Shubham Agarwal | The Verge

The black market for blue checks

2022-10-18T09:00:00-04:00

On August 15th, an alarming email popped up in the inbox of Diana Pearl, a New York-based news editor. Someone in Moscow had logged into her verified Twitter account, it said. Pearl was familiar with the email content’s theme as it resembled previous automated correspondence from Twitter — featuring a minimal white background, black text, and blue links.

Fearing her account’s safety, Pearl clicked the link inside the email that supposedly would instantly let her secure her account and entered her existing password on the following webpage to update it.

Moments later, a message arrived in a Telegram group. All it contained was a screenshot of Pearl’s Twitter profile and a link. Three hours later, the admin texted, “Sold.”

Pearl had fallen prey to a phishing attack. The email wasn’t from Twitter but from a hacker who had copied the look of an official Twitter message. Pearl was out when the email landed and assumed she couldn’t afford to wait till she was home to read it on her computer. Plus, the email’s urgent tone rushed Pearl to react without verifying its details. If she had, she might have noticed the fishy email address it came from or the fact that the link didn’t lead to the official Twitter URL.

Pearl’s account was just one sale in a vast and highly lucrative black market for verified Twitter handles. In this particular Telegram group, control of a verified account usually goes for a couple hundred dollars, which buyers usually hope to make back by promoting NFT scams. Such thefts occur regularly, with dozens losing their profiles every day if the frequency of new listings on marketplaces for verified profiles is any evidence. And despite years of evidence, platforms seem powerless to stop the ongoing trade.

When The Atlantic writer Jacob Stern’s account was compromised in May earlier this year, it was used to dupe Moonbirds NFT owners into transferring their tokens into the hacker’s wallet. Over a few hours, the hacker sent out hundreds of tweets announcing a new “drop” with a phishing link, which prompted buyers to transfer a sum of cryptocurrency in exchange for a fake NFT or none at all. MPR News reporter Dana Ferguson’s profile was similarly rebranded in August — except for the username, which would have revoked the verification badge — to steal Killabears NFTs. Both compromises linked back to the same Telegram group, where the accounts were listed for sale.

Some hackers even enlist smaller NFT artists in the scam. When California-based writer Marissa Wenzke was hacked, her account ran a promotional campaign for the group behind the NFT collection called “Meta Battlebots” — a real NFT art project with no obvious associated scam. When informed that they were being promoted by a hacked account, the official Meta Battlebots Twitter account responded, “No worries on that.” A moment later, they blocked the reporter’s account, ending the conversation.

Dipanjan Das, a security researcher at UC Santa Barbara who conducted an exhaustive study on NFT frauds, says a verification badge adds a stamp of authenticity, and a scammer with a verified Twitter profile can attract much stronger attention and have a higher impact. And by targeting the multi-billion-dollar NFT ecosystem, both hackers and buyers or scammers can recoup their costs in a few tweets before account owners initiate the recovery process.

“In a single ordinary NFT scam, it’s very easy for scammers to make hundreds of thousands of dollars,” Haseeb Awan, the founder and CEO of Efani, a secure mobile service provider, tells The Verge. “Even if one attempt is successful out of 10, it’s a lot of money.”

Previously, blue-check Twitter thefts were both rare and coordinated — largely traded on marketplaces like Swapd and Ogu.gg. However, as demand for verified accounts surges for NFT promotions and scams, hackers have taken to more accessible channels like Telegram to reach broader audiences. And the way hackers break in is easier than you’d think.

Most hackers behind blue-check Twitter thefts rely on an attack called “credential stuffing,” as per the conversations The Verge had with many current and former hackers who requested anonymity over fears of pushback in the security community.

In a credential stuffing attack, hackers begin with a vast leaked database of username and password combinations — which no longer are hard to come by, courtesy of the rise of large-scale breaches. The intruder brute-forces the usernames and passwords from the matched credentials on Twitter’s login form and puts the successful hits up for sale in their groups.

