[kossae]

This is the case I've seen the most. It also really speaks to what is the ultimate security hole which is human error and social engineering. Granted your friend was not being malicious, the fact that it was that easy is scary.

[pmontra]

Maybe this is not intentional social engineering but a former customer working in the micro credit market once told me that the people who's most difficult to get money back are friends, not strangers. Maybe he had an agenda (send your friends to me) but it matches my experience.

[mrhappyunhappy]

Exactly. I lost count how many times I was able to sweet talk my way past regular phone security measures while trying to access my own account after having forgotten security details. Now imagine I was a bad actor trying to get someone else's info.

[weego]

Or it speaks to years of cost benefit analysis and outcome of someone doing this maliciously is so benign or so embedded within a trust chain that there's no benefit to closing that particular hole.

Not that I have any expertise in this particular situation, but not every 'threat' when armchair analysed in isolation is a threat when put into its correct domain and context.