I pay for my email, which gives me a lot of aliases, and most of them have not been pwned yet. So with his tool I would be flagged as a bot. Honestly, it doesn't sound like a great idea, to be frank.<p>There must be large swaths of people that have either been careful or have specific emails that they use for certain purposes that haven't been pwned.<p>The question is, what should happen if I haven't been pwned? Should I not be able to purchase the thing, or would I face some annoying captcha?<p>I like Troy Hunt, but this idea penalizes people with good habits and that is just something I can't support.
Facebook and Twitter are basically closed to new users. If you've gone this far without an account, your new one will be shut down for being a bot within hours of creating a new account, or flagged for "extra verification" which requires sending a government ID to these companies so they can verify that you didn't photoshop a fake government ID.<p>This new approach seeks to extend this feature to <i>the entire internet</i>. What could possibly go wrong?
I'll be a contrarian: I like it.<p>Is it a black-and-white, silver-bullet, one-call-destroys-'em-all solution? Not even close. But, as he states in his article, from a "defence in depth" standpoint it's another strong signal.<p>Are you a bad guy just because you have a weirdo email (which I do)? No.<p>Are you a bad guy just because you use Tor? No.<p>Are you a bad guy just because you're trying to make a purchase during an extreme surge? No.<p>Are you PROBABLY a bad guy given a weirdo email, you're on Tor, and you're trying to buy during a surge in purchases? I would say yes. I might not ban you outright, but you're going to jump through a lot more hoops than someone with an ancient email and a residential IP address.
Wouldn't bad actors just push their fake email addresses to haveibeenpwned in fake leaks? Steps:<p>1. Periodically set up a legitimate-looking service, possibly proxying real services.
2. Wait a year or two for your fake service to permeate throughout the www and for search engines to index it.
3. Mix your bot email addresses with legitimate previously pwned addresses.
4. Proclaim "woe is me, for thyself hath been pwned".<p>You can set up this process so that you can inject a couple hundred thousand bot email addresses periodically every couple of months.<p>This is an incredibly shortsighted idea with the potential to hurt a lot of innocent people.
This is a cute "hack" for bot detection, but it's too unpredictable for the real world. Far too many users with good security hygiene are penalized by this system.<p>Plus, this might incentivize hackers to defeat the system by logging into and using email accounts pwned in these breaches.
> If an email address hasn't been seen in a data breach before, it may be a newly created one especially for the purpose of gaming your system.<p>I’ve started using iCloud Hide My Email which generates a random email that forwards to my account email. This assumption is going to cause issues.
This feels a lot like email providers assuming that if you're running your own mail server, you must be spamming people.<p>This depends on the lack of use of good tools like FF's relay to anonymize accounts. I mean, HIBP is great, but Troy is self-consciously not interested in handling subaddressing, which would improve his service and its (mis)use in detecting "humanness".
Maybe I'm an outlier, but the e-mail address I have used for online payments or shops for over 10 years now has not been pwned. Maybe that's because I don't use this email for other sites where no money is involved or for social media. But I think HIBP is not a great bot indicator.
So the crux of the technique is to roughly date how long an email has existed for, using leaked databases as a timestamping measure. I'm not sure this metric is a good one though, as older and importantly "pwned" emails are far more likely to have been taken over.<p>Without an idea for the percentage of emails that are still in the original owners hands, this risks a high false negative rate.
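The two ideas above, a defence-in-depth score that combines several weak signals (the "weirdo email + Tor + surge" comment) and using the earliest breach date as a lower bound on how long an address has existed, can be put together in a few lines. The following is an added example, not code from Troy Hunt's article or from HIBP; the breach records are constructed in the shape of HIBP's v3 `breachedaccount` response (with `truncateResponse=false`, which is needed to get `BreachDate`), the point weights and thresholds are arbitrary assumptions, and the fixed "today" keeps the demo deterministic. The live lookup function is included for completeness but is not called.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional
import json
import urllib.error
import urllib.parse
import urllib.request

# Constructed sample shaped like HIBP's v3 breachedaccount response, limited to
# the fields used below. Not real lookups, not real breaches.
SAMPLE_BREACHES = {
    "ancient@example.com": [
        {"Name": "OldForum", "BreachDate": "2012-03-14",
         "DataClasses": ["Email addresses", "Passwords"]},
        {"Name": "ShopLeak", "BreachDate": "2019-07-01",
         "DataClasses": ["Email addresses", "Names"]},
    ],
    "fresh-alias@example.com": [],   # never seen in a breach
}


def fetch_breaches(email: str, api_key: str, user_agent: str) -> list:
    """Live lookup against HIBP v3 (not used by the offline demo below).
    The API requires an API key and a User-Agent, answers 404 when the address
    is in no breach, and only includes BreachDate with truncateResponse=false."""
    url = ("https://haveibeenpwned.com/api/v3/breachedaccount/"
           f"{urllib.parse.quote(email)}?truncateResponse=false")
    req = urllib.request.Request(
        url, headers={"hibp-api-key": api_key, "user-agent": user_agent})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as e:
        if e.code == 404:
            return []
        raise


def first_seen(breaches: list) -> Optional[date]:
    """Earliest BreachDate: a lower bound on the address's age, nothing more."""
    dates = [date.fromisoformat(b["BreachDate"]) for b in breaches]
    return min(dates) if dates else None


def email_age_years(breaches: list, today: date) -> float:
    seen = first_seen(breaches)
    return 0.0 if seen is None else (today - seen).days / 365.25


def password_exposures(breaches: list) -> int:
    """Breaches that leaked passwords: an old, pwned address is also the one
    most likely to have been taken over, so this is a separate risk, not a
    'human' signal."""
    return sum(1 for b in breaches if "Passwords" in b.get("DataClasses", []))


@dataclass
class Context:
    tor_exit: bool = False
    during_surge: bool = False
    residential_ip: bool = True


def risk_score(breaches: list, ctx: Context, today: date) -> int:
    """Additive score (assumed weights). No single signal reaches the
    'review' band on its own; that is the defence-in-depth point."""
    score = 0
    age = email_age_years(breaches, today)
    if age == 0.0:
        score += 30      # never breached: brand new, or careful / aliased
    elif age < 2.0:
        score += 10
    if ctx.tor_exit:
        score += 25
    if ctx.during_surge:
        score += 20
    if not ctx.residential_ip:
        score += 15
    return score


def decision(score: int) -> str:
    if score < 40:
        return "allow"
    if score < 70:
        return "challenge"   # e.g. a captcha or extra verification step
    return "review"


def assess(email: str, ctx: Context, today: date = date(2022, 8, 1),
           source: dict = SAMPLE_BREACHES) -> dict:
    breaches = source.get(email, [])
    score = risk_score(breaches, ctx, today)
    return {"score": score, "decision": decision(score),
            "email_age_years": round(email_age_years(breaches, today), 1),
            "password_exposures": password_exposures(breaches)}


if __name__ == "__main__":
    print(assess("ancient@example.com", Context()))
    print(assess("fresh-alias@example.com", Context()))
    print(assess("fresh-alias@example.com",
                 Context(tor_exit=True, during_surge=True, residential_ip=False)))
```

With these weights a never-breached alias from a residential connection outside a surge still lands in "allow"; it only escalates when the other signals line up. The `password_exposures` count is returned separately because, as the comment above notes, a long-pwned address is more likely to be controlled by someone other than its original owner.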
> This is called "sniping", where an individual jumps the queue and snaps up products in limited demand for their own personal gain and consequently, to the detriment of others.<p>This reminds me of Utility Monsters[0]. From Wikipedia:<p>> the utility monster, receives much more utility from each unit of a resource that it consumes than anyone else does. For instance, eating a cookie might bring only one unit of pleasure to an ordinary person but could bring 100 units of pleasure to a utility monster.<p>I'm a utility monster, and shops and convenience stores either love or hate us (since the monster consumer derives a skewed amount of utility from certain items). Some stores deliberately up their prices on certain items if they see utility monsters taking advantage, other times, they let the price remain stagnant, in full knowledge the utility monster brings them good business.<p>[0] <a href="https://en.m.wikipedia.org/wiki/Utility_monster" rel="nofollow">https://en.m.wikipedia.org/wiki/Utility_monster</a>
> We're all so comprehensively pwned that if an email address isn't pwned, there's a good chance it doesn't belong to a real human.
Profound: "We're all so comprehensively pwned that if an email address isn't pwned, there's a good chance it doesn't belong to a real human."<p>Should we be using whether an email is pwned as input to anti-abuse systems to give them higher confidence?<p>It reminds me a bit of when the percentage of emails that were spam vs. ham crossed 50% many years ago.
> <i>it may be that they're uniquely subaddressing their email addresses (although this is extremely rare)</i><p>That “extremely rare” is about plus-addressing. My experience is that catch-all subaddressing (e.g. *@chrismorgan.info in my case) is <i>considerably</i> more popular, only rare rather than extremely rare.
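The difference between plus-addressing and catch-all subaddressing matters for any per-address lookup. A "+tag" can be stripped before the lookup, so every alias maps back to the base mailbox; a catch-all domain makes every alias a distinct address, and a third party cannot collapse them without knowing the domain is catch-all. The following is an added example, not code from the article or from HIBP; the provider list is an assumption to be extended per deployment, and the set of catch-all domains is something the operator has to learn out of band (here it is just passed in).

```python
from collections import defaultdict

# Providers assumed to honour "+tag" subaddressing (assumed list, not exhaustive).
PLUS_TAG_PROVIDERS = {"gmail.com", "googlemail.com", "outlook.com", "hotmail.com",
                      "fastmail.com", "protonmail.com", "proton.me"}
# Providers assumed to ignore dots in the local part.
DOT_INSENSITIVE = {"gmail.com", "googlemail.com"}


def normalize(addr: str) -> str:
    """Collapse provider-specific aliasing so plus-addressed variants of one
    mailbox produce one lookup key. Unknown domains are left untouched: we do
    not know whether they strip tags, so we must not guess."""
    addr = addr.strip().lower()
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {addr!r}")
    if domain in PLUS_TAG_PROVIDERS:
        local = local.split("+", 1)[0]
    if domain in DOT_INSENSITIVE:
        local = local.replace(".", "")
    return f"{local}@{domain}"


def lookup_key(addr: str, catch_all_domains: set) -> str:
    """For a known catch-all domain, per-address lookups are meaningless
    (every alias is unique), so the only usable key is the domain itself."""
    norm = normalize(addr)
    domain = norm.rpartition("@")[2]
    if domain in catch_all_domains:
        return f"*@{domain}"
    return norm


def cluster(addrs, catch_all_domains=frozenset()) -> dict:
    """Group submitted addresses by the key a lookup would actually use."""
    groups = defaultdict(list)
    for a in addrs:
        groups[lookup_key(a, catch_all_domains)].append(a)
    return dict(groups)


# Constructed sample signups, not real addresses.
SAMPLE_SIGNUPS = [
    "Jane.Doe+nike@Gmail.com", "janedoe@gmail.com",
    "jane+nike@outlook.com",
    "nike@example.org", "adidas@example.org",   # example.org treated as catch-all below
]

if __name__ == "__main__":
    print(cluster(SAMPLE_SIGNUPS))
    print(cluster(SAMPLE_SIGNUPS, {"example.org"}))
```

Without the catch-all hint the two `example.org` aliases look like two unrelated addresses, which is exactly why a never-breached catch-all alias tells a third party nothing about the person behind it.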
I have always wondered why pricing can’t fix the issue. On launch day, or for your first batch or whatever, start the pricing higher than you expect most anybody to pay. Target a constant <i>rate of purchase</i> by gradually lowering and raising the price to maintain some target sales per min/hour. Bots and scalpers get stuck holding the bag if they buy on launch day because the price will likely never be higher than what they had to pay to get the product. The company makes marginally more money on launches. People who really really want the product get it at a fair price (they were willing to pay).
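The pricing idea above is a feedback loop: start high, measure sales per tick, and move the price against the error between the measured rate and the target. The following is an added illustration, not anything from the article or from any retailer; the demand curve is constructed (buyers per tick whose willingness to pay is at least the price, uniform up to a maximum), and the controller gain, target rate and starting price are arbitrary assumptions. Integer arithmetic keeps the run deterministic.

```python
def demand(price: int, arrivals: int, max_wtp: int) -> int:
    """Constructed demand curve: of `arrivals` shoppers per tick, those whose
    willingness to pay (uniform on [0, max_wtp]) is at least `price` buy."""
    if price >= max_wtp:
        return 0
    return arrivals * (max_wtp - price) // max_wtp


def controller_step(price: int, sold: int, target: int, gain_div: int = 10) -> int:
    """Proportional step: undersold -> lower the price, oversold -> raise it.
    The error is clamped to one target's worth so a dead tick cannot crash
    the price, and the step is price * error / (gain_div * target)."""
    err = max(-target, min(target, target - sold))
    return price - price * err // (gain_div * target)


def simulate(p0: int = 1200, ticks: int = 20, arrivals: int = 500,
             max_wtp: int = 1000, target: int = 50, gain_div: int = 10) -> dict:
    prices, sales = [], []
    price = p0
    for _ in range(ticks):
        sold = demand(price, arrivals, max_wtp)
        prices.append(price)
        sales.append(sold)
        price = controller_step(price, sold, target, gain_div)
    return {"prices": prices, "sales": sales}


def scalper_margin(result: dict, buy_tick: int) -> int:
    """What a reseller who bought at `buy_tick` can expect per unit if they
    must undercut the final list price: negative means they hold the bag."""
    return result["prices"][-1] - result["prices"][buy_tick]


if __name__ == "__main__":
    r = simulate()
    for t, (p, s) in enumerate(zip(r["prices"], r["sales"])):
        print(f"tick {t:2d}  price {p:5d}  sold {s:3d}")
    print("scalper margin buying at tick 2:", scalper_margin(r, 2))
```

With these parameters the price sells nothing for two ticks, then settles at the level where the constructed demand meets the target rate, and anyone who bought during the descent paid more than the settled price. A real demand curve is not known in advance and not static, which is why the loop measures rather than assumes it.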
I think the problem of bot vs. real person needs to be solved by the governments. Every government doing its own thing to tackle this wouldn't work; it would be great if they created an open-source project/standard that they implement. An alternative would be using bank accounts, which is actually what Scandinavian countries do (e.g. in Sweden it is BankID), to verify that you are a real person.<p>All these methods of trying to recognize government ID pictures, etc. just seem very inefficient and not accurate enough for widespread use.<p>Unfortunately, not many governments are well-run enough to manage such solutions.
>Now, think of it from Nike's perspective: they've launched a new shoe and are seeing a whole heap of new registrations and purchase attempts. In amongst that lot are many genuine people... and this guy. How can they weed him out such that snipers aren't snapping up the products at the expense of genuine customers?<p>Is it true that Nike actually wants to cut the snipers out? It seems like they're selling the shoes either way, possibly faster this way, and the resellers are doing free promotion for their shoes in order to resell them.
Ha I do this all the time for buying second hand concert tickets! Scammers usually use throw away email addresses. If the seller has a pwned account I trust them more ;)
Everything from that Stripe data about IP addresses in Europe is just pure cringe.<p>Did you know that, at least in my country, nearly everybody is behind CGNAT, so hundreds if not thousands of households have exactly the same external IP address, and it rotates very often.
So you constantly have the same IP address, which hosts tons of torrents with porn or movies (nobody cares about torrents in my country), etc.
How does this work with data protection laws? Is there a way for me to object to a company doing this, i.e. an automated background check on my email address with stolen personal data?<p>I guess I cannot effectively object to my email being included in data leaks…
Very bad idea. Most people are not terminally online like HN folks; they barely register anywhere and barely appear in leaks. Unless every single Facebook and Instagram and WeChat etc. user is leaked, it will already have too many false positives.
> Only 76% of transactions from the IP address had previously been authorised<p>Sounds like a self-fulfilling prophecy, if they use these rules to authorize transactions.
Snipers are just as much legitimate customers as anyone else. They only snipe underpriced products, so if you don't want people reselling them, do not sell them for so cheap.