Stop Trying to Fix the User

Security Design: Stop Trying to Fix the User by Bruce Schneier (schneier.com)
We must stop trying to fix the user to achieve security. We'll never get there, and research toward those goals just obscures the real problems. Usable security does not mean "getting people to do what we want." It means creating security that works, given (or despite) what people do. It means security solutions that deliver on users' security goals without­ -- as the 19th-century Dutch cryptographer Auguste Kerckhoffs aptly put it­ -- "stress of mind, or knowledge of a long series of rules."
Old (by Internet standards) but still relevant.

Phone Phish

Voice Phishing Scams Are Getting More Clever by Brian Krebs (krebsonsecurity.com)
Fraudsters can use a variety of open-source and free tools to fake or “spoof” the number displayed as the caller ID, lending legitimacy to phone phishing schemes. Often, just sprinkling in a little foreknowledge of the target’s personal details — SSNs, dates of birth, addresses and other information that can be purchased for a nominal fee from any one of several underground sites that sell such data — adds enough detail to the call to make it seem legitimate.
I’ve also seen some very convincing email phishing in the last few weeks with spoofed email headers. It’s made it challenging for my email spam filter to weed out the fakes. I think the best I can do at this point is to never trust these phone calls or email even if it seems to be coming from legitimate sources. It is best to visit the website of the bank or call the numbers on the back of the card. The risk are too high.
Link posted to: