a) This is hilarious. b) It is not entirely obvious to me whether society should prefer making fun of users who fall for phishing, which includes ~everyone, or well-resourced firms should Sorry I Can't Let You Do That more frequently as part of their anti-fraud/crimes missions. https://twitter.com/stucchio/status/1153396044950048768 …
Given that we're in a threat environment where the adversary will *routinely* have the username and password, we probably have to design financial institutions' systems and processes to not mean "If the attacker has the password, they get all the money."
And there's a material regulatory/political question here, too, in the same way that there was a regulatory/political question on where to allocate losses in the case of e.g. loss of payments credentials, which was resolved definitively (in the US at least) by political process.
New conversation
At a bigcorp security training, they tell a story of an outgoing VP of security who was presented with his password lasered into a glass trophy on his last day by his team, who had successfully phished him.
I've heard multiple stories of "presenting the outgoing employee with their password" in security companies. I always wonder where they draw the line in acquisition tactics. Ex: Are they allowed to hardware keylog their keyboard?
New conversation
I wouldn't discount the impact this meme will have. They managed to create a financial services PSA using a popular, modern dancehall song and avoided Corporate Cringe. People remember seeing their first Unicorn.