Wednesday, December 21, 2016

The bug of security theater


It seems like the Internet and web-based services have been around forever and work well – from anywhere, just open up a browser on any device that supports one. Well, at the end of 2016, there is a new bug going around, preventing many different services from serving their users. The bug of security theater.

After many a security breach, billions of records exposed or stolen, millions of people affected in some serious or minuscule or unknown ways, the providers have learned that security matters. However, security breaches are still relatively rare, unsystematic, and often caused by an ‘oops’ – some singular event that wasn’t supposed to happen, like operator error. In many cases, there is simply not enough information on how to prevent the break-ins and unwanted exposure or loss of data. In other cases, providers may be able to do somewhat better – but at great expense: re-training staff, updating and enforcing stricter policies, and re-working technical systems.

Still, there is something that is relatively cheap and easy to do, and improves security – at least in the eyes of users and media. Security theater is commonly showcased in the user interface. Many-factor authentication, secure codes sent by email or text message or by audio in a phone call, highly sophisticated personal and public questions going back many years for the users to answer – all for the privilege of accessing the same old web-based email account.

Many providers are requesting a smartphone number to authenticate against, which is good for them – more data, but bad for us – more advertising phone calls. Many providers require a live exchange of data over the phone or email before allowing access, which is hardly good for them, and definitely bad for us – the wait times are often unreasonable. Still others insist on following up online communication with a phone call – which is bad for everybody, because if we wanted to communicate by phone, we would not bother with online access at all.


Security is different from security theater. Security is hard, and should enable us to do more business. Security theater is cheap, generates a false sense of being protected (and very real frustrations), and prevents us from doing things we want to do.

