The Fallacy of “Security”: anything but…

I’ve had two recent experiences involving organisation processes in the name of “security” that were deeply insecure and added no value – and no security – at all.

The first was in my local supermarket. I wanted cash-back in a debit card transaction. The cashier printed off the receipt, asked me to sign it to authorise the transaction – which I did – and then handed the signed receipt back to me to dispose of any way I liked.

This process added nothing. In other supermarkets, I have been asked to sign the stores’ copy of the receipt – in which case they then have evidence that I authorised the transaction and had accepted the cash. This presumably formed part of those organisations’ audit trail – though I never believed that any supermarket retained a paper copy of the transactions, relying instead on their electronic systems. (I’ll happily be disabused of this.)

But for my local supermarket to get me to sign the receipt and then hand it back to me makes no sense whatsoever. It is, frankly, bonkers. I can only assume that the cashier was incorrectly completing the process, or the store management had instigated a process without understanding why or what outcome they wanted. Instead, they just held up the queue a little.

[Edit: Joanne Jacobs has pointed out that by the shop making me sign my receipt, they may be protecting themselves against my returning with the receipt and claiming I didn’t receive the money. This is true – although by getting me to sign the receipt before I’ve received the money, it is still open to abuse by the check-out person…]

The other experience involved my bank. I called them to arrange payment of my tax bill. The operator asked for my phone number, which I gave them. And today I had a phone message from my bank saying that the payment hadn’t been made because they wanted to check that it wasn’t fraudulent. Aside from the unlikely scenario that a fraudster would be paying a tax bill – I mean, really! – my bank phoned the number that someone they thought might be a fraudster had given them to check that person wasn’t a fraudster. Their security check involved information that I imagine anyone determined to pretend to be me would be able to find out. (Though it is a good idea to keep a lot of that kind of stuff hidden on Facebook!)

I completely accept the need for security, but having “security” processes that do anything but provide security is dangerous: if my bank actually believes that what they do is providing them and their customers security from fraud, then they really do have big problems.


3 thoughts on “The Fallacy of “Security”: anything but…

  1. Dan Sutton

    I love the idea of a fraudster paying your tax bill.

    Perhaps that’s the way the HMRC should operate. Whilst you are taking the senior tax guy out for lunch one of the guys in the office phones your bank and gets the bank to pay the HMRC the amount you owe them.

    I am not sure whether to be proud or ashamed that my immediate thought when reading about fraudulent payments to the HMRC was – it would be a cunning wheeze to pay your own tax liability with other people’s money.

  2. patrickhadfield Post author

    I think you have that wrong – surely HMRC take Goldman Sachs out to lunch to tell them how little tax they have to pay?
