hn_throwaway_99 · 4 years ago
The common thread among most stories like this is the spoof-ability of phone numbers. Telecom companies must make changes to prevent this kind of spoofing. Honestly, I think if telecom companies could be sued for damages caused by this kind of thing (not to mention spam) then I think the problem would get solved very quickly. The only reason it hasn't been solved yet is most of the cost and pain is borne by others.
xoa · 4 years ago
>Telecom companies must make changes to prevent this kind of spoofing.

Traditional phone companies absolutely should do a better job vs spoofing (and I believe there is supposed to be at least some progress there via STIR/SHAKEN in the US at least), but I'm a lot more inclined to blame services and particularly armed response services that still treat them as secure in a way they have long long LOOONNNGGG since proven they aren't. Telephone numbers simply were never ever a particularly secure thing, predate the entire net let alone widespread use of cryptographic protocols, and retrofitting real security onto that legacy has proven non-trivial. They shouldn't be blindly depended on for something like SWAT deployment. Security services live in a world where they can be lied to and they act like it in other circumstances. They're the ones sanctioned by the state to responsibly employ lethal force, and have been given ludicrous amounts of outright military grade gear. They should be investing in tools and techniques to evaluate reports and gather intel on site before "storming the house". Even basic old humint like "asking the neighbors if they heard any shots" seems to have been tossed aside. Like take this very reported case:

>The caller told the dispatcher he had killed his girlfriend. He had barricaded himself inside his home in a quiet, affluent neighborhood on the eastern edge of Palo Alto.

OK, so maybe there is a criminal there, but by his own (suspicious) words nobody is in any immediate danger. The supposed body he's killed isn't going anywhere. Surround the place from a distance, sure, and if someone does start shooting from the house obviously that's clear enough. But if the police have the place covered and nothing happens, maybe ask some neighbors. Send in a drone or two. Get on the line with a judge for a quick order to use IR or terahertz imaging or whatever and see if that reveals anything. Get a megaphone and ask everyone to "come out with their hands up" even! If the police though just go and storm the place though they could well cause the very situation they seek to avoid, what if someone is fast asleep and hears a break in and opens fire to defend themselves? Hardly an impossible thing particularly in America. It's happened.

Everyone in tech knows all about blindly trusting user input. Yes absolutely it'd be good to deal with trivial spoofing but that alone isn't going to mean there can't be malicious input. Or even non-"malicious" per se, there are people out there on bad trips or with untreated disorders who might report fake stuff fully believing it. The human mind is an imperfect thing. Stopping spoofing also won't stop someone from making a real call from a real phone that they've stolen or hacked into some business network and used their VoIP, calls from the victim's number could just as easily be calls from "a neighbor who heard shooting and saw flashes through the window" or "concerned passerby". E911 is supposed to have a variety of standards for including location information and in principle that should cut back on this as well, if someone claims to be in a house and the location doesn't show they're at the house that should be a red flag. But that still leaves holes due to legacy and risk aversion from bad incentives. At the end of the day, I think any service for the general public needs to be careful about considering their inputs. Ask for money upfront for that pizza for the first order. Trust but verify and all that.

Edit: One useful thing the government could perhaps provide here would be something along the lines of a national "known harassed number(s) registry", where someone could report getting this kind of thing at their local police station in person, show proof of identity, and ask for their number to be flagged for a year along with a code word. Any future 911 calls could automatically be flagged in turn, the operator could ask for the code word, or at least let responders know that there was a history of spoofing and everyone should be extra careful.

EarlKing · 4 years ago
> They should be investing in tools and techniques to evaluate reports and gather intel on site before "storming the house". Even basic old humint like "asking the neighbors if they heard any shots" seems to have been tossed aside.

Yeah, I've suggested this very thing myself on several occasions, but basically people who are against engaging in self-defense and prefer to use police officers as their own personal security are dead set against any kind of reform on this point. You're really not going to get any kind of reform on this point until it's more than just little people who are being inconvenienced by this. Basically unless and until SWAT shoots someone "who matters" it won't change... because some people are REAL sure they need a militarized police force who can kick in your door at any time on the word of an anonymous jackass on the other end of an unsecured line.

bryanrasmussen · 4 years ago
> but by his own (suspicious) words nobody is in any immediate danger.

I'd agree, were it not for my knee-jerk tendency to argue the contrary - the girlfriend may in fact not be dead, but only in shock. Also how do you know there isn't anyone in the house?

But probably those would be outlier situations, and the steps you suggest would be better than storming in.

paul_h · 4 years ago
Lots of companies are comfortable programming a single caller ID for many phone lines in a call center. It's a legitimate business need. Trouble is the caller-ID is not validated for each and every call. If the target phone could contact the claimed originator, and silently ask "did you send/initiate this message/call <token> <target number>" then phones (subject to preferences) could /dev/null incoming and not at all interrupt the owner. While SMS could be the protocol for that, they are not free for everyone, and landline users can't participate with today's handsets. The other problem is the world's hundreds of call center technologies would need to be upgraded - circling back to money. Each time the FTC brings this up the telcos say they agree it is important yet do nothing. Google and Apple could lead the charge with that silent use of SMS (subject to handset preferences). They could take it out of the hands of the telcos, and make them play catch up.
prvit · 4 years ago
It’s really not. SWATting has nothing to do with spoofing numbers. You can call from google voice or skype and the cops will take it just as seriously.
X9 · 4 years ago
I grabbed a short 2-letter Twitter handle within a few months after they launched. A few years ago I had someone use SIM hijacking to steal access to my phone number. This failed to get access to my Twitter account because I never set up a recovery phone number, however he got access to my Facebook and a few other accounts. I got T-Mobile to fix the SIM swap, but after 3 nights of harassment I just changed my handle. I didn't want to give in but the handle wasn't worth the trouble. On the plus side since Twitter doesn't allow handles that short anymore, once I changed my handle the hijacker's attempts were foiled.
0x00000000 · 4 years ago
How would they know the phone number associated with your account?
6sp · 4 years ago
They were likely guessing that the number matching public records for the account owner’s name was the same used to secure the Twitter account.
vkou · 4 years ago
They may have had their Twitter handle on their CV.
nevster · 4 years ago
Even 3 letter handles can be a bit of a drag, when random tweets get chopped off and only the first 3 letters of other twitter handles happen to match


askafriend · 4 years ago
IMO you shouldn't have given in. You should have been extremely petty here on principle - the situation calls for it.
motoxpro · 4 years ago
Did you not read the article? The one where people's family members are getting harassed and someone died of a heart attack? That is a lot to put other people through out of "principle"
brynx97 · 4 years ago
Darknet diaries has done a few recent episodes on this topic. Episode 106 is about account handles told from the perspective of the victims, and it is quite sobering. Episode 112 is a long interview with an individual who had hacked handles, and it has a look into sim-swapping and some of the tactics around that. Highly recommend ep112.
metadat · 4 years ago
For the uninitiated (like me):

https://darknetdiaries.com/

awinder · 4 years ago
We should probably fix SIM swapping / jacking for a lot of reasons but can we also maybe up the seriousness of the legal frameworks at play? It’s almost unconscionable that a Bay Area police department has no real idea / interest in understanding that you’re being SWATed. It’s definitely beyond crazy that the only way this guy got 5 years was because of further crimes committed while on bail. The criminals think the laws are lax _even in the midst of being prosecuted under them_
ols · 4 years ago
I have a short instagram handle.

In 2016 someone figured out how to successfully repeatedly reset the password without my knowledge (via support maybe?). But since my e-mail was not compromised they didn't manage to change the password (or I was quick enough to set it again before they executed some second step of their scheme). I upgraded the security measures to 2FA and some insanely long password and it ceased.

Since November 2020 I am subjected to a brute-force attack - someone is trying to log in and I am getting an email notification about it each time. In the beginning it was once every five (!) minutes, later every 15 minutes. It went like this for over a year, now it seems to be throttled with emails arriving once every few days.

I am surprised that for such a long time Instagram didn't implement anything to counter such activities.

But luckily, no pizzas yet.

bilekas · 4 years ago
You would think there would be some account-based flag for that.. Even something insane like 10 reset requests within 2 hours.

This should be standard stuff really!
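
An account-based flag of the kind suggested in the comment above, as an added example that is not part of the original thread or any service's real code: a sliding-window counter keyed on the targeted account, using the comment's figure of 10 requests within 2 hours. The account names, addresses and timestamps are constructed sample data.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds taken from the comment: 10 reset requests within 2 hours.
MAX_REQUESTS = 10
WINDOW = timedelta(hours=2)


class ResetFlagger:
    """Sliding-window counter keyed on the target account, not the source,
    so requests arriving from many different addresses still add up."""

    def __init__(self, max_requests=MAX_REQUESTS, window=WINDOW):
        self.max_requests = max_requests
        self.window = window
        self._recent = defaultdict(deque)  # account -> timestamps in window
        self.flagged = {}                  # account -> time the flag was raised

    def observe(self, account, when):
        """Record one reset request; return True if the account is flagged."""
        q = self._recent[account]
        q.append(when)
        # Drop requests that have aged out of the window.
        while q and when - q[0] > self.window:
            q.popleft()
        if len(q) >= self.max_requests and account not in self.flagged:
            self.flagged[account] = when
        return account in self.flagged


def constructed_events(interval_minutes=5):
    """Constructed sample data: (account, source, timestamp) tuples."""
    start = datetime(2020, 11, 1, 0, 0)
    events = []
    # 'shortname' receives a request at a fixed interval from varying sources.
    for i in range(30):
        events.append(("shortname", f"198.51.100.{i}",
                       start + timedelta(minutes=interval_minutes * i)))
    # 'regular_user' forgets a password three times over one day.
    for hour in (1, 9, 20):
        events.append(("regular_user", "203.0.113.7",
                       start + timedelta(hours=hour)))
    return sorted(events, key=lambda e: e[2])


def run(events):
    """Feed events in time order and return {account: time_flagged}."""
    flagger = ResetFlagger()
    for account, _source, when in events:
        flagger.observe(account, when)
    return flagger.flagged


if __name__ == "__main__":
    for account, when in run(constructed_events()).items():
        print(f"flag {account}: threshold reached at {when.isoformat()}")
```

What the service does once an account is flagged (throttling, extra verification, notifying the owner once instead of per attempt) is a policy choice outside this example.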

yieldcrv · 4 years ago
Time to filter that email notification
moring · 4 years ago
"Eberle left work and drove to the Palo Alto police station, where he explained the situation. But there wasn't much the police could do about it."

This is, IMHO, the key part. Mr Eberle found himself in a situation that would result in criminal charges for the "attackers" if they could be found, but the police simply gives up.

m000 · 4 years ago
"We're sorry sir, but unless you give us an address to swat, there's nothing we can do."
sys_64738 · 4 years ago
I remember getting a demand I surrender my HoTMaiL address to somebody in a very threatening email to my address way back in 1998. It was kind of surreal back then as the internet was still fresh. Nowadays the closest I've gotten to this is the people who keep using my Gmail address as their own email address. I find this behavior rather bizarre and don't know what it achieves.
hx2a · 4 years ago
> Nowadays the closest I've gotten to this is the people who keep using my Gmail address as their own email address. I find this behavior rather bizarre and don't know what it achieves.

I have this problem also! I thought it was rare. In my case I think the person is very bad with computers and doesn't know what their email address is. I've gotten emails from their bank, cell phone, and even online dating. I tried mailing them a letter once to tell them they are making a mistake but nothing changed.

dkjaudyeqooe · 4 years ago
I had some person's client email me regularly for years, which I ignored.

One day I decided to take action and sent an expletive-filled email to them telling them that I was not the person they thought I was and to stop emailing me.

They then sent me an email telling me I was fired.

fortran77 · 4 years ago
my gmail is my <lastname>@gmail.com

It's not a super-common lastname, but there are probably several hundred people with it in the US.

I get all sorts of email for people whose address is some variant of it, like <firstname.lastname>@gmail.com. I've gotten plane tickets, paypal payments, cancer diagnoses, Bar Mitzvah and Wedding invitations, college transcripts, all sorts of personal information.

In many cases, I don't think it's the fault of the person with the email; I think they give their email as "firstname.lastname@gmail.com" and some clerk just uses "lastname@gmail.com"

tinus_hn · 4 years ago
I’ve gotten invitations for a GP system, among countless signups for games as well as an account approval for a car. I’ve gotten a hold of one person who was ordering curtains with my email address, they were nice, I got hold of another person who was repairing their phone and they got angry. It’s really quite annoying, and half of the services aren’t even confirming the address, they just put whatever you fill in on the account and start sending ‘informational’ spam.
TheNewsIsHere · 4 years ago
I have the same problem. Mostly for an old MobileMe/iCloud alias, but also for an entire domain that I own. Someone keeps signing up for Instagram accounts in another language.

My every day email is my name@myname.com, and I’ve had to purchase several typo domains and alias them.

FrenchDevRemote · 4 years ago
could this be credential stuffing attempts? or just typos?
maxk42 · 4 years ago
Likewise I have no fewer than three people trying to use a gmail address I've had since 2003 as their own. It's extremely frustrating - one even sent me $45,000 in a mistaken paypal transfer and then when I reversed the charges I was hit with an overdraft since I had made a Paypal purchase (which would ordinarily come from my direct bank funds) not knowing the money had been sent to me in error.

It shouldn't be this easy to use someone else's email address.

xoa · 4 years ago
I have an old 7 letter gmail address, not an English word even but it must mean something in India and someone must have used it because for years I got eye-opening stuff, full color scans of national IDs, job applications, business proposals, invoices etc. At first I tried to send messages back explaining but in the end I just had to block it all, didn't have the time.

>It shouldn't be this easy to use someone else's email address.

This though, seems hard. I don't think this is a "security" thing per se (though I dearly wish there was a modernized "email" system built with modern crypto from the ground up). But for any sort of communications at all it seems like there is an inherent tension between how low friction one wants for the world to communicate vs protection. Like, there is nothing stopping anyone from doing a pure whitelist system for email right now. I even do in fact do that for a few accounts like specific ones for client contacts, only active client addresses will be accepted everything else is blackholed. Those obviously receive zero spam or misuse of any kind [0]. But obviously the tradeoff for that is no new potential clients could ever "cold call" it either. One could imagine technical solutions like "only accept stranger email from accounts with a signed ID" or "vouched for by known address" (ie, WoT) or "only address with a signed time token >N from providers X, Y or Z", or some kind of challenge/response, but all would have privacy tradeoffs, complexity, and still wouldn't inherently do anything about honest mistakes.

We could have more powerful options for this, but it'd still involve subjective tradeoffs between how open to new communications one wants to be vs cutting down on noise. No one right answer there.

----

0: Forged from fields are of course possible but in practice someone would at the least have to know which handful of the total planetary email addresses were whitelisted, never mind flags that show up in the headers from that

metadat · 4 years ago
That was nice of you, you probably could've kept the money and there isn't much they could've done.

Ask me how I know :( PP money was not recoverable that one time my ex sent it to the wrong email address.

maxk42 · 4 years ago
(Meanwhile, Google flags every log-in from my daily Linux driver as a potential security issue. Madness.)
fragmede · 4 years ago
When using Gmail to compose an email, sending to another gmail user, it shows me their profile icon. This has stopped me from sending to the wrong firstname.lastname@gmail.com variant several times. I don’t know if other providers do this but it’s something.
markdown · 4 years ago
> Nowadays the closest I've gotten to this is the people who keep using my Gmail address as their own email address. I find this behavior rather bizarre and don't know what it achieves.

I have a very common English <firstname><lastname>@outlook.com address. My inbox is always full of bank statements, invoices, and all sorts of business correspondence and bills from all over the world.

It made the address unusable.

blacklion · 4 years ago
Same here. You could guess my GMail e-mail from my HN login :-)

Looks like it is popular among some ethnic groups.

I get applications for waitress for Black Lion Pub in the middle of England, tons of registrations to any and each popular service which doesn't require e-mail validation, receipts from all around the world for online purchases (from dresses to drugs to surgical treatment of cats and dogs). I don't mention registrations in several recruitment agencies for low-wage workers ("I" was offered positions of forklift operator, gas station worker, etc).

There was whole year+, when PA of some real estate agency in Florida used this e-mail to book airline tickets and hotels for her boss. It was at least a trip each week, all around Florida and neighboring states. I've written to hotels, I've written to the public e-mail of this agency - to no success. I've cancelled these bookings - they were re-booked, sometimes for much higher price. One time I've canceled a non-refundable booking for hotel 6 times in a row. It was re-booked each time, nothing changed! In the end I've filtered out all messages addressed to this person (name was always the same, it is what allowed me to figure out firm & person). After a year or a year and a half it stopped.

anonAndOn · 4 years ago
I have a similar gmail address as a successful VC. As a result of this coincidence, I get unsolicited pitches for startups regularly. My anecdotal evidence suggests that 100% of unsolicited startup pitches are dumpster fires of cash. YMMV
Brajeshwar · 4 years ago
Hotmail: It was really easy to "hack" hotmail during that time. I created mine in 1999 and lost in early 2000. By summer 2000, I happen to talk to a friend of a friend who works at Hotmail. I got him to reset and give me a new Password that worked. I still have my hotmail account and is used to the times when you need a Microsoft Account.

Gmail: A lot of people seem to think email, then "Gmail". I get emails of at least 4 (or is it 5) people who have used some variation and also exact ID of my Gmail account (created when it came out in beta). I get details of their Credit Card, Bank, Phone, and what not. I just ignore/delete them but someone with time and fun/bad intention can do some serious harm. I have tried sending emails, contacting them few times but to no good result. One got angry that I have access to "his email". From the mail history, I feel really sorry for them. They are definitely not well-off and I feel I should protect this part of their digital identity. :-)

wyclif · 4 years ago
I also have <mylastname>@gmail.com because I got my account before April 1st, 2004 (the public release date).

My name is also uncommon but it's very English, so I get weird email from England, Scotland, Ireland, Canada, South Africa, Australia, and New Zealand—anywhere there was an Anglo diaspora. I've given up trying to do anything about it, and it really isn't a problem because the volume is very low.

> I have tried sending emails, contacting them few times but to no good result.

As someone who's had this same Gmail address for 18 years, I'm here to tell you it is absolutely a pointless waste of your time and almost never results in the sender changing their address book, workflow, or typing skills.

Group_B · 4 years ago
You have random strangers typing in your exact email address thinking they own it?
c22 · 4 years ago
I have a domain I've used pretty much just for email for the past 25 years. The domain is similar in a kinda h4cker l33tsp34k way to the name of a SaaS that started up about 8 years ago and offers a free trial. Now I get multiple emails a day due to people being clever and using their made up name @ my domain for their test accounts.

It was hard to filter it at first since people kept exploring areas of the trial that generated novel message templates and the messages seemed to come from an endless supply of unique hosts.

At one point I contacted the SaaS company about it but they told me there was "nothing they could do" even when I promised I was the only user at that domain and I had no intent to sign up to their service with it.

I used to just log into their trial and delete the account, but while trying to automate this I figured out a better way to do my filters so the emails don't really bug me anymore (except in the cases when someone picks an alias I already have in use).

shever73 · 4 years ago
Yep, I get the same. My Gmail is a simple first initial + surname, and I've received payslips, job offers and, most entertainingly, invitations to speak at a neurosurgery conference in Brazil.
rotexo · 4 years ago
I was the target of an online harassment campaign, and very soon afterwards I got a bunch of emails confirming registration on a whole range of forums I had never heard of. Seemed like people were using my email address for forum spam. I’ve been trying to migrate to a new email address ever since, not sure what else to do about it.
raverbashing · 4 years ago
> the people who keep using my Gmail address as their own email address

I think it's a mix of room temperature IQ and Main Character syndrome thinking they're the only ones with their own name (especially if it's common)