Saturday, September 29

Followup to an earlier post: We finally got a response from Google letting E. reset her Gmail password, though it took long enough that we'd given up and quit checking the appropriate e-mail, so we only actually noticed it tonight.

It turns out that, aside from bogus PayPal charges, our friends in Hong Kong attempted a fairly transparent eBay scam. The thing that strikes me here is that actors like PayPal and eBay are really good at catching this kind of thing - though we temporarily lost some dollars to the PayPal charges, most of the transactions were immediately flagged as suspicious, and the eBay auctions were taken down in short order. What's really weird is that, with all of the work and apparatus going into fraud detection, everything is still tied to this mail address = identity conceit - even as compromised mail accounts have to be one of the most common and basic avenues of attack.

Maybe this was sane when everyone was using a mail provider with some immediate, human accountability (a local ISP or institutional affiliation), but in the world of webmail and "forgot your password?" links, it just don't make sense. It's kind of like most of the basic practices around identity are still operating on unexamined assumptions forged sometime in the mid 90s.

p1k3 / 2007 / 9 / 29