When that approach hits a wall, either because the account has two-factor authentication enabled or they haven’t reused the password from a breached account, attackers turn to phishing. As email phishing grows less effective over email, many have moved to trying it on Twitter, repurposing a hacked blue-check account to impersonate Twitter’s Support team.

View Link

A former hacker named “Owen,” who has worked on development for credential-stuffing programs, told The Verge that at any given moment, dozens of verified profiles are compromised and looking for a buyer. In one DM conversation I saw, a prospective buyer said he was looking for someone who has experience stealing NFTs with verified profiles. “I can supply you with roughly 500 ‘verifieds’ within the next month,” he added.

And while individual compromises can be a headache for users like Pearl, it’s remained rare enough that platforms don’t seem troubled by the ongoing trade. Telegram didn’t respond to a request for comment from The Verge.

Twitter’s communications manager, Celeste Carswell, says the social network actively works to educate people about how to avoid scams and locks millions of suspected spam accounts each week. “Unfortunately, scammers have become more sophisticated,” Caldwell told The Verge.

Shortwave just rescued my inbox from the drudgery of Gmail

2022-03-24T06:00:00-04:00

When Google killed its Gmail alternative Inbox in 2018, it promised that several of its ideas would eventually come to Gmail. While some did arrive, most of what made Inbox a success, such as “bundles,” never did. Instead, in the following years, Google has shoehorned its entire productivity suite into Gmail to push people into using the rest of its Workspace services. And it’s about to get worse as Google gears up to roll out a major Gmail update that’s more cluttered than ever.

Gmail’s evolving interface works for those invested in Google’s ecosystem, but it does little to save people from the drudgery of sifting through their messy inboxes every day. It’s easy to see why: it still dumps on you a list of emails with no real structure beyond an unpredictable set of filters for keeping out promotional messages, spam, and social media updates.

The email apps that offer to fix Gmail’s shortcomings have been equally disappointing for me: Newton Mail couldn’t keep an owner, nor my trust. Spark had too many features I didn’t need. Superhuman, a $30 / month email app that wants to make you “feel like you have superpowers,” overpromises and underdelivers. But after years of app hopping, my search for a Google Inbox successor may be finally coming to an end, thanks to a refreshingly minimalistic new Gmail client called Shortwave.

Shortwave is designed by a group of ex-Googlers, including Andrew Lee, who previously founded and sold Firebase, an app development platform, to Google. Shortwave — priced at $9 / month unless you’re OK with only three months of email history — makes no bones about its ambitions to step into Inbox’s shoes. It even looks and works like it with a blue-accented theme, but it’s more than just a clone. It builds upon the effective design choices that powered Inbox with some of its own, and in the two weeks I’ve spent with it, it has made me far more productive at managing my email.

When I fire up Shortwave — available on the web, iOS, and Android — it doesn’t drown me in an avalanche of emails. Instead, the non-essential items, such as updates from social media and automated confirmations like the ones from Amazon, are bundled neatly together, and the threads I labeled previously for, say, a project are sorted in another by default. This all happens within the same inbox, not under various tabs like Gmail, which allows me to keep an eye on it and prevent junk from piling up.

Shortwave’s sample inbox. | Image: Shortwave" data-portal-copyright="Image: Shortwave" />

Because most of my inbox is already organized when I jump into it, there are far fewer emails that demand my immediate attention. It feels like my work has been cut in half: I know the messages under bundles such as “Newsletters” can wait, and I can quickly get to the emails that matter without stressing over the unread count (which doesn’t exist on Shortwave anyway).

Shortwave’s most striking quality for me, however, is how it compelled me to rethink how I tackle my email inbox. Before, I used to dive into it head-on with no plan — handling whatever was at the top first and likely missing what was at the bottom.

