Hacker News

AnthonyMouse, yesterday at 6:08 AM (2 replies)

> You could gate the functionality behind verification of an anti-scam awareness and education training and certification course, scammers would coach people through the entire course and the verification step, and people would still be victimized.

The problem with this line of reasoning is that it proves too much, which really gets to the heart of the issue.

If people are willing to be led to the slaughterhouse in a blindfold then it's not just installing third party code which is a problem. You can't allow them to use the official bank app on an approved device to transfer money because a scammer could convince them to do it (and then string them along until the dispute window is closed). You can't allow them to read their own email or SMS or they'll give the scammer the code. If the user is willing to follow malicious instructions then the attacker doesn't need the device to be running malicious code. Those users can't be saved by the thing that purportedly exists only to save them.

Whereas if you can expect them to think for two seconds before doing something, what's wrong with letting them make their own choices about what to install?


Replies

skandinaff, yesterday at 11:45 AM

To add a sad example, the mother of an acquaintance of mine got scammed into withdrawing all her money from an ATM, gave it to the scammer, then sold her car and apartment (!) and only then became aware of what was happening. And even though she is a senior (early 60s), she worked her whole life in a senior engineering role (not IT related). The point is, social engineering is, and will be, the primary tool of scammers, as it has been for the entirety of humanity. And no amount of tools and locks will prevent this. To take the argument further: we know that lock-picking exists, and can be very effective, yet we're not rolling out bigger and more complex door locks every year, or mandating that people have 15 doors with 10 locks each; we just acknowledge that this tech is not perfect, but good enough. So clearly, the incentive for all these changes can't be "security"; it's just plain stupid.

bonoboTP, yesterday at 8:30 AM

Exactly. They might give them their Gmail password, the 2FA code, their credit card number and CVC, etc.