[HN Gopher] Stupid Patterns
___________________________________________________________________
Stupid Patterns
Author : darshitpp
Score : 85 points
Date : 2021-12-31 16:45 UTC (1 days ago)
(HTM) web link (darshit.dev)
(TXT) w3m dump (darshit.dev)
| tangoalpha wrote:
| So, some random person had subscribed to Tata Sky (television
| set-top box channels subscription in India) with my mobile
| number. He wouldn't pay his dues on time, and Tata sky would call
| me every month multiple times. Their customer service would take
| down my request to change the number, but they never changed it.
|
| I was able to track down his actual phone number and on Facebook.
| Messaged him and explained to him. He wouldn't act. He said he
| intentionally gave a random number since he didn't want to be
| bothered by their phone calls and asked me to "deal with it".
|
| Finding no other option, I used Tata sky IVRS service calling
| from my mobile number (linked to his account) to subscribe to a
| bunch of expensive channels, totalling the monthly subscription
| fee to 10x of what his usual fee was.
|
| He reached out to me requesting that he be allowed to take
| control of his account, as he is unable to change the phone
| number linked to the account, without an OTP (one time password)
| received on the existing number (which was my number).
|
| Did take some sweet revenge by not responding to his request for
| a while, but eventually gave him the OTP after a week.
| tsycho wrote:
| A bunch of people use my email address for signing up to all
| sorts of websites (I have a common name, and my email is
| basically my name @ popular email provider). It is annoying to
| receive all this spam (usually I can unsubscribe), but the
| worst ones are people using my email for their bank accounts.
|
| So now I get multiple password-protected monthly statements
| every month, and there is no way to unsubscribe since it's a
| bank statement. And the email subject doesn't have the full
| account number, and the email is from a no-reply address.
| Contacting the bank has been useless even when I found a way to
| do so. The most annoying one is from a bank where I have an
| account of my own (they used a capitalized version of my email
| address, which the bank thinks is a separate email), and so I
| can't block all emails from this bank either.
|
| The one fun time was when someone (in Asia) would frequently
| place food delivery orders using my email, and this service
| would send multiple emails for each order. Frustrated, I
| canceled their order once directly from the email, after which
| this particular problem stopped.
| lokar wrote:
| I have a 3 letter Gmail account. This is all I get.
| tombrossman wrote:
| Try switching to an email service that supports custom Sieve
| scripts, which you can use to permanently reject messages
| based on variables you configure.
|
| These are handled differently than message user agent
| filtering. Incoming messages are immediately rejected and the
| sending server is notified.
|
| It's much easier than trying to contact some company that
| doesn't bother validating email addresses. You already know
| they are technically deficient so just bounce everything.
| Problem's at their end, let them work it out.
|
| Fastmail do this, as do a few other hosted email providers.
| Highly recommended. I also use Sieve filters to reject
| attachment types beyond the default set, such as Microsoft
| Office files (.docx, .doc, etc.).
|
| Here's some documentation to get started. No affiliation,
| just a happy customer. https://www.fastmail.help/hc/en-
| us/articles/1500000280481-Si...
| bserge wrote:
| They didn't verify the phone number when he signed up (with a
| simple OTP)? Wow
| kingcharles wrote:
| This was my conversation with a guy last night whose phone
| number I now own. I guess he let his mobile plan expire or
| something. I can log into a bunch of his accounts around the
| Web because the OTPs come to me. I found him on Facebook
| because I have all the details of his life, but I couldn't get
| any reply. So last night I logged into his account on TikTok
| and followed my own account so we could message each other:
|
| https://kingcharles.one/all-your-phones-belong-to-us.jpg
| MaxBarraclough wrote:
| > Finding no other option, I used Tata sky IVRS service calling
| from my mobile number(linked to his account) to subscribe to a
| bunch of expensive channels, totalling the monthly subscription
| fee to 10x of what his usual fee was.
|
| This is, presumably, a crime.
| ben_w wrote:
| Yup, had that problem with an airline. To avoid spam, I was using
| the + modifier -- <normal-address>+<airline-name>@gmail.com --
| the booking form accepted it, the ticket-sending system and the
| account login system, didn't.
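The mismatch ben_w and tsycho describe (a booking form that accepts `name+tag@gmail.com` while the login system does not, a bank that treats a capitalised address as a second mailbox) is a canonicalisation problem on the site's side. The block below is an added example, not code from the thread or from any of the companies mentioned: it folds the variants one mailbox can appear under into a single lookup key, so the address is matched consistently everywhere while still being stored and delivered to as entered. The dot-insensitivity rule is applied to Gmail only, and lower-casing the local part is an assumption (RFC 5321 permits case-sensitive local parts; large providers do not use them).

```python
import re

# Assumption: only Gmail ignores dots in the local part. Other providers
# treat "name.surname" and "namesurname" as different mailboxes.
DOT_INSENSITIVE_DOMAINS = {"gmail.com"}
DOMAIN_ALIASES = {"googlemail.com": "gmail.com"}

_MAILBOX_RE = re.compile(r"^([^@\s]+)@([^@\s]+\.[^@\s]+)$")


def canonical_email(addr: str) -> str:
    """Map the variants one mailbox can appear under to a single key.

    Steps: trim whitespace, lower-case the domain (always case-insensitive),
    fold provider aliases, drop a "+tag" suffix, lower-case the local part
    (assumption, see above), and drop dots for Gmail-hosted addresses only.
    """
    m = _MAILBOX_RE.match(addr.strip())
    if not m:
        raise ValueError(f"not a mailbox address: {addr!r}")
    local, domain = m.group(1), m.group(2).lower()
    domain = DOMAIN_ALIASES.get(domain, domain)
    local = local.split("+", 1)[0].lower()
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.replace(".", "")
    if not local:
        raise ValueError(f"empty local part after canonicalising: {addr!r}")
    return f"{local}@{domain}"


def same_mailbox(a: str, b: str) -> bool:
    """True when both strings reach the same inbox under the rules above."""
    return canonical_email(a) == canonical_email(b)


def find_account(accounts: dict, entered: str):
    """Look up an account by canonical key, so a login typed as
    'Jane+airline@Example.com' finds the account created as 'jane@example.com'.
    `accounts` maps canonical key -> record (a constructed in-memory store)."""
    return accounts.get(canonical_email(entered))


if __name__ == "__main__":
    store = {canonical_email("jane@example.com"): {"display": "jane@example.com"}}
    print(find_account(store, "Jane+airline@Example.com"))
```

The canonical form is for matching and de-duplication only; the address is still sent to exactly as the user entered it, since the tag after `+` is what lets the recipient filter the site's mail.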
| blorenz wrote:
| For the past year, every weekday at noon I receive an onslaught
| of calls from people trying to reach Humana. These are usually
| elderly people that report that my phone number came up on their
| caller ID. I have had my number for 20 years. I tried to Google
| my number to see if something popped up on Humana's site but
| nothing. I don't have an explanation or resolution for this
| behavior so I just prepare to ignore all calls starting at noon
| for the next hour.
| prettyStandard wrote:
| This has started happening to me also. Someone in my area of the
| country who has my same name accidentally put my email address on
| their registrations.
|
| These companies aren't verifying that the email was entered
| correctly.
|
| So I continue to get notices about what this person is doing even
| though I've reached out to the companies and this person to try
| to notify them of the error.
| phnofive wrote:
| Not sure GDPR is related to typos or deliberate misdirection by
| users - though I feel your frustration.
|
| By any chance does the numeric component of your e-mail alias
| form a shape on the 10-key pad?
| darshitpp wrote:
| Sadly, no. I only have 2 digits on my email to form a pattern.
| As said in the post, the guy whose bank statements I received
| had 5-6 more characters than my name, and didn't even have a
| number in it.
| throwaway744678 wrote:
| GDPR applies for EU companies, or companies dealing with
| customers from the EU.
| _dain_ wrote:
| Under GDPR, people have the right to have their PII stored
| accurately and can demand corrections from companies. There was
| a case where a bank couldn't store someone's name properly,
| because its legacy systems couldn't handle characters with
| diacritics. The customer sued, and won.
|
| https://shkspr.mobi/blog/2021/10/ebcdic-is-incompatible-with...
|
| Not a lawyer but I imagine this is a similar sort of situation
| and the same reasoning would apply.
| aflag wrote:
| My understanding is that the lawsuit is still ongoing. Maybe
| some legalese is going straight over my head, but was it
| ruled in favour of the plaintiff? How much was the fine? Will
| they have to pay it for as long as they are not able to
| change the customer's name?
| csunbird wrote:
| > "No company provides the email verification service"
|
| Sounds like a really nice startup idea.
| cebert wrote:
| I have a very short gmail email address which I've noticed
| intersects with several common names. I had no idea how rampant
| this issue is. I get a woman's Victoria's Secret orders and
| address, school progress reports for a child that is not mine,
| worship team updates for a Mormon church, a Snapchat account, vet
| updates, German emails I don't even know how to read, and many
| more unusual emails for people who aren't me. What's worse is for
| group emails (e.g. worship emails) I try to reply all and inform
| them of the mistake and only get more emails for the wrong
| person.
| feupan wrote:
| Every time I get a second message after my "wrong number" text
| I lose a little more faith in humanity. I regularly get
| voicemails and calls on my Google Voice number and people reply
| with stuff like "oh then tell him blah blah".. sigh
| 123pie123 wrote:
| does this describe the various companies that phone me
|
| and then ask me to prove my identity to them?
| spzb wrote:
| Pet peeve of mine. Especially when it's a bank or other finance
| company that really ought to know better.
| mikro2nd wrote:
| And then are at a loss when you demand that they identify
| themselves to you. After all, all you've got is a voice at
| the end of the phone. Seriously I'm sure there's good ways to
| solve this using some simple crypto(graphy, not currency). We
| ought to be able to mutually authenticate without resorting
| to stupid questions about things we were doing 25 years ago
| and no longer remember.
| DenisM wrote:
| We are able, I think.
|
| Say, my bank calls me and asks to call back with an
| extension#. I look up their phone # on their website, call
| that number, and provide the extension.
|
| They know who I am via the extension # I gave back to them,
| I know who they are via their phone # confirmed by their
| website SSL certificate.
|
| Alternatively, I call them back on the phone number at the
| back of the credit card.
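The call-back exchange DenisM sketches has a bank side that is easy to get subtly wrong (an extension that stays valid forever, or that works from any phone). The block below is an added example of that bank side, not code from the thread or from any bank: the extension is random, single-use, short-lived and only accepted when the callback arrives from the number the bank already has on file for that customer. The `customers` map, the phone numbers and the TTL are constructed for the example.

```python
import secrets
import time
from typing import Optional

EXTENSION_TTL_SECONDS = 10 * 60


class CallbackDesk:
    """Bank side of the exchange.

    1. The bank calls the customer and reads out an extension.
    2. The customer hangs up, looks up the bank's published number (the
       website, or the back of the card) and calls it with that extension.
    3. The bank accepts the extension only if it is unexpired, unused, and
       entered from the phone number on file for that customer.

    Caller-ID can be spoofed, so the number check in step 3 is corroborating
    evidence that the callback came from the same line, not proof on its own.
    """

    def __init__(self, customers: dict, clock=time.time):
        self._customers = customers   # customer_id -> phone on file (constructed)
        self._clock = clock
        self._open = {}               # extension -> {"customer_id", "expires_at"}

    def place_outbound_call(self, customer_id: str) -> str:
        """Return the extension to read aloud to whoever answered."""
        ext = f"{secrets.randbelow(10**6):06d}"
        while ext in self._open:                      # avoid a live collision
            ext = f"{secrets.randbelow(10**6):06d}"
        self._open[ext] = {
            "customer_id": customer_id,
            "expires_at": self._clock() + EXTENSION_TTL_SECONDS,
        }
        return ext

    def receive_callback(self, extension: str, caller_number: str) -> Optional[str]:
        """Return the customer id the callback authenticates, else None."""
        rec = self._open.pop(extension, None)          # single use, success or not
        if rec is None or self._clock() > rec["expires_at"]:
            return None
        if self._customers.get(rec["customer_id"]) != caller_number:
            return None                                # wrong line: refuse
        return rec["customer_id"]


if __name__ == "__main__":
    desk = CallbackDesk({"cust-1": "+15550001111"})
    ext = desk.place_outbound_call("cust-1")
    print(desk.receive_callback(ext, "+15550001111"))   # cust-1
```

The customer side is the part the thread already states: never dial a number given during the inbound call, only one obtained independently. Removing the extension on the first use, whether it succeeds or fails, means an extension overheard by a third party is worth one attempt at most.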
| 123pie123 wrote:
| nice idea, that should be easy(ish) to implement
| rambambram wrote:
| Just a random thought: can it be that a part of 'darshit' (the
| poo part, I mean) triggers some code to remove bad language, does
| something unknown, and then your real e-mail address gets linked
| to the first known account the respective system can find? Maybe
| all the different websites use the same authentication method
| from another third party, so it can happen on seemingly unrelated
| sites.
| darshitpp wrote:
| I've never had such a problem before. My email is just not
| simply "darshit", but also has a couple of digits. Among the
| people whose mail I received, one guy's email had 6 characters
| more than mine, and was totally unrelated.
| HelloNurse wrote:
| This is nothing.
|
| I have a very common name and a very common surname and people
| have used my email (name.surname at gmail.com plus the infamous
| GMail variants such as namesurname or NameSurname) for purposes
| like accounts on dating sites, Spotify, Instagram etc.; invoices;
| banks and insurances; resumes and job applications; medical test
| results; newsletters and all kinds of personal communications.
|
| "I" am a local politician, a Swiss or Italian banker, a boyfriend
| deserting some girl in Argentina, a rugby player, a professor or
| two; "I" buy screws, magic tricks, diving suits; I know several
| of "my" birth dates and addresses and I have easily identified a
| couple of correspondents.
|
| In most cases there is no practical way to verify email
| addresses, particularly if the person is really convinced that
| their email is the wrong one or that some approximation is
| allowed, and without actual payment collections coming your way
| little harm is done.
|
| I sometimes complain to web sites with inexcusable confirmation-
| less registrations or reclaim accounts on services I might want
| to use, but for the most part I just let incorrect emails
| accumulate to play the passive game of collating them and
| consolidating identities (e.g. is the person who follows cooking
| courses in a certain big city the same who received from a friend
| bus timetables for that city?).
| buro9 wrote:
| I have a similar situation.
|
| My most recent one was Apple telling me my id was reset by my
| request. This definitely came from Apple, was verifiable... But
| it turned out some person entered my email on their support
| case and it almost gave me access to their entire Apple
| account, the support people were willing to go through
| everything with me as I had the email.
|
| It was only when I asked for the transcript of what I'd
| apparently said to them that alarm bells rang on their end and
| they finally investigated enough and escalated enough and
| determined my email was not the one that had anything to do
| with the account in question.
|
| Mostly I ignore the email I receive, but once in a while it has
| enough details that I can find the person involved and give
| them their train tickets, or car insurance docs, etc.
| darshitpp wrote:
| We are on the educated side of the internet populace. I can
| only imagine worse things when this happens to the non-
| educated, especially in developing countries like India, where
| almost everyone has an (mobile) internet connection these days.
|
| It's interesting to think about how the very basis of our
| internet identities, that is the email, can be so easily abused
| by someone who has bad intent.
| OisinMoran wrote:
| > In most cases there is no practical way to verify email
| addresses
|
| What's wrong with "Click the link in the email we just sent to
| x@x.com to verify your email"?
| rerx wrote:
| A malicious recipient can click the link and exploit that
| their email is now associated to the account of some other
| person.
| dmurray wrote:
| This seems like a relatively small vulnerability in
| practice.
|
| But it could be mitigated by "click the link and enter the
| one time code we gave you at sign-up time". Too much
| friction? How about "click the link on the same browser you
| used to sign up, and we'll verify that using a cookie we
| just set" - functionally equivalent and probably works for
| 90% of users while the rest can fall back to the one time
| code.
|
| I've seen a handful of sites do something like this in
| practice. No idea why it's not more common: presumably most
| people don't roll their own verification process so if some
| major web frameworks adopt it we'll eventually see it more
| widely.
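rerx's objection is that whoever holds the mailbox can click the link, and dmurray's answer is to bind the link to the person who filled in the form. The block below is an added example of that binding, not code from the thread or from any site dmurray has seen: confirming the emailed link additionally requires either a cookie set in the signer-up's browser or a short code shown on the sign-up page, and neither of those values is ever put in the email. The class, its names, the 15-minute lifetime and the attempt limit are all constructed for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

TOKEN_TTL_SECONDS = 15 * 60
MAX_CODE_ATTEMPTS = 5


def _digest(value: str) -> bytes:
    return hashlib.sha256(value.encode()).digest()


class SignupVerifier:
    """Holds pending sign-ups until the emailed link is confirmed.

    The link token goes in the email. Confirming it requires, in addition,
    the browser cookie set at sign-up or the code shown on the sign-up page.
    A stranger who merely receives the email has neither, so clicking the
    link from their own browser does not attach their mailbox to the account.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # link token -> record

    def start_signup(self, email: str):
        """Return (link_token, cookie_value, code). The caller emails the
        link token, sets cookie_value in the signer-up's browser, and shows
        the code on the page (a hypothetical UI; not from the thread)."""
        link_token = secrets.token_urlsafe(32)
        cookie = secrets.token_urlsafe(32)
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[link_token] = {
            "email": email,
            "cookie_hash": _digest(cookie),      # only hashes are stored
            "code_hash": _digest(code),
            "expires_at": self._clock() + TOKEN_TTL_SECONDS,
            "code_attempts": 0,
        }
        return link_token, cookie, code

    def confirm(self, link_token: str, *, cookie: Optional[str] = None,
                code: Optional[str] = None) -> Optional[str]:
        """Return the verified email, or None if the link cannot be confirmed."""
        rec = self._pending.get(link_token)
        if rec is None:
            return None
        if self._clock() > rec["expires_at"]:
            del self._pending[link_token]
            return None
        if cookie is not None and hmac.compare_digest(_digest(cookie), rec["cookie_hash"]):
            ok = True                                  # same browser as sign-up
        elif code is not None:
            rec["code_attempts"] += 1                  # fallback: short code, rate-limited
            if rec["code_attempts"] > MAX_CODE_ATTEMPTS:
                del self._pending[link_token]          # too many guesses: start over
                return None
            ok = hmac.compare_digest(_digest(code), rec["code_hash"])
        else:
            ok = False                                 # link alone is not enough
        if not ok:
            return None
        del self._pending[link_token]                  # single use
        return rec["email"]


if __name__ == "__main__":
    v = SignupVerifier()
    tok, cookie, code = v.start_signup("alice@example.com")
    print(v.confirm(tok))                 # None: link alone, stranger's browser
    print(v.confirm(tok, cookie=cookie))  # alice@example.com
```

A six-digit code is only acceptable because attempts are counted per link and the link itself is unguessable; without the attempt limit the code would be brute-forced in seconds.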
| feupan wrote:
| > presumably most people don't roll their own
| verification process
|
| Oh boy. Auth is that thing that looks so easy because you
| _just need to store an md5 password_ to feel like
| hackerman. If people actually used existing solutions,
| web logins wouldn't be in such dire conditions.
| fragmede wrote:
| or just make a verified email address part of the
| required sign-up flow. No click on registration link, no
| further access to account.
| HelloNurse wrote:
| Allowing password reset requests (or activating the
| account in full) before the email is verified, so that I
| can reset the password and take over the account, means
| that the holder of the email prevails over the password
| holder: a severe protocol design error, which can be made
| even worse by accepting payments before the email is
| verified or by restricting account creations attempts.
|
| Not all careless stupidity should be attributed to the
| website admin, however: assholes using random email
| addresses and phone numbers deserve to be punished, and
| knowing one's own email addresses is a basic literacy
| requirement.
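HelloNurse's point is an ordering defect: if a password reset can be requested before the address is verified, whoever holds the mailbox outranks whoever chose the password. fragmede's rule ("no click on registration link, no further access") is the fix. The block below is an added example, not code from the thread or from any site it mentions: a small account store that can run in the defective ordering or the corrected one, plus a scenario function showing that the mailbox holder takes over the account in the first case and cannot in the second. The reset reply is also made identical for unknown, unverified and verified addresses. All names, addresses and the simulated outbox are constructed.

```python
import hashlib
import hmac
import secrets

RESET_REPLY = "If that address has an account, a reset email is on its way."


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class AccountService:
    """Sign-up, verification flag, reset and login over an in-memory store.

    gate_reset_on_verified=False reproduces the defect: reset (and login)
    work before the address is verified. True is the corrected ordering.
    """

    def __init__(self, gate_reset_on_verified: bool = True):
        self.gate_reset_on_verified = gate_reset_on_verified
        self._accounts = {}      # email -> {"salt", "pw_hash", "verified"}
        self._reset_tokens = {}  # token -> email
        self.outbox = []         # (recipient, kind, token): stands in for SMTP

    def register(self, email: str, password: str) -> None:
        if email in self._accounts:
            return               # silent: sign-up must not reveal existing accounts
        salt = secrets.token_bytes(16)
        self._accounts[email] = {"salt": salt,
                                 "pw_hash": _hash_password(password, salt),
                                 "verified": False}
        self.outbox.append((email, "verify", secrets.token_urlsafe(16)))

    def mark_verified(self, email: str) -> None:
        """Called once the verification step (not modelled here) succeeds."""
        self._accounts[email]["verified"] = True

    def request_reset(self, email: str) -> str:
        rec = self._accounts.get(email)
        if rec is not None and (rec["verified"] or not self.gate_reset_on_verified):
            token = secrets.token_urlsafe(32)
            self._reset_tokens[token] = email
            self.outbox.append((email, "reset", token))
        return RESET_REPLY       # same text whatever the address's status

    def complete_reset(self, token: str, new_password: str) -> bool:
        email = self._reset_tokens.pop(token, None)   # single use
        if email is None:
            return False
        rec = self._accounts[email]
        rec["salt"] = secrets.token_bytes(16)
        rec["pw_hash"] = _hash_password(new_password, rec["salt"])
        return True

    def login(self, email: str, password: str) -> bool:
        rec = self._accounts.get(email)
        if rec is None:
            return False
        if self.gate_reset_on_verified and not rec["verified"]:
            return False         # no verified address, no access at all
        return hmac.compare_digest(_hash_password(password, rec["salt"]), rec["pw_hash"])


def mailbox_holder_takes_over(gate_reset_on_verified: bool) -> bool:
    """Scenario: a stranger registers with *my* address and picks a password.
    I request a reset, read the token in my own inbox, and set a new password.
    Returns True when I end up controlling the account the stranger created."""
    svc = AccountService(gate_reset_on_verified)
    svc.register("me@example.com", "strangers-password")
    svc.request_reset("me@example.com")
    tokens = [t for (to, kind, t) in svc.outbox if kind == "reset"]
    if not tokens:
        return False
    svc.complete_reset(tokens[0], "my-new-password")
    return svc.login("me@example.com", "my-new-password")


if __name__ == "__main__":
    print(mailbox_holder_takes_over(False))   # True: the defect
    print(mailbox_holder_takes_over(True))    # False: corrected ordering
```

The gate is enforced at login as well as at reset; gating only the reset path would still leave the stranger using an account tied to someone else's address, which is the other half of the complaint in this thread.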
| Macha wrote:
| Compared to the current status of doing nothing, where the
| malicious recipient has their email associated to the
| account of some other person without even having to click a
| link?
| tomrod wrote:
| Needs a follow up of "re-enter password" I think?
| Macha wrote:
| Yeah, I have firstnamel@gmail.com for my actual name. I get
| this from time to time, but 90% of the mixups are actually down
| to one guy, an older latino guy (judging by the surname used)
| with interests in car rentals, ford trucks on second hand
| sites, and dating sites. He's given my email so many times, I'm
| convinced he thinks it's actually his email.
| fragmede wrote:
| At least Google Workspaces now shows the profile pic for the
| recipient. I can forget the exact right permutation of
| firstname.middleinitial.lastname@gmail.com, but when the
| profile pic is wrong, I can be sure I've mistyped something.
| ncmncm wrote:
| The Stupid Pattern I encounter most is getting e-mail about some
| account, with a link in it to some completely-other domain that
| looks most like a phishing site.
|
| Often these e-mails are not actual phishing attempts, they are
| just things made by absolutely phenomenally clueless hacks.
|
| So there is this company that does e-mail list services called
| mailchimp. Apparently, by default all e-mail from their customers
| comes with links to a site something like "mandrill.com".
|
| _If mailchimp is that clueless about security, do you really
| want to let them manage your password login setups?_
|
| There is a stock-market accounts company, Carta, that uses
| mailchimp.
|
| _Do you really want your stock market holdings managed by a
| company clueless enough to let someone as clueless as mailchimp
| to manage their password login setup?_
| Khaine wrote:
| It's not just emails where this happens. Some idiot has been giving
| out my work mobile number as his own. I got a call from his aunt
| to wish him happy birthday (she was incredulous when I explained
| that no, this isn't X's phone, and I don't know x). I get random
| texts from I assume his friends, and calls from collection
| agencies.
| jonathanlydall wrote:
| A very stupid pattern I've come across recently is Best Buy
| sending me an email with the subject "Password reset didn't work"
| and a body of:
|
| > You may need to create an account.
|
| > We received a request to reset your password on BestBuy.com.
|
| > However, we don't have an account associated with this email
| address. You can try to sign in with a different email address.
|
| > You can also create a new account using any email you choose.
|
| > Happy Shopping!
|
| My guess is that it's a bad actor doing something like password
| stuffing to try see if my email address has an account there that
| they can try compromise. It's also possible someone thinks my
| email address is their email address, I doubt it though because
| in the 16 years I've had the Gmail address I've never received an
| email intended for someone else.
|
| Regardless, I've never lived in a country in which Best Buy
| operates, but some "genius" at Best Buy thought it would be a
| brilliant idea to email people who they know don't have an
| account with them, because _there is no way anyone would ever try
| reset a password for an account on an email address which they
| don't actually have access to_.
|
| After getting these annoying emails a few times I landed up
| making a Gmail rule to always report them as spam, then delete
| them.
| shkkmo wrote:
| This doesn't seem stupid at all.
|
| BestBuy is considering two different scenarios and trying to
| handle both:
|
| BestBuy is avoiding leaking account status on their password
| reset page. This is done precisely so that people who don't
| have access to the email account can't figure out where you
| have accounts registered. This is a pretty standard approach.
|
| BestBuy is providing visibility to people who can't remember if
| they have accounts or which email they signed up with. Simply
| trying to reset your password and never getting an email leaves
| you in a situation where you are unsure if you waited long
| enough, missed the email, the business is having deliverability
| issues, or if you have an account. Having worked with
| businesses around reports of password reset email
| deliverability issues, it makes complete sense to me.
|
| This all seems like a perfectly reasonable approach.
| jonathanlydall wrote:
| It's very normal for password reset pages to say something to
| the effect of "if this email address is registered with us,
| you will receive an email..." and they could also add
| something like "you can also try create an account here".
|
| Instead they opted for the option where every time a "hacker"
| is trying to use the form to compromise an account, it spams
| the victim with this email. As most of the world is not North
| America, it is statistically most likely that the email
| recipient is someone who's most assuredly _never_ going to be
| a Best Buy customer.
| shkkmo wrote:
| I still see no problem with this implementation. If someone
| is trying to compromise or even locate accounts tied to
| your email, wouldn't you want to know?
| jerrre wrote:
| > there is no way anyone would ever try reset a password for an
| account on an email address which they don't actually have
| access to.
|
| I think you overestimate your less computer savvy fellow humans
| :) Also it could be phishing?
| fragmede wrote:
| I once got a series of password reset emails, and 6 of the 7
| were genuine. The 7th was an obvious phishing attempt that
| seemed more genuine given that the first 6 _were_ genuine.
| Had I clicked on the 'report phishing attempt' on the last
| email, it would have been game over.
| michaelcampbell wrote:
| I have a very common name, and was lucky(?) enough to have gotten
| a gmail account with it back in the days you had to have an
| invite from a Google employee to get a gmail account.
|
| I get misdirected emails like this at least multiple times a
| week.
| iamstupidsimple wrote:
| > I never received any further emails because the user probably
| never recharged his internet subscription.
|
| > This wasn't even a spam email!
|
| I disagree, if it's not intended for you, then it's spam. Marking
| these emails as spam might affect the company's delivery rates
| and get them to actually fix the broken process that allowed this
| to happen.
___________________________________________________________________
(page generated 2022-01-01 23:02 UTC)