Not too long ago I was sitting in the executive lounge at the airport in Sydney waiting for a flight to Hong Kong. I decided to use the computer kiosk to print out the map to a restaurant some friends had told me about. The printer was out of paper, so I loaded it up and out popped about 5 sheets of paper: 2 were my directions and the other 3 were the banking and investment account information of a gentleman we will call Peter; we’ll call him Peter because that’s his first name. The printout had his bank name, full account information including account number, his name, a credit card account with about a $14k balance and the last 5 transactions, an investment account with a $128k balance, and the dates the accounts were opened. Couple this information with some creative social engineering, and credit card fraud or a bank transfer would not have been that difficult to execute.
It is almost 2007 and, despite a constant flood of hype, some of it justified, this guy uses a shared computer at an airport kiosk, logs into his bank oblivious to all the keyloggers running, attempts to print out the information, which he clearly was unable to do, and then leaves with his data camping out in the print buffer waiting for someone with the technical skill to “load paper”.
The real issue here is that this guy is representative of the typical user: no matter how much time we spend trying to make them aware of the threats, no matter how much the media bombards them with stories of stolen identities and credit card fraud, no matter how the vendors spread FUD like butter dripping off a hot biscuit, someone somewhere is opening an email because they want to believe that someone somewhere else really loves them.
Now if this were just a case of “bad user, no cookie”, or of those who walk down dark alleys holding wads of cash deserving to be robbed, then so be it; but the problem is that these users are walking down these dark alleys with their organizations’ “cash” in the form of access rights, confidential data, or other pieces of sensitive information.
So as we enter the holiday season, with all its wonderfully relaxing travel, and a new year full of shiny Internet-enabled hand-held devices greets our return, remember that users are always the weakest link and that we cannot assume they will do the right thing, no matter how much we attempt to make them security aware.