I just went through a real-life event that really rubbed salt in my security wounds. It's not bad enough that meaningful security is hard to accomplish - but when solutions step on each other... it makes matters even worse.
Let me explain...
I wanted to take my wife out some place fun for her birthday. There was this comedy club in town her friends were always talking about, that we've never been to - so I thought I would give it a shot. Naturally I hit the website rather than going to the box office. First off, the site design left something to be desired but I figured, hey - they had one of those "McAfee Secure" seals so everything must be good ... I mean, my buddy Trey Ford works there... I checked out the site, bought some tickets online (using a one-time virtual credit card like this) and that's when things really started going south.
First off, the site has that look. You know what I'm talking about. Second, that "McAfee Secured" logo makes me wonder even more about how seriously they took security - or whether it's more likely they're just "checking the box"... But here lies the real problem... I paid with a virtual credit card. Why is this a problem? Because - I now have to show that card and a valid ID when I go pick up my tickets. ... So one security feature (virtual credit card numbers) is stepping on another (validating the credit card in person). Now - this would be a seriously sticky situation - if people actually cared about security. Why do I say that? Well - when I called the box office to explain my situation I was told "Oh, don't worry, just give them your name, no one really checks that (physical credit card)". Well ... that sucks.
So here's my problem - we have 2 pretty good security measures in place, unfortunately they're stepping all over each other, and we sprinkle in a bit of carelessness and we have all the makings of a disaster.
The bigger picture still, here and elsewhere, is that this is common. Employees don't understand the value of things like checking physical credit cards against an ID in-person, and all the best planned security measures in the world won't do any good if no one cares. The site demonstrates clearly, at least to me, that they are simply checking the security check-box - otherwise someone at some point would have noticed ... gee, this may be a problem!
Bummer. Another place to avoid.