Attacks on 2FA methods are nothing new, but "ring the doorbell a whole bunch and annoy the target so they just buzz you in" really wasn't on my bingo card... not even as a city-dweller in the city at the center of delivery services. mandiant.com/resources/russ… But OF COURSE it worked. There are so many interrupts from mobile applications, popups on websites, SMS messages, robocalls, etc. warring for our attention. It seems pretty plausible for someone to dismiss a security alert just to get it to shush. There are just too many things.

So many people take a photograph of their state issued IDs for online transactions — and those images sit on camera rolls, email servers, and way riskier places than a Secure Enclave.

The ID functionality here is more harm reduction than slippery slope. one.npr.org/i/1005419007:1… Getting online prescriptions filled, applying for an apartment, buying a house, ID reqs for online financial services all ask consumers to take a photo of ID and upload or email elsewhere. There’s so much more opportunity for theft/exploit in bad business practice than big data

This email from Ledger to its customers about anti-phishing defense is such a train wreck. It is an absolute case study in everything wrong in the industry in regards to building security strategy and educating people in actionable strategies to minimize risk of exploitation. Offering trite security advice like “Never give away your [secret/password/words]” doesn’t help people, especially with spearphishing. It’s better to give users information about how they will/will not be asked to interact with you so they can avoid being tricked or compelled.

Incoming: tiny or possibly not-so-tiny security rant about vuln + dependency management Alright, so, real talk: many of us who are trying to live our best security lives run on a handful of pretty serious mantras-- that Bruce Schneider quote about security being a process and not a product is one of the big ones.