
> Social engineering will never be stopped, people want to be helpful.

They really do. And so you should design security systems with the assumption that your employees will actively undermine security "to be helpful" to adversaries.

> And generally speaking the cost for stopping it at non-secure businesses is going to be too high until a security incident happens.

The cost for Yubico's "Security Key" is $20 and there is a volume discount. You should buy each employee a key, and if there's no secure means by which they can be re-authorised when they inevitably lose it, a second one to keep safely for that case.

The attackers correctly anticipated that while "Can you get me Jenny in user assistance's phone number?" is just being helpful, "Can you disable Elon Musk's 2FA and give me control over his account?" is a bit... obvious. So they got themselves credentials to do that stuff. But there is no need for Twitter employees to be able to give away those credentials.
