Reddit says: “As we all know, humans are often the weakest part of the security chain.”

Other than this being a trite phrase and a cheap excuse, it also probably doesn’t make the victim of the phishing attack feel better.

Maybe one day we'll stop blaming the victim in infosec...one day.

https://techcrunch.com/2023/02/10/reddit-says-hackers-accessed-internal-data-following-employee-phishing-attack/

@lorenzofb They're not wrong, though. Human beings are the single most abundant and serious security risk for any organization. Happily, they are also their most important asset.
@briankrebs @lorenzofb I just don't like seeing that especially if an attack involved phishing credentials, when we know OTP and push are not sufficient. FIDO U2F or at least push+code confirm should be a standard, why keep providing systems that allow an easy mistake to be made?
@lorenzofb I think that knowing that humans are dumb and easily confused and then not designing your system to protect your helpless meemaw as she navigates facebook DMs is more on you than on meemaw

@lorenzofb OTOH, people /are/ the weak point in the chain. You, I, that genius down the street - we're all going to make dumb mistakes and probably already have.

Pointing out where the weak link is doesn't necessarily involve victim blaming. We should be designing in protection for the dumb mistakes people make.