I think most people waaay underestimate the risk of reusing passwords. I don’t know if that’s what happened here, but in the security incidents I’ve seen there will often be the initial “No, I only use this password for banking!” and then “well… it’s just for my important accounts.” I’ve also seen the misconception that a complex password means it’s ok to reuse it.
The other thing I’ve seen is people just mashing “agree,” “ok,” “yes,” or any kind of prompt. This probably isn’t what happened here, but with device-based 2FA, like when Google sends you an “Allow device?” message, it’s pretty easy for someone to just mash “Allow” so they can get back to whatever it was they’re doing.
I don’t want to come off as victim-blaming, or as overly sympathetic to a big bank, but at some point I think it’s fair to expect individuals to have their own shit in order. I think a reasonable step towards this is that consumers should start demanding safer devices and software.