1279: Reverse Identity Theft

Explain xkcd: It's 'cause you're dumb.
Jump to: navigation, search
Reverse Identity Theft
I asked a few friends whether they'd had this happen, then looked up the popularity of their initials/names over time. Based on those numbers, it looks like there must be at least 750,000 people in the US alone who think 'Sure, that's probably my email address' on a regular basis.
Title text: I asked a few friends whether they'd had this happen, then looked up the popularity of their initials/names over time. Based on those numbers, it looks like there must be at least 750,000 people in the US alone who think 'Sure, that's probably my email address' on a regular basis.


Identity theft is the criminal method of assuming the identity of an unsuspecting person, usually to get credit in their name. While this is done deliberately, the comic introduces the idea of reverse identity theft: An older person with little knowledge of computers involuntarily uses another person's email address because they supposed it to be their own. Since most email addresses follow a generic pattern, they simply adapt the pattern to conform with their own name, unaware that someone with the same initial and last name already owns the address.

Most internet users face at some point the message that their desired email address is "already taken". Because email addresses must be unique and only a limited set of characters is allowed, people with common names usually add numbers to their name. The comic suggests that elder people might easily forget that they had to take, for instance, [email protected] when they signed up. Instead, the person would tell everyone that their address was [email protected], since that follows the generic pattern and is the most intuitive assumption for them. They are in complete ignorance that the address belongs, in fact, to whomever claimed it first. In this case, the address belongs to Randall himself. (In case you're wondering, yes, [email protected] is Randall's email according to the xkcd blag.)

The comic has Cueball call an older person, who apparently gave Cueball's email address to the phone company, which now emails Cueball the bills - this could have been avoided if said company confirmed an email address first. The person is not able to understand why this is not their email address (as it corresponds with their name) and is also very confused how Cueball got their phone number. The latter reveals a major problem of reverse identity theft: Using another person's email address for your own business matters exposes your own identity. The owner of the address could easily take advantage of the situation, leading to a scenario of regular identity theft. Fortunately, Cueball seems to be more honest; Black Hat probably would not have given any warning.

Due to the sheer mass of people online, nearly all simple nicknames are already taken; and the number of possible combinations is further diminished by services (e.g., Gmail) which ignore the dot sign altogether and does not allow the use of hyphens or underscores. This policy is designed to prevent fraud, but it forces users to add numbers or other unique identifiers to their names. Apart from the scenario addressed in the comic, another subsequent problem is the use of wrong email addresses by third parties. Someone sending sensitive personal information to the wrong recipient can just as easily expose a person's identity as the person himself.

In the end, there is no practical solution to the problems arising from the uniqueness of usernames and email addresses. Instead, it is simply the consequence of naming itself: While a name was originally intended to distinguish its bearer from a limited number of people (e.g. the rest of the village), the Internet makes it necessary to distinguish ourselves from the entire rest of the world (or at least everybody online).

Note that Gmail ignores everything behind a plus sign. Like ignoring dots, this is used as a way to create email aliases. The plus sign in the formula used in the comic should therefore considered to be only an indicator for concatenation, not a literal character in the address.


If your email address is [First initial]+[Last name]@gmail.com you gradually get to know lots of older people who have the same name pattern
Cueball: Yes, I know it would make sense if that were your email address, but it's not.
Person on the phone: But how did you get my number?
Cueball: Your phone bill.

comment.png add a comment! ⋅ comment.png add a topic (use sparingly)! ⋅ Icons-mini-action refresh blue.gif refresh comments!


My first attempt at an explanation. I have actually received emails designed for someone else because we had the same name and the sender missed a crucial difference between my email address and the intended recipient. Grahame (talk) 05:39, 18 October 2013 (UTC)Grahame

This must be the one of the few times where we have such an well written and complete explanation this early in the day -- well done Spongebog (talk)
Thank you, but all of what I said has been removed, and the new explanation does make more sense! Or at least the bits of it that are relevant.  ;-) Grahame (talk) 00:51, 22 October 2013 (UTC)Grahame

There once was an article that the security feature that [email protected], [email protected] and [email protected] are the same to gmail, but not to netflix could be used for off-loading your bill to a different gmail user. But I don't remember the details on how that worked. Gunterkoenigsmann (talk) 21:22, 15 February 2020 (UTC)

AFAIK if you have adress [email protected], then gmail delivers all mails in shape [email protected] to your box. So the trick is to make address like [email protected], then heavily use [email protected] to the point, that other people catch up an for example Joe Smith instead correct [email protected] will write [email protected] - which would end in your mailbox then. (talk) (please sign your comments with ~~~~)

Good explanation, except gmail only allowes usernames between 6 and 30 characters (and doesn't allow + in username). I would assume that this was true even before this strip and it's not so hard to verify, so Randal probably speaks about addresses like [email protected] being mistakenly used by other Joe Smiths. -- Hkmaly (talk) 08:55, 18 October 2013 (UTC)

I don't get this. When you're creating an account, every e-mail service provider checks to see if the username is available, and only lets you create an account if your username's unique. This kind of issue can happen if you then go around and enter a wrong e-mail ID whenever you sign up for something, or if the company automatically assumes an e-mail ID without asking you (I don't think the latter happens). It shouldn't matter if a provider (GMail for instance) ignores everything after a certain character (+) while determining recepient, or even if it ignores an entire character (.) - all this should've been taken care of when you signed up in the first place. 08:50, 18 October 2013 (UTC)

