I’ve had two recent experiences involving organisational processes in the name of “security” that were deeply insecure and added no value – and no security – at all.
The first was in my local supermarket. I wanted cash-back in a debit card transaction. The cashier printed off the receipt, asked me to sign it to authorise the transaction – which I did – and then handed the signed receipt back to me to dispose of any way I liked.
This process added nothing. In other supermarkets, I have been asked to sign the stores’ copy of the receipt – in which case they then have evidence that I authorised the transaction and had accepted the cash. This presumably formed part of those organisations’ audit trail – though I never believed that any supermarket retained a paper copy of the transactions, relying instead on their electronic systems. (I’ll happily be disabused of this.)
But for my local supermarket to get me to sign the receipt and then hand it back to me makes no sense whatsoever. It is, frankly, bonkers. I can only assume that the cashier was incorrectly completing the process, or the store management had instigated a process without understanding why or what outcome they wanted. Instead, they just held up the queue a little.
[Edit: Joanne Jacobs has pointed out that by the shop making me sign my receipt, they may be protecting themselves against my returning with the receipt and claiming I didn't receive the money. This is true - although by getting me to sign the receipt before I've received the money, it is still open to abuse by the check-out person...]
The other experience involved my bank. I called them to arrange payment of my tax bill. The operator asked for my phone number, which I gave them. And today I had a phone message from my bank saying that the payment hadn’t been made because they wanted to check that it wasn’t fraudulent. Aside from the unlikely scenario that a fraudster would be paying a tax bill – I mean, really! – my bank phoned the number that someone they thought might be a fraudster had given them to check that person wasn’t a fraudster. Their security check involved information that I imagine anyone determined to pretend to be me would be able to find out. (Though it is a good idea to keep a lot of that kind of stuff hidden on Facebook!)
I completely accept the need for security, but having “security” processes that do anything but provide security is dangerous: if my bank actually believes that what they do is providing them and their customers security from fraud, then they really do have big problems.