was successfully added to your cart.

Will the Real Matt Refghi Please Stand Up?

By July 29, 2011 April 16th, 2014 Personal Stories

Back in mid 2009, I discovered an unexpected shipping confirmation in my e-mail inbox. It was sent from my cellphone service provider, and was letting me know that the iPhone I ordered had been sent out to me. Thing is, I never ordered an iPhone, and though the confirmation showed my name, it was being shipped to another address, and was associated with another phone number. It didn’t take long for me to realize that this was identity theft.

Photo by Ken Banks, kiwanja.net.

I immediately called my provider, and realized that I would likely have problems authenticating with them. You see, the provider usually asked for two key items whenever I called: birth date, and postal code. Anticipating this, I first told the agent the situation, and he confirmed that the address and contact information on my account had been changed. Since I had the thief’s information as well, I was able to prove that I was legitimate, and the agent told me I’d have to call the fraud department, which was currently closed.

As a next step, I returned to the confirmation e-mail, and took note of the shipping information in there. It was being shipped by one specific package delivery company, and I had a tracking number. Seeing as it was late, I couldn’t call their hotline for help. Instead, I went ahead and sent an e-mail to their support, warning them that the package should not be delivered, as it was fraudulent. I realized that I would likely not hear back from them that night, but at least I knew I did something while waiting for the hotline to open the next morning.

The next day, I called my cell phone provider first, and spoke with their fraud department. From what they could tell, the thief simply managed to authenticate as me, providing my birth date and postal code. He then had them change the address and phone number on my account, likely after telling them he had moved. As a means of protecting my account from further break-ins, the provider offered to set up a password. I naturally agreed to this, but wondered why it wasn’t active by default.

Next in line was the delivery company, which I managed to reach by phone. The agent mentioned that the package was already in transit, and that she would notify the driver to abort the delivery. She seemed fairly confident that this would occur, so I was in a good position by the end of the call. Keep in mind, though, that I probably didn’t need to worry about the delivery, as the provider likely had insurance for such situations. My pursuit, at that point, was mainly for personal reasons – if I could stop the thief from succeeding, I would be much more satisfied.

Photo by KDavidClark.

Soon after completing the calls, I arrived at work, and told my boss the story. He naturally allowed me to deal with it from the office, rather than work. Since I had spoken to the delivery company and my cell phone provider, the next step was to call the police. I explained my story, and the officer told me someone would call me back to discuss it further. In the meantime, her advice was that I should activate a fraud alert on my credit line, which I went ahead and did immediately after the call. The alert would prevent anything from being charged to my name, effectively making a social security number a requirement in all large credit purchases. After activating the alerts, I went back to my desk, and tried to piece together how exactly I had been compromised. Within a few minutes, I had my answer.

To find my postal code, the thief probably just ran a WHOIS against my domain. At the time, I had multiple domains, and each one had been registered using my full name, address, and phone number. Domain registrations are public records, and though it’s a security concern, the contact information is needed to prove ownership. While this isn’t immediately visible to everyone, with the right tools, one can access that information. As an example, visit this website, and enter “microsoft.com” in the WHOIS box. Press “WHOIS >>” when ready, and then scroll down to see the registration information. There are hosts that offer private registration, usually for an additional fee, but at the time, my host didn’t have the option.

Now, on the other hand, my birth date was a little less straight-forward. It was a coworker who initially found that my Amazon wishlist was available to the public, and it revealed my birth day and month. While the year wasn’t actually revealed, there are many sites where my current age is displayed. With that, the year can be deduced, and there you have it – the date of my birth, cracked.

With the security holes revealed, I decided to correct the easiest one – I disabled my Amazon wishlist. The domain problem would have to be addressed later, as it would likely require changing hosts, which was not a quick task. My next goal was to find out as much as I could about the thief, as I had his address and phone number. After some googling, I located the Facebook profile of the supposed culprit, which of course included his name. Unfortunately, I couldn’t determine if he was the actual thief, or a scapegoat, so I couldn’t act on this knowledge. The actual thief could simply have given that address with the intention of being there just in time to grab the delivery. So, instead of acting on it, I took notes, and awaited the police phone call.

Photo by Tim Pierce.

A few minutes later, I got word from the delivery company – they had successfully blocked the package, and it was being returned to the sender. With this news, I knew that I had blocked the thief – it was now simply a matter of bringing down the hammer of justice. Soon after, the police called back, and I explained my story once more. To my surprise, I was told that there was nothing they could do to locate the individual, despite the information I had collected. Apparently, the scam was fairly common, and the person doing it was most likely not the one at the address. The officer then explained that it would have been a different story if I hadn’t successfully blocked the delivery. Even then, I was told it would have taken the police department ONE YEAR to investigate such a theft. I left the call feeling less respect for the police, and seriously considered taking a vigilante approach.

Despite my disappointment in the police, the problem had been mostly resolved. I successfully prevented the thief from getting anything, and my accounts were now all protected. I had called all companies I did business with, and had them activate all optional security measures.

Two weeks after the incident, I received yet another e-mail, notifying me that my password had been reset on my account. I once again called my cellphone provider’s fraud department, and they helped me piece together what happened. The thief probably noticed he hadn’t received the iPhone, and tried to get that corrected by going to a store in person. When he couldn’t figure out the password that was being asked of him, he likely claimed he had forgotten it, and had the agent reset it. Since my account had the correct contact information, the new password was sent to my e-mail address. Since he couldn’t get into the account, and couldn’t check my e-mail, he was officially stuck, and the conflict finally came to an end…. I had won.

However stressful, the whole experience proved instrumental in improving my security on the web. No longer could I just casually open accounts everywhere, worry-free. I now had to be very conscious of how websites intended to use my data, otherwise, I could be leaving bits of information for thieves to exploit. I once wrote an article that explains how I would google my own e-mail address to see if it was visible to spammers. Well, the same approach can be used for other things – you can google your name, address, phone number, and see if it is exposed anywhere. Keeping in mind, of course, that after searching for anything sensitive, you should probably wipe your browser history, as well as your Google Web History, if you have that activated.

Beyond making sure that websites don’t expose too much information about me, I also try to avoid being specific in my posts. You likely noticed that I never mentioned who my cellphone provider was, and who the package delivery company was. I do this to make sure I’m not giving away details that can be used against me. I also exclude certain facts from my posts so that if my identity is ever in question, I have unique information that can set me apart from the thief. I do something similar with the images that I upload to this blog – if I spot anything even remotely sensitive, I’ll cover it up.

So, that’s my story, folks – hopefully my experience will prove useful in preventing similar attempts on others.