Exactly, it's about entering wrong e-mail ID. -- Hkmaly (talk) 08:55, 18 October 2013 (UTC)

I'm pretty sure the "+" in the comic refers to a simple concatenation of first initial and last name (e.g., [email protected]), not a literal + character (as in [email protected]). 09:04, 18 October 2013 (UTC)

No, because then it should be [First initial][Last name]@gmail.com instead of [First initial]+[Last name]@gmail.com.--Dgbrt (talk) 10:20, 18 October 2013 (UTC)
Taking the plus sign as a literal character does not make very much sense. GMail would ignore [Last name] behind it and deliver the message to [First initial]@gmail.com, which is no valid address at all due to the limit of 6 characters. Also, it is fairly uncommon to use a plus sign in an email address, and the joke of the comic relies on the pattern being generic. LotharW (talk) 11:28, 18 October 2013 (UTC)

The point of the comic is that old people forget their email address and regularly give other people the wrong email address. So when they register for something, like online notifications of a phone bill, Joe Smith puts down [email protected] even though his email address is a different variation on that.

Some of them might not even have an email address. They might easily believe that email addresses are assigned automatically, somewhat like street addresses or telephone numbers. Which is not so very far-fetched, since in the early days of the Internet your provider gave you an email address when you signed up for an Internet connection. Many might also think that an email address is reserved for the person with the corresponding name, instead of their having to claim it. LotharW (talk) 12:17, 18 October 2013 (UTC)
I can definitely tell you as the owner of a common-pattern email address: it's not just old people. I've had bank statements, insults, and declarations of love, thrown at me that were definitely intended for someone half my age. 18:37, 21 October 2013 (UTC)

[First Initial]+[Last Name] is the same as [ FIailnrst]+[ LNaemst]. Then he is clearly referring to names such as IrinaN or FanniL. Xhfz (talk) 13:24, 18 October 2013 (UTC) This is a joke, and the plus sign means concatenation.

I don't get it. How is [First Initial]+[Last Name] the same as [ FIailnrst]+[ LNaemst]? That isn't concatenation, it is scrambling. ~~~~ -- Stilbene (talk) (please sign your comments with ~~~~)
Regular Expressions character classes (talk) (please sign your comments with ~~~~)

The plus sign is clearly an indication of concatenation and not meant as a literal character. 14:29, 18 October 2013 (UTC)

This sentence is false, and I deleted it:

The problem is intensified by the fact that providers like Google Mail, which has become synonymous with email services, regard certain alterations as variations of the same address. For example, Google Mail ignores the dot character and does not allow hyphens and underscores, although they are valid characters for email addresses. Ironically, these restrictions are supposed to prevent fraud, but instead lead to problems like the one described in the comic.

If the addresses [email protected], [email protected], [email protected] and [email protected] belonged to different persons the problem exposed in the comic would be increased, not decreased. Xhfz (talk) 15:04, 18 October 2013 (UTC)

You should consider the context: The sentence you deleted appeared after
Most internet users face at some point the message that their desired email address is "already taken". [...]
And that problem is made worse by not allowing any variation in the address. LotharW (talk) 16:56, 18 October 2013 (UTC)
Small variations in the address lead to reverse identity theft. If the address [email protected] belonged to John Smith and [email protected] belonged to Jane Smith, the probability that John gets emails directed to Jane and viceversa increases. Xhfz (talk) 21:14, 22 October 2013 (UTC)

The second scenario presented in the explanation has nothing to do with reverse identity theft. The idea is that the victim is exposing their own identity by assuming someone else's address. A third party sending emails to the wrong recipient (thus exposing the victim) is very unfortunate, but there is nothing reverse about it. LotharW (talk) 17:06, 18 October 2013 (UTC)

I think the "reverse" nature is that instead of the THEIF going out and hacking the VICTIM'S email to learn their identity and steal information, the VICTIM is the one delivering the information to the THEIF'S email account. 14:08, 21 October 2013 (UTC)

It's worth noting that the name "Randall" peaked in popularity in the 1950s, so most people with that name are older than Randall Munroe. This isn't just an "old person" thing. My name peaked in popularity in the 80s and 90s, so I get a lot of people in their 20s and 30s signing up for stuff with my e-mail address. (talk) (please sign your comments with ~~~~)

I can't imagine how morbidly funny it would be if someone named Edward Coli did this. ~Cye from #team cyeborg

As I'm passing, a true story. My Mum had been piggybacking on the family home's sole email of <firstname><lastname>@<isp>.<tld> that was set up by Dad, in various online interest-groups she gradually got involved in over the years. He died a few years ago and she decided she finally wanted her own address (apart from everything else, Dad's address was being spammed quite a bit, so keeping it for checking at leisure for real 'legacy' communications but otherwise getting a clean sheet and telling regular contacts to slightly change their addressbook entry for her made a lot of sense), so tried adding <hername><lastname>@... on the same ISP. Found that already taken! Despite a quite rare surname and though a major ISP, hardly gmail.com in reach. Compromised with some semi-random digits. Shortly afterwards, I went with her to get a new washing machine, and she all too easily succumbed to the salesperson's request for her email, and I wasn't quick enough to politely stop her. But I waited until we left the shop to tell her a) She probably shouldn't have, as it would mostly mean more spam, and b) it was ok, as she'd given the <hername><lastname>@... one. Nothing important would get sent there, and we wouldn't be seeing it anyway! 01:51, 1 February 2022 (UTC)