One of the requests was for a business card ... I haven't had a business card made with my name on it in 20 years.
The amazing thing is that I bet scammers working this system can get through this faster than I can.
At this point they should just give me control because no way would some scammer fail this much at this ungodly process.
I got hit by this from google.
1. Gmail added requirement for 2FA on my primary email address. Since I had no phone number on file, it instead used my recovery email address. Thankfully, I still had the password for my recovery email address, and could continue to (2).
2. Gmail added requirement for 2FA on my recovery email address. Since I had no phone number on file, it instead used by recovery's recovery email address. Thankfully, I still had the password for my recovery's recovery email address, and could continue to (3).
3. SBC Communications no longer exists, as it merged with AT&T in 2005. Email addresses at `sbcglobal.net` were maintained up until around 2021-ish, when they started purging any mailboxes that had been idle for more than 12 months.
Fundamentally, this was google's fault for misusing a recovery email for 2FA. Unfortunately, the only way to fix it would be to contact AT&T, asking them to pretty please update the email settings for somebody who hadn't been a paying customer for two decades.
Once it became clear that they'd shifted from "crappy customer service" to (IMNSHO) "we fetishize the complete absence of customer service" it became dangerous to depend on them. Really, what's the worst that could happen? Maybe someone spams emojis in live chat on a game livestream at the request of the streamer on a personal account, it gets banned for abuse, Google recognizes that it's linked to other services and locks down everything? But that's so unrealistic I'm sure it could never happen.
It's not like they also have the ability to identify links between multiple accounts accessed by the same person and have automated processes that might stomp the associated accounts as well. Why, that would probably require something like allowing poorly-understood automated agents to take actions on their own!
While this would absolutely suck and I sympathise with anyone getting hit by this out of the blue, it's pretty clearly your fault, not Google's. What should they have done? Just permit everyone to avoid upgrading to 2FA indefinitely? That would result in relatively more account hacks overall, for which they would inevitably be roasted in the court of public opinion.
Or yours, for not caring about 2FA. It's been a common practice for many years, and strongly recommended by most identity services, as well as OWASP and NIST recommendations.
What would you do in Google's place?
If Google wanted to lock me out of my account for my own good until I enabled 2FA, fine. But as GP stated, they abused the recovery email addresses to force 2FA on people and ended up locking some people out of their accounts.
The rest of your complaints make sense but this one is bizarre. It's a recovery email, isn't having access to it the entire point? Like what else did you think it was supposed to be there for beside being accessible?
Google clearly misused it for something else, and you have a strong argument they shouldn't have. This one sentence just needlessly weakens the argument.
Best treat all org controlled email address as temporary.
This probably doesn't comply with the relevant recommendations, but cutting a user of from their email is worse in my opinion.
if you make an app it is not your customers responsibility to secure it with additional actions from their side..if it is, you need to make it mandatory and guide them step by step.
you cant after a while enable some toggle.and tell people to fuck off and its the fault of their ignorance to not know some technical details.
most consumers of these services dont know shit about IT and they should not be burdened with it..any product that demands it is either only meant for tech savy people or more likely lazily and badly engineered by money hungry people who see opportunity to make more money in user's issues.
That's why Google sent them multiple emails explaining what it is and recommending to turn it on. What else could Google do?
Google is one of the rare places I actually see positive value to 2FA. Compare with say banks, where it being demanded actually decreases my security. But regardless, it should not be forced.
Yes, some banks implement it silly, like SVB requiring biometric login in order to scan one-time QR 2FA code from their app (biometric login is less secure), but you don't have to use the QR code, can use regular 2FA without biometrics.
But even then having 2FA is 42 times better than not having it.
They certainly did a proper thing forcing people to use 2FA AFTER multiple emails over the years recommending to turn it on, and warning that they will enforce it, which they did.
I constantly remove it whenever Gmail sends me the notification.
I can't help but think there is some method for the other person to steal my Gmail account if I never remove my email as their backup.
We both get hit with "OG Hell," where people are constantly entering our emails. I think most time, it is accidental (maybe they meant "XXX1234", and forgot the number).
What makes it worse, is that Apple aliases mac.com, icloud.com, and me.com together, and there's no way to turn off one of the aliases.
mac.com is really in retirement. No one sets up new ones, but the miscreants typo icloud.com, which gets routed to me.
I have a rule, where I shitcan every mail to icloud.com, but I wish I could simply turn off the forwarder.
I hope it's because I have small simple email and not because they want to steal it.
Not jsmith, but kstrauser. Not Gmail, but Yahoo. And I still get banking docs, and HOA meeting minutes, and birthday party invitations, and Facebook logins, and other bizarre random stuff.