Now when I log on, there’s a certain routine to it. I first archive all the junk in one go with the “sweep” button, instantly unclogging my inbox. Next, I check if there are any unread messages in the “Favorites” section, which houses emails from my most frequently contacted people, to know whether I have any updates from my editors and respond to those in case I do, as that’s usually my top priority, and I can now find them without manually going through countless stacks of other messages.

Then I can comfortably triage the rest: I pin the most urgent items to the top of the inbox, snooze what can wait, drag and drop related emails onto each other to throw them in a new bundle I can revisit later. Aside from actually answering my emails, none of it takes me more than a few minutes, and you can do just about everything with keyboard shortcuts.

Shortwave groups routine threads under a single item in your inbox. | Image: Shortwave" data-portal-copyright="Image: Shortwave" />

Like a lot of people, I suffer from an anxious tendency to roll over to my phone and check my emails first thing in the morning, but Shortwave’s Do Not Disturb mode now holds all emails until later and keeps my email-anxious brain in check. The app also lets me cherry-pick the sort of emails I want to be notified of and frees up my notification panel of junk like deals and marketing updates altogether.

And unlike many new email clients, it feels like Shortwave strikes the right balance when it comes to information density. Its interface is just spacious enough that my inbox shows plenty of emails at a time, doesn’t appear as one giant messy glob of text, and is easy to navigate — unlike Inbox’s, whose design was criticized for its low density of information. I also find it much better at laying out busy threads, clearly showing when there’s a new recipient in an email chain or when someone pings me directly instead of everyone by breaking the reply-all into a sub-thread.

To bring these sorts of conveniences to Gmail, I had to trust that Shortwave won’t sell or read my emails, which it technically can do. Though handing reins to my data to new companies has become harder for me to do than ever, Shortwave makes a convincing case. In addition to clear policies that state Shortwave doesn’t monetize personal data, it says it has passed a Google-mandated annual audit — which can cost third parties over $75,000 and involves stress-testing their security protections. It also helps its case that its business model depends on a premium subscription, not on ads or data brokerage.

(Google and the company that did Shortwave’s audit, NCC Group, refused to comment.)

Although Shortwave is now my default inbox, I still have to return to Gmail every once in a while because it can’t schedule emails yet and lacks a few standard folders, such as spam. The absence of a delete option has been a letdown as well. Lee claims all of these are “high on the priority list,” but he can’t comment on when those updates will arrive.

Another thing that could throw a wrench in Shortwave’s experience for me is the startup’s grander ambitions to replace apps like Slack with email. On Shortwave, organizations can create “Workspaces” where employees can chat in real-time as they would on a messaging service. Except in Shortwave’s case, all the messages are emails. At the moment, these enterprise tools live in their separate division and don’t get in the way, but whether that changes (and clutters Shortwave’s clean inbox in the same way Google did with Gmail) remains to be seen.

Shortwave also lets you turn email into chat. | Image: Shortwave" data-portal-copyright="Image: Shortwave" />

I am skeptical of Shortwave’s plan to transform email into the silver bullet for all work communication, but if my squeaky clean inbox is any indication, it can certainly restore a state of calm into your chaotic relationship with emails and patch that Inbox-sized hole in the world.

Shortwave doesn’t attempt to reinvent or complicate email, and its smart inbox is simple and practical. So much so that while using it, all I could wonder was why Google never brought over all of Inbox’s features to Gmail. Many of its features may seem minor additions to Gmail — but put together, they add up to an email experience that’s less frustrating and more functional.

The road to instant groceries is paved with broken bones

2022-02-08T10:00:00-05:00

Mahesh knew he was running out of time. Although he had already spent eight hours darting across the notoriously busy city of Bangalore, India — already driven his two-wheeler 70 miles to deliver half a dozen broccoli, 11 pounds of flour, and more — he needed a few more orders during the dinnertime surge to earn his weekly bonus. Right before he was about to call it a day, however, the 35-year-old met with an accident that’s crippled him for the past seven months and may mean he never delivers again.

