> And that's the price we pay for anyone being able to buy their own domain and run their own secure site.
No, that's the price we pay for using a name resolution system from the 80's (70's?) that was not built with trust validation in mind, decoupled from the infrastructure we use to establish domain ownership and authority. And also without user friendliness or a layman's ability to independently validate authority in mind. E.g.: reverse order of hierarchy, where in English you read left to right but DNS has the least authoritative/lowest level on the left and the most authoritative on the right. Why would I evaluate the trustworthiness of site.com if 'secure' is evaluated first in secure.site.com (another example: google.com.site.info)?
Yes, very wrong conclusion. The author blames cheap domains and easy-to-get HTTPS. You could as well blame cheap computers, cheap internet access, cheap electricity.
Since that looked like an SMS, I would report it to your mobile provider, let them track who sent the message.
The messages are spoofed. The attacker has access to an SS7 signalling link and you can set the source number to anything you want. Telcos share some blame in facilitating this. I tried to stop some of this in the 90's and was told to help the scammers send messages faster. I wanted to terminate their SS7 links but I would have been fired for doing so. To clarify, the individual scammer may not even know what an SS7 link is. It's usually a tiered system, where one shady person has access to a link, then sells access via bitcoin to other shady people via some tor web interface.
As for the domain name, that problem isn't going away. If anything, it will only get worse, as people are lazy and push UX designers to show less and less information. And the UX devs are right, the users won't know what to do with the extra info most of the time anyway.
And then there are payment processors, who also teach people BAD habits, by sending HTML messages, clickable links, etc. And that isn't going to change because it would increase customer support cases which costs them money. Banks won't implement secure authentication beyond phone MFA for the most part. I can think of a dozen ways to make this more secure, but all the ideas would be rejected as adding too much friction.
All that is left is educating the masses and that fails as well. Most people learn by making mistakes. About 40% of people will click on the scammers links. About 10% of people will enter their credentials.
> All that is left is educating the masses and that fails as well.
That is not always true. You can have regulations which force banks to change. Banks don't like it but politicians don't like an unstable banking sector, especially if it causes sharp changes in the stock market.
As an example, the recent money laundering scandals in Sweden has caused some changes in credit card security. Politicians want to reassure the public and increase trust in Swedish banks, so the last years has seen several notable banking regulations. I would guess that they actually want noticeable friction in order to reassure the public that they have things under control.
I don't get why the phone companies don't implement something akin to bogon filtering on their interconnect points.
If the incoming call or txt has an internal source number, but is coming from an external network, reject it. If it's an outgoing session with an external source, drop it and follow up with the account holder.
A similar concept applies in the SS7 [1] network, B-number [2] analysis, but is not used that way, as telcos have no way to properly manage which switches may originate which numbers as they are portable. They just do routing and trust that the sender is allowed to have the number presented in the SS7 packet.
This would be problematic e.g. in the case of ported numbers, or if a customer is using a third party to send their SMS for a fraction of the cost. Implementing such blocks without covering these use cases would likely (rightfully) result in antitrust issues.
I'm the author. I'm not blaming cheap domains. I'm saying that spam like this is a consequence of cheap domains.
The blame lies at the feet of the spammers.
And, I've worked for a couple of mobile providers. This spam was likely sent from a disposable pre-paid SIM. There's no realistic way to check who sent it.
> I'm saying that spam like this is a consequence of cheap domains.
Technically correct, but the thing is, spam like this is a consequence of a lot of things. Why draw attention to that specific cause out of everything else?
You could just as accurately say that spam like this is a consequence of human-readable domains. If humans weren't visually validating URLs, it would be impossible for a scammer to use unicode tricks to make a URL look legitimate.
A lack of gatekeepers means we'll have more scammers, yes. But, gatekeepers almost universally don't scale well in any system as large as the Internet, and they come with so many additional problems that they're not worth paying special attention to or prioritizing as a solution to any problem on this scale.
Chances are the scammers didn't even pay for the domain name or the SMS. Maybe the real issue is the state of payment services. You provide some random numbers in an unknown form... and this has been so since forever. How stupid is that? Things like Apple Pay seem to go a bit in the right direction but at the root you still use that random card number as identity/authentication.
The sending network may have a record of the IMEI, but I don't think the receiving one gets it.
But SMS sending devices are cheap and disposable. Sure, it's illegal to alter your IMEI in the UK - but if they're already committing one crime, I don't think that'll stop them.
If you watch Kitboga (YouTube / Twitch), on the off chance Kitboga gets to talk about why they do it, the spammers fall into a couple of categories:
1) The angry/evil spammer. Doesn't give a shit and wants to make his dollars. Usually someone higher up.
2) The worker. Just wants his bills paid. Usually rather uncaring about what they are doing, although they acknowledge it's wrong.
3) Playing oblivious, just ignoring and avoiding any sense of blame or justice
It’s lucrative and as long as we keep falling for it, it will stay. Making domains more expensive will make the barrier of entry higher, but the top players will likely just consolidate more resources vs little scammers.
If a domain is like an address then maybe we could or should enforce some more legitimacy, but such a thing would be hard to implement in the countries where spam usually originates from.
And who sent it shouldn't be recorded. Your problem is not the spammers but the reason users fall for the phish. Why are prepaid pins special and free email is not?
The reality is a lot of _us_ did, because we were trying to train the older generations some sensible internet habits. At the time, it was just easier to say “look for the green, and the bank company name next to it.” When we started killing the EV UI stuff (due to lack of UI space or what have you), people just kept looking for the padlock.
An EV certificate is still a decent proxy for legitimacy: it's somewhat expensive to get and allows you to track down a legal entity. Both points deter scammers and other evil-doers, even if they don't completely prevent them.
Sadly there's no way to judge from just the URL if a site has an EV cert or just a cheap/free https cert, and by the time you opened it in the browser it might be too late.
Not really. "Legal Entity" doesn't mean much, it's cheap to register a company and the name doesn't have to be unique. One guy registered a company called "Stripe" and got an EV cert for his site.[1] Modern web browsers don't show anything different for EV certs (try it). They stopped last year, mostly because EV certs were ineffective.
A lack of EV certificate is not a decent proxy for legitimacy, because most of legitimate important sites don't have an EV certificate - so people can't be trained to think that they should think twice if an EV certificate is absent.
They also don't show up any differently in browsers any more. There's no difference a user can see unless they go through the menus to view the cert itself.
I sure would do a double take if I noticed a bank website using a non-EV cert or an EV cert issued to somebody other than the bank. But that's probably one of the few industries where you can expect it.
I am not sure it really says anything about legit-ness either. It really only guarantees you and the next person you are talking to in the chain have an encrypted connection.
The Internet became the standard for global networking in the 1990s by being an informal trust-based system where the competition was things like Al Gore's Information Superhighway - these other hypothetical systems were centralized extensions of something like a cable TV network and essentially had all the bad things we decry in today's Internet and none of the good.
Which is to say, the lack of centralization in DNS or whatever aspects one might name in the Internet (IP addresses, etc.) allows bad actors from below to do their terrible things.
But the lack of centralization also prevents bad actors from above from doing their terrible things. Centralized DNS is already a target - cable companies were complaining to Congress about Firefox for enabling secure DNS and keeping them from MITM-ing traffic.
No, it’s the price you pay for trusting concepts that are not intended to be trustworthy. No matter what you come up with, as long as you train people to do things wrong there will always be a way to fool them.
No company should send messages containing a url that requires login, payment data or the like. People should go to these places by typing the url or by using their own bookmarks.
> No company should send messages containing a url that requires login, payment data or the like. People should go to these places by typing the url or by using their own bookmarks.
Maybe they don't? This wouldn't help here, that's not the company sending the message. For that to work, people have to deeply know and trust the policies and resolve of each of their service providers not to do that - might as well just teach them how links work.
No, because that's impossible. Are you going to teach them to distinguish between l and I in sans serif fonts? Or one of the look-alike Unicode symbols? That road leads nowhere but to blaming someone else for a problem you brought on yourself. You can't trust links by visually inspecting them.
I think it's time stuff like domains and basic internet things like that need to become part of the school curriculum. Education is the only way to combat these things.
A few weeks ago I had an argument with a few engineering students in one of the 30 top schools in the world, about whether you can send an email from Gmail to Outlook or not!
They thought it was like Messenger and WhatsApp not being able to talk to each other.
The concept of open protocols and clients has to be taught in school.
Oh, how puzzled they looked when I showed them my Outlook email on my phone's Gmail app.
I'm not convinced knowing about how this works is the solution. Plenty of software engineers that understand TLS/DNS/etc. get phished because it only takes a few minutes of distraction. The same principle applies in medicine or aviation: without systems in place, even the most educated person will predictably fail at least some of the time.
The price we pay (scammers registering date based domain names) is due to the name resolution system being decoupled from the infrastructure we use to establish domain ownership and authority? How is looking up the domain supposed to give you more validation than the domain being assigned in the first place?
Right now that infrastructure is the only thing in the stack that actually does any validation (you get your cert because you have the name). There isn't any other validation infrastructure to couple it to for it to be "decoupled".
For some time I've wondered what the internet would look like if we used reverse domain notation (like with software package identifiers), which I think would mitigate this issue.
`com.01-01-2020-billing.secure.hsbc` or whatever looks a hell of a lot more dodgy. But I presume it comes with a whole lot of issues of its own.
According to Paul Mockapetris who designed the DNS, domain names are little-endian to make autocompletion easier and to allow unqualified "local" names (e.g. "bilbo" instead of "bilbo.cs.college.edu").
This is probably unpopular but I think domains should just cost more. We don't all need our own name as a domain. Make them cost $500 or $1000 a year. [This money goes to ICANN, W3C, etc.] That is nothing for a business but would make scammers and link farms (more) unprofitable. You could still make .org free but it requires sending 501c3 (or similar) documentation to the registrar.
If you want a phone line you have certain fees for 911 and other regulations to help pay for the infrastructure and this is very similar in terms of a naming and communication service.
That opinion is unpopular for good reason. A financial barrier to prevent crime implies lack of petty money is the cause of the crime. You can make 10x what you said with the simplest scam targeting a few million valid recipients within a week.
Even if your solution would solve the problem, it would destroy the purpose of the system. Throwing the proverbial baby with the bath water.
If I want a phone line it costs me $10 to get a SIM card from Walmart. Most reputable TLDs cost a ton more.
I mean what is it with this lazy way of solving real problems. What's next, tax domain registrations? Require a government ID? How ridiculous, this is what happens when humans give up their basic freedoms to governments and ruling classes. By what authority are you even regulating my free speech here? If I put up a website, I am not engaging in commerce unless I sell or buy something using that site. It is the equivalent of me calling myself a name and making a speech in public and you want to charge me £1000 for the right to call myself a name or to label the soap box I stand on with a name so others can distinguish me. The fact that scammers also stand on soap boxes and make false claims for profit does not magically give you, your ruling class or the government authority to regulate soap box labels and tax speech.
Even if this has popular support, free speech is a natural right. You can police harmful/false speech retroactively but you can't inhibit speech proactively to deter a possible crime unless you can guarantee your measure affects only law breakers.
You are welcome to disagree but I guess I am missing your point.
Having a website doesn't require a domain. DNS is a vanity layer on top to make it more user friendly and provide an abstraction layer. Domain registration costs money today. According to your argument that should be free or it is limiting your speech. I never said anything about speech or what you use the domains for. If it is yours, do whatever you want with it. Ethos bought .org for $1B. Why should a private equity company be able to own DNS suffixes? Are you okay with that?
The issue at hand is that these domains are being created specifically to deceive. This is an issue of consumer protection and greater good. The US just passed bigger fines for robo-callers. Everyone seems fine with not getting scam phone calls from their own phone number. Is this a restriction of free speech? Everyone isn't allowed to run their own tv or radio station, it is regulated. Is that limiting your free speech? You can't make up your own phone number. If you want a special 800 number that is more memorable, you have to pay the phone company lots of extra money for it. I'm merely suggesting similar.
Are you even listening to yourself? Your idea was to make domain names hard to obtain so scammers can't have them. The only way that idea will be effective is if people only go to sites that are part of the validated domain name system. This means that if you don't have a domain, nobody will go on your site (this is already true today). So why on earth are you saying those legitimate websites should look like scams?
Domains are fundamentally different from phone numbers, because you interact with people you don’t necessarily “know” all the time while you only infrequently call people who aren’t in your contact list. Clicking on links would work, of course, but trying to remember the address of “that one dude who writes about maps” gets quite a bit harder.
I actually like this idea, and I wonder how low the cost could be while still deterring the spammers. From what I've read, the cost of domains is a factor that spammers are sensitive to, especially if they are abandoning them after 24 hours, so increasing the cost by just an order of magnitude could be enough to make many campaigns unprofitable.
saying "domains in the remaining five [out of ten] Top Bad TLDs can be had for between 48 cents and a dollar each." so I would suggest a one-off $100 fee rather than $500 or $1000 a year.
A more interesting approach would be to make the fee act as a bond, which is returned to the registrant after a year of good behaviour. Unfortunately, determining "good behaviour" is almost as hard as determining "bad behaviour", but perhaps a domain could opt in to having anonymous metrics recorded of how many users visit their site or send emails to that domain. That would put a substantial amount of trust into the hands of whichever organisations were responsible for recording these metrics, but the only harm they could do to a registrant is forcing them to pay their $100 bond to charity.
That's an important number to note, thank you. Do you have an estimate for how many victims a single domain is likely to trick (before it gets blacklisted by Google Safe Browsing or similar)?
Depends on who's being spammed and what kind of techniques the phishing site employs to resist safebrowsing. Single-use links and various browser fingerprinting techniques are common and fairly effective.
Beyond that it comes down to who's being spammed, with the right demographics your link could last very long without being reported by anyone.
I hack phishing sites for fun, anything between 0-500 hits seems common for the type of phishing seen in the OP (mostly depending on the quality of the leads).
Their real domain is SOMECOMPANYNAMEHERE.COM but as you see they made a special domain just for email clicks. I thought at first this was a scam email, but then tried clicking and sorted out that it redirects to the real site and login.
But man, you can't even easily trust real emails if you're paying attention. I don't know how regular people will defend against stuff like this.
This likely happens to prevent the primary domain from being blacklisted. Many companies including key ESPs will register multiple domains to combat potential spam listings and blacklists. It's possible they rotate through a number of similar domains to ensure if any are blocked they have backups available for use until those get unblocked.
One problem is that if a subdomain gets hacked it can be used for XSS as subdomains are trusted by the TLD, which might be a reason why they don't want every division to use a domain under the TLD.
There's been a lot of talk about the benefits of browsers showing URLs in a stylized way that makes it more obvious to the user what is the domain and what is not the domain.
I should have realized this earlier but: it's also important to have anything that displays clickable URLs (like a messaging app) to also style the URL to help it be more obvious what domain is being linked to.
The problem of better stylized URLs is so much bigger than browser URL bars that show where you are right now; it's also everywhere that displays clickable URLs.
How you get to a page can't matter in terms of security or you've already lost the battle. What's important is once you're on the page you can validate where you are.
Hacker news is probably one of the least important places to do this.
It has a high concentration of technical users, only supports public posts (where technical users will notice and comment on such urls), and has very active moderation.
Texting apps seem like the most important place to implement it... judging by the spam that I get.
That kind of attitude will put people off guard though. These things pop up in places where you least expect them. I agree it's less important than other places, but also would be nice for us to practice what we preach.
> Money and technical expertise used to be strong barriers to prevent people from registering scam domains
That should not be, and should never have been considered the main line of defense against that.
This guy has it backwards. The problem is not that it's affordable or accessible. It's that there's no clear alternative to user vigilance to truly avoid these scams.
Too bad domain names are generally written in the 'wrong' order. These issues would have been preventable if domain names were written the following way: https://org.example.www/index.html
I remember (very vaguely) reading into the debates around domain name sequence and being irritated that natural readability won out over scope order. Codified so deeply for so long that there's no hope of ever changing it except in limited circumstances (Java class hierarchy for example).
You're right, the benefit isn't really about character differences. In both cases users need to be taught that '-' isn't a divider and '.' is a divider. The benefit is that it would be easier to teach people to start on the left then search right than it is to teach people to start at the leftmost / (but not the ones in the scheme) then search left.
It means that information to the left is always the important part. Right now you have to find the '/', evaluate the components leftwards, return to the '/' and evaluate components rightwards.
Given that finding the '/' is not always trivial (broken screen example in the article) and doing this requires you to think a lot of people won't do it.
Web-based phishing has become a game of speed. Domains are not expected to survive more than an hour (and few do), even with all kinds of countermeasures in place (browser / geo detection, destroy-after-first-use links, etc). Yet it's still economically viable to do. Companies offering blocking products like Google Safe Browsing have been forced to increase the frequency of their blacklist, up to the point where Google had to resort to checking suspicious URLs against their online database rather than a cached local index.
This is a classical arms-race and will only intensify. With domains that look generic enough and only serve malicious traffic when hit with the right URL, parameters, user-agent and geographical location, blocking will have to rely on sourcing these URLs directly from the targeted endpoints (e.g. SMS/WhatsApp/Email), rather than "crawling" or relying on users to report these. Another approach is to do some of the blocking locally, which of course means pushing the detection logic to the client and thus exposing the classification mechanism. Neither approach is sustainable long-term in my opinion.
>Domains are not expected to survive more than an hour (and few do),
So if they have solved the problem why are we still complaining about it? All you need to do is show a big warning message for domains that are younger than 1-2 days.
Unfortunately the malicious domain could be registered for days or weeks before being used in a campaign. The time that the domain is in stealth mode doesn't incur any extra cost to the spammer, nor does it give any clues to the blacklisters that the domain is about to host something malicious.
If there were some way of bootstrapping new domains with some sort of positive trust signal (e.g. links from domains that have been in use for a long time?) then it might be possible to preemptively blacklist domains, as you say, but there are potential anti-trust issues with any such system that dissuades people from accessing the websites of new companies, for example.
It seems to me that a list of known good domains provided by a large browser vendor (Google) with extra treatment in the browser might be the most effective against phishing and other scams.
This could be sold as an add-on for a certificate, or something like that, with a just high enough barrier for proving authenticity. Known-good domains could then get additional treatment, like a blue padlock or one with a star (ok, I'm not an icon designer).
Of course you can argue against it on a freedom basis, but I think for protecting vulnerable web users it'd be pretty useful.
You're not that far off. If you took the Alexa Top 100k sites and display some kind of indication whenever a page isn't on that list you would be able to stop the most obvious phishing attempts. Google has a Safe Browsing Extension which, as its first steps, checks the 15k most common sites or so. If you tailor these lists to specific countries I'd wager you can get away with even fewer entries.
There's other tricks that scammers pull though, like compromising legitimate domains with a certain reputation and then adding their scammy subdomains, but that's a lot harder to pull off than just registering 100 free domains everyday and hoping one sticks.
Your idea isn't that weird. If you do it right you're basically inventing the Web of Trust. As long as you put the user in control of what entities they trust to validate sites it would actually be a super useful feature.
The problem is always the political one. What does, say, Microsoft vouching for a site actually mean?
Wouldn't a soundex-like algorithm catch the similarity between the legit domain and a substring of the malicious one? An alert could be fired upon reception from any address resembling domains where online transactions or any other sensitive activities are involved.
I hate that companies do this. I get why they might do this to avoid red tape but it just piles on the phishing / scamming possibilities for people who don't know better.
Yup, I have seen both extremes: Global brands which redirect all their country-specific domains to their one global .com domain (good!) as well as global banks where every small branch and sub-organisation like funds and charitable foundations have their own domains, along with similar but not identical corporate branding. Training users of the latter brands to not fall for phishing in the latter case is gonna be next to impossible, as is whitelisting the legitimate domains.
You can make your domain effectively an eTLD by putting it on the Public Suffix List. This is what Google did with withgoogle.com. This means no cookies can be set on withgoogle.com. So hire.withgoogle.com is completely isolated from games.withgoogle.com (they are separate eTLD+1s).
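The points above about reading a hostname from the right (the google.com.site.info and secure.hsbc.01-01-2020-billing.com style of lookalike), reverse notation, a soundex-like similarity check, and Public Suffix List isolation of hire.withgoogle.com from games.withgoogle.com can all be shown with one small script. This is an added example, not code from any commenter: the suffix list and the protected-brand list are constructed stand-ins, and a Levenshtein distance stands in for the soundex-style comparison suggested earlier.

```python
"""Registrable-domain (eTLD+1) extraction plus lookalike checks.

Added example for this thread, not code from any commenter. The suffix
list and brand list are constructed; a Levenshtein distance stands in
for the soundex-style comparison proposed above.
"""
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List. 'withgoogle.com' is
# included because Google placed it on the real list, as noted above.
PUBLIC_SUFFIXES = {"com", "info", "org", "net", "co.uk", "withgoogle.com"}

# Constructed list of brands a mail or SMS client might want to protect.
PROTECTED_BRANDS = ("google", "hsbc", "paypal")


def host_of(url: str) -> str:
    """Lowercase hostname of a URL; a bare host without a scheme is accepted."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def public_suffix(host: str) -> str:
    """Longest listed suffix of host; an unlisted TLD counts as a suffix, as in the PSL."""
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in PUBLIC_SUFFIXES:
            return candidate
    return labels[-1]


def registrable_domain(host: str) -> str:
    """eTLD+1: the public suffix plus one label to its left ('' if host is itself a suffix).

    Only this part is assigned by a registry; everything further left is
    chosen freely by whoever holds it, which is why google.com.site.info
    belongs to site.info and not to Google.
    """
    suffix = public_suffix(host)
    if suffix == host:
        return ""
    owner_label = host[: -len(suffix) - 1].rsplit(".", 1)[-1]
    return f"{owner_label}.{suffix}"


def same_site(host_a: str, host_b: str) -> bool:
    """True when both hosts share an eTLD+1 (and so share cookie scope)."""
    a, b = registrable_domain(host_a), registrable_domain(host_b)
    return bool(a) and a == b


def reverse_notation(host: str) -> str:
    """Big-endian rendering with the most authoritative label first."""
    return ".".join(reversed(host.split(".")))


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_findings(url: str) -> list:
    """Reasons a URL's host imitates a protected brand without owning its eTLD+1."""
    host = host_of(url)
    reg = registrable_domain(host)
    if not reg:
        return [f"no registrable domain in {host!r}"]
    owner_label = reg.split(".")[0]
    prefix_labels = host[: -len(reg) - 1].split(".") if host != reg else []
    findings = []
    for brand in PROTECTED_BRANDS:
        if owner_label == brand:
            continue  # the brand genuinely owns this registrable domain
        if brand in prefix_labels:
            findings.append(f"{brand!r} sits left of registrable domain {reg!r}")
        elif brand in owner_label or edit_distance(owner_label, brand) <= 1:
            findings.append(f"registrable label {owner_label!r} resembles {brand!r}")
    return findings


if __name__ == "__main__":
    for url in ("https://google.com.site.info/login",
                "secure.hsbc.01-01-2020-billing.com",
                "https://www.paypa1.com/",
                "https://hire.withgoogle.com/"):
        h = host_of(url)
        print(f"{h:40} eTLD+1={registrable_domain(h):25} "
              f"reversed={reverse_notation(h)} {lookalike_findings(url)}")
```

A real client would load the full list from publicsuffix.org and a much larger brand list; the logic is otherwise the same.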
It also makes every script look like it comes from a third party, because they usually keep using scripts from their main domain. Even worse when they have a stable of random cdn-like domains that serve scripts and iframes.
We logged a paid support case with Microsoft a while back, and support tickets were coming from something like microsoftdynamicssupport.net. The domain wasn't even registered so we had to call them and discuss the way our email replies were bouncing. They told us to forward everything to the same address, on the .com version of the domain. Months later a colleague had the same problem. It's like the people managing these support desks didn't even know what domains Microsoft owned.
> Money and technical expertise used to be strong barriers to prevent people from registering scam domains.
Cannot confirm. I registered my .de-Domain in 2005. That was 15 years ago. It wasn't that difficult, and quite cheap (imho 12€ for a year). So the tech barriers vanished a long time ago.
.info domains can now be bought for around €1. If, like the scammers I mentioned, you're buying one for every day of the year, that's a several thousand Euro difference.
Spammers are in business. When certain costs fall, it makes their enterprise more profitable.
Intentionally creating inhibitive costs for the sole purpose of preventing bad actors is playing a game of whack a mole.
It only temporarily solves the problem and ruins it for the rest of the customers. There are other ways to address scammers that do not involve making the entire market more expensive for expensive's sake.
They don't have to be date specific but they need fresh ones constantly. They get flagged as malicious quickly (within a day or so for large spam campaigns) so they need fresh ones that aren't flagged.
The date is sometimes used to confuse people when they're reading it so they think it's part of the URL and not the actual domain name.
I think the most practical solution here is to train users not to use domain names and de-emphasize them in the UI (and URLs more generally). Which I hate as much as anyone here, but if I'm going to give my parents advice on how not to fall for a scam, telling them "Google the name of the bank [or whatever] and click on that link" seems like the most secure path.
Once security keys become ubiquitous, they should also provide some protection. But right now setting up 2FA for every site they use is impractical.
A lot of replies here are pointing at DNS being not trust-able, but let's back up a bit. This is only a problem because people are still clicking on unsolicited links they get in their E-mail. When you get an unsolicited phone call and the guy on the other end claims to be from your bank, do you give him your personal information and conduct whatever business he wants to conduct? Of course not! So why would you click through some random link you get in E-mail or text, regardless of how official it looks?
Users need to stop clicking on links they get out of the blue over E-mail, and legitimate companies need to stop sending links they expect customers to click, which encourages this risky behavior. Easy to say, but behavior is hard to change.
> Users need to stop clicking on links they get out of the blue over E-mail, and legitimate companies need to stop sending links they expect customers to click
I agree with the first part, but how is the second part supposed to work? We're using links to more easily guide people in the "right" direction (depending on who "you" are, what "right" means changes), so what could an alternative be?
So, an X just finished, and the user can now use it. In my notification to the user, how do I guide them to that specific X?
I think the key is whether the E-mail is unsolicited. Request a password reset? The E-mail is solicited and expected. Just bought something from an online store? The receipt E-mail is solicited and expected. In these cases, users should not feel it's particularly risky to click the links, because they are currently interacting with the site.
On the other hand, "Hi! We noticed there is a scary-sounding problem with your account, please click here to fix it!" No legitimate company should be sending users something like this out of the blue, and users should be trained to immediately think fraud/scam when they receive this.
So you bring up a good example. Imagine something scary happened to the account, and the user needs to provide some additional details or fix something. How can I as a company inform the user about this and get them to fix this?
The incentive from the sender's side is to get the person receiving it to do something. Whether that's good or bad is harder to say than drawing a line in the middle. Currently, a bunch of companies and other entities are finding the whole clickbait thing super useful, and it's only natural that bad actors take advantage of this. But who is the bad actor? Turns out a lot of them, but on different levels.
How would you do it if, instead of the E-mail address, you had the customer's phone number? You probably wouldn't call them out of the blue and ask them to do something, since that seems scammy. So why should a security-minded user treat an identical conversation over E-mail differently?
Is this need real though? I can't think of a legit example where out of nowhere (i.e. not in the context of some transaction I'm currently doing with them), a company would suddenly need me to fix something, do something for them, or provide them information.
Apple could do some basic spam filtering on SMS messages directly on the device (ditto for Google on Android). Querying a domain reputation service will very quickly tell you whether a URL is a risky click.
At a bare minimum, show me a warning when an SMS comes through containing a risky URL. I just don’t see why these giant companies with billions in profit can’t connect the dots here.
Those giant companies already have connected the dots and have super aggressive spam filters for links. It’s a testament to the volume of spam that’s out there that so much still gets through.
SMS has the problem that since you don’t have a spam folder, filters have to be lenient because it’s more of a problem when they get a false positive.
I’m not seeing the SMS filtering market being super lively these days. There was a burst back a decade ago when Cloudmark and AdaptiveMobile were selling solutions that bolted onto the SMSC infrastructure. But that investment petered out.
I am not aware of any device side filtering, which IMHO is where it should live.
This is a situation where EV certificates would be helpful. The cost and the fact that it generates somewhat of a paper trail would discourage scammers from getting them.
That may be true, but it's an added opportunity to notice something is wrong. If and when people are used to U2F/Webauthn security, it'll feel very wrong to have to manually enter a code.
Although routing information isn't protected either way and is probably fundamentally unsafe.
Nothing. Smartphones are still very fragile. Eventually, pretty much everyone will crack their screen. Because usually the phone is perfectly usable with cracked glass, and because most smartphone designs are user-hostile, repairing the damage ranges from not economical to not possible in practice - so you see a lot of regular people walking around with cracked phones.
I've abused every single iPhone since the first one, only recently in the last couple of years putting a case on because they are too slippery now. Never had a single cracked screen, even dropping on pavement. You have to be quite unlucky to hit things just right.
Likewise here with a Samsung Galaxy S that lasted 8 years, without a case or cover. Plenty of dropping on all sorts of hard surfaces, no cracked screen. Some of the finish started smudging off on the back though. I have no idea what people are doing to cause such damage.
(Only ended up replacing that phone because it started just not picking up calls and texts for days at a time)
Well, my friend's S7 cracked itself overnight. My S4 cracked twice due to dropping it on the floor, both times I had the screen replacement. My current S7 fell frequently, but is still mostly intact. As far as I can tell, everyone in my immediate family cracked their smartphone at least once over the past few years.
Beyond dropping, as far as I can tell, there are two other common causes of screen breakage. One, sitting on it (a lot of people carry their phones in their back pockets, which is something I cannot understand; beyond accidents, this makes them vulnerable to pickpocketing). Two, women sometimes crush their phones in their purses (especially when they are in hard covers that act as levers when an item gets between it and the cover).
I have dropped multiple phones and never broken the glass. I dropped my iPhone XS hard onto the sidewalk, but it hit the side of my case and while the case was quite damaged, the phone is pristine.
The funny thing is that each generation of Gorilla Glass is much stronger than the previous one. And what do phone manufacturers do? They make the glass thinner since it's now stronger. The end result is that the phone is as easy to crack as with the previous generation glass.
Is there a phenomenon? If anything I feel like about five years ago nearly every phone I saw in the wild had a cracked screen and now it's far fewer, but my sample bias probably also changed with age.
Anecdotally glass screen protectors seem to have grown a lot more popular. When you buy your phone at a store chances are they will tell you it's a must-have addon (and they are not entirely wrong).
Screens also get more shatter resistant all the time, but at the same time the industry seems to constantly find new phone geometries that look very prone to fall damage, so that probably balances out.
Yes, indeed, that's the problem. People buy a $1000 iphone without actually being able to afford it, pay monthly instalments for 5 years and then they drop the phone and can't afford to repair it.
It's a pretty common problem many experience for some period. Explaining a problem which "is easy to avoid" and coupling it with another you've already experienced "that made using my phone harder" reinforces the idea "this could happen to you".
People like glass phone screens but drop them on the floor by accident and it cracks. I don't think it's any more complicated than that. Perhaps it also projects some aloofness and coolness, the way torn and worn jeans are fashionable.
I'm not sure what you're asking. People drop their phones; the screens crack. People are too busy|lazy|cheap to get it fixed in a timely manner. Anecdotally, this group has a high percentage of people with younger kids - why replace the screen today if your toddler is going to drop the phone again tomorrow?
I have four children. I've been using all-screen smartphones for the entire time that there have been all-screen smartphones.
I've endured zero cracked screens. Ever. A couple of my kids are old enough to have had smartphones for a couple of years now (kids these days) -- they've had zero cracked screens as well.
This is one of those posts that tend to raise people's ire, but I'm just pointing out that a lot of us manage to never have cracked screens. It isn't just a normal that we all tolerate. And yes, I've always used a case -- I have a case in hand before I even take the phone out of the box. It seems insane to not have a case. Maybe when phones are unbreakable I can enjoy the sleek design, but until then it's a Spigen 100% of the time.
Yeah, don't understand it either. Never cracked a screen in my life, and I've never even used a screen protector or a case. Always confused by all the cracked screens I see around me.
I put a case and a screen protector on my current iPhone 7 at the time of purchase. Dropped it on the driveway the next morning. The screen cracked. Shit happens (and I did fix it immediately).
I do agree that failure to use a case is insane for a device that's as expensive as a smartphone. But, I see lots of people willing to risk a $100+ screen over buying/installing a $30 case. My son does this. He probably breaks one screen/year. Whatever, he's 25 and it's his money.
Cracked screen is a serious price reducer in the second hand market. Great opportunity to get better specs if you want a purely functional device.
Unless you're after fashion accessories. Cracked screens are no go for fashion accessories. Can't let other people think you're too poor to buy an un-cracked phone.
If you are even a 4th tier Instagram influencer, you can't have anything but a pristine latest generation iPhone. If your phone back is visible in the picture and you can't see the three iPhone 11 lenses, you are basically screwed.
Just because it happens doesn't mean there's something wrong with the technology. This is the real-life equivalent of walking into a shop that's branded "AyeAye" when paying your "EE" bill.
There is nothing being exploited here like a display bug in the URL bar, TLS vulnerability, etc - it is completely obvious that you are not connecting to EE.co.uk and instead to some weird domain.
There's only so much we can do to fix stupid and natural selection (or in this case financial selection) can take care of the rest. Banks refunding every instance of fraud (even when the user is obviously at fault and fell for an obvious scam) don't help either as it means people still don't understand the importance of being vigilant and actually taking the time to learn some basics in order not to fall for these very obvious scams.
>Just because it happens doesn't mean there's something wrong with the technology. This is the real-life equivalent of walking into a shop that's branded "AyeAye" when paying your "EE" bill.
I would guess that if this scam was performed over snail mail it would have vastly higher success rates than SMS spam.
Do you think browser makers should do more to distinguish the host part from the path part of a URL? Right now Firefox uses a darker color for the domain and Chrome uses a darker color for the full hostname.
I hate it how browsers always screw with how they display URLs. Some hide protocols, some hide the path, etc and the display of HTTPS is inconsistent.
I could see this weird domain name being slightly confusing and looking like a full URL in a browser that normally hides the path part.
It would be much easier if browsers just cut the crap and displayed the full URL (including the protocol) consistently. It's just one thing everyone can learn and then apply across all platforms & browsers.
I don’t agree. We don’t school marketing people as a whole when people fall for pyramid schemes. Not sure why your average engineer should take the blame for scammer actions. Yes, life is hard and complicated. Tech is no exception.
Nobody is saying to "blame" all engineers for these scams. But you make it seem like that URL would be immediately obvious for everyone, and that clearly isn't true.
Tell that to any number of people that have fallen for similar (or even more basic) scams. Unfortunately, not everyone is Internet savvy enough to know what's legitimate and what's a scam.
A good deal of that same group can get scammed over the phone. The issue doesn't seem to be so much about specific technology.
Granted, domains are "backwards", and browsers could be made to match known banking sites against every URL to warn of scams. But at the point where people are clicking scammy bit.ly links too, the domain part doesn't seem to be so key anymore.
In HTML (emails) you can make the url look like the real thing onscreen. Should GMail alert when anchor text is a different link than it actually links to? (Maybe it already does?)
More interesting than these obvious scams are when your phone company sends you legitimate texts that look like scams. I got what I thought was something super scammy from Verizon and did a lot of investigation and eventually found out that it was them.
The TLDR is that apparently they send all their marketing texts from "+90 (007) 000 38 64". You can opt out on their website and now I don't get these anymore. It's nice. But sad that my $120 a month isn't enough money for them, and they have to text me at 3AM to get me to buy a new phone. (And sell my browsing data.)
Is this what the URLs look like normally? (not from UK so I would not know)
Why not just https://ee.co.uk.billing.info/jan-02? I mean if someone does not notice it is a domain name and not a path would they really notice where the info part is?
In addition to the sibling comments, there's also the problem of having an actual slash in your example, which may cause the mark to notice it and therefore notice the "missing" slash after the 'co.uk' part.
Because ee.co.uk.billing.info would get taken down pretty quickly. Using this method the domain only has to work for one day before they move on to the next one.
If you're stood up on a crowded train, with your phone screen cracked, would you notice that a . is where a / should be?
If you do your payments in a crowded train while standing and using an outdated, broken Android phone, you're a dumbass who deserves to get ripped off.
Domains are one area where I support more regulation. It should be harder to buy a domain in my opinion. Right now, it is way too easy. I am not even talking about domain hoarders.
The price can remain the same but whenever someone wants to purchase a domain, they need to go through an additional audit of some sort. Add more barriers to entry. Legit folks will be a little inconvenienced but it will help weed out the scammers a bit more. Yes I know dedicated scammers will still bypass at times but it will surely deter them. Thoughts?
No, that's the price we pay for using a name resolution system from the 80's (70's?) that was not built with trust validation in mind, decoupled from the infrastructure we use to establish domain ownership and authority. And also without user friendliness or of a layman's ability to independently validate authority in mind. e.g.: reverse order of hierarchy where in English you read left to right but DNS has least authoritative/lowest level on the left and most authoritative on the right, why would I evaluate trustworthiness of site.com if 'secure' is evaluated first in secure.site.com (another example: google.com.site.info).
Cracked foundations make shaky buildings.
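The "dot where a slash should be" trick and the right-to-left DNS hierarchy discussed above, as an added example that is not code from anyone in this thread: it splits a URL into host and path, finds the registrable domain (the rightmost, most authoritative part), and warns when a brand the user knows appears only as a label further left. The public-suffix set and the brand allow-list are constructed for the demonstration; a real checker would load the full Public Suffix List.

```python
"""Find the authoritative part of a host and warn when a known brand sits to its left."""
from urllib.parse import urlsplit

# Constructed subset of public suffixes (the real list has thousands of entries).
PUBLIC_SUFFIXES = {"com", "info", "net", "uk", "co.uk", "org.uk"}

# Constructed allow-list of brands this user actually transacts with.
KNOWN_BRANDS = {"ee.co.uk", "google.com"}


def registrable_domain(host):
    """Longest matching public suffix plus one label, e.g. 'ee.co.uk.billing.info' -> 'billing.info'.
    Returns None for a bare suffix or an unknown TLD."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return None if i == 0 else ".".join(labels[i - 1:])
    return None


def classify_url(url):
    """Return host, path, registrable domain and a verdict for a URL.

    known-brand: the registrable domain itself is on the allow-list
    lookalike:   a known brand appears in the host or path but is not the registrable domain
    unknown:     no known brand involved (or TLD not in the suffix set)
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path
    reg = registrable_domain(host)
    if reg in KNOWN_BRANDS:
        verdict = "known-brand"
    elif any(brand in host or brand in path.lower() for brand in KNOWN_BRANDS):
        # Substring match on purpose: the brand may be a subdomain label,
        # a path segment, or glued into a longer label.
        verdict = "lookalike"
    else:
        verdict = "unknown"
    return {"host": host, "path": path, "registrable": reg, "verdict": verdict}


if __name__ == "__main__":
    for sample in (
        "https://ee.co.uk.billing.info/jan-02",   # dot where a slash "should" be
        "https://ee.co.uk/jan-02",                # the real thing
        "https://google.com.site.info/",          # example from the DNS comment
        "https://secure.site.com/login",          # 'secure' says nothing about site.com
    ):
        r = classify_url(sample)
        print(f"{sample:40} host={r['host']} registrable={r['registrable']} -> {r['verdict']}")
```

The point the DNS comment makes shows up directly in `registrable_domain`: the scan has to start from the rightmost label, because that is where authority lives, whereas a reader's eye starts on the left where the scammer put the brand.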