
Security theater. I had a situation where I had to buy something online from a company in Europe (owl4thunderbird). I placed the charge, and right after I got a text telling me to call a # for a possible fraud alert.

That's a big red flag there. So I try and find the phone # of the fraud dept of Citi, because anyone can send a text message. Turns out I can't find it anywhere on the official Citi site. So I finally give up and call the phone #; before they could go further they asked me to confirm a 2FA code they would text to me. At that point I noped out and decided if it was a real problem I'd find out about it another way.

The problem is I now know how easy it is to break into any Citi account: just send them a text with a # and pretend to be the bank. The worst part is every, every, every message I get that is actually being secure always says "You will never be asked for this code," and every time they ask for it.

It is security theater of the worst degree by incompetents and MBAs and I am getting sick of it.



Side note: if unexpectedly getting a new card, call the support number on your old card. A friend of mine almost got taken about 15 years ago by a scam where someone got his address and bank name, then sent him a fake credit card from that bank with a letter saying something like fraud had been detected and they were sending him a replacement card. When he called the number on the new card's activation sticker, something seemed off and he balked when they asked for his SSN. He called the support number from his old credit card and confirmed that he had in fact not been sent a new credit card by them!

Hopefully we can at some point stop treating an SSN as a universal password that can never be changed. At least mother's maiden name stopped being a universal security question.


Whoah, that's a pretty smart attack.


Somebody physically manufactured a fake new card and mailing envelope that was close enough to pass scrutiny and in-person physical inspection, and sent it to him by US mail, for the purpose of getting the person to call the 1-800 number on the sticker and give the scammers his SSN and other details?


He was the CTO of a reasonably large hedge fund at the time, so it's reasonable to think he was the target of a spear phishing attack. If you don't need the magnetic strip to actually be magnetic, I don't think making a fake credit card is much different from making a fake ID.

Though I suppose it's possible he was telling me a tall tale, he's generally trustworthy.

The two additional explanations would be that he was confused about what was going on, or that there was genuinely a mixup at his bank. If he was confused about what was going on, it would seem that he would have needed to have gotten a card that he didn't remember applying for, and been confused about which bank issued it. The spear phishing and mixup at his bank both sound like million-to-one odds to me.

So now, re-evaluating things based on what I've learned about banks in the past 15 years, maybe his bank grew organically by acquiring several other banks, and has incomplete consolidation internally. Maybe he requested a card from one subsidiary of the bank, forgot about it, and called another subsidiary of the bank (the one that gave him his first card), which had no idea what was going on. The internal structures of large banks are much more disjoint than I realized 15 years ago.


>It is security theater of the worst degree by incompetents and MBAs and I am getting sick of it.

It's security theater giving people exactly what they want. People want to feel secure, but they don't want any amount of actual difficulty in getting what they want from Company A.

Like it or lump it, but regular people really don't want actual security. They want the ease and convenience of no passwords at all, and want someone to blame in case something goes wrong.


>They want the ease and convenience of no passwords at all,

That's not what I see. I see people looking for inconvenience. Expiring passwords. Password requirements, so you have to write your passwords down (you will change it soon anyway). "Security" questions. Lock screens, session limits. 2FA-SMS. That horrible and insecure Microsoft 2FA that was on the front page yesterday. IP-geolocation voodoo so you can't log in from a different ISP/cellular/your parents' place on this supposedly worldwide internet. It's not like these things happen on their own.

Computer-illiterate people think that these inconveniences bring them security.


Of course people want security, how can you say otherwise? What you seem to be talking around is that security researchers have been unable to figure out simpler forms of maintaining a true sense of security, simpler forms of reliability. There is no survey where people say they don't want these things, and if you're relying on the sales figures for Yubi keys or something, that's not a good indicator.

And of course people don't want difficulty! That's why we don't hand-crank to start our cars anymore. Blaming people for wanting faster horses[1] is a convoluted anti-intellectualism where the experts who actually know what's possible are let off the hook. All in all, if you ask me this should be a locus of UI/UX research.

1. https://hbr.org/2011/08/henry-ford-never-said-the-fast


You're absolutely right. People do unquestionably want security! They want privacy too!

The issue that the parent is alluding to is that the same users who want these things seem unwilling to make decisions or change behavior to get that security or privacy. Those of us working with security and privacy often wind up with the sense that users want them, but also that users expect them to be automatic and perfect and free. This starts with the computer-illiterate user who finds passwords confusing and goes all the way to developers who find it irritating to be forced to update the libs in their docker images.

Are there better ways? I sure hope so. So far we don't have simpler forms of maintaining true security or simpler forms of reliability. We just have cheaper ways of maintaining a sense of security - and that's theater.

I don't blame people for wanting faster horses. We don't have them on offer though, so in the meantime it might be nice if they were willing to consider what's available.


> always says "You will never be asked for this code" and everytime they ask for it.

Yes, but the real meaning behind that phrase is "You will only be asked for this code by pages served by our domain name or a native app we published." It's unfortunate brevity.


Sorry, the exact message is something like "you will never be asked for this by a real employee."


Oh I didn't mean to suggest the brevity was your doing. I've seen it the short way first-hand, but yes, more typically it's pretty decent, as you've clarified.


Maybe it would be better to send a link. Then it can't be sent to the wrong domain.

Of course you then need to educate people that they shouldn't trust the domain they land on and should always immediately close the tab. Even if that tab says "Warning: you have a fraud alert on your account. Click here to check your recent transactions."


Unfortunately, there are all sorts of ways to phish links. https://en.wikipedia.org/wiki/Phishing#Link_manipulation

The link may look similar or even appear identical, and still be under control of the scammer.

Similar to just not trusting incoming phone calls, you can't really trust incoming links via standard email, without some definitive way of validating the sender.

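As an added, defensive illustration of the point above (this is not code from the thread or from any bank), here is a small Python classifier that judges an inbound link by its actual hostname rather than its appearance, applying the checks the linked Wikipedia section describes: a trusted name used as a subdomain of another domain, a trusted name placed before an `@` in the userinfo part, bare IP addresses, internationalised (homoglyph) hostnames, and near-miss spellings. The allowlist `TRUSTED_DOMAINS`, the sample URLs, and the two-label "registrable domain" rule are constructed assumptions for the example.

```python
"""Classify an inbound link against a bank's known domains.

Added, hypothetical example: the allowlist and sample URLs are constructed
for illustration and do not describe any real institution.
"""
from __future__ import annotations

import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist; stands in for whatever registrable domains the
# institution actually serves its login and fraud-alert pages from.
TRUSTED_DOMAINS = {"example-bank.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Simplification: ignores multi-label
    public suffixes such as co.uk, which a real checker would look up."""
    return ".".join(host.split(".")[-2:])


def classify_link(url: str) -> tuple[str, str]:
    """Return ("trusted" | "untrusted" | "lookalike", reason) for one URL."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return "untrusted", "not https"
    # .hostname is lowercased and has userinfo ("example-bank.com@") and port removed,
    # so a trusted name placed before an "@" does not influence the verdict.
    host = parts.hostname
    if not host:
        return "untrusted", "no hostname"
    try:
        ipaddress.ip_address(host)
        return "untrusted", "bare IP address"
    except ValueError:
        pass
    if not host.isascii() or any(lbl.startswith("xn--") for lbl in host.split(".")):
        return "lookalike", "internationalised hostname (possible homoglyph)"
    for trusted in TRUSTED_DOMAINS:
        if host == trusted or host.endswith("." + trusted):
            return "trusted", f"served under {trusted}"
    reg = registrable_domain(host)
    for trusted in TRUSTED_DOMAINS:
        # "example-bank.com.evil.net": the trusted name is only a subdomain label.
        if host.startswith(trusted + ".") or ("." + trusted + ".") in host:
            return "lookalike", f"{trusted} used as a subdomain of {reg}"
        if edit_distance(reg, trusted) <= 2:
            return "lookalike", f"{reg} resembles {trusted}"
    return "untrusted", f"{host} is not a known domain"


if __name__ == "__main__":
    # Constructed sample links, as a message filter might see them.
    for sample in (
        "https://login.example-bank.com/fraud-alert",
        "https://example-bank.com.evil.net/fraud-alert",
        "https://example-bank.com@evil.net/fraud-alert",
        "https://examp1e-bank.com/fraud-alert",
        "https://ex\u00e4mple-bank.com/fraud-alert",
        "http://example-bank.com/fraud-alert",
        "https://192.0.2.1/fraud-alert",
    ):
        verdict, reason = classify_link(sample)
        print(f"{verdict:10} {reason:45} {sample}")
```

The classifier deliberately returns "lookalike" as a distinct verdict so that a mail or SMS filter can treat near-misses differently from merely unknown domains: a near-miss of the bank's own name is a stronger phishing signal than a random unrelated host.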

Hell, I wish there were some zero-knowledge proof protocol that can be performed with a pen and paper over a phone call. You know, like Dining Cryptographers or the Solitaire cipher. Maybe there is something, but I'm not a cryptographer and not aware of it.

Though, of course, it's completely unrealistic to expect that some bank person would agree to do some weirdo math tricks with SSN numbers :)


Isn't there a phone # printed on your credit card?


Only the customer support number, not the fraud number specifically, and at the time I didn't have the time nor patience to navigate through a thousand-mile phone tree and wait on hold for 8 hours.



