CWC 11: Doug Haslam on social identity theft

Doug Haslam of Stone Temple Consulting discusses his firsthand experience with social identity theft.

On the latest episode of Chats with Chip, I am joined by Doug Haslam of Stone Temple Consulting who discusses his firsthand experience with social identity theft. Have you ever thought about what it might be like to lose control of your social network accounts to a hacker or miscreant? Do you know what it takes to regain control of something that you have spent years building? Doug’s experience has some important lessons for all of us.

The following is a computer-generated transcript. Please listen to the audio to confirm accuracy.

You’re listening to Chats with Chip on the FIR Podcast Network.

Chip Griffin: Hi, this is Chip Griffin, and welcome to another episode of Chats with Chip. My guest today is Doug Haslam. He’s a senior consultant with Stone Temple Consulting. Welcome, Doug.

Doug Haslam: Welcome. Welcome to me. Thanks for having me. It’s a pleasure to be on this. I’ve been on your other podcasts several times, but this is my first Chat with Chip.

Chip Griffin: Well, and this is an opportunity to talk about your identity, or in this particular case, how your social identity was stolen. And I, you know, you wrote a nice post about it. Obviously it was a miserable experience to go through. And so I thought I would torture you by making you discuss it yet again.

Doug Haslam: Oh, how do you know this is really me?

Chip Griffin: Well, I, I don’t, but, I think I’ve talked to you enough that I recognize your voice and you did come up on Skype when I, when I went with Doug Haslam. Well, I guess that’s not proven, right? Because it could be that someone stole your Skype account as well. But for, for, in all seriousness, for those listeners who may not be familiar with the, the whole saga, can you sort of give us a snippet of what happened?

Doug Haslam: Sure. I guess say, just to start from the beginning, which is always the best place to start, I was actually packing up to go home actually from work, I actually had ridden my bike that day, and I noticed on my computer that my personal Google account had a, an alert saying I needed to log back in again, and I was like, well, I’m not dealing with this right now.

Getting on my bike. I’ll just log back in when I get home and see what’s, what’s the trouble. I get home and I found that my, my wife had gotten a call from our cellular provider, which she didn’t pick up because, why, you know, right, who does, who does that? But what it turned out is they were trying to confirm switching my phone number to another phone. And when, this, you know, family member didn’t pick up, this cellular provider just went ahead and made the switch anyway.

Even though the person clearly did not have, my four digit code that they usually require. But the person did have my social security number. And was able to switch my phone number to another phone and, in the few hours that he had it, I was able to get my phone number back to my phone with the Verizon folks.

They were pretty quick about it. But he did have it for a few hours and was able to switch my Google account and, so control my email. So now I had to control my email and my phone number that was attached to many of my accounts. And, and then, swiped my, Twitter account as well. So I, I didn’t have either of those.

Chip Griffin: I find that kind of disturbing, and I’m sure you do too, that your cellular provider switched over even though they called to check and didn’t get approval. I mean, it seems like an odd process to call for approval and then when you don’t get an answer just say, Okay, we’ll allow it then.

Doug Haslam: Yeah, I got to think it was a breakdown in the process that a customer service rep basically didn’t follow protocol, because if you don’t have, if you don’t have the, this four digit code that everyone needs to be basically the PIN number, right?

That, it, the social security number really isn’t important. Really shouldn’t be sufficient to go through, and I can’t imagine what this, what else this person had to, to go on, although you never know. You know, with, with all the, the data thefts going on, you, you never know what else a person might have.

But, but certainly not the random answers to security questions, or, or, you know, some of the other things that aren’t really written down in a lot of places. So it was interesting.

Chip Griffin: Yeah, you know, it’s interesting that someone, you know, who had your social security number would, I understand sort of taking the cell phone, right, because you can, you can see all sorts of nefarious ways that you can use someone’s cell phone and, and you’re saving yourself money.

But I mean, why do you think they took over your Twitter account too?

Doug Haslam: Well, my guess, and I really don’t know, but based on the actions taken and not taken, with my Google and Twitter account. It seemed that this person was just wanted to take the Twitter account. That seemed to be the main target. There was, well, I’m not at liberty, liberty to say who and the circumstances of, of this other person’s situation.

There was another person that had a, similarly, easy to recognize Twitter handle. Not, not someone you’d necessarily know, but, but, you know, like a, a, like a word or a, or an acronym, that, you know, someone might want or someone might want to mess with. The person tried to take that person’s as well.

It was unsuccessful for different reasons, but, but I think that, you know, at DougH or dough my Twitter handle, and, and the, the fact that I’ve been on for a long time, I think made that, either either wanted that for whatever reason or just, or, or just wanted to, to, create havoc and be a, you know, be a might about it.

Chip Griffin: Right. Well, that’s, gosh, it seems like so much trouble to go through just to get a, a Twitter handle, but Yeah. You know, so, this is, this is something that is not, unique to you, I mean, there have been other people who have had their, their Twitter accounts hacked in one fashion or another, as well as other, social accounts, including some fairly prominent people.

