September 26, 2016

Helping PR pros make smarter decisions

Chats with Chip: Doug Haslam on Social Identity Theft

Chats with Chip: Doug Haslam on Social Identity Theft

On the latest episode of Chats with Chip, I am joined byDoug Haslam of Stone Temple Consulting who discusses his firsthand experience with social identity theft.

Have you ever thought about what it might be like to lose control of your social network accounts to a hacker or miscreant? Do you know what it takes to regain control of something that you have spent years building?

Doug’s experience has some important lessons for all of us.

*** UNVERIFIED TRANSCRIPT ***

Please review the audio before quoting to confirm accuracy of this unverified transcript.

Chip G: Hi, this is Chip Griffin and welcome to another episode of Chats with Chip. My guest today is Doug Haslam. He is a senior consultant with Stone Temple Consulting, welcome Doug.

 

Doug H: Welcome to me, thanks for having me. It’s a pleasure beyond this. I have been on your other podcast several times, but this is my first Chat with Chip.

 

Chip G: This is an opportunity to talk about your identity or in this particular case, how your social identity was stolen. You wrote a nice post about it. Obviously, it was a miserable experience to go through and so I thought I would torture you by making you discuss it yet again.

 

Doug H: Oh, how do you know this is really me?

 

Chip G: Well, I don’t, but I think I have talked to you enough that I recognize your voice and you did come up on Skype when I went with Doug Haslam. Well, I guess that’s not proven, right? Because it could be that someone stole your Skype account as well. In all seriousness, for those listeners who may not be familiar with the whole saga, could you give us a snippet of what happened?

 

Doug H: Sure. Just to start from the beginning, which is always the best place to start, I was actually packing up to go home from work. I actually had ridden my bike that day and I noticed on my computer that my personal Google account had an alert saying I needed to log back in again and I was like, “Well, I’m not dealing with this right now. I’m getting on my bike. I would just log back in when I get home and see what’s the trouble.” I get home and I found that my wife had gotten a call from our cellular provider, which she didn’t pick up because …

 

Chip G: Right, who does that, right?

 

Doug H: But what it turned out is they were trying to confirm switching my phone number to another phone and when this family member did not pick up, the cellular provider just went ahead and made the switch anyway, even though the person clearly did not have my four digit code that they usually require. But the person did have my Social Security number and was able to switch my phone number to another phone and in the few hours that he had it, I was able to get my phone number back to my phone.

 

The Verizon folks, they were pretty quick about it, but he did have it for a few hours and was able to switch my Google account and so controlled my email. Now I had to control my email on my phone number that was attached to many of my accounts and then swiped my Twitter account as well. I did not have either of those.

 

Chip G: I find that kind of disturbing. I’m sure you do, too, that your cellular provider switched over, even though they called to check and did not get approval. It seems like an odd process to call for approval and then when you don’t get an answer you just say, “Well OK, we will allow it then.”

 

Doug H: Yes. I got to think it was a breakdown in the process that a customer service rep basically did not follow protocol because if you don’t have this four digit code that everyone needs to … Basically, the pin number that the social security number really should not be sufficient to go through and I can’t imagine what else this person had to go on. You never know. With all the data thefts going on you never know what else a person might have, but certainly not the random answers to security questions or some of the other things that are not written down in a lot of places. It was interesting, yes.

 

Chip G: It’s interesting that someone who had your Social Security number …  I understand sort of taking the cell phone because you can see all sorts of nefarious ways that you can use someone’s cell phone and you are saving yourself money, but why do you think they took over your Twitter account, too?

 

Doug H: Well, my guess and I really don’t know, but based on the actions taken not taken with my Google and Twitter account, it seemed that this person just wanted to take the Twitter account. That seemed to be the main target of this. Well, I am not at liberty to say who and the circumstances of this other person’s situation.

 

There was another person that had a similarly easy to recognize Twitter handle, not someone you would necessarily know, but like a word or an acronym that someone might want or someone might want to mess with. The person tried to take that person’s as well. It was unsuccessful for different reasons, but I think @DougH or Doe, my Twitter handle, and the fact that I have been on for a long time I think made that either he wanted that for whatever reason or just wanted to create havoc and be a mite about it.

 

Chip G: Gosh, it seems like so much trouble to go through just to get a Twitter handle. This is something that is not unique to you. There have been other people who have had their Twitter accounts hacked in one fashion or another as well as other social accounts, including some fairly prominent people. Then of course, there are some of the celebrities who will sometimes claim that there Twitter account was hacked, when in fact they were just drunk tweeting and probably should have kept their mouths shut.

 

I think it’s pretty safe to say that this was not the case with you. This is a legitimate theft. What do you think that we as communicators should take away from this? Should we be particularly concerned about social identity theft or is it really just one of those occasional things that happens either to really prominent people or folks like you who happen to have a really nifty Twitter handle?