I have so many questions. I’ve typoed my address before and had to correct it. That’s understandable. But to wholly invent one and say, yep, that looks good even though I’ve never used it before, I’m sure it’ll be fine! I just don’t get it.
Some of the emails are really unfortunate stuff. "Your account was added as a backup address." - Then inevitably, a few weeks later, dozens of password reset emails. Sorry bud. I've received pay stubs. Orders and invoices. I get phone bills every month for someone in India. Its chaos.
Early on I'd sometimes reply to these random emails telling people they've got the wrong address. The most astonishing reply I ever got was from HSBC bank telling me I needed to come into the branch to change my email address. Over the course of a week, I explained about 3 times that that was impossible. That I live in Australia. That I'm not their customer, and its not my account. Eventually they told me they were disabling online banking on my account. Now I've given up replying at all.
Send emails into that pit of PII misery if you want. I don't read them.
>You send it to johnsmith@gmail.com
>You receive a new message, it says "Hey, can you please stop using my email address?"
>You're johnsmith@gmail.com, you only know that's the address that's being used
PD: I know that if he resets the password he can get the other address, but this scenario was funny in my head.
They may well be looking for targets.
I've had this happen several times... There's a lawyer I used for a dispute a few years ago, and they now have another "First Last" name that matches mine, and he keeps emailing me... my reply, "Wrong Michael, again..."
It's kind of annoying all around... I need to get off my butt and get a few things shifted, then just start relying on my own MTA again, instead of forwarding *@mydomain to my gmail to. I'll still wildcard the domain, but to a single mailbox on my own mta.
I'm not sure how bad the spam might get though... I've had a test account on my mta for a couple years and it hasn't really recived any... my wildcard accounts either... I use the wildcard so I can do things like walmart@mydomain, to see if/where an email address is sold/leaked from regarding spam.
Just include "not me!" In the verification email, dam it
“We’ll be right over.”
Later, after OP told the user and they failed to change their address, OP logged into the site and changed their password, putting an end to the spam they were receiving from the user’s actions.
I don’t have an ethical qualm with this. He didn’t want to sign up for the service. Someone else signed his email address up for it. Legally, I can’t imagine that being prosecutable.
I got divorced a decade ago, and every well-wishing person in my life was strongly urging me to do things which were shockingly counter-productive / dangerous / wrong, based on their confident understanding (assumption, really) of the law which was completely and dangerously inaccurate.
Hacker News audience is global. People start accounts for various purposes. Yet people still freely share the notion that logging in to some unknown website run by an unknown company from a hard to spell country and then touching things is universally safe.
I miss the old "IANAL" tag which at least provided basic warning and self-awareness :-).
"It's OK: you can curse on the Internet." "Not when you're typing from Iran!" "Well, OK, if you're in Iran, don't take this American's advice for dealing with a government."
Part of our obligation as a reader is to consider what others are saying in the context of our own circumstances and experiences before trying to apply it. If you don't, and things end badly, that's on you.
But I stand on my words: I think it's ethically OK. You may not. That's alright. We're not required to have the same ethics or morals. And I don't think that's prosecutable. That's my opinion, based on my circumstances, not a statement of fact that applies in all jurisdictions around the world.
Above all else, I got tired of giving disclaimers about every single thing I say lest someone jump in with a "gotcha! scenario" I hadn't considered because it's not relevant to the context of the discussion.
Does it? So I can say, "I'm not your lawyer, but I'm happy to go ahead and give you specific legal advice on your case." and I can't be accused of illegally practicing law? I was under the impression that this could still get you into hot water. But not being your lawyer, due to the fact that I am not a lawyer at all, I don't know if it is true or not.
As with all things, who are you going to get in trouble with? And what's so magical about legal practice as opposed to, say, giving shitty medical advice or telling someone how to build porch? Asking genuinely. No one falls all over themselves to say "I am not a doctor, but...", even though their next words could kill someone. The implication is that they don't have formal training but they saw something on Facebook that you should try. What happens next is on you, not on them.
This is precisely why I’m pointing this out: IANAL is a very curious case of people self-labeling their statements as “not trustworthy for the topic”. I can think of perhaps no other cases where it is so popular to claim to not be a professional in the relevant field, which suggests that IANAL is a ‘badge of honor’ rather than a proper legal disclaimer. Certainly few (if any) claim IANAD before writing about their experiences with medical issues, body things, or nutritional supplements here, even though those topics are (as you correctly indicate) potentially lethal.
