blindriver 5 days ago:
Sorry but it’s stupid to blame Google when it’s 100% your fault. This is a scam that is 10+ years old and you fell for it in 2025. It’s not Google’s fault at all.

ycombinatrix 5 days ago:
It isn't Google's fault that an attacker was able to spoof mail from "legal@google.com"?

Avamander 5 days ago:
Proof of that remains to be seen. That being said, there are a few approaches that might leave such an impression on people unfamiliar with their email client.

arx_ 4 days ago:
The attacker doesn’t need to spoof anything; this is known as a homograph attack:
https://en.m.wikipedia.org/wiki/IDN_homograph_attack
https://www.xudongz.com/blog/2017/idn-phishing/

otterley 4 days ago:
We don’t know yet that that’s what actually happened in this case.

arx_ 4 days ago:
It seems likelier than a @google.com spoof landing in the person’s inbox. Without them providing the headers this is just idle guessing, but I’d argue my guess is likelier to be the truth.

eviks 4 days ago:
If it's a known attack, Google has a known defence in its apps?

arx_ 4 days ago:
Something being known doesn’t mean a solution exists. Computing the set of Unicode characters that would result in a homograph of a Latin-alphabet word is non-trivial. Now do this for relevant/trusted domains, now put in place a mechanism to mark a domain as trustworthy that also minimises your liability.

eviks 4 days ago:
> Something being known doesn’t mean a solution exists.

But we aren't talking theory. In this case solutions exist, just not in this app? Also, the triviality point is puzzling: are we only allowed to criticize professionals for trivial fails? (Though using a different font is one of the trivial mitigations.)

> that also minimises your liability.

How is that a factor? What is their liability now without any mechanism, and will it increase if they add some?
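To make the homograph discussion above concrete, here is an added example (not from any commenter, and not Google's code) of the kind of sender-address check a mail client or filter could run: it decodes punycode labels so lookalikes become visible, compares a confusable "skeleton" of the domain against a trusted list, and flags mixed-script domains even when no trusted twin is known. The trusted-domain list and the small confusable table are assumptions; a real check would load Unicode's confusables.txt.

```python
import unicodedata

# Domains the check protects (constructed for this example).
TRUSTED_DOMAINS = {"google.com", "accounts.google.com"}

# Hand-made lookalike table (assumption: a real deployment
# would load Unicode's confusables.txt instead).
CONFUSABLES = {
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0261": "g",  # LATIN SMALL LETTER SCRIPT G
    "\u0131": "i",  # LATIN SMALL LETTER DOTLESS I
}

def to_unicode_domain(domain: str) -> str:
    """Decode punycode labels (xn--...) so lookalikes are visible."""
    if domain.isascii():
        return domain.encode("ascii").decode("idna")
    return domain

def skeleton(domain: str) -> str:
    """Map each known lookalike to its ASCII twin (UTS #39 idea)."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in domain)

def scripts_of(domain: str) -> set:
    """Unicode scripts of the letters in a domain (from character names)."""
    scripts = set()
    for ch in domain:
        if ch in ".-" or ch.isdigit():
            continue
        scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return scripts

def classify_sender(address: str) -> str:
    """'trusted', 'homograph', 'mixed-script' or 'other' for a From address."""
    domain = to_unicode_domain(address.rsplit("@", 1)[-1].lower())
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    if skeleton(domain) in TRUSTED_DOMAINS:
        return "homograph"     # renders like a trusted domain but is not it
    if len(scripts_of(domain)) > 1:
        return "mixed-script"  # suspicious even without a known trusted twin
    return "other"
```

The same function accepts either the Unicode form or the xn-- form of a domain, since a phishing message may carry either.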
palmfacehn 4 days ago:
Seems like a good use for the .google tld

blindriver 5 days ago:
Spoofing email addresses has been around since the 90s.

acdha 4 days ago:
Yes, and the industry has been responding to it since approximately 5 minutes after Canter & Siegel started cranking out that green card spam in 1994. We have SPF, DKIM, DMARC, etc. _and_ more importantly, the victim in this case was using Google's mail client to access Google's mail service so they don't even need complex protocols designed to inform 3rd parties about whether a message is legitimate. If Gmail refused to accept any messages claiming to be from google.com which didn't originate from their servers, it'd be quite defensible given the ratio of attacks to the handful of legitimate cases where someone needs to do something like post to an outside mailing list using their @google.com email address.
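As an added example (not from any commenter, and not Gmail's actual logic), here is the rule acdha describes, "refuse mail claiming to be from our own domain unless it authenticates", applied to constructed messages with the standard `email` parser: only Authentication-Results headers stamped by our own receiver (the authserv-id `mx.example-receiver.test`, an assumed name) are trusted, sender-supplied ones are ignored, and a display name that merely looks like a first-party address is flagged. `FIRST_PARTY` and the sample headers are constructed.

```python
import email
import re
from email.utils import parseaddr

# Domains the receiving provider itself owns (constructed).
FIRST_PARTY = {"google.com"}
# Trust only Authentication-Results stamped by our own MX (RFC 8601
# authserv-id, a constructed name); anything else may be sender-supplied.
AUTHSERV_ID = "mx.example-receiver.test"
VERDICT_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")

def auth_results(msg) -> dict:
    """Collect spf/dkim/dmarc verdicts from our own Authentication-Results."""
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        if not value.strip().startswith(AUTHSERV_ID + ";"):
            continue                 # foreign or forged header: ignore it
        for mech, verdict in VERDICT_RE.findall(value):
            results[mech] = verdict.lower()
    return results

def policy(raw: str) -> str:
    """Return 'accept', 'flag' or 'reject' for one raw RFC 5322 message."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    if domain in FIRST_PARTY:
        # Mail claiming to be from us must carry our own DMARC pass.
        return "accept" if auth_results(msg).get("dmarc") == "pass" else "reject"
    if any("@" + d in name.lower() for d in FIRST_PARTY):
        return "flag"                # display name impersonates us
    return "accept"

# Constructed sample messages (headers only), not real mail.
OUR_AR = "Authentication-Results: mx.example-receiver.test; "
LEGIT = "From: Google Legal <legal@google.com>\n" + OUR_AR + "dkim=pass header.d=google.com; dmarc=pass header.from=google.com\n"
SPOOF = "From: legal@google.com\n" + OUR_AR + "spf=fail; dkim=none; dmarc=fail header.from=google.com\n"
FORGED_AR = ("From: legal@google.com\n"
             "Authentication-Results: untrusted.example; dmarc=pass header.from=google.com\n"
             + OUR_AR + "dmarc=fail header.from=google.com\n")
DISPLAY = 'From: "legal@google.com" <someone@example.net>\n' + OUR_AR + "dmarc=pass header.from=example.net\n"
```

The FORGED_AR case is the one to check when deploying such a rule: a sender can add its own Authentication-Results line, so the verdict must come only from the header your own MX prepended.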
acdha 5 days ago:
This is like saying it’s not Ford’s fault that they didn’t put in seatbelts and safety glass because people knew driving was unsafe. When bad outcomes happen at scale, you need a system-level fix.

EDIT: to be clear, the fix has arrived: had he used passkeys, this attack would have been impossible and every login would’ve been faster and easier. There are edge cases but this is literally the reason why U2F was created a decade ago.

blindriver 5 days ago:
The author knew that the scam existed and he even was skeptical. Then chose to rely on it being true despite all the red flags. That’s his fault. At some point people have to accept responsibility for their own stupid actions.

acdha 5 days ago:
Yes, they made a mistake. They were honest about that. A little secret which will help you in life: everyone makes mistakes, even people who don’t think they will, even you. Looking all the way back to last week and 2 major NPM hacks ago, you can get access to a lot of systems simply by hitting someone when they’re busy and distracted.

blindriver 5 days ago:
There's a difference between taking accountability for your mistake and blaming other people for your mistake. Blaming others when you are clearly in the wrong is reprehensible.

acdha 4 days ago:
That's a very harsh position to take and one I struggle to find support for in the post. I hope that you are never in the position where you make a mistake and others apply that standard to your response.

arx_ 4 days ago:
Per TFA:
Title: I Was Scammed Out of $130,000 — And Google Helped It Happen
Heading: Google failed me in two ways
Body: Google has become the vault of our digital lives — and that vault had cracks.

If Ford adds seatbelts and you decide to take them off because they annoy you, when you get into a crash you can’t claim Ford failed you since the seatbelts weren’t forced upon you any more.

acdha 3 days ago:
Here are the two specific criticisms in the article:

> Phishing emails from “@google.com” made it into Gmail.
> Google enabled Authenticator cloud sync by default.

Both of these seem like fair points where one could reasonably expect one of the largest companies in the world to spend a tiny amount of money on security improvements which would make it harder to attack their customers. Not following Apple’s lead on security for Authenticator is especially disappointing since they have no shortage of good security engineers.

blindriver 4 days ago:
It’s weird that you think blaming other people for your own self-admitted mistakes is acceptable.

acdha 4 days ago:
Good thing neither I nor the author did that, then.