they have a solid point, y'know.

munin@infosec.exchange

they have a solid point, y'know.

users don't have meaningful agency here, but businesses sure the fuck do, and the way tech has treated users is creating perverse incentives and frustrations.

munin@infosec.exchange

if you want users to take security seriously?

gotta give them some reason to think it will matter.

tindrasgrove@infosec.exchange

@munin
I can never use online banking, and my bank may still allow my account to be compromised.

I can never fill out a form online with my address, but my address is still online because “public record”

I can never buy anything online, never use a credit card, but the combination of ALPR and security cameras means my shopping habits are still known when I shop in-person using cash.

Yeah, consumers are not the problem here.

arclight@oldbytes.space

@munin I just posted about an attack on/using agentic finance bots that cost someone $200k. https://oldbytes.space/@arclight/116587393934910011

I still can't stop laughing at a Trojan NFT.

tychotithonus@infosec.exchange

@phessler

Each individual user may not consider a given credential as worth needing MFA, but since most users reuse passwords, it's arguably better move for the ecosystem and site operators to require some kind of MFA. Otherwise, if one site gets popped, a wave of user accounts could be abused in bulk and require operator intervention. Whether or not mass lockout/reset is inconvenient enough for the individual user to think MFA is a good trade-off may vary.

@munin