> Each of these accounts is associated with a different stolen identity, but all email from these services are received by the same Gmail account. Thus, the group is able to centralize and organize their fraudulent activity around a small set of email accounts, thereby increasing productivity and making it easier to continue their fraudulent behavior.
I'm sure there are creative & compelling uses of Gmail dot addresses to commit fraud out there, but this one barely counts as fraud. I'm not sure what the point of the article is.
The fraudster indeed could just forward the netflix mail using their own mail server. This is just standard phishing (when you log in to netflix, wouldn't you notice it's not your account?)
If you use a disposable email, I guess you should consider the account disposable too?
If you have catch-all service forwarding your email, you as a technically minded person made that choice for your domain and you have to consider the consequences and risks.
Gmail has made this a default for everyone, including 99.999999% of its users who does not know scammers can automatically create aliases for them, so that the 0.0000001% which uses this feature doesn’t have to tick a checkbox first, or pre-register their aliases.
Completely irresponsible and a world of difference.
Fraudsters are taking advantage of email aliases to get other people to pay for someone else's account.
Example:
1) Fraudster create an account and put in a bogus card number.
2) Fraudster changes account email address to joe.smith@gmail.com. joesmith@gmail.com already exists in Netflix's DB - but joe.smith@gmail.com does not, so Netflix is ok with this.
3) Netflix emails joe.smith@gmail.com and says "hey your card is bad, please update it" by clicking here.
4) The real joesmith@gmail.com receives the email, clicks the link and is taken directly to a "update your card screen" and types in their credit card information.
5) Fraudster has their Netflix account paid for by the real Joe Smith.
Granted, Netflix could fix this by requiring a login before updating billing details. But the dot aliases in Gmail are a part of the scam.
Yeah, the other link(1) is more interesting. That's still not exactly a world shattering level of fraud though. Unless they subscribe to the 4k package, then we're getting unreasonable.
If Gmail sends emails for first.last@gmail.com to firstlast@gmail.com, then I would hope Gmail wouldn't allow another account to be made with f.irstlast@gmail.com or fi.rstla.st@gmail.com or any other permutation of the dots (or lack of).
They don’t allow it. The user is at fault for validating their email address.
Also Netflix gets partial responsibility for accepting email validation via a different browser session. Unfortunately it’s either that or have people constantly complain they can’t validate their emails from their phone yet browse on a different device.
Middle ground may be IP address check so if you’re on the same WiFi it’ll work. Of course IPv6 kills that.
It's more an issue of gmail not appropiately informing their users of the extra addresses that correspond to their inbox, it's not an intrinsic vulnerability of the feature, and it's not an issue of Netflix, or any other third party.
A few years ago I noticed an uptick in services sending out "magic links" that take you direct to their service, already signed in. I've always thought there has to be some sort of vulnerability in that, perhaps this is it?
The fact that netflix lets you create an account without verifying you actually own the email address they are sending the token to is the real bug.
Besides, even without a magic link, they could still phish you into clicking a link to a malicious page that performed a login-csrf which would have the same effect.
Given standard password flows include email-based password reset, there's really no difference in security; either way, if someone owns your email, you're screwed. TFA does help mitigate this though.
Netflix can also solve this on their end by sanitizing gmail addresses before saving them, stripping all dots and discarding everything after the plus sign from the account name.
Any attempt to submit additional gmail "dot addresses" would result in a violation of primary key constraint.
Because that was a known feature since 2008 that helps making aliases on the fly. For example, you register on SomeForum as myemail+someforum@gmail.com, and if you ever receive spam on that address, you know it was SomeForum who sold email lists. This was a good thing when email lists were being sold without regulations.
So every website everywhere on the internet which has anything to do with email will have to consider each and every hack which every email provider has done which deviates from Internet email standards, ever, before sending an email or registering an account or anything... or else the website is at fault if these standards-violations leads to security issues?
Fuck that shit!
Oh... We should only give Google and Gmail a free pass because they’re big?
