51

I'm always concerned about the security of services I use. I'm even more concerned since security breaches have been happening more and more lately, and they always generate a lot of noise in the media.

Now I'm already trying to secure my accounts to the maximal amount possible, like using 2FA wherever possible and using a strong password manager. However, these measures won't protect against security breaches.

Is there a somewhat reliable method to detect security breaches before they are announced so I can act and don't have to react?

Optional bonus question: What steps can I take to ensure security of my data in case there's an unannounced breach?

Mark Buffalo
SEJPM
  • 63
    Today we are expecting a shower of unsalted passwords. Tomorrow is partly cloudy with a 5% chance of SQL-injections. No but seriously if it would be easy to forecast companies would be doing it already. – John Mar 03 '16 at 14:07
  • 4
    @John, I want the forecast in between when the attack has taken place and when it has been announced by the company. Not forecast it three days ahead. – SEJPM Mar 03 '16 at 14:08
  • 2
    I see. Using different email-addresses per account from a provider that allows you to monitor attempted logins could be useful. – John Mar 03 '16 at 14:10
  • 1
    Logically, the people who announce them have to find out about them somehow. – corsiKa Mar 03 '16 at 15:51
  • 1
    @corsiKa Yes, but the point he is trying to drive home is that there is a lag between when the company finds out that they have a breach and when major news outlets find out and run the story. It would be nice to know of the breach in between these times, however impossible that may seem. I, myself, would like to know this too, but I fear it may not be possible. – Brad Bouchard Mar 03 '16 at 15:55
  • 11
    @SEJPM This isn't answer-worthy so I'm posting as a comment. I use a site for detection for some of my free emails called: https://haveibeenpwned.com/. While this won't give you that "magic" detection you're seeking, it will help show you if you've registered on a site and they've had a security breach. I know it's after the fact, but what I use it for is to see if some site I registered for years ago and forgot about or haven't used since registration has been hacked and my creds therefore compromised. If you're practicing good security and not repeating passwords and using randomly... – Brad Bouchard Mar 03 '16 at 15:58
  • 1
    ...generated strong complex passwords and such then it shouldn't matter if one site with your creds has been compromised or not, but it's nice to know. – Brad Bouchard Mar 03 '16 at 15:59
  • 1
    @BradBouchard if the site has your credit card info (i.e., online merchant) then it will matter. My answer http://security.stackexchange.com/a/116410/9640 focuses on credit card info. – emory Mar 03 '16 at 16:56
  • @emory Correct, that's why I only addressed the credentials and not credit cards. You'll know pretty fast if your credit card gets compromised unless you're hibernating for the winter and wake up 3 months later and realize your credit card bill is now $100,000. – Brad Bouchard Mar 03 '16 at 17:04
  • Another way is completely illegal and involves monitoring IT support and incident response teams' activity. – Deer Hunter Mar 03 '16 at 17:14
  • 11
    @DeerHunter or you could be proactive and hack all the sites. Then you will know they have been breached. – emory Mar 03 '16 at 17:44
  • 1
    @emory Secretly compromise GCC and use it to backdoor every computer system on earth? Sounds workable. – timuzhti Mar 04 '16 at 07:04
  • Hard to be sure what you're asking. See, e.g., [Incident Discovery and Containment](https://securityblog.verizonenterprise.com/?p=7299) and, for a somewhat earlier time, [Verizon 2012 Data Breach Investigations Report](http://www.wired.com/images_blogs/threatlevel/2012/03/Verizon-Data-Breach-Report-2012.pdf) beginning page 48. What points in time are you targeting? (And what differences will you expect?) – user2338816 Mar 05 '16 at 01:06

5 Answers

99

You can't detect it with 100% certainty because not everyone who steals your data wants to phish you, or sell it. But for those who do want to phish you - and that's a large portion of them - there are some tricks you can apply.

In most places, you cannot provide fake details. You need to enter your name, physical address, credit card information, social security number, etc. You don't really have much control over the real details.

However, what you do have control over is your email address. You can always provide a dummy email account to anyone, for any reason, even if the rest of your details are required to be legitimate.


Roving Email Address Method

Let's call this REAM. I like REAM.

Here's what I do: I buy a few domains and create unlimited amounts of email addresses, then use a different email address for each website on which I have an account. I also use Gmail, Yahoo, etc.

Buy 2-3 reasonable domain names, and give the accounts reasonable, unique names like michael.duncan2017@mysitex.com, jtrounders2020@heysitey.com, etc. You can also use free email providers, but having to repeatedly enter your phone number might cause you some issues.

It's a lot of work, but it pays off in the long run. When you're asked for your email address at a retailer, give them one of those emails, and use it ONLY for them. Make sure you use each email address only once. Carry a list of email addresses in your wallet.

Now why would we want to detect phishing, instead of sending it to the spam folder? Because a phishing attempt on these emails may indicate a breach.

I've found that, with astounding regularity, without even providing my email address to additional companies beyond the first one, that I get phished on a regular basis on each account. In fact, I've seen dozens of such breaches.

Here's a small list of some notable phishing attacks I've found:

  1. OPM (2011, undisclosed until 2015)
  2. IRS (2015, undisclosed until late 2015)
  3. IRS (2016. Repeat of 2015? Undisclosed until recently)
  4. Pizza Hut (early 2015, breach still undisclosed)
  5. Target (2013?)

In most of the emails, the attackers usually have bad English. In some, they do not. They'll also google a location near the provided address, and say they have a job opportunity, etc.

In some cases, I will even get phone calls from them in the same area code as me! It's actually very easy to get a burner phone at Wal-Mart and have it set to the same area code as your victim. If you're clever enough, and they're in the same country, then you can quickly lead them down the path of the damned.

In nearly every case, they try to get me to click on an infected website. I will go there anyway (on a dummy+virtual machine, obviously) because I am a masochistic security researcher who revels in reverse-engineering malware, and making attackers suffer. Suffer mortals as your pathetic magic betrays you! You may not want to visit them, however.


The Multiple Phone Number Method

Some like to try and use multiple phone numbers. I would not do this. It's neither reliable, nor effective because:

  1. Phone numbers can be enumerated very easily, and auto-dialed/texted.
  2. It costs a lot of money to have multiple phone numbers.
  3. You'll likely get calls from people who knew the person who knew the previous owner.

Therefore, REAM is a much better way than this.


The Plus Email Address Method

I guess we can call this PEAM.

Others have suggested the plus email address method. Gmail supports this. For example, if your email address is herpyderpyderp100@gmail.com, it's recommended to use herpyderpyderp100+pizzahut@gmail.com instead. Google will apparently discard the plus side of the email address.

Using this method could be good for a lot of reasons. However, very few - if any - of those reasons would apply to actual skilled phishers. I would not recommend using this method because it may only work against run-of-the-mill spammers, not actual skilled phishers. Here's why:

  1. Phishers are more intelligent than the average spammer. They are targeting you personally. If you respond, they will build a profile on you, or maybe they already have a profile built on you based on stolen data sets.
  2. Spammers are willy-nilly sending spam to everyone they can. Your plus addressing still gets delivered to your inbox. And you just know you want those lengthening pills... so you end up buying them anyway, and they don't work, and all the women laugh at you. [sobbing uncontrollably] Ahem...
  3. This method can be easily circumvented with code. I'll demonstrate:

    var possiblyIntelligentTargetList = new List<string>();
    
    foreach (string email in emailAddressCollection)
    {
        // We might've found a plus-size individual
        if (email.Contains("+"))
        {
            // Ignore the plus email address: keep the local part before '+'
            // and re-attach the domain after '@'
            string realEmailAddress = email.Split('+')[0] + "@" + email.Split('@')[1];
    
            // Phish user's actual email address.
            PhishUser(realEmailAddress);
    
            // Add their provided email to a new list so we can analyze later
            possiblyIntelligentTargetList.Add(email);
        }
        else
        {
            PhishUser(email);
        }
    }
    

    Of course, this could be made much better, but this is a rough example of how easy it would be to do this. It only took me like 0.05 milliseconds to write this.

With the above code snippet, the plus side of the email address is discarded. Now how will you know where the breach came from? Because of this, I would recommend that you get REAMed.


Trawling the "Deep Web"

bmargulies brings up an interesting, and very good point: your data may sometimes appear on the Deep Web. However, this information is usually for sale.

While yes, it may be possible to detect a breach before it's announced by visiting the Deep Web or using an Identity Protection Service that does, this method has its drawbacks as well. Here are a few problems I see with looking on the Deep Web:

  1. While some Identity Protection services are excellent, they may cost a fair bit of money. Identity protection services may be provided for free, but they usually come after the breach announcement, and the protection only lasts for a limited time, usually around 1-2 years.
  2. You usually have to buy this information from attackers, unless they released it for the Lulz.
  3. The breached data simply may not appear on the Deep Web at all.

As you can see, there are a lot of pros and cons of every single method here. No method is perfect. It's impossible to get 100% perfection.


REAM also detects individual breaches

This method doesn't just detect breaches to companies. It detects breaches to individuals. You may find that, after giving someone your email address, they send you phishing attacks several months later. It may come from them, or it may come from someone else who hacked them.


Now that my data has been stolen, what do I do?

If you have a strong suspicion that your sensitive information has been stolen, you should do the following:

  1. Shut down and replace all credit and debit cards associated with the aforementioned email address.
  2. Put a freeze on your credit so they can't do anything with the details.
  3. Inform the company/individual that they've likely been hacked, so they can take the appropriate steps.
  4. Read about Virtual Credit Cards in the answer provided by emory for the bonus question below.
Mark Buffalo
  • I support the REAM. However, I do not see why buying *several* domains can be of any use. – Yuriko Mar 03 '16 at 14:20
  • 2
    @Yuriko If one of your domains is found to be associated with phishing detection, then you've lost your little trick when attackers stop taking the bait. In the world of information security, tinfoil determines the winner. – Mark Buffalo Mar 03 '16 at 14:23
  • 5
    I respect your tinfoilery which in general is stronger than mine. However, there is room for improvement. I use shop safe which is a kind of virtual credit card. If I am making a purchase in October for $100, the credit limit on the card is $100 and the expiration date is November. After the payment is processed or November, the credit card info is no longer sensitive. I don't need to shut down and replace all cards associated with a hacked site. – emory Mar 03 '16 at 15:02
  • @emory That's a good idea... I need to look into that. However, my tinfoil senses are tingling: what if Shop Safe is breached? – Mark Buffalo Mar 03 '16 at 15:06
  • 9
    @MarkBuffalo my credit card company provides ShopSafe as a service to me. If they are breached, then I am hosed. It is one account, one physical card, and an unlimited number of credit card numbers with customizable credit limits and expiration dates. ShopSafe also records the first merchant to make a charge against the virtual card. If anyone else tries to charge against the card, they are rejected. ShopSafe is just the brand name my credit card company uses. The general concept is virtual credit card and your card may already be providing it. – emory Mar 03 '16 at 15:20
  • @emory Thanks. This is something I really need to consider adding to my tinfoil repertoire. If you want to add the details, you should post your own answer in this question. We'd definitely be interested in knowing more. – Mark Buffalo Mar 03 '16 at 15:46
  • 1
    @MarkBuffalo your answer is excellent for the question "is it possible to detect security breaches as a user". My comments do not really address that. It is just about reducing the post-detection workload. Your card has effectively been pre cancelled in anticipation of a security breach. If you can get the workload down to nothing, why bother with detection at all? – emory Mar 03 '16 at 16:07
  • @emory I believe your comments are very useful for the bonus question, and you could answer it below. If you don't want to do that, feel free to edit my post then. – Mark Buffalo Mar 03 '16 at 16:09
  • @MarkBuffalo So in essence REAM just serves to identify which company was breached? How does this information help you? They still don't have access to your email, they just know it exists (given that you use unique password per company account, as noted by OP with his password manager). The "only" thing you gain by having multiple email addresses is that you contact the company in question and inform them about the breach, correct? – mucaho Mar 03 '16 at 16:17
  • 3
    @mucaho With REAM, and if phished, you can tell if your personal information was breached or not. How else would the attackers know to phish that one single email, used in only one place, *unless* they had already dumped the database contents? This information helps you take appropriate steps to protecting your data before the companies release information on the breach. Some companies/agencies/universities/etc don't even know they've been breached, or they won't even disclose it years down the road. For example, with Pizza Hut, I'm still waiting for the announcement! – Mark Buffalo Mar 03 '16 at 16:22
  • Why do you use several domains instead of just using a gmail or hotmail email or something? – trallgorm Mar 03 '16 at 16:40
  • 3
    "Carry a list of email addresses in your wallet" -- or allow delivery to any address starting with "michael.duncan2017", and give out addresses like "michael.duncan2017.pizza.hut@", that you can improvise as needed (and later block if needed due to spam). This is a lot like using the feature "+pizza-hut@gmail.com", except that I benefit from a little bit of obscurity in that spammers and phishers *know* everything after the + in a gmail address is insignificant, whereas they don't know my mail delivery rules :-) – Steve Jessop Mar 03 '16 at 16:41
  • @trallgorm Read the second comment in reply to the first one. – Mark Buffalo Mar 03 '16 at 16:41
  • 1
    @SteveJessop Tinfoil says no. :P It could be a dead giveaway that you're trying to detect phishing attacks. And then they could just remove `+something`. – Mark Buffalo Mar 03 '16 at 16:43
  • @MarkBuffalo: fair enough, I'm just pointing out that it works for me in practice and is somewhat easier to manage. Actually I'm *not* particularly trying to detect phishing, though, it's mostly there as a last recourse against spam and in particular against people whose unsubscribe mechanisms don't exist or don't work. It's also not hard to arrange things so that if they *just* remove the `-pizza-hut`, then michael.duncan2017@ on its own doesn't get delivered or is filtered straight to the "blatantly an attack" folder. – Steve Jessop Mar 03 '16 at 16:44
  • 1
    Come to think of it, if instead of +something you use +somethingX where X is a check digit that you can calculate in your head, then you could improvise email addresses *and* have a very good chance of detecting when an attacker thinks they're being clever by removing or altering the +something. But I agree with you, tinfoil-wise the simple way to improve "very good chance" to "certainty" is to give up the ability to improvise email addresses on the fly (or at any rate, accept the need to edit your exim filter or whatever from your phone as you invent each new address) – Steve Jessop Mar 03 '16 at 17:01
  • 3
    @MarkBuffalo "With REAM, and if phished, you can tell if your personal information was breached or not" - not true. With REAM you can tell if your personal information was breached. It will never tell you that your personal information was not breached. I still think it is a good idea. – emory Mar 03 '16 at 17:01
  • @emory Bad wording, my bad. ;) – Mark Buffalo Mar 03 '16 at 17:02
  • Blur' DoNotTrackMe will automatically create email accounts and autofill them in w/ a browser extension. (No affiliation) – Daniel F Mar 03 '16 at 19:24
  • @MarkBuffalo I still don't get why you can't use gmail or hotmail. It's not like the attackers can choose to ignore all gmail/hotmail emails, that's probably 99% (if not more) of the data. – trallgorm Mar 03 '16 at 21:09
  • @trallgorm because it takes *much* longer and usually also requires a phone number. – Dom Mar 03 '16 at 21:20
  • 1
    It's possible that you got phished on those addresses not as a result of an email address breach from the company that the address was used with but simply from random mailing. Attackers find a domain that's got an incoming email server then try a name-dictionary attack and hope that the server doesn't have mass-mailing protection (i.e. blocking the source address after too many undeliverable destination addresses). Quite often phishing attacks are supposedly from a company that I've never dealt with, which hints that the addresses didn't come from a breach of a company that I have dealt with. – micheal65536 Mar 03 '16 at 21:28
  • 1
    @MichealJohnson I find it unlikely that an attacker randomly guessed some rather grotesque/random email addresses with random numbers. – Mark Buffalo Mar 03 '16 at 21:39
  • 1
    @MichealJohnson Those names are just suggestions, not names I'd actually use. Good rate limits are set. – Mark Buffalo Mar 03 '16 at 21:46
  • You didn't say what kind of rate-limiting is on your server, so it's possible they brute-forced the address "michael.duncan2017" from a dictionary. If the first name was pulled from a list of 1000 first names and the surname was pulled from a list of 1000 surnames, and we assume that both names were in the middle of the lists, we have 250000 attempts, multiplied by numbers from 0 to 2017 gives 504250000 attempts, and at a rate of 100 attempts/second that takes 2 months. I'm not saying it's likely; just possible (i.e. you can't be *certain* that they were breached just because you got phished). – micheal65536 Mar 03 '16 at 21:49
  • @MichealJohnson Agreed, there's always room for funkiness like that. However, I'm pretty sure in every case mentioned that I was being phished. ;-) – Mark Buffalo Mar 03 '16 at 21:59
  • @MichealJohnson it's easy to figure out if it was really a brute force just by looking at the server logs. What I find is that although bad actors _do_ try to bruteforce emails (mostly as senders), it's very unlikely they would find the specific one you created. I find much more common that "smart" email validators deem your email address invalid, or that it feels awkward to use random/vendor-tagged emails when talking to a person, eg. in this case giving a «Michael Duncan» email when your name is «Mark Buffalo». – Ángel Mar 04 '16 at 00:35
  • 1
    I joined this website (which I like to browse from time to time) for the express purpose of giving you a +1, for your WoW quote. Excellent post. – Sh4d0wsPlyr Mar 04 '16 at 20:34
  • 1
    I always enjoy reading your answers. Whenever I'm reading them I'm like "yeah, this must be Mark", scroll down, yup it's him. – Hatted Rooster Mar 04 '16 at 22:40
  • Isn't it possible that Pizza Hut sold their email database to a third party, which then may have been broken into or just sold the email again to a bad actor? – Jac Mar 05 '16 at 08:21
  • @Jac Yes, [this is possible](https://order.pizzahut.com/privacy-policy#al6). However, I never signed up for any kind of promotional or marketing stuff. – Mark Buffalo Mar 09 '16 at 16:13
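The mail-filter side of REAM/PEAM, with the check-digit twist Steve Jessop suggests in the comments, as an added example that is not the answer author's code: given the aliases you handed out, it says what an incoming recipient address tells you (as issued, tag stripped, tag altered, never issued). The domain, base local part, site names and the check-digit formula are all constructed.

```python
"""Mail-filter side of REAM/PEAM: decide what an incoming recipient address
tells you about where a sender got it.

Added example for this answer (not the answer author's code). The domain,
base local part, site names and the check-digit formula are constructed;
the check digit follows the suggestion in the comments: a digit appended
to the tag that you can verify but a sender cannot know.
"""
from __future__ import annotations

import re

BASE = "michael.duncan2017"   # constructed base local part (from the answer's example)
DOMAIN = "mysitex.com"        # constructed domain (from the answer's example)


def check_digit(tag: str) -> str:
    """Position-weighted character sum, mod 10. Hypothetical scheme: cheap to
    verify by hand, and useless to a sender who does not know the weights."""
    total = sum((i + 1) * ord(c) for i, c in enumerate(tag))
    return str(total % 10)


def issue_alias(site: str) -> str:
    """Address to hand to `site`: base+<tag><digit>@domain, where the tag is
    the site name reduced to lowercase alphanumerics."""
    tag = re.sub(r"[^a-z0-9]", "", site.lower())
    return f"{BASE}+{tag}{check_digit(tag)}@{DOMAIN}"


def classify(recipient: str, issued: dict[str, str]) -> tuple[str, str | None]:
    """Return (verdict, site) for one recipient address.

    expected      exactly an alias you issued: the sender got it from `site`
    tag-stripped  bare base address: someone normalised an alias (or guessed)
    tag-altered   tag present but check digit wrong: an alias was edited
    unknown       digit verifies but you never issued it (log and investigate)
    foreign       not your base/domain at all
    """
    local, _, domain = recipient.strip().lower().rpartition("@")
    base, _, tag = local.partition("+")
    if domain != DOMAIN or base != BASE:
        return "foreign", None
    if not tag:
        return "tag-stripped", None
    if len(tag) < 2 or check_digit(tag[:-1]) != tag[-1]:
        return "tag-altered", None
    site = issued.get(f"{local}@{domain}")
    return ("expected", site) if site else ("unknown", None)


def triage(headers: list[str], issued: dict[str, str]) -> list[tuple[str, str, str | None]]:
    """Run classify() over raw 'To:' header lines; returns (address, verdict, site)."""
    out = []
    for line in headers:
        addr = line.split(":", 1)[1].strip().strip("<>")
        verdict, site = classify(addr, issued)
        out.append((addr, verdict, site))
    return out


# Constructed sample data: aliases handed to three sites, then four incoming
# 'To:' headers as a filter would see them.
ISSUED = {issue_alias(s): s for s in ("Pizza Hut", "IRS", "Target")}
SAMPLE_HEADERS = [
    "To: <michael.duncan2017+pizzahut2@mysitex.com>",   # as issued to Pizza Hut
    "To: michael.duncan2017@mysitex.com",              # tag removed by the sender
    "To: michael.duncan2017+pizzahut@mysitex.com",     # check digit dropped
    "To: michael.duncan2017+irs8@mysitex.com",         # as issued to IRS
]

if __name__ == "__main__":
    for addr, verdict, site in triage(SAMPLE_HEADERS, ISSUED):
        print(f"{verdict:13} {site or '-':10} {addr}")
```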
30

For the main question, I recommend Mark Buffalo's answer.

For the bonus question, my credit card company provides me a virtual credit card service they call ShopSafe. Other credit card companies provide their own virtual credit card services that will have different names and different details. Here are the ShopSafe features.

I can create a virtual credit card at will in a matter of seconds using their web portal. I can choose the credit limit and expiration date. Any charges against this virtual credit card will show up on my regular credit card bill as if they were against my regular credit card. I can query for charges against specific virtual credit cards.

When I need to provide credit card information, I create a virtual credit card with a chosen credit limit and expiration date. If I am buying a $100 item in October, the credit limit is $100 and the card expires in November. If the site is breached, most likely my credit card info is stale. This covers the majority of use cases.

Another use case is my transit pass. I have a transit pass that allows me to ride buses and metros. I have provided the transit agency with a virtual credit card. Every time my transit pass drops below $20, they auto-reload it (by charging my virtual credit card).

I gave the transit agency a virtual credit card with a $500 limit and 12 months until expiry because I want the card to auto-reload by itself. (When I am running for a train, I don't want to spend time adding money to the transit pass.)

ShopSafe records the first merchant to charge against a virtual credit card. Subsequent charges made by other merchants will be automatically rejected. If the transit agency is breached, my virtual credit card will not be expired and it will have credit left, but nonetheless the hackers will not be able to make charges against it. No one but the transit agency can charge against that virtual credit card.

Without a Virtual Credit Card

If you do not have virtual credit cards, then you might make all purchases with the same credit card number. If a site gets breached (and even if you know about it) you will probably choose not to cancel the card because it would disrupt everything else. Instead you would probably rely on your credit card's fraud guarantees. As hackers put bogus charges on your card, you dispute them. The credit card company is exposed to financial risk.

So virtual credit cards are mostly a benefit to your credit card company. If they do not make it available to you, their heads are full of rocks.

emory
  • 1
    Are you affiliated with "ShopSafe"'s issuer company? – Mindwin Remember Monica Mar 03 '16 at 17:11
  • 7
    @Mindwin I am affiliated as a user. – emory Mar 03 '16 at 17:23
  • @Mindwin This is an article about the general concept - https://en.wikipedia.org/wiki/Controlled_payment_number - including other providers. – emory Mar 03 '16 at 17:35
  • 17
    I used to use a service like that. I loved it until a baseball team wouldn't let me pick up my tickets at Will Call because I couldn't show them a credit card matching the number I used to buy my tickets (it got sorted out eventually but took a while). –  Mar 03 '16 at 19:26
  • 1
    This is an excellent recommendation. I've completely stopped using my real credit card number for any online purchases. Any time I buy something, I quickly create a new virtual credit card with all the details, set the limit a few dollars above the purchase price and use that. This actually saved me on one occasion when one of my email accounts got breached - the thief only got an already-used / expired CC number. – xxbbcc Mar 03 '16 at 20:09
  • I've been using virtual credit cards for years when paying online, can't recommend them enough. – Daniel Mar 04 '16 at 09:16
  • Are you aware of a resource with per-country pointers to banks that provide this type of service? – E.P. Mar 04 '16 at 10:02
  • "Are you aware of a resource with per-country pointers to banks that provide this type of service?" -- I'm afraid not. – Daniel Mar 04 '16 at 10:25
  • @E.P. the closest thing to what you are asking for that I am aware of is https://en.wikipedia.org/wiki/Controlled_payment_number which is far from exhaustive – emory Mar 04 '16 at 14:05
  • Thanks. I'm looking for ways to turn your answer from "so there's this useful tool that other people have that can help, but who knows how or where they got it" to "there's this useful tool and here are some ways you can get it". But I realize it's a tough ask. – E.P. Mar 04 '16 at 15:40
  • @E.P. it should be available to anyone in the United States and definitely a few other countries. It is probably not available to many people. If you are starving to death b/c of civil war in your country, you have other security threats to deal with first. – emory Mar 04 '16 at 17:02
  • No, what I mean is that your answer as stated is not particularly helpful if I want to secure myself (in, say, a developed european country). For one, googling ShopSafe in the UK returns pretty different results. Are you saying that essentially all banks in the USA support this service? Or that there are independent services that one can use regardless of the bank? If so, including them in your answer would make it stronger. Or whatever. – E.P. Mar 04 '16 at 17:05
  • 1
    @E.P. I know similar services are available in the UK, Portugal, and Egypt. Other than that, I have no clue. – emory Mar 04 '16 at 17:17
11

Facebook scrapes popular pastebin type sites where hackers post stolen login info and checks for their users' account info. You could do the same (for your various email addresses or credit card numbers), though it'd be a lot of work!

To do this, we monitor a selection of different 'paste' sites for stolen credentials and watch for reports of large scale data breaches. We collect the stolen credentials that have been publicly posted and check them to see if the stolen email and password combination matches the same email and password being used on Facebook

https://www.facebook.com/notes/protect-the-graph/keeping-passwords-secure/1519937431579736

Neil McGuigan
  • 4
    Essentially this is one of the services [haveibeenpwned.com](http://haveibeenpwned.com) provides. – Mike McManus Mar 04 '16 at 21:26
  • 1
    @NeilMcGuigan I see now, I thought it was restricted to facebook. I took a second look at it and it is a very good service. I was not trying to be argumentative. I just did not see the value at the time. – emory Mar 04 '16 at 23:18
5

I like Mark Buffalo's REAM method, but in reality it's too cumbersome for most people, so I'll give a better alternative: plus addressing (aka address aliasing, virtual identities).

Instead of creating several email accounts, you can have a single account, but multiple email addresses. The best news is that, if you use Gmail, you already have everything you need.

In practice

Let's say your email is johndoe@gmail.com, and you want to give your email to SomeCompany.

You can provide johndoe+somecompany@gmail.com, and it'll be routed to your account - anything after the + is ignored.

Some websites won't let you have a + in your address. Feel free to let them know that they are in violation of RFC5322 section 3.2.3 and the internet police will come and fine them. If they don't believe in you, for some reason, you'll have to resort to more...

Underhanded tactics

Provide them with jo.hndoe@gmail.com - still the same address (as far as Google's servers are concerned). If you know how to count in binary and have an email with 11 characters, you can get 1024 different addresses this way.

I can count in binary, but it's a pain

You might just as well invest a couple of bucks in your own domain, a book about Exim, and some caffeine. A lot, actually. Then, besides plus addressing, you can have minus addressing, multiply addressing, dollar addressing, or whatever suits your fancy.

Spammers / phishers are not stupid, they'll remove the plus

Please let the dozens of scammers hitting my domain know.

Some particularly bright chaps actually wrote a parser that thinks johndoe+somecompany@yourdomain.tld is actually somecompany@yourdomain.tld. Truly genius.

If you are savvy enough to use a plus on your address, it's probably fair to say you won't fall for a mass scamming operation, so writing a parser to address it is likely a waste of resources for people doing that.

That is not to say, of course, that you won't get targeted specifically if you are a high-value target. If you're that concerned, just use your own domain. The way the address is parsed is entirely at the discretion of the MTA, so there's no way for the sender to actually know what they should parse out.

loopbackbee
  • 1
    If I'm writing malware to phish people, the first thing I'm going to remove/filter everything that has plus addressing. ;-) – Mark Buffalo Mar 04 '16 at 01:17
  • Do you think spammers are stupid enough not to know that `johndoe@gmail.com` and `jo.hndoe@gmail.com` are the same address? – Dmitry Grigoryev Mar 04 '16 at 07:56
  • @DmitryGrigoryev - no, but I do think they're LAZY and are very unlikely to hand-sanitize a large stolen database of email addresses. – James Snell Mar 04 '16 at 09:20
  • 4
    @JamesSnell **hand-sanitize**? I think it is safe to assume that spammers know at least some Perl. – Dmitry Grigoryev Mar 04 '16 at 10:13
  • @MarkBuffalo This is a good point, I've addressed it in the answer – loopbackbee Mar 04 '16 at 11:01
  • I've used plus addressing for some time, it's safe to say that while they *could* filter things like that they don't, it requires effort on their part. Also it was a reference to Dmitry's comment, where the example wouldn't easily be automatically dealt with without breaking good addresses. – James Snell Mar 04 '16 at 11:11
  • I am slightly surprised that spammers don't immediately discard any email address with a '+'. It's a pretty big hint that the recipient is clue-ful (so why bother sending the email). (Possibly because the cost to send is so low, and bad grammar etc is a better test of cluelessness.) – Martin Bonner supports Monica Mar 04 '16 at 13:14
  • @MartinBonner Spammers are less intelligent than Phishers. And spammers aren't going to worry about plus addressing, especially if your spam ends up in their mailbox anyway. – Mark Buffalo Mar 04 '16 at 13:21
  • 2
    Regarding sanitising addresses, it's pretty trivial to set up your email so that "sanitised" addresses won't work. Tell all your friends that `johndoe+mail@example.com` is your address, and funnel everything that comes to `johndoe@example.com` into your spam folder. Spammers who know that this is possible realise that attempting to sanitise an address without knowing the recipient's mail rules might make it *less* likely to work. – anaximander Mar 04 '16 at 14:38
  • @goncalopp I just updated my post with a code snippet defeating this plus addressing method. This might still work for spammers, but phishers... I doubt they'd be stupid enough. – Mark Buffalo Mar 04 '16 at 14:45
  • I think the REAM technique is better but more work so this is the technique that I use. A major flaw with this technique that has not been commented on is that some form validations reject plus addressing. Hypothetically, I try to create an account at www.acme.com using my email address as the login id. The registration form rejects b/c "invalid email address". When I remove the plus address, it accepts. – emory Mar 04 '16 at 16:38
  • There are some parsers that treat the `+` as a space (like URL escaping), which might cause your "truly genius" problem. (I had once a mail provider, whose web interface didn't accept those `+` addresses as receivers, I assume for that reason.) – Paŭlo Ebermann Mar 04 '16 at 22:17
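The per-service plus-address scheme discussed in these comments, and anaximander's rule of routing the bare address to spam, as an added Python example that is not part of the original thread. The registry of tags, domains and the three sample messages are constructed for illustration; the mailbox `johndoe@example.com` and the services `shop.example` and `bank.example` are hypothetical. The example also shows Gmail-style dot folding, so a "sanitised" `jo.hndoe+shop` still lands on the same mailbox and carries the same tag.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed registry: which "+tag" was handed to which service at sign-up.
# Each tag is given to exactly one service, so mail carrying that tag from
# anyone else is the leak indicator the thread describes.
ALIAS_REGISTRY = {
    "shop": "shop.example",   # hypothetical web shop
    "bank": "bank.example",   # hypothetical bank
}
MAILBOX_LOCAL = "johndoe"     # the bare address that was never handed out
MAILBOX_DOMAIN = "example.com"


def canonical_local_part(local: str, gmail_style: bool = True) -> tuple:
    """Split a local part into (base, tag). With gmail_style the dots in the
    base are ignored, so 'jo.hndoe+shop' and 'johndoe+shop' are one mailbox."""
    base, _, tag = local.partition("+")
    if gmail_style:
        base = base.replace(".", "")
    return base.lower(), tag.lower()


def classify(raw_message: str) -> dict:
    """Return a verdict for one RFC 5322 message based on the recipient tag
    and the sender's domain."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    _, to_addr = parseaddr(str(msg.get("To", "")))
    _, from_addr = parseaddr(str(msg.get("From", "")))
    to_local, _, to_domain = to_addr.partition("@")
    base, tag = canonical_local_part(to_local)
    sender_domain = from_addr.rpartition("@")[2].lower()
    result = {"to": to_addr, "tag": tag, "sender_domain": sender_domain}

    if to_domain.lower() != MAILBOX_DOMAIN or base != MAILBOX_LOCAL:
        result["verdict"] = "not-ours"
    elif not tag:
        # anaximander's rule: nobody was ever given the bare address, so
        # anything reaching it came from a stripped or guessed address.
        result["verdict"] = "spam"
    elif tag not in ALIAS_REGISTRY:
        result["verdict"] = "unknown-tag"
    elif sender_domain == ALIAS_REGISTRY[tag] or \
            sender_domain.endswith("." + ALIAS_REGISTRY[tag]):
        result["verdict"] = "expected"
    else:
        # The tag identifies the only service that ever had this address,
        # so an unrelated sender points at a leak (or a phish) of that list.
        result["verdict"] = "possible-leak"
        result["leaked_from"] = ALIAS_REGISTRY[tag]
    return result


# Constructed sample messages (headers only are needed for the triage).
SAMPLE_MESSAGES = [
    "From: Shop <noreply@shop.example>\nTo: johndoe+shop@example.com\n"
    "Subject: Your order\n\nThanks for your order.\n",
    "From: Offers <offers@totally-legit.example>\nTo: jo.hndoe+shop@example.com\n"
    "Subject: Act now\n\nClick here.\n",
    "From: Someone <x@anything.example>\nTo: johndoe@example.com\n"
    "Subject: Hello\n\nHi.\n",
    "From: Someone <y@anything.example>\nTo: johndoe+lottery@example.com\n"
    "Subject: Win\n\nYou won.\n",
]


def triage(messages=SAMPLE_MESSAGES) -> list:
    """Classify each message; returns a list of (tag, verdict) pairs."""
    return [(r["tag"], r["verdict"]) for r in map(classify, messages)]


if __name__ == "__main__":
    for tag, verdict in triage():
        print(f"{tag or '<bare>'}: {verdict}")
```

Running the block prints one verdict per constructed message; the second message is the interesting one, since a sender unrelated to the shop is using an address only the shop ever received, which is the earliest signal of a leaked list the comments above are after.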
3

There are various 'identity protection' services you can pay for. Amongst other things, they troll the dark web for your email, credit card, etc. Everyone exposed in the OPM breach gets one of these for free. If you are really concerned, you might decide that one of them is worth the cost to you.

Of course, as pointed out in a comment, there's no guarantee that your information will turn up where they look.

However, I'm a bit perplexed by the focus on email addresses in other answers here. It's not hard to avoid phishing. I've never seen a phishing email that even momentarily threatened to mislead me. I gave up on protecting my email address a long time ago; I find that Google correctly spam-folders 99% of the phishing I get, and the rest, as above, is not hard to spot.

If someone has a breach, they might leak your email. Your bigger worry is that some set of idiots failed the PCI test and have leaked your credit card number. You can invent email addresses all day long and it won't help you with these cases.

bmargulies
  • 327
  • 1
  • 7
  • The identity protection services can be good, yes, but not everyone posts your data on the deep web, and those who do usually try to sell the info before providing it. Will the identity protection services purchase data from hackers? Different hackers have different motivations for that data, and if someone else contacts your fake email, then it's bad news. The focus on email addresses is shared as a way to detect *phishing* attempts, not avoid them: nobody should be emailing you at that email address to begin with except the company. If they do, it usually indicates something very suspicious. – Mark Buffalo Mar 05 '16 at 15:46
  • The question asked, 'how to detect a breach'. Detecting a phishing attempt is interesting, and even useful, but it's not quite the same thing in my jaundiced view. – bmargulies Mar 05 '16 at 16:13
  • 1
    I think you are misunderstanding the question. The OP wants to know how he can possibly detect a breach *before* the breached company announces it so he can protect himself instead of waiting for the company to tell him his data has been stolen. While yes, the Dark Web may contain information on these breaches eventually, and the information may only be available if someone pays for it, I've found that a lot of phishers attempt to attack my dummy emails before the information even ends up on the deep web, if it even does. – Mark Buffalo Mar 05 '16 at 16:18
  • 1
    Even though I feel you missed some points, I'm giving you a +1 for your input. It's very welcome. The Deep Web / Identity Protection Services was a good addition, and I've now updated my answer to address it. – Mark Buffalo Mar 05 '16 at 16:31