Well thought-out thoughts between algorithm and applause

Ferry van Saalbach's blog about technology, society, moderation and AI.

A person looking at their smartphone in dismay, next to the text "Why mistrust is the new form of security"

Why mistrust is the new form of security

I have given many presentations on IT security. Recently, however, I myself became the victim of a perfidious attack. Here I tell the story, both to illustrate how important people are as the last bastion of security and to show how incredibly clever attackers are these days when it comes to generating trust.

A pretty perfect call

I was just at the airport, on my way to vacation, when my bank called me. The display showed the number of my bank's hotline, which I knew. At the other end, an employee greeted me, addressed me by my name and explained that there was suspicious activity on my account. A transfer of 3,000 euros to a Mr. Müller - did I order it? I said no. Then he talked about credit card transactions in Turkey and asked if I was currently there. Again: no.

He then said that my identity had probably been compromised. To be on the safe side, they would now have to "reset all authentication measures". He wanted to call me again at 3 pm. I should then have all my credit cards and my smartphone ready for multi-factor authentication. He also asked for my account number for verification. I gave it to him - although I already had a slight suspicion, I thought to myself: you can't do anything with the account number alone.

The moment when mistrust made the difference

Immediately after hanging up, I called the bank. And the bank confirmed that no call had come from there. However, they explained to me that this procedure was currently happening more frequently and that I should never confirm or release anything via the app. At the same time, they asked me to play along with the announced callback to see how the perpetrators were proceeding.

The call came at 3 pm sharp. The supposed employee asked if I was sitting in front of my computer and had my credit cards ready. I said yes. He then announced that an app release was required to reset the authentication devices, which he would now initiate and which I should confirm. I received the approval request immediately. And it seemed credible that I should confirm it to protect my identity.

But as I already knew that I was dealing with fraudsters here, I naturally did nothing, but claimed that nothing had arrived. He tried two more times. Then he said he would try another way if it didn't work that way. Then I received a text message with a confirmation code, which he asked me for. The reason given in the text message was: "Forgotten password". Of course, I didn't give him the code either, but told him that I had exposed him and that the police had already set up an interception system. That wasn't true, but I at least wanted to scare him a little.

What really happened

I then spoke to the bank again. They explained to me what had happened: the caller had tried to log into my online banking account using my account number. There, the account number (with an addition) forms the user name. He then clicked on "Forgot password", which triggered an authentication request on my smartphone and, if unsuccessful, the SMS code later. If I had confirmed this release, he would only have needed the CVV number of my credit card - then he would have had full access to my account, including the option to register his own devices as MFA. And I was already supposed to have this ready.

My access would have been completely transferred to him. That was exactly his goal.

Man as the last firewall

I am delighted that I immediately became suspicious and contacted the bank. At the same time, I am shocked at how credible, planned and professional this attack was. I can very well imagine that many people in a situation like this gain confidence - and lose everything as a result.

That is why it is so important that we talk about security. About concepts such as Zero Trust. But also about people as a decisive factor in any security concept.

Because the threat is real - and it is becoming ever more sophisticated.
And sometimes the only thing that protects us is not a password, but a moment of mistrust.

Why I tell such stories

This is precisely why I always talk about this point in my presentations and keynotes: that technology is only as secure as the people who use it.

Because security often doesn't start with an update. It starts with awareness.

An image showing the Steine im Rucksack website, next to the text "How AI became the co-architect of a new website"

How AI became the co-architect of a new website

AI can do a lot these days. If you use it correctly. Over the last few weeks, I have created a completely new website together with ChatGPT. Conceived, structured, designed, technically implemented and SEO-optimized. And invented a self-test that could help people to find initial offers of help directly and accurately via AI in mental health crises in the future. Honestly, I'm thrilled. But none of this came about because I sent a single super prompt and then a finished website popped out, but because I tinkered with it over and over again for hours, days and weeks. Again and again I sat there with ChatGPT as if with a hard-working and incredibly competent employee, contributing, discussing and refining my ideas and getting help where I needed it.

From the idea to the self-test

Incidentally, the decisive impulse came from the AI itself. At least somehow. At some point, I just sat down and asked ChatGPT if it could develop a