No, fuck that too. That’s not how internet standards and internet emailing works.
It’s level playing field because everyone plays by the rules, and when you cause fuck-ups like this, it’s entirely on your base.
Gmail is the one who needs fixing, not everyone else.
I don’t see how this very pleasant user friendly feature of Gmail is an issue. IIRC, email addresses are not even case insensitive. So foo@example.com isn’t necessarily FOO@example.com.
Websites should be validating email addresses by sending them an email with an (expiring quickly) link and having the user act upon it. Short of that there’s no way for you to know that a user controls a given address.
I’m clearly biased working in tech but from my anecdata the gmail “address hacks” are used by significantly more than 0.00000001% of the population. And not just because that’s 1 out 10 billion people.
Regardless that’s no excuse for shitty software and websites that don’t follow standards. Literally anything before the @ sign is fair game to be interpreted by the email server as it sees fit. That include emojis, case sensitive names, and most punctuation.
Assuming email addresses are unique because the text is unique is simply wrong.
The fault is shared between Gmail having dot addresses/plus aliases (barely known unless you see an article on it) and web developers, especially those at Netflix, not looking into how these services handle their email. It would be nice to know everyone followed the RFC, but our reality is far from that.
This isn't just Gmail - outlook also has "plus aliases", and unless the web developer handles these you can simply sign up with "johnsmith+netflix@hotmail.com" and perform the same attack.
> Thus, the group is able to centralize and organize their fraudulent activity around a small set of email accounts, thereby increasing productivity and making it easier to continue their fraudulent behavior.
How were Gmail's dot-addresses a central feature of this fraud? It looks like it just made it a tiny bit more convenient. And regarding the Netflix example, why isn't it 100% on them for not verifying email addresses?
I agree, it implies they were using the . as a means to generate new emails vs the . actually playing a pivotal role in a specific compromise. I've actually used the . and + feature for years to manage different accounts.
An email address should not be treated as some kind of closed-world constraining identifier, but purely as an open-world point of contact. The suggestion seems to be that businesses should view Gmail addresses with dots as a sign of "abuse", presumably how the same broken philosophy views Mailinator addresses. In reality if you're concerned about either of these, you're doing something wrong.
Schneier should know better than to give credence to this snake oiled tripe.
What other vanity email providers besides Gmail implement "dot addresses" or similar systems for their email addresses?
Update: The table on this wikipedia page provides a list under the "Address Modifiers" column. Curiously, it doesn't mention dot addresses for Gmail, only plus addressing.
What a dumb article. Whoever considers email addresses to be identities is an idiot, they are not, they are simply a contact address, and obviously you can have as many of those as you want. If your software can't deal with this fact, your software is broken.
This is a non-issue, I'm surprised it's on front page. If you can defraud companies just by making email aliases, what's stopping those hardened criminals from just registering new addresses?
Companies have had procedures for dealing with duplicate addresses/telephones/email addresses since forever, and if they don't, it's a fault of their business model.
I was convinced someone was trying to perpetrate fraud against me using my gmail address w/o the dots. I just didn't understand how. I continuously got (and still get) emails from Amazon about app purchases (all free) because someone has created an account using my gmail address minus the dots. I have called Amazon 3 times and each time they have either removed my address from the other person's account, or deactivated the account (or so they said).
And then I finally got an email from someone, the alleged fraudster? Asking me to stop using their email address......
This is a poorly sourced article. Where does this metric come from?
> Submit 48 credit card applications at four US-based financial institutions, resulting in the approval of at least $65,000 in fraudulent credit
How does one even open a line of credit with just an email address?
48 comments
[ 3.0 ms ] story [ 98.8 ms ] threadI'm sure there are creative & compelling uses of Gmail dot addresses to commit fraud out there, but this one barely counts as fraud. I'm not sure what the point of the article is.
If you have catch-all service forwarding your email, you as a technically minded person made that choice for your domain and you have to consider the consequences and risks.
