Think about UX and Security next time you get onboard!

It works! Another title bait. Perhaps it should have been written as “Oslo’s Flytoget: a good UX/Security balance?”. Anyways, since you are here, I hope you enjoy the read.

Besides visiting many places, meeting interesting people and experiencing different cultures, working as a consultant provides you the possibility to face unique human–computer interaction experiences.

I actually started my career as a web designer and since then, I’ve been into this UX thing, so it’s great to spot different User Experience (UX) implementations.

San Francisco’s BART

BART stands for Bay Area Rapid Transit and is probably the most used public transport between SFO and the city center. If you have ever been there, you will probably recall its ticket machines from the images below.

Look at how many buttons, slots and signs! That’s scary. My first time there I felt stupid trying to get it working. After a few attempts I decided to step away and check someone doing it correctly (or becoming embarrassed as well).


But rather than describing what a struggle it is to buy a ticket for BART, which seems to be well known, I will simply compare it to another experience I’ve had in another country with a similar goal: an airport ↔ city ride.

“Wait, what if I use a Clipper card?” Well, check the official video instructions on how to top up and tell me what you think about it!

In case you don’t know BART or haven’t checked the videos, please take a moment to imagine how to operate this thing from the pictures below. And bear in mind that we are into IT/computers, let alone the elderly and other people who are not so tech savvy.


BART’s ticket machine home-screen


For buying a ticket – after you check the destination’s ticket price on the wall, you should input the exact price by adding/subtracting values from side buttons!

At this point, we should agree that the city of the Golden Gate Bridge – where a lot of startups and great minds are constantly coming up with cool ideas – deserves a better interface for its rail/subway system.

How does Oslo’s Flytoget work?

Basically, you swipe and go.

Well, all you need to do is swipe your credit card at one of the “ticket machines” and enter the train. That’s it. Done. End. No plastic/paper ticket, no ticket gate/ratchet/turnstile.

Apart from the fact BART is located in a country where a lot of people do use cars rather than public transportation (sources: Vehicles per Capita and Public Transportation usage), and that it is not an Express service like Flytoget, I am simply comparing interfaces for a train ticket system.

Here are the pictures from the simplest ticket interface I have ever seen:


Flytoget’s ticketing machine


Single operation: swipe the card.


After successfully swiping the card, a green message is shown (assuming red otherwise?)

An additional step is needed after swiping the card, in case you are departing from the airport. There’s a touch screen (image below) where you tap the icon corresponding to your final destination. Since the ticket price is fixed, I guess that’s for Analytics reasons.


There’s also an app for mobile phones, with no card swiping needed, but I’ve never tried it (perhaps less CC data exposure here?). That’s not an exceptional UX example, but better than most systems being used out there.

Everything comes with a price: Security x UX

How are they handling or storing my credit card data? What about a receipt? How can I expense the cost of the travel journey if my company does not consider credit card reports? Here Security/Privacy might become an issue.

A receipt is available at Flytoget’s website within 24 hours after the journey. First, you create an account and then you link your CC number to your profile (!).

Now, needless to say they must be storing some credit card data, likely including parts of the CC number. If you know how it works, please leave a comment below.

It’s easy to suggest we need a balance between UX and Security when there are actually so many variables involved. But IMO, we need to think about the business success first, which is directly tied to UX (way beyond Security?).

If following the rules (laws, regulations, etc.) does allow such an option (Swipe and Go), it should be considered. Also, users should know their CC might be exposed from the time it’s shipped, as they should know about the refund policy in case of CC theft or fraud.

From the user’s perspective, depriving yourself of those solutions sometimes makes little sense. That becomes even more interesting from the UX designer’s perspective, considering most users will not even bother evaluating those risks.

Should we provide a unique user experience (UX) at the price of an increased risk? Or should we provide better Security at the price of an average UX? That’s just one of the dilemmas UX/Infosec professionals face.

UX pros should consider Security as part of their design as we, Sec pros, should consider UX when planning our strategies and actions.


