Monday 26 November 2018

Misfiring On User Experience

It's nearing the end of the month, and I'd like to share a little story that happened back when I was working in this tiny office as a wet-behind-the-ears web developer, and the valuable lesson I learned from it. My memory of the exact details is a little fuzzy, so bear with me if some of it doesn't make sense.

It all started with a little assignment...

Back then, my boss also doubled as a tech trainer, and he had a series of courses he marketed. At some point, he wanted me to write a course scheduler that would allow the user to pick a course, select the available dates and input his or her details. Discounted rates were available for prospective students who selected certain options (this little detail will be relevant later).

So I dug in and wrote the code. It was HTML and JavaScript, with a PHP back-end to send an email upon completion, with the details that the applicant had entered, to my boss. Within a day, I had the site up, and I was testing my JavaScript, and putting it through all the test cases I could think of. There were plenty of moving parts, so I had to be careful to try all options to ensure that the site displayed only the options that were available under certain conditions.

The site was up and running for a week. It seemed to work, and I received no complaints.

Change... and catastrophe

After a week, the boss requested that I make a slight change to the site. The discounted price would no longer be available no matter what options the applicant selected. I made the necessary adjustments, which amounted to some lines of code being commented out. It was a quick and dirty fix, but tests indicated that it worked.

Then one morning, all hell erupted. One applicant had somehow managed to get the discounted price on his application and raised a fuss when informed by my boss that the discounted price was no longer available. After the dust had settled, my boss was livid. He chewed me out for allowing this to happen. I didn't take it personally; I was too preoccupied trying to figure out where my tests had gone wrong.

Clicking repeatedly and randomly.

Speaking to the aggrieved applicant, it turned out that when the discounted price had not appeared, he simply assumed that it was a browser error and refreshed the page over and over again till he got the result he wanted. This somehow jammed up my asynchronous procedures, another reminder that where async is concerned, just getting correct output is never enough.

Rumination

When the dust settled, I took a long hard look at the entire thing I had set up, and the events that had led up to the catastrophe.

A user had succeeded in hacking the system; not by design, but by accident, which was worse. How could this have been prevented? Well, prevented is a strong word and presumes that the problem was technical. And yes, to an extent, it was. But there was a bigger picture behind this incident. Had the user known that the discounted price was no longer available, he would not have assumed that the system had calculated his final bill incorrectly and taken those actions.

What I learned from this is that the importance of User Experience (UX) cannot be overestimated. The system had not even warned the user that the discount had been discontinued. There was no feedback that would take the user from one point to the next; no visibility. Sure, this would not have stopped a deliberate and determined hacker, but it would have made the system more user-friendly and kept the relatively innocent user from what I call "panic-clicking" and causing the system to malfunction. Not looking pretty is one thing, but clarity is important. When it gets to the point where the user is just randomly clicking around to see what happens, the system is failing. Not at a technical level, but at an interface level.

Lost in the interface.

Also, how many deliberate and determined hackers are there compared to the number of users with innocent intentions? I'd wager that the latter outnumber the former by a factor of hundreds. Therefore, it's only good business sense to put in the extra bit of effort for those people.

Think about it: all it would have taken was a simple system message to inform the user that the discounted rate was no longer available! Such a simple thing, and so obvious in hindsight.

No matter how solid you think your code is, no matter how much you've tested the system, it will never be enough. Something's going to get through. Something you never foresaw. And if this can be mitigated with just a little more user-friendliness, it's worth it.

Till next time, stay UXcellent!
T___T
