Hacker News: arx_'s comments

The attacker doesn’t need to spoof anything, this is known as a homograph attack:

https://en.m.wikipedia.org/wiki/IDN_homograph_attack

https://www.xudongz.com/blog/2017/idn-phishing/


If it's a known attack, Google has a known defence in its apps?


Something being known doesn’t mean a solution exists.

Computing the set of Unicode characters that would result in a homograph of a Latin-alphabet word is non-trivial. Now do this for relevant/trusted domains; now put in place a mechanism to mark a domain as trustworthy that also minimises your liability.
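
One way a mail filter could flag such look-alike labels, added here as an example and not code from this thread or from Google: it assumes a constructed allowlist of trusted brand labels and a deliberately small hand-written confusables table (a real deployment would use Unicode's confusables.txt), and it approximates a character's script by the first word of its Unicode name.

```python
"""Flag IDN homograph candidates for trusted brand labels (added example)."""
import unicodedata

# Constructed allowlist of brand labels the filter protects (assumption for this example).
TRUSTED_LABELS = {"google", "paypal"}

# Constructed, deliberately small map of non-Latin letters that render like Latin ones.
# Production code should load the full Unicode confusables.txt instead.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u0131": "i",  # LATIN SMALL LETTER DOTLESS I
}

def decode_label(label: str) -> str:
    """Turn a punycode label (xn--...) into Unicode; plain ASCII passes through unchanged."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def scripts_in(label: str) -> set:
    """Approximate script set: first word of each letter's Unicode name (LATIN, CYRILLIC, ...)."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}

def skeleton(label: str) -> str:
    """Map confusable characters to their Latin look-alikes, in the spirit of a UTS #39 skeleton."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in unicodedata.normalize("NFKC", label))

def check_domain(domain: str) -> dict:
    """Inspect the registrable label: is it mixed-script, and does it collapse onto a trusted brand?"""
    labels = domain.rstrip(".").split(".")
    sld = decode_label(labels[-2] if len(labels) > 1 else labels[0]).lower()
    found = scripts_in(sld)
    mixed = len(found - {"UNKNOWN"}) > 1
    skel = skeleton(sld)
    lookalike = skel if skel != sld and skel in TRUSTED_LABELS else None
    return {"label": sld, "scripts": found, "mixed_script": mixed, "lookalike_of": lookalike}
```

A label that is entirely non-Latin but skeletonises onto a trusted brand is still reported via `lookalike_of`, so the check does not rely on the mixed-script signal alone.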


> Something being known doesn’t mean a solution exists.

But we aren't talking theory. In this case solutions exist, just not in this app?

Also, the triviality point is puzzling; are we only allowed to criticize professionals for trivial fails? (Though using a different font is one of the trivial mitigations.)

> that also minimises your liability.

How is that a factor, what is their liability now without any mechanism and will it increase if they add some?


We don’t know yet that that’s what actually happened in this case.


It seems likelier than a @google.com spoof landing in the person’s inbox.

Without them providing the headers this is just idle guessing, but I’d argue my guess is likelier to be the truth.


Seems like a good use for the .google tld


Per TFA:

> Title: I Was Scammed Out of $130,000 — And Google Helped It Happen

> Heading: Google failed me in two ways

> Body: Google has become the vault of our digital lives — and that vault had cracks.

If Ford adds seatbelts and you decide to take them off because they annoy you, when you get into a crash you can’t claim Ford failed you, since the seatbelts weren’t forced upon you anymore.


Here are the two specific criticisms in the article:

> Phishing emails from “@google.com” made it into Gmail.

> Google enabled Authenticator cloud sync by default.

Both of these seem like fair points where one could reasonably expect one of the largest companies in the world to spend a tiny amount of money on security improvements which would make it harder to attack their customers. Not following Apple’s lead on security for Authenticator is especially disappointing since they have no shortage of good security engineers.


Not unless you actually got hired directly by Google. TVCs don’t have the same level of access/responsibility as FTEs. Also, iirc, your contract should state that it’s a breach to represent yourself as a Google employee.


Bingo

