar instantly, why can't the ATM do it.

On the other hand, whatever algorithm they're using for the handwriting
recognition on checks is pretty amazing. I've deposited 100's of checks and
I've only had to type an amount once.

~~~
encoderer
A state of the art surely advanced by the USPS. Every time I scribble out an
address in my awful handwriting I pause for a second to appreciate the USPS
software that reads this and turns it into a barcode. Though to be fair I
think all it has to do is decipher the zip code.

~~~
shiflett
It's more complicated than that. The last line has to match two out of three
(for example, city and ZIP), and then it can try to do some reverse analysis
on what you've written for the address line. (Even that's an
oversimplification; it's pretty darn impressive.)

The USPS also has the additional challenge of matching what you think is your
address with what is actually your address. Very, very few people know their
address.

If that's not bad enough, if you've ever had something arrive successfully,
you expect the address that was used to work forever.

~~~
kd0amg
_The USPS also has the additional challenge of matching what you think is your
address with what is actually your address. Very, very few people know their
address._

What parts of their addresses do people typically get wrong? Where can one go
to find one's actual address?

~~~
jloughry
Here's where you can go to find your actual address:

    
    
        https://tools.usps.com/go/ZipLookupAction_input
    

There are, occasionally, errors in the database. I'm trying to get one
corrected now. If you find one, go to your local Post Office, find a
supervisor, and ask him or her to notify "Address Management".

------
mattdeboard
TurboTax has something that struck me today as similar (in spirit) to this,
though TurboTax's is a skeuomorphic thing.

It's the "Save & Exit" button TurboTax has. I'm sure that they are saving all
info as it is entered, but users of QuickBooks, Excel, etc., I'm sure are used
to having to save their data manually then exit.

I think all the guffawing at this progress bar is a little overblown. If a
question or concern comes up in user testing multiple times -- "How do I know
my connection is secure?" -- then why not put something in there that makes
the user feel safer? What's the problem with that? Sure maybe it's a little
overblown graphically but, c'mon, when you're a bank you _need_ your customers
to _feel_ secure, in addition to actually _being_ secure.

~~~
emilv
I think it is a terrible idea to put fake security symbols on the screen. It
makes people trust those fake symbols instead of learning what they should
look for. Since the symbols are just fake it is very easy to stage a MITM
attack.

A much better security indicator would be something saying "This site is
secure if there's a green area in the address bar [picture of what it should
look like]. Click it to verify our identity.".

------
tptacek
Exactly the security I'd expect from a "CEO Portal". :)

~~~
jneal
Very true, but for those that don't know in this case CEO is "Commercial
Electronic Office"

------
aqme28
If you were going to inspect to see if it was actually doing anything, let me
save you the trouble. It just plays these two gifs on top of each other.

<https://a248.e.akamai.net/6/248/3583/000/wellsoffice.wellsfargo.com/ceoportal/DocumentumRepository/content/images/signon/messaging.gif>
<https://a248.e.akamai.net/6/248/3583/000/wellsoffice.wellsfargo.com/ceoportal/DocumentumRepository/content/images/signon/statusbar.gif>

------
salman89
Likely is security theater, but in all fairness they might actually be doing
all those things and wanted a UI element to let users know what is taking so
long.

------
dumyCredentials
You can see this in action by trying to login using dummy credentials here:
<https://wellsoffice.wellsfargo.com/ceoportal/>

:-)

~~~
thebigshane
That makes this even sillier... The popup stays open claiming to be
authenticating, while the main page has already returned with the error
message "Your sign on was unsuccessful. Please try again..."

~~~
shivaas
yep.. it's a theatre all right

------
jlarocco
That's kind of silly.

But as a Wells Fargo customer, I've never seen it while using their website,
and I use the site to check my accounts and transfer money between accounts
once or twice a week.

~~~
jeff18
It is for their commercial portal: <https://www.wellsfargo.com/com/>

------
daigoba66
"reticulating splines"

------
ante_annum
So, it's actually possible to update a dynamically served gif to provide real
progress updates. If that's what they were doing, I'd wonder why they did that
rather than use js hooks.

But this is just a silly static image. What if the server takes longer than
the image to load?

~~~
Mahn
Then it'll just get stuck at 100% until it's done. It's not like users have
never experienced this, progress bars have never been _that_ accurate.
Probably thanks to Windows, which did a pretty good job at educating users not
to expect an accurate progress bar at all.

