A lot of service providers want prospective customers to believe that they take security seriously. Unfortunately, wanting customers to believe something and actually investing in the appropriate tools and technology are very different things. It is fairly easy for companies to feign strong security measures. This sort of security façade is the all too common security theater that airports and the much-maligned TSA have elevated to an art form. Of course, security theater is by no means restricted to the airline industry, and in fact, is a far too prevalent practice across sectors. Below is an explanation of security theater in the data world along with some reasons that it is problematic:
Security Theater Is...
Basically, companies require customers or users of their service to set up accounts and add requirements or features to make the account seem more secure than it really is. For example, to create an account the user may need to come up with an overly complicated password, usually with a ridiculous number of characters, several symbols or punctuation marks, and numbers. Although a password should be difficult for another person to figure out, it should never be so complicated that the person who created it won’t even be able to remember it.
Another example involves creating an account and choosing a picture for the account with a personal descriptor of it. The idea is that the picture and descriptor will appear on the login page for all subsequent login attempts and thus the person will know that they are in the right spot and under the correct username. These kinds of measures, while seemingly adding a layer of security, are insufficient both alone and together in keeping an account protected.
For one thing, passwords are shared and stolen all of the time. Some savvy hackers know how to exploit the "forgot password" link that most websites offer to illicitly enter an account. They simply enter the information they managed to obtain, have the reset password link sent to an email account that they can access, and then can easily create a new password, thereby gaining access to someone else’s account and information. As for the account-associated picture, most people can probably attest that once they choose and label that picture, they do not pay much attention to it when they login. Thus, users could easily enter information into a fake website without noticing that it does not show the picture on the login screen.
It Is Dangerous Because....
One of the problems with security theater is that it creates a false sense of security for users. Most consumers likely believe that a username and password, standard account access requirements, are sufficient security measures. And, because of the erroneous belief that the account is adequately protected, users may not take any additional steps to ensure that their accounts are protected. It has become so customary to set up accounts with this information that most people probably do not realize there are much better methods of account protection available.
Actual Security Involves...
Important information that will be stored electronically must only be stored in an online database that employs multiple, rigorous security measures. Two of the strongest methods that can be utilized to protect an account's contents are two-factor authentication and advanced encryption. With two-factor authentication, users must enter their usual username and password, but then they must provide a second factor, or piece of information, that authenticates that they are who they say they are. The most common way of achieving this involves text message-generated codes that have to be entered within a certain window of time before they expire. Thus, with every login attempt, a new factor is created and sent to ensure that at least one piece of information for account access is dynamic, cannot be memorized, and thus is far less likely to be intercepted.
With respect to encryption, this is an advanced security tool that will provide additional protection in the unlikely event that someone without authorization manages to access the system. Encrypting data scrambles it so that anyone who intercepts a transmission will not be able to read it. Unfortunately, providing encryption is not necessarily considered a standard practice, so companies with valuable matters at stake need to determine whether it is worth it to invest more in a system that does offer it.
With the ubiquity and prevalence of data breaches, it is incumbent on both companies and consumers to investigate and ask about any service provider’s data security measures and to take their business elsewhere if the security is inadequate or nothing more than security theater.