On 27/09/16 10:47, Andy Burns wrote:
Halmyre wrote:

Andy Burns wrote:

it does have a system where they present you with an image and a
phrase which you set, which serves to avoid phishing.

IS that what it does? I've always been slightly baffled by that.

It lets you confirm you've connected to a genuine Santander site (that
knows something *you* set) not someone trying to fool you ...


Problems happen where users are unable to fathom out the functionality
of different security measures and why they are necessary.

If I was someone granting secure access to somewhere, I'd first set a
few online questions to ask users exactly what they understand about
internet security, secure passwords, 2FA, trusted machines, public
internet, AV, updates etc.... and on that decide whether it's worth
allowing them to sign up, or if access is really necessary, getting them
to pay for hardened biometric reader equipment.

At the moment, the way online security is described to users (i.e.
Google) is quite (but maybe unavoidably) technical and flies over the
heads of most. Yet they are the same folks that then throw toys from the
pram when their non-2FA account gets hacked. Education :-(

--
Adrian C