undefined | Better HN

0 pointssmeej1y ago0 comments

I beat that drum so long it turned into beating my head against a wall.

The last two companies I worked for insisted that customer account security was the highest priority, but as soon as I said we needed to stop hiding links to our own website behind Hubspot tracking URLs so we don't train our customers to click links that look like gobbledygook garbage, the marketing team melted down and it became clear where user account security actually fell on the priority list.

I don't think it's always malicious, though. I think most people in most companies just don't realize the risk. Like, I had to explain to my doctor's office why I'm never going to "confirm my identity" by rattling off my DOB and address at the beginning of a call when they called me. I even think of those specific data points as public information anyway and I'm not going to participate in that nonsense. It had never occurred to them that this was risky behavior.

It did make me appreciate my parish priest's method, though. Every quarter or so, he reminds people from the pulpit that he will never email them asking for gift cards or anything of the sort. If the parish needs money for something, he promises he'll ask for it right from the pulpit!

0 comments

5 comments · 2 top-level

nerdponx1y ago· 2 in thread

People realize the risk, they just think it can't happen to them personally, and/or just don't care because they personally aren't going to bear the risk. People run businesses the way they drive their cars, i.e. selfishly and arrogantly.

nonrandomstring1y ago

Are all people bad drivers? Technology gives diffusion of responsibility. And business gives limited liability. Put them together and you have magnified sense of agency and invulnerability. But without wheels and a windshield people couldn't travel at 100 miles an hour. The question is how gracefully the person at the wheel handles that. Are you a gentleman in a Jaguar or a BMW driver? [0]

[0] https://www.fastcompany.com/90457589/science-proves-it-men-w...

nerdponx1y ago

It's not a question of how gracefully the person behind the wheel handles it. There is a certain moral expectation and minimum standard of handling, and this expectation is more often than not enforced by law and/or threat of civil suit, sometimes with severe penalties for deviating from expectation. That legal framework exists precisely because individuals cannot be trusted to handle it properly.

The natural set of incentives does not work well with human psychology. It does not prevent mishandling of motor vehicles, or at least fails to prevent it in enough cases that additional disincentives are needed, to ensure the safety of the public.

Stated another way: Enough people are bad enough drivers that we need laws and civil liability to create additional incentives against bad driving. The threat of collision, property damage, injury, or death to oneself, passengers, and people outside the vehicle is clearly not sufficient.

Driving is actually a great analogy, but maybe not for the reason you intended. If we relied only on individuals to act responsibly, the roads would be much more dangerous than they currently are.

1 more reply

nonrandomstring1y ago· 1 in thread

I like your priest's style. Maybe more cybersecurity and anti-fraud from the pulpit is the way to go now the digital realm has failed. I'll have a word with our vicar, see if we can't squeeze a bit of Kevin Mitnick and Julian Assange in between Proverbs and Revelations.

smeejOP1y ago

To be fair, he also uses the pulpit for the announcements before the Mass, not just preaching ;)

It really does help especially the elderly parishioners to hear it directly from the mouth of someone they trust, though. And he tells them if they have any concerns, any doubts about a situation they've gotten into, they can always call the parish office and they'll do the best they can to help them with whatever issue they're facing.

Even just training people to always hang up and call someone who definitely would know if the person they think is reaching out to them actually needs help is such a good first step. Even if the scam email "from" the priest says, "I can't talk right now," call the office. If he were in a bind, he wouldn't be the only one who knew about it.

j / k navigate · click thread line to collapse