Mahesh worked for Instamart, which currently promises to deliver groceries and other daily essentials in 15–30 minutes. It’s part of Swiggy, one of the top two food delivery companies in India. As demand for home grocery and goods delivery spikes in India during the COVID-19 pandemic, nearly a dozen startups have scrambled for ways to one-up each other and capitalize on that demand. Some, like Zepto and Blinkit, now promise to deliver items in just 10 minutes flat. But it’s the gig workers who’ve borne the brunt of these promises with little to no safety net.

Instamart’s weekly bonus — awarded to drivers who make roughly $47 in wages in a week — was the difference between Mahesh living paycheck to paycheck in the city and sending a surplus back to his family in his native village. Since it was the end of the week, the clock was ticking, and over fears of cancellation or, worse, a poor rating from the customer, he rushed to fulfill his last batch of orders.

It was the peak traffic hour, and Bangalore’s pothole-riddled roads, as expected, were jammed bumper to bumper — so much so that two-wheelers often resort to climbing footpaths to circumvent the heavy traffic. The Google Maps screen, which he had to keep an eye on to make sure he follows the route assigned by Swiggy’s algorithms or risk getting penalized, was bleeding red. Because of the Metro rail construction on his right, the road had shrunk to fit just one car at a time.

Mahesh had to squeeze in through the gaps between other vehicles to progress, almost as if he were playing Tetris with his scooter. Once he found a relatively empty street, he sped up on the left side, nearly brushing against a line of parked cars. Suddenly, one of the car’s drivers abruptly opened their door, and at 40 miles per hour, Mahesh crashed into it before he could even react and broke his right leg’s bone.

Though gig workers have become more crucial than ever in lockdowns, their earnings, as well as benefits, have only deteriorated. More importantly, the race to be the quickest has made them even more vulnerable on the road. Every other day in India, there’s news of a delivery worker dying.

Mahesh, who says he joined Swiggy because it offered decent wages without the physical toil of blue-collar industrial jobs, is on bed rest for a year. Though Swiggy covered his initial medical costs, he no longer has a source of income to support his family of four and has fallen into a circle of debt. If and when he returns to work, he won’t have a livelihood either, as he lost his scooter when its loan payments defaulted.

“No scooter, no work. I don’t know how I’ll survive even after my leg recovers to pay back all the money I’ve borrowed from friends and family,” he tells The Verge.

Mahesh isn’t alone. The Verge spoke to over a dozen delivery workers who were injured while working for instant grocery services, many of whom spent months recovering and had to pay out of pocket, receiving little to no help from the companies they worked for.

Few auto drivers helped me to lift him up and we were discussing what happened and stuff. This guy didn't even say a word, he was constantly looking at his wound and his phone.

He was hurt and we wanted to take him to the hospital, but he refused to go with us.
— Rajesh Raghavan (@rajeshraghavan_) October 16, 2021

Bibhu Nandan, a former Swiggy rider, fractured both his arms on the way to a delivery location three months ago while chasing an extra 25 cents per order in the breakfast surge period. Unlike with Mahesh, Swiggy refused to cover Nandan’s medical costs because its system incorrectly showed it happened off duty. On top of that, his phone broke in the accident, and a new one set him back $150 — nearly his entire month’s earnings.

While startups have now begun to offer health insurance, they don’t cover the myriad of other expenses drivers have to struggle with in an accident, including vehicle damages, family support, and, as we saw in Nandan’s case, smartphone payments.

Nandan is now back on his feet, but he has ditched Swiggy for Zomato, another food delivery startup, because it doesn’t promise ever-shorter delivery times. “I’m fine with delivering food, but the pressure of 10-minute deadlines is impossible to handle,” Nandan says. (Swiggy / Instamart doesn’t specifically promise 10-minute deliveries, but others Nandan might have considered do.)