Gmail has made this a default for everyone, including 99.999999% of its users who does not know scammers can automatically create aliases for them, so that the 0.0000001% which uses this feature doesn’t have to tick a checkbox first, or pre-register their aliases.
Completely irresponsible and a world of difference.
Example:
1) Fraudster create an account and put in a bogus card number.
2) Fraudster changes account email address to joe.smith@gmail.com. joesmith@gmail.com already exists in Netflix's DB - but joe.smith@gmail.com does not, so Netflix is ok with this.
3) Netflix emails joe.smith@gmail.com and says "hey your card is bad, please update it" by clicking here.
4) The real joesmith@gmail.com receives the email, clicks the link and is taken directly to a "update your card screen" and types in their credit card information.
5) Fraudster has their Netflix account paid for by the real Joe Smith.
Granted, Netflix could fix this by requiring a login before updating billing details. But the dot aliases in Gmail are a part of the scam.
1) https://jameshfisher.com/2018/04/07/the-dots-do-matter-how-t...
Rule #1 of security: trust nothing from the client!
Also Netflix gets partial responsibility for accepting email validation via a different browser session. Unfortunately it’s either that or have people constantly complain they can’t validate their emails from their phone yet browse on a different device.
Middle ground may be IP address check so if you’re on the same WiFi it’ll work. Of course IPv6 kills that.
If the user clicks a link in the email they won’t be able to log in to that account to confirm the change.
If the user navigates to Netflix themselves they won’t have anything to confirm in their own account.
Besides, even without a magic link, they could still phish you into clicking a link to a malicious page that performed a login-csrf which would have the same effect.
Given standard password flows include email-based password reset, there's really no difference in security; either way, if someone owns your email, you're screwed. TFA does help mitigate this though.
It might be better to look at solutions that actually fix the underlying issue - like requiring a login.
Imagine what would happen if we let this kinda sloppiness play loose on DNS instead. Terrifying, right?
So why do we allow google to mangle standard internet email?
https://gmail.googleblog.com/2008/03/2-hidden-ways-to-get-mo...
Fuck that shit!
Oh... We should only give Google and Gmail a free pass because they’re big?
No, fuck that too. That’s not how internet standards and internet emailing works.
It’s level playing field because everyone plays by the rules, and when you cause fuck-ups like this, it’s entirely on your base.
Gmail is the one who needs fixing, not everyone else.
Websites should be validating email addresses by sending them an email with an (expiring quickly) link and having the user act upon it. Short of that there’s no way for you to know that a user controls a given address.
That’s grossly irresponsible. Let the users who needs aliases enable them explicitly and manage them themselves.
Regardless that’s no excuse for shitty software and websites that don’t follow standards. Literally anything before the @ sign is fair game to be interpreted by the email server as it sees fit. That include emojis, case sensitive names, and most punctuation.
Assuming email addresses are unique because the text is unique is simply wrong.
This isn't just Gmail - outlook also has "plus aliases", and unless the web developer handles these you can simply sign up with "johnsmith+netflix@hotmail.com" and perform the same attack.
How were Gmail's dot-addresses a central feature of this fraud? It looks like it just made it a tiny bit more convenient. And regarding the Netflix example, why isn't it 100% on them for not verifying email addresses?
Remember the Oneplus referral based phone ordering/shipping? Yep, I cheated that one just to see if it would work.
It did.
[1]: https://news.ycombinator.com/item?id=16781959
Schneier should know better than to give credence to this snake oiled tripe.
Update: The table on this wikipedia page provides a list under the "Address Modifiers" column. Curiously, it doesn't mention dot addresses for Gmail, only plus addressing.
https://en.wikipedia.org/wiki/Comparison_of_webmail_provider...
Just a minor nit: the distinct addresses map to the same inbox or google account. I fail to see how this breaks email.
Companies have had procedures for dealing with duplicate addresses/telephones/email addresses since forever, and if they don't, it's a fault of their business model.
And then I finally got an email from someone, the alleged fraudster? Asking me to stop using their email address......