Photo by Ken Banks, kiwanja.net.

I immediately called my provider, and realized that I would likely have problems authenticating with them. You see, the provider usually asked for two key items whenever I called: birth date, and postal code. Anticipating this, I first told the agent the situation, and he confirmed that the address and contact information on my account had been changed. Since I had the thief’s information as well, I was able to prove that I was legitimate, and the agent told me I’d have to call the fraud department, which was currently closed.

As a next step, I returned to the confirmation e-mail, and took note of the shipping information in there. It was being shipped by one specific package delivery company, and I had a tracking number. Seeing as it was late, I couldn’t call their hotline for help. Instead, I went ahead and sent an e-mail to their support, warning them that the package should not be delivered, as it was fraudulent. I realized that I would likely not hear back from them that night, but at least I knew I did something while waiting for the hotline to open the next morning.

The next day, I called my cell phone provider first, and spoke with their fraud department. From what they could tell, the thief simply managed to authenticate as me, providing my birth date and postal code. He then had them change the address and phone number on my account, likely after telling them he had moved. As a means of protecting my account from further break-ins, the provider offered to set up a password. I naturally agreed to this, but wondered why it wasn’t active by default.

Next in line was the delivery company, which I managed to reach by phone. The agent mentioned that the package was already in transit, and that she would notify the driver to abort the delivery. She seemed fairly confident that this would occur, so I was in a good position by the end of the call. Keep in mind, though, that I probably didn’t need to worry about the delivery, as the provider likely had insurance for such situations. My pursuit, at that point, was mainly for personal reasons – if I could stop the thief from succeeding, I would be much more satisfied.

Photo by KDavidClark.

Soon after completing the calls, I arrived at work, and told my boss the story. He naturally allowed me to deal with it from the office, rather than work. Since I had spoken to the delivery company and my cell phone provider, the next step was to call the police. I explained my story, and the officer told me someone would call me back to discuss it further. In the meantime, her advice was that I should activate a fraud alert on my credit line, which I went ahead and did immediately after the call. The alert would prevent anything from being charged to my name, effectively making a social security number a requirement in all large credit purchases. After activating the alerts, I went back to my desk, and tried to piece together how exactly I had been compromised. Within a few minutes, I had my answer.

To find my postal code, the thief probably just ran a WHOIS against my domain. At the time, I had multiple domains, and each one had been registered using my full name, address, and phone number. Domain registrations are public records, and though it’s a security concern, the contact information is needed to prove ownership. While this isn’t immediately visible to everyone, with the right tools, one can access that information. As an example, visit this website, and enter “microsoft.com” in the WHOIS box. Press “WHOIS >>” when ready, and then scroll down to see the registration information. There are hosts that offer private registration, usually for an additional fee, but at the time, my host didn’t have the option.

Now, on the other hand, my birth date was a little less straight-forward. It was a coworker who initially found that my Amazon wishlist was available to the public, and it revealed my birth day and month. While the year wasn’t actually revealed, there are many sites where my current age is displayed. With that, the year can be deduced, and there you have it – the date of my birth, cracked.

With the security holes revealed, I decided to correct the easiest one – I disabled my Amazon wishlist. The domain problem would have to be addressed later, as it would likely require changing hosts, which was not a quick task. My next goal was to find out as much as I could about the thief, as I had his address and phone number. After some googling, I located the Facebook profile of the supposed culprit, which of course included his name. Unfortunately, I couldn’t determine if he was the actual thief, or a scapegoat, so I couldn’t act on this knowledge. The actual thief could simply have given that address with the intention of being there just in time to grab the delivery. So, instead of acting on it, I took notes, and awaited the police phone call.

Photo by Tim Pierce.

A few minutes later, I got word from the delivery company – they had successfully blocked the package, and it was being returned to the sender. With this news, I knew that I had blocked the thief – it was now simply a matter of bringing down the hammer of justice. Soon after, the police called back, and I explained my story once more. To my surprise, I was told that there was nothing they could do to locate the individual, despite the information I had collected. Apparently, the scam was fairly common, and the person doing it was most likely not the one at the address. The officer then explained that it would have been a different story if I hadn’t successfully blocked the delivery. Even then, I was told it would have taken the police department ONE YEAR to investigate such a theft. I left the call feeling less respect for the police, and seriously considered taking a vigilante approach.

Despite my disappointment in the police, the problem had been mostly resolved. I successfully prevented the thief from getting anything, and my accounts were now all protected. I had called all companies I did business with, and had them activate all optional security measures.

Two weeks after the incident, I received yet another e-mail, notifying me that my password had been reset on my account. I once again called my cellphone provider’s fraud department, and they helped me piece together what happened. The thief probably noticed he hadn’t received the iPhone, and tried to get that corrected by going to a store in person. When he couldn’t figure out the password that was being asked of him, he likely claimed he had forgotten it, and had the agent reset it. Since my account had the correct contact information, the new password was sent to my e-mail address. Since he couldn’t get into the account, and couldn’t check my e-mail, he was officially stuck, and the conflict finally came to an end…. I had won.