Shaik Salauddin, the head of India’s biggest app-based worker association, the Indian Federation of App-Based Transport Workers, isn’t surprised that instant commerce has caused more road accidents and claims he’s getting more requests for help than ever from injured drivers seeking compensation from startups. Salauddin often tries to force action on an accident case (and sometimes succeeds), either by shaming startups on social media or requesting his sources inside these companies to make reviewing it a priority.

View Link

“With time-based targets, all these startups are putting a time bomb on workers’ heads,” Salauddin tells The Verge.

It’s completely unreasonable to expect humans to deliver groceries in just 10 minutes, Salauddin argues; within minutes, workers have to find parking spaces twice in congested cities — once to pick up, once to drop off — grab and pack bags of items that typically weigh 10-15 kilograms (roughly 20-30 pounds), follow the navigation on their phone while driving a two-wheeler, walk multiple floors to reach the customer’s doorstep (since they’re usually barred from using the resident lift), and more.

“You can’t make promises like that sitting in your air-conditioned offices,” Salauddin added. “There’s no sense of humanity anymore. It’s all profit.”

“Accidents involving delivery workers have at least doubled per week”

Several local traffic police stations The Verge spoke to echoed Salauddin’s fears. “Accidents involving delivery workers have at least doubled per week,” one senior officer told The Verge on the condition of anonymity since they’re not authorized to comment on subjects the government has no official data on, “and although most of them are not fatal, we’re concerned whether this 10-minute trend will escalate these cases.”

Startups like Swiggy and Blinkit, in statements to The Verge, claim that they’re optimizing for speed at their “dark stores” instead of asking workers to drive faster.

Instant delivery platforms are powered by a network of mini warehouses — dubbed “dark stores” because they’re often nameless hole-in-the-walls — where startups stock the most frequently ordered grocery items. The startups explain that if enough such warehouses are available within two kilometers (1.2 miles) of a platform’s most active locations, delivery workers would be able to meet the deadline with time to spare. Blinkit claims its “average distance of delivery in most locations is now under 900 meters” and that it “can pick and pack an average order within 60 seconds.” “Our delivery partners spend way more time at the entry gates and guard posts than they do on the road,” writes Blinkit chief people officer Naina Sahni.

Startups also reject the idea that injuries are common and medical insurance is lacking. “Statistically, in 2021, 98% of the claims were settled within 3 days,” writes Swiggy communications manager Sanjana Shetty. “There have been 7 insurance claims by our partners in the last year. Roughly one claim for every 6 million orders delivered,” writes Blinkit.

But three Blinkit drivers tell The Verge they were unable to get insurance money after their accidents and that the claim process is too complicated for an uneducated workforce. And though startups say they don’t directly incentivize workers to deliver in a specific amount of time, that’s not what workers are hearing.

Saleem, a 21-year-old Blinkit driver from Mumbai, India, was on his way to his first order one Saturday morning. At a crowded traffic signal, Saleem brought his scooter to a halt amid the cacophony of vehicles honking, heat, and smoke, switched off the ignition to save fuel (which eats up 20 percent of his daily earnings), and put his feet down on the ground. As there’s barely any lane discipline in India’s traffic, a noisy public bus was waiting right on Saleem’s shoulder, and as the light turned green, it accelerated. Before he could move out of the way, it had rolled over his foot and dashed off.

Before Saleem could call in for help, he recalled his manager’s warning from an hour ago: “Deliver in 10 or don’t come back.”

“Deliver in 10 or don’t come back.”

Instead of rushing to the hospital, Saleem knew he had to take care of the order or risk a penalty. Despite the excruciating pain, he rang his friend and asked him to deliver the order on his behalf. His next call went to the customer, Geetarani Lourembam, and begged her not to file a complaint about the delay. Loureumban agreed. But by the time Saleem reached the hospital, he realized he didn’t have any money, and Blinkit refused to wire the amount before reviewing the case. With no other options, he called Lourembam again, asking if she could help in any way. To Saleem’s surprise and relief, Lourembam handed his friend some cash for the doctor’s visit.