------
gesman
I envy the consulting company that was tasked $100k to build such a "secure
solution" :)

------
obilgic
It closes the tab when I click "inspect element". How does it detect that?

~~~
eccp
it's the window.onblur handler. If you select "inspect element" the browser
opens a new window for the developer tools and the previous window loses the
focus, triggering the handler.

It also happens if you load the page then open a new tab. The previous tab
will lose focus and close itself.

------
eclipticplane
We added progress bars and silly status messages to our 500 error pages in our
web app. Things like a 15 second count down to "recalibrate" or "attempting
automatic system correction". It, at minimum, stopped users from constantly
clicking a button or link that was having server issues (and thus spamming our
error queue). Instead, they'd wait the 15 seconds and then go try again.

If the issue was transient, like a dropped connection to the database or
memcached or some obscure deadlock, the "automatic" fixes worked as expected
from the user's perspective. We, of course, still got the full error report to
diagnose the issue.

I even have a few gems in our user feedback system where the users outright
praise the "automatic error fixer" and they wish every website/app had a tool
like ours.

------
jloughry
It happens in chemistry too. In his book _The Green Flame_, Dequasie told the
following story:

"The salesman had been selling hydrochloric acid, sometimes known as muriatic
acid. The industrial grade usually had a green tint caused by contamination
with iron. The company that the salesman worked for improved its equipment at
considerable expense and proudly began putting out water-white muriatic acid.
The salesman immediately began getting complaints from customers who did not
want that weak white stuff. They insisted that they wanted that strong green
stuff that they used to get. So, for those customers, the salesman arranged to
have a small nail dissolved in each jug shipped to them. Result: happiness."

------
hy3lxs
"Locksmith gets less tips and more price complaints for being faster"

<http://news.ycombinator.com/item?id=2007385> (807 days ago)

------
manaskarekar
Reminds me of this interesting reddit discussion:
<http://www.reddit.com/r/AskReddit/comments/uc6qy/reddit_today_i_was_reading_about_bose_thanks_to/c4u50kr>

And the corresponding HN discussion that followed:

(Apple's iOS is "deceptively fast")
<http://news.ycombinator.com/item?id=4047032>

In this case, we have security instead of speed. That's not to say it isn't
secure anyway.

------
JadeNB
The Mac OS X.4 PBE would display the estimated boot time on startup; I thought
it was using sophisticated logic, but was later told that it just averaged the
last, say, 10 boot times (which is probably at least as reliable). I seem to
remember that you could even execute `/usr/bin/loginwindow` (or some such
path) from the command line and watch it pretend to boot at any time. I forget
when this 'feature' went—maybe as early as Leopard?—but it's not in Mountain
Lion.

------
arjn
Wow! I can't decide if this is hilarious or scandalous.

------
bmle
I used to work for a major online tax software provider. I won't name them but
I'm sure you can guess. Not sure if it's still there but right after you log
in, there are some redirects that take you to the app servers hosting the
product and you get the same type of loading image though no secure
connections were being established.

~~~
bmle
I should emphasize that the connection was already secure, but creating a user
session on the server side took a long time so this graphic was displayed to
users. So don't worry!

------
phpnode
hfs - your account has been dead for > 200 days

------
bestest
This felt uncanny. Like I was violated in some strangely wonderful peculiar
way.

------
noblethrasher
Don Norman discusses why you would want to do something like that here
<http://businessofsoftware.org/video_09_dnorman.aspx> (50:30).

------
bbq123
As a customer of Wells Fargo CEO Portal I no longer feel safe using it.

Fun aside this portal uses two factor authentication with RSA tokens (that
were promptly replaced after RSA token vulnerability was found).

------
maxhe
I noticed something similar on TurboTax:
<https://turbotax.intuit.com/tto/alias/dncanimation>

------
gfalcao
This is ridiculous

------
jseip
We need a progress bar! ~Brilliant MBA

~~~
rozap
That's why they get paid the big bucks. Genius!

------
adev
Been there done that. Software development is sometimes Social development as
well.

------
mikegirouard
As a fan of UX patterns I'm curious: what would this one be called?

------
DrewHintz
> ceoportal

Sounds about right.

~~~
mtrn
My thoughts exactly.

------
borgchick
security theatre much? face palm

