
Using Gmail “Dot Addresses” to Commit Fraud - 0xmohit
https://www.schneier.com/blog/archives/2019/02/using_gmail_dot.html
======
wuunderbar
> Each of these accounts is associated with a different stolen identity, but
> all email from these services are received by the same Gmail account. Thus,
> the group is able to centralize and organize their fraudulent activity
> around a small set of email accounts, thereby increasing productivity and
> making it easier to continue their fraudulent behavior.

I'm sure there are creative & compelling uses of Gmail dot addresses to commit
fraud out there, but this one barely counts as fraud. I'm not sure what the
point of the article is.

~~~
deweller
Fraudsters are taking advantage of email aliases to get other people to pay
for someone else's account.

Example:

1) Fraudster creates an account and puts in a bogus card number.

2) Fraudster changes account email address to joe.smith@gmail.com.
joesmith@gmail.com already exists in Netflix's DB - but joe.smith@gmail.com
does not, so Netflix is ok with this.

3) Netflix emails joe.smith@gmail.com and says "hey your card is bad, please
update it" by clicking here.

4) The real joesmith@gmail.com receives the email, clicks the link and is
taken directly to an "update your card" screen and types in their credit card
information.

5) Fraudster has their Netflix account paid for by the real Joe Smith.

Granted, Netflix could fix this by requiring a login before updating billing
details. But the dot aliases in Gmail are a part of the scam.

~~~
SteveNuts
A few years ago I noticed an uptick in services sending out "magic links" that
take you direct to their service, already signed in. I've always thought there
has to be some sort of vulnerability in that, perhaps this is it?

~~~
ggggtez
The fact that netflix lets you create an account without verifying you
actually own the email address they are sending the token to is the real bug.

Besides, even without a magic link, they could still phish you into clicking a
link to a malicious page that performed a login-csrf which would have the same
effect.
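The service-side fix that deweller and ggggtez describe, written out as an added Python example (not code from Netflix, Gmail, or the linked article): treat every address that delivers to the same inbox as one contact, and never bind an address to an account until the person who reads that inbox has confirmed it. The account table, account ids and addresses are constructed for the demo; the only aliasing rules applied are Gmail's documented ones (dots and a "+tag" in the local part are ignored, googlemail.com is the same as gmail.com), and any other domain is merely case-folded because its rules are unknown.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Providers whose inboxes ignore dots and a "+tag" suffix in the local part.
# Only Gmail is listed because that is the behaviour this thread documents.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


class InboxCollision(Exception):
    """Raised when an address delivers to an inbox already bound to another account."""

    def __init__(self, owner: str, key: str):
        super().__init__(f"inbox {key} already belongs to account {owner}")
        self.owner = owner
        self.key = key


def canonical_email(address: str) -> str:
    """Return a key under which addresses that reach the same inbox compare equal."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    local, domain = local.lower(), domain.lower()
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


@dataclass
class AccountStore:
    """Constructed in-memory account table for the example (not a real service's schema)."""

    emails: Dict[str, str] = field(default_factory=dict)    # account_id -> verified address
    inboxes: Dict[str, str] = field(default_factory=dict)   # canonical key -> account_id
    pending: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # token -> (account_id, address)

    def collision(self, account_id: str, address: str) -> Optional[str]:
        """Id of the other account already bound to this inbox, or None."""
        owner = self.inboxes.get(canonical_email(address))
        return owner if owner is not None and owner != account_id else None

    def propose_email(self, account_id: str, address: str) -> str:
        """Refuse an address whose inbox another account already owns; otherwise
        park it behind a one-time token the inbox owner must present. Nothing is
        bound yet, so no billing notice can go to an unverified address."""
        owner = self.collision(account_id, address)
        if owner is not None:
            raise InboxCollision(owner, canonical_email(address))
        token = secrets.token_urlsafe(32)
        self.pending[token] = (account_id, address)
        # A real service would now mail a link carrying `token` to `address`.
        return token

    def confirm_email(self, token: str) -> bool:
        """Bind the address only when its owner presents the token; re-check the
        collision because the inbox may have been claimed while the token was out."""
        entry = self.pending.pop(token, None)
        if entry is None:
            return False
        account_id, address = entry
        if self.collision(account_id, address) is not None:
            return False
        old = self.emails.get(account_id)
        if old is not None:
            self.inboxes.pop(canonical_email(old), None)
        self.emails[account_id] = address
        self.inboxes[canonical_email(address)] = account_id
        return True


def demo() -> Dict[str, object]:
    """Replay deweller's steps against the store and return what happened."""
    store = AccountStore()
    # The real Joe Smith registered and confirmed first (constructed sample data).
    store.confirm_email(store.propose_email("acct-joe", "joesmith@gmail.com"))
    try:
        store.propose_email("acct-fraud", "joe.smith@gmail.com")  # step 2 of the scam
        blocked = None
    except InboxCollision as exc:
        blocked = exc.owner
    # A genuinely new inbox is allowed, but only after its owner confirms.
    token = store.propose_email("acct-new", "someone.else+signup@gmail.com")
    bound_before_confirm = "acct-new" in store.emails
    bound_after_confirm = store.confirm_email(token)
    return {
        "collision_owner": blocked,
        "bound_before_confirm": bound_before_confirm,
        "bound_after_confirm": bound_after_confirm,
        "new_key": canonical_email(store.emails["acct-new"]),
    }


if __name__ == "__main__":
    print(demo())
```

Two design points: the collision check is done against the canonical key, not the address as typed, so `joe.smith`, `j.o.e.smith` and `joesmith+anything` all hit the existing record; and the check is repeated at confirmation time, because a token can sit unconfirmed for as long as the mail takes to be read.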

------
giornogiovanna
> Thus, the group is able to centralize and organize their fraudulent activity
> around a small set of email accounts, thereby increasing productivity and
> making it easier to continue their fraudulent behavior.

How were Gmail's dot-addresses a central feature of this fraud? It looks like
it just made it a tiny bit more convenient. And regarding the Netflix example,
why isn't it 100% on them for not verifying email addresses?

~~~
ganoushoreilly
I agree, it implies they were using the . as a means to generate new emails vs
the . actually playing a pivotal role in a specific compromise. I've actually
used the . and + feature for years to manage different accounts.

~~~
throwaway5752
I know, this is infuriating. Dots and extensions are part of the spec, and
it's the fault of the party mishandling them.

------
mindslight
An email address should not be treated as some kind of closed-world
constraining identifier, but purely as an open-world point of contact. The
suggestion seems to be that businesses should view Gmail addresses with dots
as a sign of "abuse", presumably how the same broken philosophy views
Mailinator addresses. In reality if you're concerned about either of these,
you're doing something wrong.

Schneier should know better than to give credence to this snake oiled tripe.

------
wtmt
The part about tricking Netflix users was posted and discussed here before.
[1]

[1]: [https://news.ycombinator.com/item?id=16781959](https://news.ycombinator.com/item?id=16781959)

------
tfandango
I was convinced someone was trying to perpetrate fraud against me using my
gmail address w/o the dots. I just didn't understand how. I continuously got
(and still get) emails from Amazon about app purchases (all free) because
someone has created an account using my gmail address minus the dots. I have
called Amazon 3 times and each time they have either removed my address from
the other person's account, or deactivated the account (or so they said).

And then I finally got an email from someone, the alleged fraudster? Asking me
to stop using their email address......

------
ASalazarMX
This is a non-issue, I'm surprised it's on the front page. If you can defraud
companies just by making email aliases, what's stopping those hardened
criminals from just registering new addresses?

Companies have had procedures for dealing with duplicate
addresses/telephones/email addresses since forever, and if they don't, it's a
fault of their business model.

------
asaph
What other vanity email providers besides Gmail implement "dot addresses" or
similar systems for their email addresses?

Update: The table on this wikipedia page provides a list under the "Address
Modifiers" column. Curiously, it doesn't mention dot addresses for Gmail, only
plus addressing.

[https://en.wikipedia.org/wiki/Comparison_of_webmail_provider...](https://en.wikipedia.org/wiki/Comparison_of_webmail_providers#Features)

~~~
ASalazarMX
If we're nitpicking, it would be why Google allows dot aliases for regular
accounts, but not for G Suite, while allowing plus-sign aliases for both.

~~~
nerdkid93
If I had to guess, because corporate admins want to have separate inboxes for
people with similar names... 1 with a "." and one without.

~~~
ASalazarMX
That's more trouble than it's worth. davebowman@corp.net and
dave.bowman@corp.net will receive many emails not intended for them.

------
golem14
[https://github.com/kdeldycke/awesome-falsehood#emails](https://github.com/kdeldycke/awesome-falsehood#emails)

------
leni536
> _The account "bruceschneier@gmail.com" maps to the exact same address as
> "bruce.schneier@gmail.com" and "b.r.u.c.e.schneier@gmail.com" -- and so
> on._

Just a minor nit: the distinct _addresses_ map to the same _inbox_ or _google
account_. I fail to see how this breaks email.

~~~
ASalazarMX
Wait till he finds out about bruceschneier+whateveryouwant.@gmail.com

------
nerdkid93
This is a poorly sourced article. Where does this metric come from?

> Submit 48 credit card applications at four US-based financial institutions,
> resulting in the approval of at least $65,000 in fraudulent credit

How does one even open a line of credit with just an email address?

------
vkhn
I've used dot addresses in referral queues to bump myself up the queue.

Remember the Oneplus referral based phone ordering/shipping? Yep, I cheated
that one just to see if it would work.

It did.

------
seba_dos1
I have a catch-all domain. Just imagine all the fraud possibilities!

------
mike503
Can someone flag this as bullshit?

------
zAy0LfpBZLC8mAC
What a dumb article. Whoever considers email addresses to be identities is an
idiot, they are not, they are simply a contact address, and obviously you can
have as many of those as you want. If your software can't deal with this fact,
your software is broken.