View Link

“I didn’t need anything urgently, and I told him I don’t care about the order,” Lourembam, who we later learned is someone who fights for human rights at an anti-trafficking NGO, tells The Verge. “It wasn’t like emergency meds. So placing this kind of pressure for groceries is a bit ridiculous because someone’s life is at stake,” she says, recalling the incident.

Saleem, who started delivering food on a bicycle when he was 15 after his parents passed away, says he was lucky and grateful for Lourembam’s support and returned to work after two weeks of bed rest. (There was no lasting injury, but the hospital asked him not to move his feet for 10 days.) But he’s still looking to move away from 10-minute services because, despite assurances, dark stores are still located at least 5–6 miles away from delivery spots — an issue many other delivery workers brought up while speaking with The Verge. “Can we do seven miles in 10 minutes, especially in Mumbai?” he asks me. Mumbai is the second-most congested city in the world.

The dilemma many face, including both riders and customers, is that they no longer have an option. Nandan and Mahesh didn’t sign up for Instamart by choice. They were automatically enrolled in instant deliveries because they worked for Swiggy, and it’s the same at many other delivery startups across India. And even though startups don’t directly incentivize deliveries under 10 minutes, they’re deeply tied into a driver’s earnings, as per conversations The Verge had with drivers and investigations conducted by independent agencies like the Oxford Internet Institute’s Fairwork.

To earn their bonus, for instance, drivers are required to deliver dozens of orders in a day within the deadline. Instead of raising the base pay, startups run “peak hours” windows around mealtimes, where drivers rush to earn the extra money available during those brief periods. The delivery apps dole out periodic rewards and incentives based on a driver’s ratings and performance as well, like monetary bonuses and branded merchandise.

Kaveri Medappa, a University of Sussex researcher who’s studying India’s gig labor, believes startups are “gamifying” aspects of workers’ livelihood by orienting much of their earnings around incentives and offers (such as the substantial bonus that drove Mahesh to break his leg). The strict time limitations, she adds, increase the chances of lower ratings and insecurities among drivers. “All this ultimately pushes workers to work under more stress and in constant hurry,” Medappa tells The Verge.

Instant deliveries are making headway across the world as new startups enter the space in droves. In New York City alone, there are now more than half a dozen startups promising grocery deliveries in 15 minutes or less, including DoorDash, Gorillas, Getir, Buyk, Jokr, Gopuff, 1520, and Fridge No More. UberEats is experimenting with a similar model in Paris. Gorillas, in particular, seems to be going broad; the German startup now offers 10-minute deliveries in 60 cities and has reportedly fired dozens of workers for striking over pay and working conditions.

However, India, where two-wheeler crash deaths have doubled in the last few years and which has some of the most congested cities in the world, has accelerated and highlighted the concept’s potentially deadly consequences. It offers a glimpse into what’s possibly to come for other countries as startups race to expand speedy deliveries in more crowded cities. And it will only get worse as quick commerce — the “delivery of consumables” within 45 minutes — is expected to grow by 10–15x in the next five years in just India alone.

India’s gig workers, however, aren’t ready to settle and walk out from an industry they helped build yet. In the last couple of months, startups in India have faced an unprecedented uprising from their gig workers. With anonymous Twitter accounts, in-person protests, and mass walk-outs, delivery riders are holding startups accountable and demanding a better system. And after complaints, India’s advertising standards body is questioning Zepto about whether its ads promote dangerous driving.

For people like Salauddin, who has filed a plea for gig workers’ social security benefits with the country’s highest court, the fight has only just begun.

Correction February 9th, 3:17PM ET: This story originally stated a backlash forced Swiggy into announcing two-day period leaves for women. However, the public debate around period leaves actually occurred after India’s delivery companies introduced them. We regret the error.