This is the title of a seminar run by ISC2, the organisation behind the CISSP, and it got me thinking…
How many times do we see on local news, read in local papers, or all over the Internet, coverage of the latest computer-based scam to part you from your personal information?
The phishing email from a bank asking for your account details, mother's maiden name and the name of your favourite pet…or the plea from the last Prince of some turbulent African nation with an offer of large sums of money for letting his money rest in your account. (This reminds me of a quote from the TV show Father Ted: "That money was only resting in my account" http://fatherted.wikia.com/wiki/Father_Ted).
And in how many of these reports is there a poor soul who was duped into parting with large sums of money or their bank details, and was surprised when the account was emptied, or when the promised six-figure reward did not materialise?
I watched one such report in local news, where an elderly gentleman KEPT responding to these requests. I mean, what does he expect will happen? It brings to mind the famous quote usually attributed to Einstein: “Insanity is doing the same thing, over and over again, but expecting different results.”
People often draw the parallel of someone being stopped on the street, by a person in a bank uniform, with a clipboard, asking for private account details. Of course, for the most part you’d never give out your details to this person. Though chocolate provokes the odd exception…
Why is it more likely that the same details are given away to a complete stranger in response to an unsolicited email? I know you will always have an excuse ("It looked official!") but so did the person in the uniform that stopped you on the street! It’s an interesting psychological occurrence – or maybe it’s a function of being able to target many more people.
I think that the IT industry has to do everything in its power to prevent things like this happening, and most banks in particular take this very seriously in both the educational and the technological sense.
But there is only so much we can do as an industry. There comes a point when users have to take responsibility for their own actions. If you make a mistake on your taxes, you cannot plead ignorance. There are also the unscrupulous banks that will use any excuse to get out of refunding someone's account even if it can be shown that the bank was at fault.
I think we need to find a balance between these two.
A starting point could be the teachings of Charles Darwin (I am paraphrasing here): if you give away ALL your details to a TOTAL stranger just because they asked, then maybe you shouldn’t expect too much in the way of recourse…