Citibank Virtual Keyboard-Bad UI Example

For few years now, Citibank India has a Virtual Keyboard for their online login. While this is a good scheme to prevent Keyboard hookers the UI could have been better. Security and Prevention of hacking is not an excuse for lack of design and intuitive user interface, unfortunately many think it is so.

Notice the below screenshot. They say IPIN cannot contain special characters, can contain only Alphabets & Numbers. Then why did the Virtual Keyboard have special characters. Frequently I end up pressing special characters then get prompted I am wrong!