A few days ago my wife was social-engineered into entering her PayPal password in an untrusted site. A few hours later they took some hundreds of euros out of a bank card. (Luckily we managed to reverse most of the transactions.)
It would be easy to blame my wife. She did something very stupid, and I’ve told her in the recent past that PayPal is a bank, and that she must treat her PayPal password with the same care she treats her bank card’s PIN.
But blaming doesn’t really solve any problem. My wife isn’t stupid. She was tired and overwhelmed, and the scam was brilliant. It could happen to anyone. “Maybe not to me, because I’m a computer professional,” I thought. And then I remembered Pierre-Cédric Bonin.
Pierre-Cédric was an aircraft pilot. On 1 June 2009, he did something incredibly stupid, which resulted in crashing Air France Flight 447. It appears he panicked. He acted irrationally for a good four minutes, continuously pulling the plane’s control stick backwards while the plane plunged from the sky to the Atlantic. When his co-pilot (and superior) attempted to fly the plane instead, Pierre-Cédric continued pulling his own side-stick without realizing what was going on.
So there you have it. A professional pilot did something incredibly stupid with a plane’s controls. If that can happen, then a computer professional can just as easily do something incredibly stupid with a password or any other information security matter.
So, as always, it isn’t about whether my wife or Pierre-Cédric behaved stupidly. It’s about designing processes that ensure that when people behave stupidly, the damage is minimized.