Businesses inviting trouble on the internet

Maybe you’ve had the following happen.

Your bank sends you a monthly statement with your full name, including middle initial, visible through the cellophane window.

At your local food club, they hand you a brochure about their internet site, and then say you’ll get your password in an email. If you’re like most people, you then expect them to send other information through email.

If you go to a pay phone, put a handkerchief over it, and phone your recruiter, you can tell them you’re 7-11 and you’re hiring programmers, ask “can you get some background on your-name-here?” and get actual information, including an address.

A friend once told me that the problem with humanity is a technological society in which we still have stone-age minds. I think he was being cynical, but the point is that we’re overwhelmed with data.

Businesses shouldn’t expect us to learn a new process for each business. Yes, it’s the bank, but we have fifty or so businesses equally important to our daily existence. If each one has its own username, password, web site, and worse, procedure and separate security rules, we don’t have a chance of remembering them all.

And if we do, we’ll be losing out on other more interesting things to do with our time.

Businesses need to wake up to the new reality. People are busy and overloaded. They need to make their web interfaces standard, secure, and moron-simple, because even if we’re not morons we’re probably on the phone, thinking about something happening at work, and consoling a bored child as we use that ATM.

If you want people not to get hacked, phished, and ID-thieved, you need to hide their data. You need to standardize your process. You need to test every script on your website for overflows, injections, and cross-context variables. You also need to test the browser technologies that can hijack people’s data.

But most of all, you need to communicate about security, because only when people are aware of the process and know all of its steps can they spot something that’s out of line.