However stressful, the whole experience proved instrumental in improving my security on the web. No longer could I just casually open accounts everywhere, worry-free. I now had to be very conscious of how websites intended to use my data, otherwise, I could be leaving bits of information for thieves to exploit. I once wrote an article that explains how I would google my own e-mail address to see if it was visible to spammers. Well, the same approach can be used for other things – you can google your name, address, phone number, and see if it is exposed anywhere. Keeping in mind, of course, that after searching for anything sensitive, you should probably wipe your browser history, as well as your Google Web History, if you have that activated.

Beyond making sure that websites don’t expose too much information about me, I also try to avoid being specific in my posts. You likely noticed that I never mentioned who my cellphone provider was, and who the package delivery company was. I do this to make sure I’m not giving away details that can be used against me. I also exclude certain facts from my posts so that if my identity is ever in question, I have unique information that can set me apart from the thief. I do something similar with the images that I upload to this blog – if I spot anything even remotely sensitive, I’ll cover it up.

So, that’s my story, folks – hopefully my experience will prove useful in preventing similar attempts on others.

Photo by bpsusf

The first situation I’m going to describe revolves around the handle. When creating gaming handles, I now know to exercise caution, as the name may be seen in a context that isn’t… appropriate. I have personally experienced this before, and it is both and amusing and troubling tale. At one point in my life, I went in for an internship interview, and when the interviewer arrived, he pulled up the electronic version of my resume on his laptop. I couldn’t see his screen, but after a few moments, he looked up, and said: “ToadLurker?” It took me a couple seconds to realize that yes, I heard correctly. ToadLurker was my gaming handle, but I didn’t understand how it had anything to do with my resume. I confirmed the name as my own, and asked him where he saw it. It seems the file’s properties actually contained the author name, which, by default, seemed to be related to the Windows logon name. This is where I learned a very valuable lesson – despite the gaming, your Windows account should always be based on your real name. Also, the handle should be something that you can show to an employer without being embarrassed. Certainly not something that you’ll want to do, but I feel it to be a good rule of thumb.

Photo by Umberto Salvagnin

Similarly, it is important to resist the temptation of using gaming handles as usernames for non-gaming websites. Recently, as I was using a finance-related website, I realized that I could not remember my username. I had to call their support line, and the agent eventually told me my username: ToadLurker. Registering with that username was obviously a mistake (rarely use it -hence why I couldn’t remember), but it was pretty awkward to hear that on the phone, and have to acknowledge that it was, in fact, your username. You’re also probably wondering what ToadLurker is, and to me, that’s the amusing part. To a random person, it doesn’t sound very good – it almost sounds like ToadLicker, suggesting I like to lick psychoactive toads to get high. Even if they don’t think this, the word “lurker” doesn’t really inspire trust in anyone.

Along the same line, by the way, don’t register on websites using an e-mail address that is too embarassing to show to a potential employer. I used to live with a guy that had an e-mail called operationpimp@providerhere.com. Just keeping that e-mail address around is a risk to his reputation… what if it accidentally was seen by an employer? I used to have a good laugh imagining what would happen if he actually sent his resumes using that address.

Finally, to put an end to your wondering, I’ll explain how I came to adopt ToadLurker as my gaming handle. It goes back to my earlier gaming years, where I played Starcraft, a real-time strategy game, most of all. I really liked one particular unit, called a Lurker. Lurkers burrowed into the ground, and stayed there, awaiting enemy units. When enemies would walk near burrowed Lurkers, they would be immediately attacked by spines that pierced through the ground. The Lurkers themselves remain burrowed, making them great ambushers. I always liked that concept, so it found a way into my gaming handle.

Photo by Chase N

The Toad portion actually started at SOAD, which is an acronym for System of a Down, a band I listened to at the time. SoadLurker was therefore my first draft, and I kept it for a while. A few years later, I began playing Battlefield 1942 with a clan, regularly. During one of our league matches, a shoutcaster decided to broadcast our match. He was essentially watching the match, and behaving as a regular sports commentator would. After the match, the team got together on an audio chat program, and listened to the shoutcast together. At one point during the match, the shoutcaster noticed me doing something in the game world, and tried to pronounce SoadLurker a few times, with little success. He decided it was too hard to read, so he asked his wife what she thought. Her suggestion was to just call me “Toad”, as it was simpler. Upon hearing that, the team had a good laugh, and I decided that yeah, why not call myself Toad?

That was, of course, a very long time ago. At this point in my life, I’m very supportive of the idea of using real names as gaming handles. They’re much less likely to lead to awkward situations like the ones I have experienced.

SSL (Secure Sockets Layer) is a protocol that helps provide secure Internet communications for services like web browsing, e-mail, instant messaging, and other data transfers. When you search over SSL, your search queries and search traffic are encrypted so they can’t be read by any intermediary party such as employers and internet service providers (ISPs).

