Unlike verification on Twitter, which has become the preserve of those who pay for a subscription, Gmail introduced verification badges a month ago for the purpose they should always have had: distinguishing official accounts from unofficial ones, in this case for businesses. The move has backfired.
This measure was mainly put in place to prevent phishing, i.e. the use of company names in an attempt to defraud users. However, scammers have succeeded in circumventing the system used by Google, and some companies are being impersonated, now with the added blue verification badge.
Closing the loop on identity theft
As we said at the beginning, this badge was introduced to differentiate real companies from scammers.
In phishing emails, the sender pretends to be a well-known company so that the victim believes it and follows its instructions, which range from downloading a malicious attachment to following an external link that asks for personal data or even a payment. Verification (the blue ‘tick’) should serve to distinguish these scams from real company emails.
However, as a cybersecurity expert comments on Twitter, some emails arrive verified even though they do not come from the real company. He attaches an example email that purports to be from the courier company UPS and which, judging by the sender’s email address, is not really from UPS.
The expert does not provide details on how Google’s authentication system was breached, presumably so that the method does not spread like wildfire and other cybercriminals adopt it. The fact is that this can be extremely annoying. Anyone might trust an email that arrives with this “check” and, as we can see, it is no longer synonymous with authenticity.
It’s clear that the system Gmail uses to authenticate businesses and grant them the badge is weak somewhere. Until now, Google had outsourced everything to companies like Entrust or DigiCert to verify both the logo and the email domain.
9to5Google reports that Google itself already acknowledges the problem, although it attributes the cause to third parties, and has announced that in the next few days it will implement a new verification requirement. Specifically, it says it will require the DKIM (DomainKeys Identified Mail) authentication standard to be used.
Therefore, pending this change, we recommend taking extreme precautions if you receive a verified email. Try to check whether the sender’s email address is real (although it may be hidden) and, above all, question the context. If you are asked to download a file or follow a suspicious link, be wary.
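One way to carry out the sender check above on a saved message, as an added example that is not from the article or from Google: it reads the DKIM result recorded by the receiving server and compares the signing domain and the From domain with the domain you expect the brand to use. The sample message, the domains and the `mx.receiver.example` server name are constructed, and the subdomain test is a simplified stand-in for organizational-domain alignment.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not from the article): the display name claims a courier
# brand, but the address and the DKIM-signing domain belong to another party.
SAMPLE = """\
Authentication-Results: mx.receiver.example;
 dkim=pass header.i=@mailer.example.org header.s=s1;
 spf=pass smtp.mailfrom=bounce.mailer.example.org
From: "Courier Brand" <notify@mailer.example.org>
Subject: Delivery update

Your parcel is waiting.
"""

def within(domain, parent):
    """True if domain equals parent or is a subdomain of it (simplified alignment)."""
    domain, parent = domain.lower().rstrip("."), parent.lower().rstrip(".")
    return domain == parent or domain.endswith("." + parent)

def dkim_pass_domains(msg, trusted_authserv):
    """Domains with dkim=pass, taken only from headers our own receiver wrote."""
    found = []
    for value in msg.get_all("Authentication-Results", []):
        clauses = [" ".join(c.split()) for c in str(value).split(";")]
        if clauses[0].split(" ")[0].lower() != trusted_authserv.lower():
            continue  # written by some other host: the sender could have forged it
        for clause in clauses[1:]:
            if clause.lower().startswith("dkim=pass"):
                m = re.search(r"header\.(?:d=|i=[^\s@]*@)([^\s;]+)", clause)
                if m:
                    found.append(m.group(1).lower())
    return found

def check_sender(raw, expected_domain, trusted_authserv):
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    signed = dkim_pass_domains(msg, trusted_authserv)
    return {
        "from_domain": from_domain,
        # DKIM only vouches for the signing domain, so it must match the From domain
        "dkim_aligned": any(within(from_domain, d) or within(d, from_domain) for d in signed),
        # ...and the From domain must still be the one the brand actually uses
        "is_expected_brand": bool(from_domain) and within(from_domain, expected_domain),
    }

if __name__ == "__main__":
    print(check_sender(SAMPLE, "courier.example", "mx.receiver.example"))
```

On the sample, DKIM passes and aligns with the From address, yet the From domain is not the expected brand domain: a valid signature shows which domain sent the message, not that the domain belongs to the company named in the display name.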
Via | 9to5Google
Cover Image | Clfr21 on Pixabay | Feen to Flaticon | Wikipedia, the free encyclopedia