 

Doug H: I think the answer is both. What happened to me is probably a bit more of the latter. It’s not like I have any sort of fame, but there was a Twitter handle that I guess was worth messing with. In terms of anybody, just not having control of things that you use every day and between you and me, Twitter is not all that important. I could live without it. I could just switch to another handle. In fact the hacker parked my account on a different handle so actually I still had all my followers and my Twitter history parked on a different handle, which was instead of just taking over my account and tweeting like they might do with a celebrity, they just took the username and that was it.

 

Chip G: They must have mechanically, then what do they do? They took the Doe account, switched the username to that so that it then became available? If you transfer things from one Twitter account to another …

 

Doug H: You have to triangulate. Basically, because you can only have one account on an email address, so the person switched the account to his email address and then parked my Twitter history on this other Twitter handle that I did not want. I actually have an alternative Twitter handle, which I experimented with switching to because I wasn’t sure when I would get my Twitter handle back, which was a whole other part of the story.

 

I think just the idea that it’s unsettling not having access to these things and particularly things you use every day. It’s a little more unsettling if any of these accounts that people take have connections to more personal information that a person could do some real damage, either financially or personally to you, which was not the case for me, but there’s always that fear.

 

Chip G: Certainly, having access to your cell phone at that point it gives them quite a bit of additional capability should they choose to use it and from what I understood you to say your cellular company was able to relatively quickly get that back into your control.

 

Doug H: Yes, almost as easily as they gave it to the hacker. The flipside to them being so friendly in customer service is they were really friendly to the hacker apparently. That was unsettling, but I was able to fix that quickly and in three hours I got my phone number back. I was able to establish that was my phone number. While the backup phone number attached to my Google and Twitter accounts had already been changed at that point, I was able to retain anything else that was attached to it, particularly getting phone calls from people and texts, of course, but also just anything else that was attached to that account.

 

I think the other thing about the phone number is one thing people and some of the first things that people asked me was did you have two factor verification or two-step security set up? The answer actually, regrettably was no and I would recommend that if there is two-step verification security for any accounts, Twitter and Google certainly have it, Yahoo has it, take advantage of it. It’s a bit more of a pain in the butt to deal with in terms of signing into new devices and things like that.

 

I just had not gotten around to it yet and it was not that I objected to it. I was just like most people. I was lazy, but with this person having my phone number and then getting my Gmail, he basically had both factors in his hands, which is if I had had two factor set up, it would not have mattered because he had my phone number and was able to get the verification from there.

 

Chip G: Even though you were able to get your phone number switched back relatively quickly, the experience was not quite the same with your actual online accounts, right?

 

Doug H: No, it was not. Again, I appreciate that it’s hard. They make it hard to get control of an account because you want it to be hard for someone to take it from you, but somehow it was a lot easier for the hacker to take control than it was for me to take control back. There were some I guess recursive loops or logical loops, feedback loops that I got stuck in trying to get things returned to me. Twitter was restored, I forget the date. It was probably within a couple of weeks.

 

Google and Gmail and all that Google account probably took closer to a month. In the case of Google in particular, they have an account recovery form that you fill out and there is some information that’s good to keep hold of like when you started using the services, for example to try to help prove who you are. I was continually getting messages back from Google support, again more were about robotic messages and not people saying, “Well, we need more information,” and then giving me a link to the exact same form to fill out again that I had already filled out completely and I did that four or five times.

 

I made appeals to people if they knew someone at Google to try to escalate trouble tickets and with varying success and to the point that I actually got to an open ticket that was able to get me to the resolution. I really don’t know who or what circumstance led to breaking that endless feedback loop. It’s hard to say where that was and if it was somebody I knew knowing somebody, then what if you don’t have that someone you know? How long are you going to be? You are just going to lose that account and access to all the information and content that you saved up in there and you just have to wave goodbye to it because you don’t know anybody? That’s not good.

 

Chip G: No, it strikes me that the majority of people who may have these issues happening to them in one form of another don’t have the same level of knowledge or connections or things that you have and even with all of that, it still took an incredibly long time to regain control.

 

Doug H: Yes. I think again, it should not be instantaneous and I do appreciate that you need to prove you are you, but I think there are other ways to do that and I probably need to re-examine the notion of customer support. I know we don’t pay for Twitter and we don’t pay for Google accounts, but as I like to say, we are the product that these folks can sell on their marketing and saying, “We have users. We have users that use our product all the time.”

 

But if the customer support is not there, people will start to fritter away eventually. If you are not serving these people, if you are not basically nurturing your product, you’re not going to have anything to sell if you piss them off too much and they start to go away. You want to make it secure, but you don’t want to make it impossible. I think there was a fine line that they could tune a little bit better than they have.

