Slashdot Mirror


Scammer Groups Are Exploiting Gmail 'Dot Accounts' For Online Fraud (zdnet.com)

Cyber-criminal groups are exploiting a Gmail feature to file for fraudulent unemployment benefits, file fake tax returns, and bypass trial periods for online services. From a report: The trick is an old one and has been used in the past. It refers to Gmail's "dot accounts," a feature of Gmail addresses that ignores dot characters inside Gmail usernames, regardless of their placement. For example, Google considers john.doe@gmail.com, jo.hn.doe@gmail.com, and johndoe@gmail.com as the same Gmail address. Regular users have been using this feature for years to register free trial accounts at online services using the same email address, but spelled out in different ways.

In a report published today, the team at email security firm Agari says it saw criminal groups use dotted Gmail addresses in many more places all last year. In an example included in their report, Agari said it saw one group in particular use 56 "dotted" variations of a Gmail address to, among other things, submit 48 credit card applications at four US-based financial institutions, resulting in the approval of at least $65,000 in fraudulent credit.
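
The summary describes many dotted spellings of one Gmail address being accepted as separate applicants. The following is an added example, not code from the report or from Agari, of how a service could collapse Gmail dot and plus variants to one mailbox and flag clusters of applications that share it. The function names, the threshold and the sample records are constructed for illustration.

```python
from collections import defaultdict

GMAIL_DOMAIN = "gmail.com"


def canonical_address(address):
    """Collapse Gmail dot and plus variants to the mailbox they deliver to."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    domain = domain.lower()
    if domain == GMAIL_DOMAIN:
        # Gmail ignores dots and letter case in the username and delivers
        # user+tag to user, so drop the tag, the dots and the case.
        local = local.split("+", 1)[0].replace(".", "").lower()
        if not local:
            raise ValueError(f"empty Gmail username: {address!r}")
    # For other providers dots may be significant, so the local part is kept.
    return f"{local}@{domain}"


def alias_clusters(applications, min_variants=3):
    """Group (application_id, email) records by canonical mailbox.

    Returns {mailbox: {spelling: [application ids]}} for every mailbox that
    was submitted under at least `min_variants` distinct spellings.
    """
    by_mailbox = defaultdict(dict)
    for app_id, email in applications:
        try:
            mailbox = canonical_address(email)
        except ValueError:
            continue  # malformed addresses are left to ordinary validation
        spelling = email.strip().lower()
        by_mailbox[mailbox].setdefault(spelling, []).append(app_id)
    return {m: s for m, s in by_mailbox.items() if len(s) >= min_variants}


# Constructed sample records (application id, address as typed by applicant).
SAMPLE_APPLICATIONS = [
    ("app-1001", "john.doe@gmail.com"),
    ("app-1002", "jo.hn.doe@gmail.com"),
    ("app-1003", "johndoe@gmail.com"),
    ("app-1004", "j.ohndoe+card@gmail.com"),
    ("app-1005", "jane.roe@example.org"),   # non-Gmail: dots are kept
    ("app-1006", "janeroe@example.org"),
    ("app-1007", "alice.b@gmail.com"),      # a single spelling, not flagged
]

if __name__ == "__main__":
    for mailbox, spellings in alias_clusters(SAMPLE_APPLICATIONS).items():
        print(mailbox, "submitted as", sorted(spellings))
```

A cluster is a signal for review rather than proof of fraud, since one person may legitimately use several spellings of their own address.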


  1. Plus (+) trick by MightyYar · · Score: 2, Insightful

    Wait until they figure out the plus trick!

    --
    W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    1. Re:Plus (+) trick by MightyYar · · Score: 1

      I've had some entertaining exchanges with tech help when they don't seem to comprehend that I'm reporting a bug in their website.

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    2. Re:Plus (+) trick by MightyYar · · Score: 1

      Some do, some don't. If they are standards-compliant, they accept the plus. Before I started using catchall addresses on my own domain, I used the plus trick to sign up with a unique email on every site. Occasionally I would run into a problem with a site not accepting a plus. I'd report the validation problem to somewhat clueless tech support sometimes, other times I wouldn't bother.

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    3. Re:Plus (+) trick by Anubis+IV · · Score: 1

      I just set up a subdomain for spam email. Whenever a company wants an address, it’s companyname@spam.mydomain.com, or, more recently, just @s.mydomain.com, since a number of sites reject addresses with “spam” in the name. My wife gets a different subdomain, as do each of my family members for whom I administrate email. Makes it easy for everyone to filter out the real spam and tell who’s selling their addresses/got hacked.

    4. Re:Plus (+) trick by aardvarkjoe · · Score: 3, Interesting

      Some web forms see the plus char as invalid.

      In my experience it's most. And even if you get it past the client-side filter, it sometimes will cause the web site to break in interesting ways -- for instance, I've found cases where a site will accept a "+" address to register for an account, but then you can't actually use it to log in...

      I tried using it for a while to help me filter emails and keep track of who was selling my address, but it's broken on too many sites to be worth even making the attempt. I could report the problem, but most site owners won't bother fixing it, and it defeats the purpose of having easy-to-use aliases if I have to contact support every time I want to use one.

      I really wish that Google would offer a simple alias / disposable email service linked to Gmail that would work on most websites. Dot addresses could help (since most sites will allow a dot, at least), but they're pretty limited.

      --

      How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?
    5. Re:Plus (+) trick by cyberchondriac · · Score: 1

      Doesn't work in gmail, I tried it years ago so I could track where spam might be coming from. That was disappointing.

      --

      Look back up at my post, now look back down, you're on the Internet. Now look back up. I'm a signature.
    6. Re:Plus (+) trick by The+MAZZTer · · Score: 1

      Or, you know, the "registering multiple free e-mail accounts" trick. Dots and pluses and multiple accounts are not the problem here. They have always been known and possible.

    7. Re:Plus (+) trick by MightyYar · · Score: 2

      It absolutely works in gmail. sample+slashdot@gmail.com delivers to sample@gmail.com.

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    8. Re:Plus (+) trick by Anonymous Coward · · Score: 1

      All this stuff is permitted per the RFC
      https://tools.ietf.org/html/rfc2822#page-12

      Google doesn't get to decide this stuff.

    9. Re:Plus (+) trick by cyberchondriac · · Score: 1

      Huh.. I might've been trying to create an alias of some sort in my account, I don't quite remember because that was around 12 years ago.. but your example works out fine, I gave it a shot and was successful in seeing the + bit in the "To" field. Which is all it needs, really.

      Thanks!

      --

      Look back up at my post, now look back down, you're on the Internet. Now look back up. I'm a signature.
    10. Re:Plus (+) trick by kingbilly · · Score: 1

      Are you feeling alright?

    11. Re:Plus (+) trick by StormReaver · · Score: 1

      I just glanced through page 12 of rfc2822. It does indeed allow the period, but implies that it is a significant character. That would make "stormreaver", "storm.reaver" and "s.t.o.r.m.r.e.a.v.e.r" three distinctly different names. Google treating them the same would therefore be a violation of the standard.

    12. Re:Plus (+) trick by MightyYar · · Score: 3, Insightful

      How is Google violating that standard? There is nothing in there that says you can't run post-delivery forwarding rules, or that users are limited to one email address each.

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    13. Re:Plus (+) trick by MightyYar · · Score: 1

      I tried but the lameness filter keeps catching my ASCII screenshots.

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    14. Re:Plus (+) trick by MortimerGraves · · Score: 1

      What Google is doing is preventing three different people signing up with those different names. I don't know why they did this, but it does reduce the risk of a missing period sending email to the wrong person - or someone masquerading as you by registering an address that is nearly visually identical.

      When you, StormReaver, sign up with stormreaver@gmail Google effectively reserves storm.reaver@gmail, s.torm.reaver@gmail, etc., along with all addresses using a plus sign (e.g. stormreaver+slashdot@gmail), preventing any other person from registering them.

      Any and all of these email addresses will work, but all messages sent to them will be given to you, StormReaver, with a little info tooltip explanation.

    15. Re:Plus (+) trick by aardvarkjoe · · Score: 1

      mailinator

      Mailinator and similar services are useful in cases where you either don't want email at all, or only want it for a short time -- like for registering on a website that insists on you verifying your email address. It doesn't work for longer-term things where you want to keep receiving email.

      What I would imagine as what I would like to see:

      Have a button in GMail to create a new email address that automatically forwards to your email. A really simple approach would be to just automatically pick an address like "@tempgmail.com".

      Mail addressed to that new address would get a label indicating which address was used, which makes filtering really easy, and if that address starts getting spammed you can just automatically send it to the trash.

      Just that would be really useful. You could get fancier by allowing the user to select an address; adding a browser extension so you don't even have to go to your email to set it up; allowing extensions to the address (like current "+" addresses, but using some character that most sites allow); automatically registering @tempgmail.com to forward to your address... that's just what comes to mind immediately.

      Google is probably best positioned to do something like this, although obviously a third party could do a lot of it. Are there any services like that?

      --

      How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?
    16. Re:Plus (+) trick by stoborrobots · · Score: 1

      To use storm.reaver you would have had to sign up with storm.

      That is specifically not true. As mentioned in the summary, if you sign up with stormreaver (or storm.reaver, or st.ormrea.ver), google will consider any of those emails as identical, and deliver them all to your mail box.

    17. Re:Plus (+) trick by ayesnymous · · Score: 1

      Some web sites don't allow it. Others are worse in that they allow you to register with a + in your email address, but other parts of their web site treat the + as invalid.

  2. And that's why we have standards by david.emery · · Score: 2

    so that commercial companies like Google can ignore them, to achieve "a competitive advantage."

    1. Re:And that's why we have standards by MightyYar · · Score: 1

      You won't like my domains' behavior, then - I use catchall addresses.

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    2. Re:And that's why we have standards by GoRK · · Score: 1

      Literally nothing about this violates any standard whatsoever or is in any way an actual problem. The fact that a person regardless of their ethical standards can have multiple email accounts isn't relevant at all. I have had catchall email addresses since before Google existed.

    3. Re:And that's why we have standards by david.emery · · Score: 1

      The standard that says FirstNameLastName is different from FirstName.LastName!

    4. Re:And that's why we have standards by david.emery · · Score: 1

      And that same standard says that FirstNameLastName is different from firstnamelastname

      dave

    5. Re:And that's why we have standards by Zocalo · · Score: 2, Informative

      Yes, there is. RFC5322 defines what constitutes an email address, amongst other things. Arguably though, all Google is doing is automatically creating every single possible RFC5322 compliant alias of a given email address that you can create by inserting full stops in the bit before the @ sign and assigning them all to the same user, how they do that (almost certainly by stripping out the full stops from the LHS) isn't any concern of RFC5322. They're not actually creating any invalid email addresses or anything; just restricting the number of possible unique email addresses they can assign on their domain.

      --
      UNIX? They're not even circumcised! Savages!
    6. Re:And that's why we have standards by branchingfactor · · Score: 1

      What standard is the Gmail dot feature ignoring? And what "competitive advantage" does it give them?

    7. Re:And that's why we have standards by cascadingstylesheet · · Score: 1

      They're not actually creating any invalid email addresses or anything; just restricting the number of possible unique email addresses they can assign on their domain.

      Also causing hilarity to ensue.

      My actual primary gmail is my name with dots in it.

      Apparently a large proportion of the other mes on Earth either think or believe that they have my gmail address (without the dots), or else their correspondents do.

      I get the most interesting and outrageous emails by mistake. My favorite was the playa who had had business cards made up with "my" address ...

      Then again, maybe the dots have nothing to do with it ... surely when people try to register, Gmail tells them that myname@gmail.com is taken? But maybe there is some bug there, as I find it hard to believe that so many people really don't know their own email address.

    8. Re:And that's why we have standards by MortimerGraves · · Score: 1

      I have the same issue and suspect it may be correspondents "correcting" what they think is a wrong email.

      My gmail has a dot between first and last name (my.name@gmail) . I've received more than a few emails for a chap in the UK at (myname.gmail). I have reason to suspect that his actual email address is (mynam@gmail) and that he's either giving out the wrong address or correspondents are assuming the missing terminal "e" is inadvertent and adding it.

    9. Re:And that's why we have standards by sexconker · · Score: 1

      It's probably just some retard who doesn't know their own email address. I've got a myname@outlook.com address that someone, presumably with the same name as me, thinks they own (probably because they use outlook and think that means outlook.com is their address).

      I regularly get emails destined for him. He's some old coot in the UK and has daughters / granddaughters who play youth soccer.

      One day he bought a Kindle Fire and registered it to my email address. Amazon doesn't care to validate it, so I was getting constant emails for everything he downloaded. And I had a shiny new amazon.co.uk account with an attached Kindle Fire to play with. I promptly took over his Amazon account, and started emailing images to the Kindle email address that Amazon creates.

      For example, this one: https://i.imgur.com/eWJsKZx.jp...

      I gave it a while to make sure he had a chance to see the things I was sending (they appear in the Kindle library and show on the main screen when delivered, I believe). Then I disassociated the Kindle from the account and changed the account password. I'm sure the old coot thought he was HACKED. He managed to wipe and reassociate the Kindle with the same account, and reset the password himself.

      At that point I knew I had him. The only way the geezer could have managed that one is by phoning support. So I then sent in a support ticket to Amazon and told them that they need to fucking clue this guy in to the fact that he doesn't own my email address, and that I have no way of contacting him but they do (from the previous support ticket he certainly filed). After a bit of escalation to the security team, someone with a brain (not a script-reading Indo-bot) got involved and told the fool that he was using the wrong email, then nuked the amazon.co.uk account associated with my email address.

      I still get occasional emails meant for this guy, but no fucking Kindle bullshit.

    10. Re:And that's why we have standards by fuckface · · Score: 1

      Same problem. I have a "WrongNumber" folder where I store them as evidence in case some site eventually tries to make me comply with a contract signed by "other me". >95% of the bogus emails I get have no verification link, and >99% don't have a "this isn't me" link. If you try to mail them back it takes 3-4 exchanges before they understand the dot rule, "But your mail has a dot, we didn't send to a dot." Could save so many headaches if they just implement double opt-in.

    11. Re:And that's why we have standards by randm.ca · · Score: 1

      The same happens to me. I have a rule that filters mail to myname@, so then only my.name@ hits my inbox. Conveniently 99% of spam gets sent to myname@ so gets filtered out along with alternate me's misaddressed email.

  3. And? by pjt33 · · Score: 2

    Is there a story here, and if so what is it? That all you need to apply for a credit card is an email address?

    1. Re:And? by MightyYar · · Score: 2

      The story is that companies are so lax on security that they let you do things like update card details without actually logging in. You could achieve the same effect by forwarding emails to your victim - this just takes that step out for you.

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    2. Re:And? by Oswald+McWeany · · Score: 2

      The story is that companies are so lax on security that they let you do things like update card details without actually logging in.

      Indeed, whereas gmail might have made things more convenient for them; the fact is, there are countless ways you can create innumerable e-mail addresses. The story here isn't that they used e-mail; the story is that Financial Institutions are so desperate for business that they give out lines of credit based on only having an e-mail address.

      That's really pretty stupid. I don't want to victim blame the companies here, clearly they were taken advantage of; but they clearly have some pretty dumb policies in place here to allow themselves to be victimized here.

      --
      "That's the way to do it" - Punch
    3. Re:And? by drinkypoo · · Score: 1

      This is happening to me left and right. I've been the victim of repeated identity theft because of my name. Martin Espinoza isn't exactly the John Smith of Latin America, but it's fucking close. Maybe Mark Smith. And perhaps for the same reason, my email with the dot removed is also being heavily abused. I used to assume it was just some butt-hurt slashbot trolling me, especially since there was a rash of crap that I figured nobody would sign up for on purpose, and maybe there actually has been some of that, but I've also been getting things like lease agreements, or kids' sports information. Then again, that could be phishing too. I like to reply all to those and suggest they verify addresses before spamming, like responsible people would.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    4. Re: And? by ljw1004 · · Score: 1

      No, that's not it at all!

      The technical story is explained at the original site https://jameshfisher.com/2018/... along with good impact analysis and recommendations

    5. Re:And? by Anonymous Coward · · Score: 1

      I know it's wrong, but if a bank will give out free money in exchange for only an email address, I think that they kind of deserve to get screwed.

    6. Re: And? by kingbilly · · Score: 1

      Meh. I'm split here. On one hand, I totally agree with his recommendation that Gmail lets people opt-out of catchall or at least provide a phishing warning similar to his provided mock-up.
      On the other hand, I think he is wrong to find Gmail the most at fault instead of the users and/or Netflix.
      Look at his numbered outline for how the phishing scheme works. In step 6, this is where the other parties have failed. You shouldn't be able to go from an email to the behind-authenticated section of an account.... without authenticating! I'm not sure if this is how Netflix actually works, but I do know other companies follow this poor security practice which allows this phishing scam to work. Shame on companies that do this.
      And shame on users who don't visit the site first and authenticate. We already tell everyone to not click links in their emails but to instead visit the site starting with their known homepage.

      I think James needs to call out the behavior of companies and users a bit more before throwing the blame to Gmail. After all, forgetting catch-all email addresses, almost every adult I have needed to help with technology has multiple email accounts on their phones. They forget the login, or the existence, of an email address and just sign up another. The same phishing James mentions would be possible here without that catch-all. These older adults often have no idea that they are pulling a hotmail, yahoo, and Gmail to their mail apps on their phones/tablets concurrently. In James' scenario, the victim would have johnsmith@gmail.com on file with Netflix, and an attacker would only need to sign up as johnsmith2@gmail.com, because John Smith created this (or johnsmith@hotmail.com) last week when he couldn't remember how to sign in on a different device. In this scenario, John Smith would get the phishing link from johnsmith2@gmail.com and be none the wiser.


      tl;dr James makes some good points, and when it comes to financial institutions, I'm not surprised that a hashed link via email counts as authentication, which is what allows this exploitation to begin with. But catch-all email address doesn't solve the issue that the average adult has a catch-all email addresses (PLURAL) ecosystem on their device and does not look at the TO field, so don't state the blame is mostly on Gmail.



      The blame should be placed on USERS, followed by COMPANIES that allow LINKS with a hash to BYPASS AUTHENTICATION.

    7. Re: And? by chispito · · Score: 1

      He never explained why email verification upfront would fail to solve the issue. I still believe it is a problem of the sites or services in question.

      --
      The Daddy casts sleep on the Baby. The Baby resists!
    8. Re:And? by drinkypoo · · Score: 1, Interesting

      me thinks I know why you get all that E-mail and get victimized by identity theft all the time...You respond.

      Mostly, I don't. And those who I do respond to, I'm not giving any additional information to them, so I'm not helping them steal my identity.

      DUMP SPAM into the trash. Don't answer, just trash can it.

      Yes, that's what I do with spam. Thanks for nothing, AC.

      It's quite simple, my identity gets stolen more than those of other people because of my hispanic name. People who have the same name have used my SSN for work, or to buy a car they never paid off. Then a court in Nevada City, CA granted a judgement against my SSN based on that person's debt. The evidence of debt was my SSN written on a check cashing card, by hand no less. The court that accepted that as evidence is corrupt. You can't have identity theft without corruption.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    9. Re: And? by ljw1004 · · Score: 1

      Meh. I'm split here... The blame should be placed on USERS, followed by COMPANIES that allow LINKS with a hash to BYPASS AUTHENTICATION.

      The original article also has a link to analysis by Bruce Schneier https://www.schneier.com/blog/... where he says "it's an example of two systems without a security vulnerability coming together to create a security vulnerability".

      I agree that having users validate their email addresses before using it for the first time would solve the problem. I've always been irritated by the companies that do so, imagining they did it solely to make sure that someone used a real email address rather than a throwaway spam email address, i.e. solely so they could send unsolicited spam. I guess there's a real reason for it after all. Probably they also want to reduce friction with an entire generation of folks who don't really use or care for email.

      Personally I hesitate to blame users. These are products designed for the general public. The makers should do what they can to help everyone fall easily into the "pit of success".

    10. Re: And? by ljw1004 · · Score: 1

      He never explained why email verification upfront would fail to solve the issue. I still believe it is a problem of the sites or services in question.

      https://www.schneier.com/blog/...

      Bruce Schneier's analysis was that "it's an example of two systems without a security vulnerability coming together to create a security vulnerability."

    11. Re: And? by kingbilly · · Score: 1

      Ah, much better link. And I see your reply to me above with that very link, thank you!

    12. Re: And? by chispito · · Score: 1

      He never explained why email verification upfront would fail to solve the issue. I still believe it is a problem of the sites or services in question.

      https://www.schneier.com/blog/...

      Bruce Schneier's analysis was that "it's an example of two systems without a security vulnerability coming together to create a security vulnerability."

      I respect Bruce a lot, and I think from a practical standpoint, Gmail (Google) absolutely should make those dot-aliases opt-in. But this is still 100% Netflix's problem to solve. The problem would exist if Gmail did not allow the dot aliases, you would just need to find some other predictable pattern of email aliases (like a large organization where everybody is granted both @longcompanydomain.com and @shortcompanydomain.com email addresses).

      Stop and think. If your service will be sending payment related emails to people, why would you not verify the address first? The only thing I can think of is they know this is a problem but they get more money by reducing all possible barriers to entry, and the scams are considered a cost of doing business--a cost that some of their customers pay.

      --
      The Daddy casts sleep on the Baby. The Baby resists!
    13. Re: And? by J053 · · Score: 1

      I still don't get it. How would Eve be able to sign up to Netflix with an email address that she doesn't control? And no matter how this works, why on earth would you think it is Google's fault?

      Because, when you sign up for Netflix, you create a username and password - then, after the account has been created you provide an email address which Netflix does not verify (they send a "Welcome to Netflix" message to it, but the scam target might not notice that), but which can be used for password recovery. Then, to exacerbate the problem, Netflix sends payment update emails to the email address on the account which allow changing payment info without otherwise logging in. IOW, Netflix treats the unverified email address as if it was verified - and that is the fundamental failure here.
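
The comments above locate the failure in treating an unverified address as verified. The following is an added example, not part of the thread and not any company's actual code, of a signup flow that withholds account notices until the address owner confirms it with a token bound to that account and address. All names, the key handling and the message text are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
import time

# Demo key generated per process; a real service would load a persistent secret.
SERVER_KEY = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 3600


class Account:
    def __init__(self, username):
        self.username = username
        self.email = None
        self.email_verified = False


def set_email(account, email):
    """Attach an address; any change puts the account back to unverified."""
    account.email = email
    account.email_verified = False


def _mac(account, expires):
    # The MAC covers the account, the exact address and the expiry, so a
    # token cannot be reused for another account or another address.
    msg = f"{account.username}\n{account.email}\n{expires}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_verification_token(account, now=None):
    """Token to be mailed to account.email as the confirmation step."""
    expires = int(time.time() if now is None else now) + TOKEN_TTL_SECONDS
    return f"{expires}.{_mac(account, expires)}"


def confirm_email(account, token, now=None):
    """Mark the address verified only for a valid, unexpired token."""
    now = int(time.time() if now is None else now)
    expires_text, _, mac = token.partition(".")
    try:
        expires = int(expires_text)
    except ValueError:
        return False
    expected = _mac(account, expires)
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False
    if now > expires:
        return False
    account.email_verified = True
    return True


def payment_notice(account):
    """Return the notice to send, or None while the address is unverified."""
    if not account.email_verified:
        return None
    # The notice asks the user to sign in; it carries no link that acts on
    # the account without authentication.
    return {
        "to": account.email,
        "body": "Your payment method needs attention. "
                "Sign in on the website to update it.",
    }


if __name__ == "__main__":
    acct = Account("new_signup")
    set_email(acct, "owner@example.com")      # constructed sample address
    print("before confirmation:", payment_notice(acct))
    confirm_email(acct, issue_verification_token(acct))
    print("after confirmation:", payment_notice(acct))
```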

  4. since when 1 person = 1 email address? by Anonymous Coward · · Score: 1

    Why the heck are these companies assuming that just because the email is different it is a different person?
    Anyone could just own a domain and setup an unlimited number of aliases to a single address without exploiting any stupid weirdness google created.

    1. Re:since when 1 person = 1 email address? by Oswald+McWeany · · Score: 4, Funny

      Why the heck are these companies assuming that just because the email is different it is a different person?
      Anyone could just own a domain and setup an unlimited number of aliases to a single address without exploiting any stupid weirdness google created.

      Yeah, I use about a dozen different e-mail addresses. I'm clearly not 12 people. I'm not even 12 personalities in one person.

      Oh yes we are. No we're not... yes we are.

      --
      "That's the way to do it" - Punch
    2. Re:since when 1 person = 1 email address? by angel'o'sphere · · Score: 1

      I'm not even 12 personalities in one person.
      Are you certain? I mean, is anyone of your "yous" certain?

      --
      Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
    3. Re:since when 1 person = 1 email address? by cyberchondriac · · Score: 1

      I hate being bipolar, it's awesome!

      --

      Look back up at my post, now look back down, you're on the Internet. Now look back up. I'm a signature.
  5. So what? It's a slightly easier way of getting additional email addresses.

    If your business model depends on my not having more than one email, well ... not sure why that's my problem.

    I had no idea it was so easy to be a "cyber criminal".

  6. Wrong link by ljw1004 · · Score: 3, Informative

    The article has the wrong link. The correct link to the original is https://jameshfisher.com/2018/...

    Why does Slashdot do this all the time? Include links to dumb shallow copies of the original story that add nothing but instead take away necessary technical content? The article linked to in this case failed to actually explain how the scam works!

    1. Re:Wrong link by ledow · · Score: 3, Insightful

      Guarantee you that the submitter of the story benefits from that intermediate link, and that the Slashdot team know that.

      Though, the "Slashdot effect" is literally non-existent nowadays, and this is just a tiny niche website now.

    2. Re:Wrong link by skovnymfe · · Score: 1

      You mean people aren't hosting their websites on discarded HP desktops on a dual ISDN anymore, and can actually serve up 100,000 page views like it's nothing? Technology, huh?

  7. What is the problem exactly? by kbg · · Score: 1

    I don't see any problem here. If you can apply for credit using only an email address then it's the company's own fault. You don't give credit out to just an email address. And for registering free trial accounts, what's the problem here? You give out trials, so what if somebody gets many trials? Who cares?

  8. Root cause of fraud by 140Mandak262Jamuna · · Score: 5, Insightful

    US lending institutions consider the ability to lend to people at an instant to fund impulse purchases a big money maker.

    They know they may not be able to complete a thorough verification before the impulse to borrow passes. So they rush to lend. They know they make mistakes and lend to fraudsters. But to them it is cost of doing business, net profit from impulse lending is so great they do this knowingly.

    Then, the fraudulently lent loans get written off, sold for pennies for a dollar to the debt collectors. These people come after you, get default judgements, demanding that you prove you did not borrow the money. Even if you do to one debt collector, he sells the loan to the next debt collector and it goes on.

    Small things might help here:

    Make a law, "Lenders can not sell defaulted loans without fully proving the identity of the borrower.".

    Get a couple of precedent judgement, "if the bank sold a loan based on stolen identity, they are liable for slander and all damage caused to the person whose identity was compromised".

    Once you make the banks eat all the losses, and prevent damage to people whose identity is compromised, they will do the basic necessary things to verify identity.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:Root cause of fraud by 140Mandak262Jamuna · · Score: 1

      Many of the "debt collectors" are themselves victims of fraud. They fall for "work from home, make phone calls, make money" schemes. They are sold completely uncollectable debt at cents per dollar, they pay money for "training" and "equipment", and services to trace address and phone numbers. In the end they are so desperate they will break all these laws, will resort to telling all kinds of lies, they are in despo situation themselves.

      --
      sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    2. Re:Root cause of fraud by phantomfive · · Score: 1

      I feel sorry for no one involved here. No need for a law.

      --
      "First they came for the slanderers and i said nothing."
  9. Re: WTF? by chispito · · Score: 1

    It didn't just become anything. As many have noted, catch all email isn't new. Gmail should be a little perturbed their platform is being used for fraud but it has since inception and will be for years to come. The problem is the defrauded institutions' to fix.

    --
    The Daddy casts sleep on the Baby. The Baby resists!
  10. Scammer Groups are Using Multiple Email Accounts! by branchingfactor · · Score: 1

    This report is no different than saying, "Scammer Groups are Using Multiple Email Accounts for Online Fraud!". The gmail dot feature makes it a tiny bit easier for them, but it's no different than using multiple fake email accounts. This is non-news.

  11. Email address is not SSN! by Comboman · · Score: 1

    ... file fraudulent unemployment benefits, file fake tax returns...

    Who on earth thought it was a good idea to use an email address as a unique identifier for government programs? That's what Social Security Numbers are for.

    --
    Support Right To Repair Legislation.
  12. The premise of this article is not right!! by SmaryJerry · · Score: 1

    I always log in to a firstname.lastname@gmail.com but if I try to test send an email to firstnamelastname@gmail.com then I do not receive the email. So my point is in basic testing this dotted theory does not work. Also if I try to log in to the non dotted email it does not let me sign in. I assume it's this way for everyone?

  13. "Regular users" by 1ucius · · Score: 1

    "Regular users have been using this feature for years to register free trial accounts at online services using the same email address, but spelled out in different ways."
    vs
    "one group in particular use [sic] 56 'dotted' variations of a Gmail address to...submit 48 credit card applications...resulting in the approval of at least $65,000 in fraudulent credit."

    I'm not sure I see the difference. Most free trial accounts are limited to one/person...

  14. The issue is people getting a credit by houghi · · Score: 1

    I live in Belgium. If you ask for a credit, your ID will be verified. Also a credit check at the national bank. If there are too many loans, no credit. If there is a negative score, i.e. not paid for one for three months, (removed after one year) no credit. If you have a fake ID, no credit.

    If you get a credit, it will be added to the national bank.

    Only banks and the like have access to data at the National Bank (NBB) and can e.g. not see the names of other companies.

    So having 20 email addresses or one does not make a difference. Yes, fraud is always possible.

    --
    Don't fight for your country, if your country does not fight for you.