Maybe security designers need to live with human nature

OK, so people generally reveal too much about themselves.  They tend to be more trusting than security advisers would like them to be.  So, where to next?

Some will view this video with alarm and will conclude that the huge investment in public awareness hasn't been enough.  Perhaps they will advocate even more training and education.

But others might conclude that maybe we've been pushing hard enough against basic human nature.  Maybe getting people to change their instincts and fundamental behaviours is a fool's errand? 

It really wouldn't matter that people gave up their name, DOB and e-mail address if these little ID molecules were useless to criminals.  I know it's not a fashionable view, but let's face it: what we have in security really is a technology problem!  It's absolutely nuts that my name and DOB can be used by someone who is not me in order to gain access to my digital property. 

And please, let's not forget that the majority of stolen IDs are now lifted en masse from backend databases.  So the behaviours of individuals online is less and less relevant to the broader fight against ID crime.

It's actually quite straightforward technologically to render ID data non-replayable.  All we have to do is digitally sign our transactions and communications.  All the requisite asymmetric cryptographic building blocks are built into the standard PC and e-commerce technology stacks. The smartcards, SIMs, smart phones and so on needed to carry individuals' keys are getting ubiquitous.

The Internet is full of paradoxes.  It's not at all like the real world.  We welcome and prize its unreality, yet at the same time, we seem to expect Internet users to embody even greater levels of caution and incredulity than they do in the physical world.  The moral of the vox pop seems to be little more than "Don't talk to strangers".  Sorry, but I think we need a more sophisticated way forward to secure the digital world.  If most people are innately trusting, then we must stop relying on training them, against their human natures, as the primary weapon against cyber crime.

Stephen Wilson, Lockstep.