 

Chip G: It strikes me that having some more human engagement in this process would not be a bad thing either, because …

 

Doug H: Some at all.

 

Chip G: … Yes, in about five seconds they could figure out that you were the legitimate owner of the Twitter account at least. I think that was not something that should have been particularly challenging. The irony is it took you a couple of weeks to do that.

 

I actually got control of an old corporate account that I did not have a login for and it only took me about three days. That was one where it was not quite as obvious. You could not just Google it and say, “Oh yes, this is the correct linkage here,” because it was an account that had been from a Twitter perspective in disuse for some time. It’s interesting to me that in your case where it was so obvious it took weeks, whereas in my case it took a matter of a few days for something much less consequential.

 

Doug H: I know it’s an expense to have humans doing personal customer support, but there needs to be a point where escalation needs to move out of these robotic loops and into a quicker resolution one way or the other where I can go to some other links or other way to prove that I am me and show what happened and maybe provide other documentation that they don’t normally ask for that helps prove who I am.

 

In the case of Twitter I was a very early user. I had been using it coming up on 10 years. It’s pretty easy to the history to figure out who I was. If somebody just looked at it they could tell that there was something wrong there and that the right person was not having access to the account. The fact that that took a few weeks …

 

Chip G: If you look at the one or two moronic tweets that the turkey put out there, it was pretty clear that it was not serious.

 

Doug H: Yes, absolutely. Change the name, not the username obviously, but the name associated with the account and change the tagline on there to something stupid. If I’m going to have something stupid, I’m going to do it myself.

 

Chip G: You are perfectly capable.

 

Doug H: Proudly, absolutely.

 

Chip G: In the case of Google, you said an unknown third party apparently got you flagged so that you could get to a real trouble ticket solution, right? They would strike me that that’s an even bigger loss than a Twitter account because of the things that are probably tied to your Gmail account.

 

Doug H: Even outside of the fact that there may be financial information and some potential catastrophes that you might have stored in documents, the fact that you have documents … If you are using Google Documents, obviously you need to back stuff up. I did not have anything that I could replace for any of that stuff, but the access to months and years worth of tracking my bike training or things that I had saved for documenting career moves or things like that, all those were in there and there were a ton of things. Again, most of it replicable, but you use that stuff every day and then all of a sudden it’s gone. It’s no easy task to replace that information.

 

Chip G: Obviously, you have recommended that people have two factor security turned on, but are there other lessons from this that we all can learn from so that perhaps we don’t go through the same fate that you did?

 

Doug H: I think the other, and I was actually just talking to someone in the office who had seen my post about that, and I think the other thing is be vigilant about your personal information. Part of it is having good passwords and changing passwords, but I think more important than that is just being aware of what’s going on with your accounts, especially financially it comes to. I was watching everything like a hawk and nothing happened and I had control. It was pretty clear after a while that I had sole control of things.

 

I put a fraud alert on the credit bureaus and that’s very effective. I kept a watch on all my credit and bank accounts to make sure there were not any crazy charges going on. Again going back to the credit bureau saying, if someone tried to open up a credit card in my name because I had information, they would not be able to do it without that check from the credit bureau. They would have been stopped there.

 

I know that for a fact because on behalf of my son, I actually bought some graduation-related things for friends at Kohl’s online and opened a charge account to try to get a discount. I got a letter saying I needed to basically verify a lot of personal information, which I just decided I did not want to bother doing. I got another letter saying, “Well, we could not verify it was you, so we are declining the charge account.” I was like, “Good, I didn’t really want it anyway.”I will shop at Kohl’s again and I didn’t really need the card. I was like, “OK, this works. This is great.”

 

Chip G: Did they take away your discount or did you get to keep the discount?

 

Doug H: No, there was some sort of new customer other discount that I had used anyway that superseded that anyway, so I was good.

 

Chip G: Gotcha, excellent.

 

Doug H: I was still getting coupon emails, so great, that’s great. Kohl’s is awesome. I just don’t have a charge account with them.

 

Chip G: Well and since you have control of your accounts now, your email account, you can actually see all those offers, whereas perhaps when you do not have access you were mercifully free of some of the commercial email.

 

Doug H: Actually, I think I was still not on my Google at that point and I was sending it to my Yahoo email, so I was getting them anyway.

 

Chip G: I talk to a lot of people who are particularly concerned about doing anything financial online or the source of things and stories like yours obviously don’t tend to reassure folks. At the end of the day though, it seems to me that it’s a balance of convenience with the inherent risk, right? We can never eliminate all risk and so we have to all decide is it worth having online access to your bank account, even though if someone steals your email account they can probably find a backdoor way in?

 

Doug H: Or they can just set something up in your name and destroy your credit, so it really doesn’t even matter.

