When security gets in the way of things

A while back I went clothes shopping with my brother. While we were waiting in line, it occurred to me how the stores go to great lengths to prevent shoplifting. They obviously cannot have security cameras in the fitting rooms so they need another mechanism, and one popular way is to allow the customers to bring only a certain number of items into the fitting rooms. A lot of places enforce this by counting the number of items you’re bringing into the room (with an upper limit) and handing you a small badge showing exactly how many you’re bringing with you. When you come back out, the number on the badge is compared to the number of items you’re carrying.

This is a pretty simple and straightforward scheme that works quite well. With this post, however, I wanted to highlight that this approach has become so commonly used that the stores (and their employees) seem to have forgotten why it was created in the first place.

Posted at 11am on 11/16/08 by Soren Dreijer | no comments | Filed Under: Rants, Security

Security is only as strong as the weakest link

I recently had to register myself at the Danish Consulate in New York since I’ve relocated to the US. The registration page asked for various information such as name, address, phone number, e-mail address, and addresses of relatives. It also asked for my passport information, although that was optional.

Most people probably wouldn’t have noticed, but as a security-conscious IT professional I immediately saw that the registration page wasn’t encrypted with SSL. This, in my opinion, is particularly bad practice for a government-controlled website that expects its users to enter confidential information — and we’re not “just” talking credit card information here.

Posted at 4pm on 11/02/08 by Soren Dreijer | 1 comment | Filed Under: Rants, Security

About

Søren Dreijer is the CTO and lead developer at Echobit, LLC. He’s hard at work on LAN Bridger, an easy-to-use network tunnel. Stay tuned to his blog to keep track of the latest developments!
