jeroenhd 5 hours ago

Developer registration doesn't prevent this problem. Stolen ID can be found for a lot less money than what a day in a scam farm's operation will bring in. A criminal with access to Google can sign and deploy a new version of their scam app every hour of the day if they wish.

The problem lies in (technical) literacy, to some extent people's natural tendency to trust what others are telling them, the incompetence of investigative powers, and the unwillingness of certain countries to shut down scam farms and human trafficking.

My bank's app refuses to operate when I'm on the phone. It also refuses to operate when anything is remotely controlling the phone. There's nothing a banking app can do against vulnerable phones rooted by malware (other than force to operate when phones are too vulnerable according to whatever threshold you decide on so there's nothing to root) but I feel like the countries where banks and police are putting the blame on Google are taking the easy way out.

Scammers will find a way around these restrictions in days and everyone else is left worse off.

kodebach 3 hours ago

My guess is that Android 17 will show the registered name of the developer of the app you're trying to install. With stolen IDs you can only get accounts for individual developers not for organisations.

When a scammer pretending to be your bank tells you to install an app for verification and it says "This app was created by John Smith" even grandma will get suspicious and ask why it doesn't show the bank's name.

gjsman-1000 5 hours ago

> Stolen ID can be found for a lot less money than what a day in a scam farm's operation will bring in.

Well, in that case, Google has an easy escalation path that they already use for Google Business Listings: They send you a physical card, in the mail, with a code, to the address listed. If this turns out to be a real problem at scale, the patch is barely an inconvenience.

jeroenhd 5 hours ago

So they'll have a lead time building up a set of verified developers. These scams are pulled by organized crime syndicates, using human trafficking and beatings to keep their call centers manned with complicit workers.

Now they'll need to pay off a local mailman to give them all of Google's letters with an address in an area they control so they can register a town's worth of addresses, big whoop. It'll cost them a bit more than the registration fee, but I doubt it'll be enough to solve the problem.

joshuamorton 3 hours ago

> Now they'll need to pay off a local mailman to give them all of Google's letters with an address in an area they control so they can register a town's worth of addresses, big whoop. It'll cost them a bit more than the registration fee, but I doubt it'll be enough to solve the problem.

Yeah, this is a huge amount more work than, like, nothing.

iamnothere 2 hours ago

All it will do is create a new low risk black market job. Someone will manufacture and sell bulk identities like they do fake social accounts.

joshuamorton 2 hours ago

> Someone will manufacture and sell bulk identities

How? You've now moved the level of sophistication required from "someone runs some bots on the Facebook website" to "someone is now committing complex fraud against a government".

If the only people who can run scams are state sponsored, that's still vastly better than the status quo.

iamnothere an hour ago

Amazon has a huge problem with packages being sent to fake people at different addresses. It’s part of review scams. This won’t be much different. Just send the verification to empty houses and apartments.

joshuamorton an hour ago

You now need to have a variety of fake addresses you can use, since scammed addresses will get banned. You also need fake IDs. So again, the bar has now been raised from "run a bot to make fake Facebook accounts" to "I have a large number of physical addresses and the ability to create arbitrary fake government IDs".

> Amazon has a huge problem with packages being sent to fake people at different addresses.

This usually involves those people getting weird packages and not doing anything with them, it doesn't require attacker-controlled addresses.

iamnothere 40 minutes ago

I still think it’s doable. Fake IDs aren’t exactly hard to come by. You could also pay randos a $30 gift card to sign up for a developer account and share access. Enough people will do it. I guess this does raise the cost a little though.