Comment by anonym29
4 days ago
The people falling for social engineering now won't be protected by this either. You could gate the functionality behind verification of an anti-scam awareness and education training and certification course, scammers would coach people through the entire course and the verification step, and people would still be victimized.
> You could gate the functionality behind verification of an anti-scam awareness and education training and certification course, scammers would coach people through the entire course and the verification step, and people would still be victimized.
The problem with this line of reasoning is that it proves too much, which really gets to the heart of the issue.
If people are willing to be led to the slaughterhouse in a blindfold then it's not just installing third party code which is a problem. You can't allow them to use the official bank app on an approved device to transfer money because a scammer could convince them to do it (and then string them along until the dispute window is closed). You can't allow them to read their own email or SMS or they'll give the scammer the code. If the user is willing to follow malicious instructions then the attacker doesn't need the device to be running malicious code. Those users can't be saved by the thing that purportedly exists only to save them.
Whereas if you can expect them to think for two seconds before doing something, what's wrong with letting them make their own choices about what to install?
To add as a sad example, the mother of an acquaintance of mine got scammed into withdrawing all her money from an ATM, gave it to the scammer person, then sold her car and apartment (!) and only then became aware of what was happening. And even though she is senior (early 60s) she did work her whole life in a senior engineering role (not IT related). Point is, the social engineering is, and will be the primary tool of scammers, as it was for the entirety of humanity. And no amount of tools and locks will prevent this. To make the argument further - we know that lock-picking exists, and can be very effective, yet we're not rolling out bigger and more complex door locks every year, or mandate people having 15 doors with 10 locks each - we just acknowledge that this tech is not perfect, but good enough. So clearly, the incentive of all these changes can't be "security", it's just plain stupid.
Exactly. They might give them their Gmail password, the 2FA code, their credit card number and CVC, etc. etc.
That's unfortunate if true but it isn't a convincing argument to force the rest of society to live in proverbial padded cells. There's a minimum bar here. Some people probably shouldn't have online accounts and aren't responsible enough to manage their own finances. The rest of us are (hopefully at least marginally) functional adults.
This is actually a really interesting problem. Some portion of the public (nerds) are competent to understand what running software even means and the rest (let's call them "sheep") are naive and helpless. A portion of the nerds (Evil Hackers) are easily able to coach any sheep to do any action. Obviously everyone should default to being a Sheep, and obviously it would be ideal if Nerds could have root on their own damn hardware. But how can one ever self-certify that they're actually a Nerd in a way that an Evil Hacker can't coach a Sheep through? "Yes, now at the prompt that says 'Do not use this feature unless you are a software engineer. Especially don't click this button if someone contacts you and asks you to go through this process.'... type 'I am sure I know what I am doing' and click 'Enable dangerous mode.'"
> Obviously everyone should default to being a Sheep
This isn't actually that obvious, for a number of reasons.
The first is that it causes there to be more sheep. If you add friction to running your own software then fewer people start learning about it to begin with. Cynical cliches about the government wanting a stupid population aside, as a matter of policy that's bad. You don't want a default that erodes the inherent defenses of people to being victimized and forces them to rely on a corporate bureaucracy that doesn't always work. And it's not just bad because it makes people easier to scam. You don't want to be eroding your industrial base of nerds. They tend to be pretty important if you ever want anything new to be invented, or have to fight a war, or even just want to continue building bridges that don't fall down and planes that don't fall out of the sky.
Another major one is that it's massively anti-competitive. If the incumbents get a veto, guess what they're going to veto. This is, of course, the thing the incumbents are using the scams as an excuse to do on purpose. But destroying competition is also bad, even for sheep. Nobody benefits from an oligopoly except the incumbents.
And it's not just competition between platforms. Think about how "scratch that itch" apps get created: Some nerd writes the app and it has only one feature and is full of bugs, but they post it on the internet for other people to try. If trying it is easy, other people do, and then they get bug reports, other people contribute code, etc. Eventually it gets good enough that everyone, including the sheep, will want to use it, and by that point it might even be in the big app store. But if trying it is hard when it's still a pile of bugs and the original author isn't sure anybody else even wants to use it, then nobody else tries it and it never gets developed to the point that ordinary people can use it.
So maybe the scam we should most be worried about here is the one where scams are used as an excuse to justify making it hard for people to try new apps and competing app stores, and deal with the other scams in a different way. Like putting the people who commit fraud in prison.
> easily able to coach any sheep to do any action
No. This assumption is the core fault with the entire line of reasoning. The typical sheep will not do arbitrary things for a stranger such as sending you his entire bank account because you told him he needed to pay an IRS penalty in crypto to avoid being picked up by the state police who are already en route in 15 minutes.
It's a continuum. The question is how much of the low end needs to be protected by the system.
Binning into discrete blocks to match your example, the question is where to place the dividers between the three categories - nerd, sheep, and incompetent. We don't care to accommodate the third.
Nothing is perfect, but by what percentage would you think scams that leverage sideloading would drop? 1%? 10%? 50%? 90%? 99%?
Compared to the current paradigm, where you already need to enable developer options, allow installation from untrusted sources, and tap through a warning screen for each APK to be installed?
Maybe 10-20%, generously. The people who are falling for it under current protections clearly are not reading anything they're looking at or thinking about security at all, they've fallen for social engineering scams and sincerely believe they're at imminent risk of being arrested by the FBI or that their adult child is about to be killed. They're in fight or flight mode already, not critical thinking and careful deliberation mode.
If you were to rank everyone by gullibility, these people would largely be clustered in the top 1-2% of most gullible people. There is very little you can do to protect these people, realistically.
> They're in fight or flight mode already, not critical thinking and careful deliberation mode.
That actually sounds like an argument in favor of this restriction. If someone is in a position of deep trust with the scammer then waiting a day is nothing. But if they're in a panic, not thinking things through or calling anyone for advice, that state probably won't last 24 hours.
I guess I just don't believe your estimate. I think you're grossly underestimating how far we can get through these kinds of approaches.