> your bank could shut phishers down cold by requiring wire transfers to be authorized in person but they don’t want to pay staff or risk you being upset by a transaction taking an extra hour so they don’t.

Isn't this essentially what just recently happened to the Pope? Then there were people here doing the rest of your comment for him saying how egregious it was for them to ask for an in person authorization. It sounded like all he was trying to do was update his address, but changing your address from one in Chicago to one in a European country absolutely sounds like something a phisher would be trying to do.

reply
It's perfectly acceptable for a security model to make things difficult for extreme edge cases like the pope. After all, if the situation warrants it, such rare events can always be escalated.
reply
To frame it another way: Better to inconvenience the pope once every few years than have tens of thousands of "little person" account compromises every year.

I expect his Holiness might agree.

reply
Yes, there were people here criticizing that but also plenty of people saying it was a reasonable trade off. Making exceptional things harder to make everyday security better is not a bad decision even if it upsets techies who’d like everything to be automated.
reply
For a while Facebook had the ability to recover your account by having them ask several of your friends if the recovery was legitimate, but it was turned off. My guess is that not enough people added trusted contacts to bother running it.

https://www.theverge.com/2013/5/2/4292744/facebook-trusted-c...

reply
I actually quite like this solution. Beats asking users to add a "recovery selfie" (something Meta actually does now) - I'd rather choose 3 of my friends and have them approve some notification in-app. Seems like better UX and preserves privacy a slight bit more, but we all know Meta's not in the privacy business.
reply
Honestly, I can't think of a better solution that would require a far more coordinated attack to pull off. It should work on any system where trusted folks are likely to have accounts.
reply
deleted
reply
The amount of hassle involved with regular physical checks is why it's not implemented, regardless of attack prevention.

The cost of hiring a person is part of it but not really the core reason. People were sold on the Internet with "you can do things online conveniently" and reintroducing the need to physically go somewhere negates that angle entirely.

reply
To be clear, I was thinking cost as more than just payroll - e.g. my bank can do this because they have paid for a branch near my house, Facebook does not - but another way to look at it is that many of the costs due to errors have been shifted to the user.

I do think friction causes a reflexive resistance to the idea but I think that might be an overreaction. This is a rare thing people should be doing no more than a few times in their life.

reply
> People were sold on the Internet with "you can do things online conveniently" and reintroducing the need to physically go somewhere negates that angle entirely

But how often does one need to do recovery procedures like this?

How much less convenient is it for everyone else to be at risk of their account being taken over?

reply
Then you get trusted parties selling account access. Even if you remove them for a single false positive, they will do it. A bit like a % of packages "vanishing".

The least terrible seems to be digital ID.

reply
> Then you get trusted parties selling account access

How many bank tellers or USPS employees do that, though? It’s possible but quite rare because people know they’ll be running a big risk of being caught and no individual transaction is worth that much.

reply
Interestingly, since 2008 Dutch bankers need to take an oath, and whilst I don't think that in itself deters fraud, being fired for fraud would preclude going back to work for another bank (tuchtrecht / disciplinary law).
reply