Thus, IANYL: if your goal is to ensure that the recipient of your advice / opinion / whatever does not have grounds to claim that you provided legal advice, and therefore are their lawyer, then you can either do so weakly with TINLA (“this is not legal advice”), which still leaves the door open for awkward claims by some desperate grifter-rando to reach a bench, or you can do so strongly with IANYL (“I am not your lawyer”), which closes that vulnerability in full.
Not once in years of using IANYL have I seen anyone else properly protect themselves from this vulnerability; meanwhile, “IANAL but” remains in use as a badge of honor. So, yeah, I don’t think anyone considers the particular avenue of vulnerability a serious threat, and yeah, the general context of IANAL here is prideful rather than protective. But after twenty years of dealing with a stalker who was adept at internet and tried to fuck with my job at one point, I do now tend to value closing off legal vulnerabilities with certainty, and as a bonus it doesn’t imply insult to the professions of law.
IANYL, YMMV :)
Consider that the “imposter” starts uploading child porn or something, and it’s on an account registered to your address. I think it’s perfectly A-OK to tell the service that it’s not me using the thing and I want them to close the account someone created in my name.
I get TONS of emails of people trying to join services that use my address as a "fake email".
What would you expect clicking that "wasn't me" link to do?
In 99% of cases, the user who signed up with your address already can't do any more with that account unless you positively confirm it was you; and the site also won't send you any more email because they don't consider the email verified (and so sending to it might result in their emails getting sent to spam -> their email-sending reputation score going down.) So things are already in the state you'd want them to be in, no?
The only problem I can think of with that state is that now you can't sign up "fresh" for an account with the same provider, because now there's already an account associated with your email address sitting there in their DB in the pending-email-verification state. (But you still can acquire that account, by clicking "forgot/reset password" and going through that flow, which will inevitably go through your email, as anything like a 2FA setup flow always waits behind email verification.)
Etc.
I believe they included the “unsubscribe” link too…
In the past when this happens I usually reset the password and change the email to some anon throwaway but I can't do that without Raymonds DOB (don't quote me on that, been a while since I tried).
I wonder if finding people responsible and spamming then with their own service emails would make the team care enough to fix this. But of course that's mostly dubious, probably illegal, and shouldn't be a responsibility of some vigilante hacker
Malicious in-attention then, by the profit driven org? :)
When pointing out that legal parallels exist, to enact a solution, must I envision that solution?
I do wish there was a requirement for some sort of "no" button that would stop sending sign up requests entirely.
I run a few websites that accept an email address (all noncommercial, I have no interest in spamming anyone). One of them is the "contact me" feature on my personal website. To prevent spam, I had people just put in their email address and it'll automatically email them my email address. This works perfectly to this day, haven't got a single spam email on any of the addresses I've handed out, but the ratio of emails sent out to received is probably 50 to 1. Why would anyone put an email address in there if not to contact me? I've been wondering if it's used by mail bombing services, idk if that's a thing but I know of the concept of annoying someone by signing them up for a hundred newsletters. My site doesn't send recurring emails, though, and it doesn't allow putting more than two email addresses per month in, per /24 IPv4 block (and even more strict on v6). It's useless for mail bombing services but the (presumed) bots keep submitting a steady rate of maybe 2 new email addresses per day, each time from a new ISP in a random country. No email addresses is ever submitted twice. No rhyme or reason to it. If anyone can make sense of this, that might help me in stopping the abuse
That doesn't prevent a huge majority of them from sending you notification emails all the time even if you never verify.
Relevant xkcd:
Yeah, I get the same regularly.
On the other hand... Occasionally someone gets my info because some careless person entered my email address into their system incorrectly. You'd think this problem would be solved by moving to a custom domain, but I still once in a while find someone completely ignore what I put into the form and sign me up as firstnamelastname@gmail.com.
They can't just say "we don't want to deal with small timers who will not pay us big bucks doing nonstandard things" without pushback but they can write the policy so that a huge fraction of those use cases fall into some crack that can only be got out of by incurring the kind of expense that's a non-starter for those users. Your municipal code is rife with examples of this.
The people who create a system have some intent for it. The system may or may not effectively achieve that intent, may or may not outlive the initial conditions that surrounded its creation, and may or may not have side effects.
Purpose is something humans assign. It is sometimes linked to intent. A carpenter's hammer is intended to drive and pull nails, and that is often also its purpose. The purpose of the hammer I keep in my basement is breaking open walnuts.
The phrase is stating that the purpose we should assign to systems when judging them is their outcome, and not the intent behind them.
The classic example is a hospital for treating cancer patients. Suppose that one third of the patients are successfully treated, while the other two thirds die of their cancer. Is the purpose of the hospital to kill two thirds of the patients? Clearly not, but that is the outcome.
how naive. most of the world work to survive, not because its their dream vocation. they probably dont care as much as you do