Source: Google SSL Search Help

So, put simply, the announcement was great news for privacy and security enthusiasts everywhere. As one of these enthusiasts, I immediately switched to Google’s SSL search for all my web search needs. Sure, there were some drawbacks to switching – namely, a loss in performance – but in my mind, I rather wait a little longer, knowing I have increased security.  So, as a first step, I switched my homepage in Google Chrome. This was pretty straight forward, I simply had to press the Wrench icon, and then select Options.

The next step was to change the search provider – in Google Chrome, this is crucial – since it relies so heavily on one smart search/address bar. When I went to do that, I instinctively selected the existing search engine I was using: Google Canada, and attempted to edit it. Unfortunately, the URL field was grayed out, preventing me from making changes to the URL pattern.

I then figured out that some of these providers are built-in, and can’t be edited. You have to manually add a new search engine, which allows you to define all fields. Here’s what I entered for each field:

• Name: Google HTTPS
• Keyword: g
• URL: https://encrypted.google.com/search?hl=en&q=%s

Once I selected the new engine as my as the default, I was ready to go. Google’s SSL search was my homepage, and my default search engine. Yet, I still had some flexibility: I chose keywords that would allow me to easily switch between engines. For example, by typing:

gc wikipedia ducks

Chrome understands that I want to search using Google Canada:

This allowed me to have a secure search engine by default, all the while making it easy for me to use others on-the-fly.

Despite Firefox dropping to #2 in my list, I still use it regularly for web development. They have plenty of extensions to keep me coming back: Firebug, Web Developer, ColorZilla, HTML Validator, and… well, NoScript. All of those extensions are excellent; however, NoScript sometimes irritates me.

NoScript Firefox extension provides extra protection for Firefox, Flock, Seamonkey and other mozilla-based browsers: this free, open source add-on allows JavaScript, Java and Flash and other plugins to be executed only by trusted web sites of your choice (e.g. your online bank), and provides the most powerful Anti-XSS protection available in a browser.

NoScript’s unique whitelist based pre-emptive script blocking approach prevents exploitation of security vulnerabilities (known and even not known yet!) with no loss of functionality…

Certainly sounds great – and it works very well too. I really get a sense of safety in knowing I can selectively enable specific elements on webpages, blocking everything else by default. The functionality they offer is great. The problem I have is more with the developers, not the extension. You see, here’s the problem: NoScript is regularly updated, so you’re very likely to see this on a regular basis:

Kind of annoying, but by itself, not a deal breaker. After an restarting Firefox due to the update, I’m immediately greeted by the following page:

Let me state this very clearly: Every time I update NoScript, I’m thrown to that page. Ugh.  Sure, they show me the change log, news, and more – but they also show me ads… a lot of them. Let’s start by looking at how much of the site is devoted to ads. I’ll highlight pure advertisements in red, affiliations in pink, and donation controls in orange:

That’s quite a lot of advertising on the main page… and it is above the fold of the page. It’s not the worst I’ve ever seen, but it is still a significant assault on my eyes. I won’t show you screenshots of what the rest of the page looks like, but trust me – it follows the same trend. If you’d like to see it all, you can visit it here. That said, I get the whole “we’re starving programmers and we need the money” thing, but I expect a certain amount of elegance in pursuing revenue. Considering their previous shady practices, though, I’m not entirely surprised.

Another aspect of their advertising that particularly bothers me is how they claim to be “your friendly web cop”, keeping you safe, and yet, they are suggesting software that they probably never even tried. I’m particularly referring to the “PC slowing you down? Free scan” and “Top tip! Click here to check if your drivers are up-to-date!” ads. I would never click on those things… but I know some people that might, especially if they are shown on a security-related site. At first glance, even I have to ask myself if it is an ad – it almost looks like it could be another software offering from the same company. Things like that really make me want to start using AdBlock Plus again… and that’s not cool, since I am a web developer myself.

Overall, if their site was more tastefully presented, and the ads were more respectful in number and placement, I’d have less of a problem with them showing me their page every time I update. In its current state, it is just so obvious to me that they are money-hungry – to the point where they put little thought behind the resulting user experience.  Even with that aspect improved,  a pretty page could still be an annoyance if you are automatically thrown to it once a week. Thankfully, the NoScript guys have a way for you to disable the feature. Hurrah!

Solution

With the latest version of NoScript installed (In my case, 1.9.9.15):

1) Right-click the NoScript icon, and select Options.

2) Click the “Notifications” tab.

3) Find the checkbox titled “Display the release notes on updates”, and uncheck it.

4) Click “OK”.

That’s it! The NoScript page should no longer be force-fed to you after every update. Take a moment to truly enjoy that fact.

If you’re ever wondering about what they added in a particular update, you can check the update-specific release notes from within Firefox itself. In the Add-ons Manager, click the “Updates” tab, select the NoScript update, and click the “Show Information” button at the bottom of the dialog. Once clicked, you’ll see additional information about the update:

Now… remind me, NoScript developers, why I need to see your homepage every time you release a new minor version? For the sake of your advertising revenue, perhaps?