[franga2000]

I see this argument everywhere and I've never heard of a case where a bank was liable because a customer was phished. I've even asked for examples and nobody ever provided them.

It's one thing to argue in court that they should be liable because they didn't provide you with the necessary security tools (like MFA), but they all provide at least SMS 2FA these days and their apps run on iOS and Android, both of which have plenty of security features.

[cwillu]

If a bank is required to reverse fraudulent charges (and they are), that means they're liable for those charges.

[izacus]

In reality what happened is that some security auditor put it into a checklist for the mobile app "Security ISO certificate++" and now everyone implements it for compliance.

Fighting against that is insane paperwork and professional exposure for software engineers that do it (since if people get phished, the C-suite will point a finger at a tech lead which went against the "professional security audit").

Most of other posts here are just post-rationalization and victim blaming.

[godelski]

So let's have more of these conversations so the idiots making those standards make fewer dumb rules and we can grease the wheels for anyone passionate enough to try to get it changed

[BrandoElFollito]

Unfortunately the idiots are often the nation's security agency, or a large consulting company.

You will not have them change their policies if they do not have a good person inside, who will slowly move the boat.

I fought for audit findings because they were pissing me off at a personal level and it wirked. But the auditor did not change their procedure, just reverted the finding. Until the next year.

[godelski]

I think you're making the naïve assumption that large organizations are heterogeneous.

The people at the top are idiots because the idiots were able to secure advisory positions. They were able to secure positions because those promoting them were either tricked or idiots themselves. This pattern repeated all the way down.

So I really do mean grease the wheels. And I really mean we won't kill the beast overnight. But we won't make any progress towards fixing things if we won't look at how the problems are created in the first place. We'll only perpetuate the problems if we oversimplify things, as that's exactly what got us into this mess in the first place.

[BrandoElFollito]

> I think you're making the naïve assumption that large organizations are heterogeneous.

Maybe, but this is what I managed to gather through a 30-year career in tech, in three huge companies, from IT management to SVP.