Social engineering as a problem goes away when anybody can get a model to do it for them for $5. It stops being possible, it's really the bank's problem when they can't have a minimum wage call center or a robot responsible for people's data.

>Here's my big fear: Even IF (and that's a BIG if) we get all critical vulnerabilities fixed in tech (before adversarial/state-actors turn up with open attack models) - we still have (in at least a year) models that will be so good in social engineering that they can still (given enough tokens) gain access to whatever system they want.

I was working at the fruit company when they just hard stopped people from recovering their fruitcloud accounts via phone support due to social engineering.

Social Engineering risk just increases the burden on the consumer/internal support services. The risk is that not everyone has pulled up stumps to protect these services. After a few high profile fuck ups they will. The herd loses 2 beasts and the rest wander away from that water hole.

Its much like how after bitlocker we dont have user access to backup server disks anymore. The lesson was learned and we moved on. Lots of high profile fuckups but we dont get those anymore. CTO's were forced, basically at gunpoint, to adapt or die.

If things really get that bad then everything will require FIDO keys or push authorization using a phone app and possibly a initial registration code sent to a physical address. This is how Epic MyChart works.

The government should be in charge of ID Provider infrastructure and has local offices (postal) that can establish physical identity (and already do for people who need to travel abroad), but the religiously affiliated NWO conspiracy theorists have made this politically infeasible in the US, so we have unsavory private sector providers like World ID stepping in.

A lot of social engineering attacks die the second you have domain bound 2FA. Not everything, but a lot.

But the idea that we'll squash all of the critical vulns is simply nonsense, despite the weird Firefox blog posts that indicate otherwise.