I agree, the biggest problem with online security is that few use or even know about better ways to do business.
There are many ways to set up secure communications between users and it is only a little effort to make it more difficult for the criminals to use the links.
Unfortunately, most people will not bother until they have been victims, but by then it is too late.
Just my opinion.
I'm in favor of multi-factor identification but would prefer something that did NOT require me to give Facebook, Google or Yahoo my mobile number. I only give that number to a small select group that I can trust not to spread it to the world.
Bleeding edge security is in a continuous arms race with social engineers and hackers. If the social engineering is convincing enough, even digital security code cards can be defeated. Finally, we're going to need to develop better means for authentication of the "customer support representatives" (CSR) as well. Even routine calls for telephone or Internet service require the customer to reveal private information to confirm ownership of the account. How do we know the CSR is really legitimate .. or has the phone line been rerouted?
One of the big challenges is that often, legitimate businesses look exactly like scam businesses. The scammers copy legitimate businesses. The security experts tell users what not to do, then the legitimate businesses do exactly what the security experts tell us not to do.
Case in point, credit cards. On the one hand, their fraud detection is pretty amazing. I've had a credit card company send a voice call, text message and email all within minutes of some scam-worthy activity. That's great. What's not so great is that they immediately pepper you with personal questions of the sort that a scammer would be asking.
In that case, the second level of security is to not answer any of their incoming correspondence and make an outbound call to the number on the back of the credit card.
A phantom third level of security is the laws and policies that limit a card owner's liability in the event of theft, but that's pretty much plugging the wrong side of the dike.
Credit & debit card fraud detection departments at banks can take this paranoia too far at times. I recently had a card voided and a new one reissued after the bank said a store where I had recently used the card had a network security breach and my card number may or may not have been taken, although there were no suspicious transactions.
I appreciate that the bank doesn't want the liability of reimbursement if there were some fraudulent use, but preemptively cancelling cards that may or may not have been compromised seems a bit ridiculous. It's costly for the bank and a huge pain for the consumer who has multiple automatic payments attached to that card number. To add insult to injury, it can take up to 10 business days for the new card to arrive, and this kind of thing seems to happen several times a year.
Call rerouting and CSR legitimacy may be a concern. With the current PSTN, I would not be worried too much. However, re-routing and spoofing of VoIP calls may be a challenge to security experts. I can't imagine what hackers can do if they hack into an SDN network.
Cyber security is a real worry nowadays; with every passing day more and more people and organizations are affected by cyber criminals. Laws for cyber crimes are very strict for them. It's time to bring some public awareness programs to protect people from identity stealing and other financial crimes. Whatever government and agencies do will not work because the public is not aware of how they can protect themselves.