You found good ad hoc methods for mutual authentication. That's good. I'd like to see more formal methods around this concept. We need tools that mortals can understand, and that work in a variety of contexts. This wasn't a problem in the old days, because we just walked into the shop. When you remove the physical element, scamming gets easier on both sides. The problem is impersonation, and we've been avoiding solving it on the Internet.

"Don't you know my name yet? That's the only answer. Tell me, who are you, alone, yourself and nameless?" — Tom Bombadil in Tolkien's Lord of the Rings

"There are only two hard things in Computer Science: cache invalidation and naming things." — Phil Karlton

This is one of the true hard problems in modern end-user computing, and it comes up all the time. What do you do when you get a phone call like, "hi, this is Don with $MORTGAGE_COMPANY. For security validation, please tell me your address."

How do you provide a way for two people (entities) to get introduced to each other in a reliable way, without a trusted third party to make the introduction? And, beyond that, if you have to create an "account" with me to maintain that relationship, how do we make that happen safely (another questions is why those accounts are so uni-directional; why doesn't the bank need to create an account with you as well?)

Most of the solutions to this problem favor us giving our personal information away for free to big companies, in exchange for some benefit which may never come. There's been talk for ages of having some sort of identity layer for the Internet, but that raises its own privacy and anonymity concerns.

So, just like every other CTO, right?

But that would turn them into terrorists hackers, and we can't have that.

Keep that up and I'll have to go find my Shadowrun gear.

Apparently trolls make awesome cyber-warriors.

When we were kids, many of us received immunizations against a host of nasty diseases. The purpose of these vaccines was to expose our immune systems to "fake badness," so that when we were exposed "real badness," the immune system would be pre-primed to deal with it.

Phishing is a problem precisely because most of the email that your average (l)user gets and most of the sites they visit are legitimate, with no badness (of this type) involved. When you've never been exposed to phishing behavior, it's much easier to fall for a scam.

You can run all the "awareness" campaigns you want, but users tend to ignore that sort of stuff, thinking, "right, I get it, but I'm smarter than that."

We need to inoculate users to teach them to be wary. There should be more sites like this out there. Some geared toward credit card data, some geared toward username & password, and others yet for other forms of PII.

Once a user is brought up short a few times by information pages like you see after you hit submit, they will be more cautious on all sites.

It must be a slow news day for something so technical to show up as a news article. But then again, the article has all of the necessary alarmist features, so I guess they had to let it through.