You've taken exactly the wrong lesson from this. It actually reminds me of the Southall Rail Crash. What we actually did after Southall was mandate Automatic Warning System for passenger trains. Faulty AWS? Train can't enter passenger service. Driver isn't paying attention? AWS brakes the train to a full stop. But what the unions wanted instead was to add more drivers. Sure, the unionised driver was inattentive, but if we have two, or three drivers in each train that'll be mitigated. Your reasoning is like theirs: "Let's do the thing that failed even more until it works".
Security based on the automation works really well. How well? Google drove phishing of its employees to zero. Not just technical employees like my friends, but random sales people and other non-tech roles, because they were mandated to use Google's security that relies on automation and not a vague human judgement. They don't need to know why it's safer, they don't need to pay attention in a class, the automation doesn't care why they aren't supposed to give their Google credentials to "Oogle" or "Goggle" or "Gøøgle" it's just designed to not work when things don't match.
I'm not a Google employee, I'm just a user, let's walk through what happens to see how automation saves us every single time, resolutely and without fail.
I visit google.com which is really Google and I sign in. I am prompted to press the button on my Security Key (a physical object). Since I'm at google.com the Key will present credentials for google.com proving I've still got that key to google.com
Later I am fooled (maybe by a malicious ad) into visiting a site that is not google.com but I think it is, my adversary is very sophisticated and resourceful. The site looks 100% the same as the real one, but of course this is not google.com. It might be anything else except google.com, but for the sake of clarity let's say it's crooks.example
I try to sign in. The crooks have two options:
1. They claim to be google.com, which they aren't, the automation rejects this and they get an error, if they like they can present me with the error, but neither of us can do anything with it except say "Huh, that's an error".
2. They admit they are crooks.example, which is true. The Key happily gives them credentials for crooks.example, because that's who they are. But these credentials are useless for attacking my Google account, why did they bother getting them?
Notice there's no human judgement involved. This system is equally happy to present credentials to nazi-scumbags.example or cat-videos.example. But what it refuses to do is give the nazi-scumbags.example credentials to cat-videos.example or vice versa no matter how much the user is convinced it's fine. There's no "Are you sure?" dialog, there is no "Press OK to proceed" step, it just does not work.
An insistence that we should just add more humans, like at Southall, is simply motivated reasoning, and has no basis in the observed facts. Automation works. You should resort to human judgement when automation isn't an option, it should never be your first choice.
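Added example, not part of either comment: a toy Python model of the sign-in walk-through above, showing the genuine visit and the two options open to crooks.example. The class and function names are hypothetical, an HMAC over a per-site secret stands in for the key's real per-site signature key pair, and the host check is a simplified version of the browser's rule.

```python
import hashlib, hmac, json, os
from urllib.parse import urlsplit

def _mac(secret, rp_id, client_data):
    # HMAC stands in for the key's per-site signature (assumption: stdlib only).
    msg = hashlib.sha256(rp_id.encode()).digest() + hashlib.sha256(client_data).digest()
    return hmac.new(secret, msg, hashlib.sha256).digest()

class SecurityKey:
    """Toy security key: one unrelated secret per site identity (RP ID)."""
    def __init__(self):
        self._secrets = {}

    def credential_for(self, rp_id):
        # Any site can get a credential, but only one scoped to its own RP ID.
        return self._secrets.setdefault(rp_id, os.urandom(32))

    def sign(self, rp_id, client_data):
        return _mac(self.credential_for(rp_id), rp_id, client_data)

def browser_sign_in(key, page_url, claimed_rp_id, challenge):
    """The browser, not the user, compares the claimed identity to the real host."""
    host = urlsplit(page_url).hostname
    if host != claimed_rp_id and not host.endswith("." + claimed_rp_id):
        raise PermissionError(f"{host} may not claim to be {claimed_rp_id}")
    client_data = json.dumps({"origin": "https://" + host,
                              "challenge": challenge.hex()}).encode()
    return client_data, key.sign(claimed_rp_id, client_data)

def google_verifies(registered, challenge, client_data, signature):
    data = json.loads(client_data)
    return (data["origin"] == "https://google.com"
            and data["challenge"] == challenge.hex()
            and hmac.compare_digest(_mac(registered, "google.com", client_data), signature))

def run_scenarios():
    key = SecurityKey()
    registered = key.credential_for("google.com")   # enrolment at the real site
    challenge = os.urandom(16)                      # same challenge reused in all three cases
    out = {}
    out["genuine"] = google_verifies(registered, challenge,
        *browser_sign_in(key, "https://google.com/signin", "google.com", challenge))
    try:                                            # option 1: claim to be google.com
        browser_sign_in(key, "https://crooks.example/signin", "google.com", challenge)
        out["option 1"] = "signed"
    except PermissionError:
        out["option 1"] = "error"
    out["option 2"] = google_verifies(registered, challenge,   # option 2: use the real name
        *browser_sign_in(key, "https://crooks.example/signin", "crooks.example", challenge))
    return out

if __name__ == "__main__":
    print(run_scenarios())
```

In this model a lookalike host such as google.com.crooks.example fails the same check, because the comparison is made on the host the browser actually connected to and not on how the page looks.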
> Security based on the automation works really well. How well? Google drove phishing of its employees to zero.
It's funny Google solved the problem so well for itself, despite its utter inability to do it for others. The challenge is preventing phishing of Google employees is a single domain problem. Google knows everything about Google.
But Google woefully fails to have a solution that even starts to work for consumer Gmail or other companies they export their services to. My Gmail account got a phishing email today from Google Forms about a transaction. Google didn't understand it was spam, it came straight from Google, but it was definitely a scam.
Another great example is Google Voice, the source of 9 out of every 10 spam calls I receive. I could write a single line filter that would block all of the spam calls: I'd block all calls from my Google Voice number's own area code (which is different from my own real area code). But Google doesn't give me the tools to do that, it uses its own automated system, fails spectacularly, and my spam calls continue. Automation has failed because one competent human wasn't allowed or empowered to act.
Automation can get things right 95% of the time, but will never understand the other 5%. And the big problem is, Google refuses to adopt human judgment: It insists automation is good enough, and rarely allows you to reach a human at all, even in an appeals process. When Google's automation decides to cut you out of their system, when it fails to judge correctly, you're just gone, often with no recourse.