At What Point Does Security Become Counter-productive? - Technibble
As my recent experiences with a bank (which shall remain nameless) confirm, some people take security too far. There is a point at which adding security measures actually reduces security rather than increasing it.

Take Internet Banking, for example. At most banks you need a customer number, a passphrase (of which you usually enter only two or three characters at a time, never the entire phrase), and one further piece of information: a date of birth, a memorable place, and so on. The same applies to telephone banking.

These measures are designed to secure your account: three pieces of information are always needed, and usually only one of them, the customer number, needs to be written down, since you can remember your date of birth and the passphrase is short enough to memorise.
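To make the partial-entry step concrete, here is an added example (not code from Technibble or from any bank) of the server side of that check: the server picks a few character positions, the customer types only those characters, and the server compares them. The class name, the three-character challenge and the sample passphrase are assumptions made for illustration. One caveat worth noticing is built into the design itself: because any subset of positions may be asked for, the server must keep the passphrase in recoverable form (or a hash for every position set it might ask), rather than a single salted hash of the whole phrase.

```python
import hmac
import secrets
from typing import Sequence


class PartialPassphraseChecker:
    """Server side of an "enter characters 2, 5 and 7 of your passphrase" step.

    Illustrative only: the class, its defaults and the sample passphrase
    used below are assumptions, not any bank's implementation.
    """

    def __init__(self, passphrase: str, chars_per_challenge: int = 3):
        if len(passphrase) < chars_per_challenge:
            raise ValueError("passphrase shorter than one challenge")
        # Caveat: to check an arbitrary subset of positions the server must
        # keep the phrase recoverable (here plaintext in memory; in practice
        # encrypted at rest, or one hash per askable position set). A single
        # salted hash of the whole phrase cannot be checked against 3 chars.
        self._passphrase = passphrase
        self._k = chars_per_challenge
        self._rng = secrets.SystemRandom()  # CSPRNG so positions are unpredictable

    def new_challenge(self) -> list[int]:
        """Pick k distinct 1-based positions for the customer to type."""
        return sorted(self._rng.sample(range(1, len(self._passphrase) + 1), self._k))

    def verify(self, positions: Sequence[int], answer: str) -> bool:
        """True only if `answer` holds exactly the characters at `positions`.

        Fails closed on the wrong count, duplicate or out-of-range positions,
        so a client cannot shrink the challenge or probe beyond the phrase.
        """
        n = len(self._passphrase)
        if len(positions) != self._k or len(answer) != self._k:
            return False
        if len(set(positions)) != self._k or any(not 1 <= p <= n for p in positions):
            return False
        expected = "".join(self._passphrase[p - 1] for p in positions)
        # Constant-time comparison; both sides are the same length here.
        return hmac.compare_digest(expected.encode(), answer.encode())


def answer_for(passphrase: str, positions: Sequence[int]) -> str:
    """Client side: what a customer who knows the phrase would type."""
    return "".join(passphrase[p - 1] for p in positions)


if __name__ == "__main__":
    # Constructed sample secret; a real phrase would come from the customer.
    phrase = "correcthorse"
    checker = PartialPassphraseChecker(phrase)
    challenge = checker.new_challenge()
    print("Enter characters at positions:", challenge)
    print("correct answer accepted:", checker.verify(challenge, answer_for(phrase, challenge)))
    print("wrong answer accepted:", checker.verify(challenge, "zzz"))
```

The scheme limits what a shoulder-surfer or keylogger learns from one login to three characters, which is its point; it does nothing to reduce the number of distinct secrets the customer has to carry in their head, which is the problem the rest of this article is about.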

Consider, however, the case where you need five or more pieces of information to log in. Each one is distinct: addresses, dates, places, names. Each must be something other than your date of birth, home address, place of birth or mother's maiden name. That means you need to remember five additional pieces of information over and above the usual ones such as your own address and your date of birth.

Most people won't be able to remember all of those things, so their natural reaction is to write them down. Here is where the problems arise. There is nothing wrong with writing down a passphrase, provided it is kept safe and does not identify the site or system it belongs to (this clearly does not apply to a Post-it note stuck to your work monitor with your username and password written on it). But these five pieces of data fairly uniquely identify the site they were intended for. Often, in fact, when you set up these items you will have a letter from the bank in front of you, so the natural reaction is to write your "memorable data" onto that letter. Now you have a single piece of paper that contains everything someone needs to log into your Internet Banking.

Similar scenarios exist in many environments where security is considered. Security concerns take over from practicality. The banks don't think about whether you can remember your "memorable data"; they just want to protect themselves. If someone does log in using your data, they can claim that they had enough levels of security in place and that it was your fault for writing the details down in the first place.

As far as the customer is concerned, though, in this case it actually makes more sense to have less security. Two pieces of information is enough for anyone to have to remember for identification and access to a single website. By requiring more, the banks are simply reducing the security provided to their customers, while protecting themselves against liability for any losses that result from that reduced security, because there is the illusion of higher security.

  • Jeff Plisk says:

    Your intellect is showing up in this article. I will be perusing more from you in this blog!

  • Nurse Scrubs says:

    Good stuff, I "Stumbled" you. My DIGG account got messed up, but I like Stumbling better anyway.