Protecting Your Company or Laying Blame?
Ask yourself — what’s the point of your company’s security mechanisms and processes? Which ones are about security, and which ones are about legal coverage or shifting blame to another entity in the event of a breach?
The other day I wanted to wire some money to pay for a motorcycle I was buying from an individual. I went into the local branch of my brokerage and initiated the wire transfer paperwork. I showed them my Driver’s License and my US Passport as secondary ID, and I knew the answers to the various secret questions about my account and past activity, but there was a problem.
Because the amount was over a certain threshold (quite small, in my opinion), my signature on the form had to be notarized. Never mind that I signed it in front of them, that my signature matched my ID, and that they’d photocopied my ID; I had to have a notary public stamp and sign the signature form.
What did the notary public do? They looked at my ID, pulled out a different form that I didn’t have to sign, stamped that form, and took my $10 payment. They couldn’t stamp the original form because there was no space for a notary stamp and they are only allowed to use that space on an original form.
What benefit does the brokerage gain from this little LARP quest to meet someone and go through a simple ritual? After I returned with the notarized second sheet of paper, we even changed information on the original form — I’d written down the wrong bank name for the payee and forgotten to fill in the date. They didn’t verify the notary name and signature before accepting my form; they just clipped it all together and started the wire transfer.
My guess is this had little to do with proving that I was who I said I was — it was pretty clear from both of my IDs and my knowledge of random facts about the account that I was the account holder. It’s my opinion that it was about covering their legal ass if there was ever a charge of fraud down the road (“My twin brother did it, it wasn’t me!”). The agents didn’t validate my ID; they relied upon a (supposedly) trustworthy third party, so if there’s fraud, it’s not their fault.
I wonder if the person who thought up this protocol realizes how easy it is to fake something like a notary stamp and signature — they’re trivial compared to a US Passport or state Driver’s License. If the fraud is going to involve more than a few grand, why would I let one more forgery stop me? Think about it — if I know enough about the person I’m ripping off to answer all the secret questions and fake a US Passport and Driver’s License, I can probably manage faking the notary stamp as well.
Do I feel better about my account security thanks to this little waste of time? Nope. I just feel $10 poorer and a bit guilty that I paid the seller a day later than I said I would.