 

Chip G: Yes but that risk has been out there even without online. If someone has your Social Security number, then for years and years and years they have been able to open up new credit in your name if they so chose.

 

Doug H: One thing that was interesting is among the things I did was to file a criminal complaint, an identity theft complaint with the local police, even though nothing had been stolen. In fact the officer at the desk was pretty adamant that I did not need to do this since nothing was stolen. I was like, “Well, in case something gets stolen I want my complaint on file, a case on file.” They say, “Fine.”

 

In the course of that he said, “Several people have all your information. Lots of different people have your Social Security number because it’s out there everywhere. People have your address. Everything is easy to find. It’s very hard to hide that information from of the entire world.”

 

I thought about that for a second and I was like, “Well …” You could panic and say, “Oh my God, everyone has my Social Security number, too.” Everybody has everybody’s Social Security number and it’s very common that it’s out there. You have to give it away to financial institutions to open accounts and things like that, so it’s not so much to worry that someone is going to have it, but it’s just more being vigilant over your accounts that people do not do weird things.

 

If you see anything that’s just out of the ordinary, just look at it, just being in the habit of doing your financial accounts every month. Be in the habit of just logging in and possibly changing passwords on a regular basis, even just to login to accounts to make sure that they are not being used in a strange way or taken control of by someone else.

 

Chip G: I think one of the other interesting things you mentioned in your post is some companies do do a pretty good job of alerting you if something unusual is happening, even without going and putting a fraud alert on file. You particularly cited American Express and I agree with you.

 

American Express is really phenomenal about flagging potentially …  Anytime I used an odd vendor, I will often get an email saying, “Hey, can you confirm this purchase?” Now occasionally I get them for silly things that I am like, “Well, why are you confirming? I use that vendor all the time,” so it’s not perfect, but I think in some of the cases where I have made particularly unusual purchases, usually a gift or something like that, they are pretty good about flagging it.

 

Doug H: Yes, it’s not just American Express. Some of the other banks will do that. I think American Express were the first to be known for doing that. A long time in the past I had a hard time disputing charges with American Express on a card where someone had taken the number and bought gasoline in some town in Texas I had never been near and it took me a while to convince them that maybe that was not me. Nowadays if there is, again, a charge in a place that’s not outside of where I usually charge, I will get a call immediately. They won’t hold up the charges, but they will say, “This charge went through. Is this you?” If it’s not, they can reverse it.

 

I find that that’s good. It’s also good to know if you have those strange charges, even if it is not a legitimate one that they are on top of it. They call you and say, “Hey, this is a sketchy charge in a sketchy place,” and I say, “Nope, that was me being sketchy but thanks.”

 

Chip G: It’s a huge improvement over the old days where you would go to the store and you try to make a purchase and they would just decline it and you didn’t even know why usually. I remember the first time that happened to me when I was in college actually and I was all panicked. I’m like, “Why is this being declined?”

 

Of course, I got home and my home answering machine had an explanation to call them, but of course that was in the days before cell phone or mobile email or any of those things.

 

It’s a much better system now that’s available for those sorts of things, but unfortunately it does not help you with your social identity and so I think your situation has taught us all some good lessons that hopefully we can learn from so that fingers crossed, we won’t have the same thing happen to us.

 

Doug H: I think and if it does happen I am just hoping that some of these companies eventually improve the process by which you can reverse account theft.

 

Chip G: You see I always thought you were more of a cynic than an optimist, but you are …

 

Doug H: I didn’t say I hoped they will. They say that they will. I said I would love to see that.

 

Chip G: Well, most people would love to see a unicorn, too. I think that’s probably more likely than these companies instituting first-class customer service.

 

Doug H: I don’t know. I don’t want to see unicorns. They look like they could be really mean and do some damage.

 

Chip G: Sort of like bunny rabbits, right?

 

Doug H: More like swans, oh swans are beautiful, yes. To go near one, they will bite your face off so unicorns would be the same way I am sure.

 

Chip G: Well, on that note, listeners be careful of unicorns, swans, bunnies and all these kinds of things that look cute but might be very violent and nasty towards you. Certainly use two factor authentication, be diligent about your accounts and we will all hope that social identity theft does not happen to us, but at least we can be prepared if it does. Doug, I appreciate you taking the time to share your story with us and the tips that come along with it.

 

Doug H: Well, thanks for having me. This was a great chat with Chip.

 

Chip G: Yes indeed and thank you all for listening all the way to the end and I look forward to having you all back listening to the next episode.

 

Ad Block 728

About The Author

Chip Griffin is the Founder of CustomScoop. He writes and speaks frequently about data-driven public relations. You can follow him on Twitter at @ChipGriffin.

Related posts

Ad Block 728
13 Shares