venta ([personal profile] venta) wrote 2010-03-30 01:26 pm

The signs were all there

I fear the apocalypse may be nigh. Certainly the end times are near.

Bruce Schneier is quoting Jeremy Clarkson.

[identity profile] undyingking.livejournal.com 2010-03-30 02:06 pm (UTC)(link)
Now let's see if Clarkson returns the favour.

[identity profile] venta.livejournal.com 2010-03-30 02:31 pm (UTC)(link)
... my God, factorising large primes with this is like sliding down a water chute with Angelina Jolie...

[identity profile] undyingking.livejournal.com 2010-03-30 03:02 pm (UTC)(link)
Driving this is like being the man-in-the-middle with Alice and Bob in a vat of warm honey. You know your vulnerabilities are exposed, but you still would anyway, wouldn't you?

[identity profile] venta.livejournal.com 2010-03-31 10:53 am (UTC)(link)
Ewww. I feel (a) totally outclassed and (b) faintly grubby.

[identity profile] undyingking.livejournal.com 2010-03-31 11:04 am (UTC)(link)
Just think how Bruce Schneier will feel, if he ever stumbles across this thread...

[identity profile] bateleur.livejournal.com 2010-03-31 06:56 am (UTC)(link)
Although I notice with amusement that Clarkson deftly picks an example which demonstrates a flaw in his own argument.

A certain building we both used to work in which had cardswipe locks was entirely straightforward to navigate by catching doors opened by others before they had fully closed. With a security guard present, that approach would not have been an option.

[identity profile] venta.livejournal.com 2010-03-31 10:53 am (UTC)(link)
It's a fairly firmly-held theory of mine that the weak points in pretty much any security policy are the people involved. Even if you work in an office where you need a passcard to get in, how many people will actually refuse to hold open a door to let another person in? Unless you work somewhere where security is very very important, I reckon politeness will beat security any day.

All the oddities with (say) bank security over the phone and so on seem to be caused by the bank employee Just Not Getting It - and hence they apply the rules quite blindly, and don't understand what is or is not a real risk.

[identity profile] bateleur.livejournal.com 2010-03-31 11:32 am (UTC)(link)
Indeed.

I've actually had a few cases where bank employees have even (potentially) compromised security by promoting bad policy. They phone me up and then ask for security details. I respond by asking them to prove they're the bank and they are completely baffled, as though nobody's ever said this to them before!

[identity profile] venta.livejournal.com 2010-03-31 11:48 am (UTC)(link)
Yes, that's one of the cases that led me to this theory.

Not only have they been baffled, but even after I've explained why I want them to do this, they don't seem to understand why it's important.

In fairness, I do think the bank ought to have thought this through and introduced a stage where they verify their identity, or at least included an extra bit of script in case the user asks for it. By the time I've answered the phone they've already got one-factor security ("something I have") on who I am, so a sensible policy would encourage people like me to demand something from them before I hand over information.

The best come-back I heard (from someone asking for my DOB and mother's maiden name) when I asked that they verify their ID first was "but I only want your DOB and mother's maiden name, anyone can get hold of those". Er... yes, they can. So why are you using them for your security checks?

[identity profile] bateleur.livejournal.com 2010-03-31 12:38 pm (UTC)(link)
That's quite special!