In our industry we call it “security theater”. Looks great. Looks secure. Makes for great press-releases. Doesn’t do a lick of good as far as increasing security.

My job is not to make things completely secure. It is to balance the risk versus the cost of security measures. So when I say that these new measures don’t do any good, I mean that the total cost (monetary, user experience, etc.) is not worth the “increased security” (trivial). The money these companies spend is not to increase security, rather it is to increase the *appearance* of security to their customers. Given that this increases customer trust it is still probably money well-spent but don’t, for a second, think that they’ve improved security in any meaningful way.

Also, I don’t think you realize the threat that is out there. It’s not little Johnny hacking your computer from his mommy’s basement anymore. Organized crime is out there. They are well-funded. They have professional programmers writing their software and it is really well planned and well implemented.

Virus signature databases doubled in size over the past year and anti-virus vendors are struggling to keep up. An estimated 25% of the 600 million computers on the Internet today are thought to be parts of botnets. 150 million zombie machines out there that might do anything from attack a site, to resend spam, to collect your personal information. It is considered by many to be a virtual pandemic.

So pardon me if I don’t jump up and give a standing ovation to an under-arm-fart-noise rendition of Beethoven’s 5th. I think I’ll hold my applause for a real performance.

The point behind the modifications isn’t that the system is absolutely secure, it’s simply that they’ve added extra layers of security to make it just a little more difficult for the majority of script kiddies.

The reality is that if someone wants your information bad enough, they’re going to get it. It doesn’t matter what you do, or how you do it. The key here is that it now takes more effort and more technical know-how to get to what they’re after.

As you’re aware, the process of creating security measures to defend against security breaches is very cyclic by nature. Sooner or later the thieves ramp up on the new security measures, and then the business has to adapt and create a new hurdle. Then we start over again.

It’s an improvement, and as an information security professional, I would expect you to applaud the effort to at least improve security based upon what you know of the business involved, and the nature of security in a digital world.

Thanks.

When you are setting up the pictures, I always use meaningful phrases that will jog my memory when I am logging in. For instance, if you have a picture of an orange. Don’t use the phrase “An orange” associated with it. Instead use something meaningful like a song lyric, “I’ve got my spine, I’ve got my orange crush.” Now, even though you may not remember which picture is which, the phrase should hopefully jog your memory.

In addition, once the malicious software is on your system they can steal the cookies from your browser that store info about those pictures that everyone is using or stick in the middle and conduct their own electronic transfers. It’s a lot of sizzle and very little steak, if you know what I mean.