Security theatre, as defined by Wikipedia, “is the practice of implementing security measures that are considered to provide the feeling of improved security while doing little or nothing to achieve it.” It is a common term among information security professionals and has been a recognized concept for a long time. I recently pointed it out in my interaction with CenturyLink when canceling service. For such professionals, security theatre is frustrating because it means a company took the time to create policies or “solutions” that accomplish nothing except frustrating people.
I’ve recently had to interact with Abbott many times due to failed continuous glucose monitors. When I send a Tweet to them to initiate a sensor replacement, they ask me to send a direct message (DM). I do that and then find myself a performer in the security theatre. No matter how many times I point it out to them, they tell me it is policy. Fine, so what? Change the damn policy instead of continuing to waste my time.
Backing up a step, let’s consider what it takes for me to send a direct message. To log in to Twitter, I have to provide a password, a code from my mobile device, and then a recently instated PIN to access my DMs. That is two-factor authentication (2FA) with an additional piece of information on top. That is pretty considerable for a social media platform. When I message Abbott, they ask for my name and phone number to “verify” me. I provide it and we continue the dialogue required to get the replacement.
Here’s where the theatre kicks in. Every single time I need a replacement, I have to provide my name and phone number. I tell them they have it already and they insist they need it for security purposes. Despite knowing my name, they still refer to me by the nickname in my Twitter profile. What happens if someone compromises my account and the PIN to access my DMs? They can read the chat history, which has… my name and phone number. Both of which are fully public on top of that.

So what does asking for those two pieces of information do that counts as “security purposes”? Absolutely nothing. It just serves as one more hoop I have to jump through to get a replacement for a defective product I paid for. And it gets worse. Last week I went through this same procedure. They asked for the information, I bitched, they asked again, I gave it, and then silence. When I finally got an answer, they asked for it again. What the hell?! Turns out if they don’t respond in 24 hours, their policy says they have to ask again. Their failure means they hassle me for two pieces of information they already know, which are already in the chat history, and which I had already provided for that support case.

This is hand waving in the security theatre, cosplaying as “security” when it is not. I understand phone numbers change, but what are the odds of that happening during a support case that lasts a matter of days? One that they dragged out by being slow to respond? And do they really think my name has changed in that time? Absolutely ridiculous. But hey, at least they give me bullshit platitudes when I point this out!

They don’t improve when I give them feedback on their products either. I guess I keep banging my head against the wall in the meantime.