And then, of course, there are some of the celebrities who will sometimes claim that their Twitter account was hacked when, in fact, they were just drunk tweeting and probably should have kept their mouths shut. I think it’s pretty safe to say that this was not the case with you, that this is a legitimate theft.

You know, what, what do you think that we as communicators should take away from this? I mean, should we be particularly concerned about social identity theft, or is it really just, you know, one of those occasional things that happens either to really prominent people or folks like you who happen to have a really nifty Twitter handle?

Doug Haslam: I think the answer is both. I mean, what happened to me is probably a bit more of the latter. It’s not like I have any sort of fame or anything, but there was a, you know, a Twitter handle that, that was, I guess, worth messing with. But in terms of anybody, you know, just, just not having control of things that you use every day.

And, and between you and me, Twitter isn’t all that important. I can live without it. I can just switch to another handle. In fact, the hacker parked my account on a different handle. So I actually still had all my followers and my Twitter history parked on a different handle, which was, you know, instead of just taking over my account and, and tweeting like they might do with a celebrity, it, they just, they just took the username and that was it.

Chip Griffin: So, so they must have, they must have mechanically then what did they do? They took the, the dough account, switched the, the, the username to that so that it then became available. Is that how it, yeah, well, because you can’t usually transfer things from one Twitter account.

Doug Haslam: Well, you, you have to triangulate, basically, you, you, because you, you can only have one account on an email address. So, you know, the person switched the account to his email address and then put, and then parked, parked my, my Twitter history on this other, email, other Twitter handle that I didn’t want.

And I messed around. I had to actually have an alternate Twitter handle, which I kind of experimented with, with switching to because I didn’t, wasn’t sure when I would get my Twitter handle back, which was a whole other, you know, other side, part of the story. But I think just the idea that, you know, it’s, it’s, you know, it’s, it’s unsettling not have, have.

Not having access to these things and, particularly things you use every day. And it’s a little more unsettling if you, if any of these accounts that people take have connections to more personal info that, you know, that a person could do some real damage, either financially or personally to you.

Which wasn’t the case for me, but, but, you know, there’s always that fear.

Chip Griffin: Yeah, and certainly, you know, having access to your cell phone at that point, you know, it gives them quite a bit of additional capability should they choose to use it. And from what I understood you to say, your cellular company was able to relatively quickly get that back into your control.

Doug Haslam: Yeah, I mean, almost as easily as they gave it to the hacker. So, yeah, the flip side to them being so friendly in customer service is they were really friendly to the hacker, apparently. So, that, you know, you know, that was unsettling, but I was able to fix that quickly. And, you know, in the three hours I got my phone number back, you know, I was able to say, you know, establish that that was my phone number and while the backup phone number attached to my Google and Twitter accounts had already been changed at that point, I was able to, you know, retain any.

to it, particularly getting phone calls from people and texts, of course, but, but also just, just anything else that was attached to that account. I think the, the other thing, about the phone number is, you know, one thing that people, and some of the first people, first thing, things that people asked me was, Did you have two factor, verification or, you know, two step security set up?

And the answer actually, regrettably, was no. And I would recommend that if there’s two step verification, security for any accounts, you know, Twitter and Google certainly have it, Yahoo has it, you know, take advantage of it. It’s a bit more of a pain in the butt to deal with in terms of signing in to new, to new devices and things like that.

I just had hadn’t gotten around to it yet, and it wasn’t that I objected to it. I was just like most people, I was lazy, but with this person having my cell, my, my phone number, and then getting my, my Gmail, he basically had both factors in his hands, which is how, you know, if I had had two factors set up, it would not have mattered.

Because he had my phone number and was able to, you know, was able to, you know, get the verification from there.

Chip Griffin: So, now, even though you were able to get your phone number switched back relatively quickly, the experience wasn’t quite the same with your actual online accounts, right?

Doug Haslam: No, it was not. It was, and again, I appreciate that it’s hard, they make it hard to get control of an account.

Because you want it to be hard for someone to take it from you. But somehow it was a lot easier for the hacker to take control than it was for me to take control back. And there were some, I guess, recursive loops, or logical loops, feedback loops that, got stuck in. In trying to get things, returned to me, Twitter was restored.

I forget the date, but probably within a couple of weeks, and then Google and Gmail and all that Google account probably took closer to a month. And in the case of Google in particular, they have an account recovery form that you fill out. And there’s some, you know, information that’s good to keep hold of, like when you started using the services, for example, to try to help prove who you are.

But, I was continually getting messages back from Google support. Again, more about robotic messages and not people saying, well, we need more information. And then giving me a link to the exact same form to fill out again that I’d already filled out completely. And I did that four or five times. You know, I, I made appeals to people, to try to, escalate the, if they knew someone at Google to try to, you know, escalate trouble tickets and with varying success and to the point that I actually got to an open ticket that was able to, get, you know, get me to the resolution, I really don’t know who or, or what circumstance kind of led to breaking that, that endless feedback loop.

So it’s hard to say where that was. And if it was somebody I knew knowing somebody, then, you know, who, what if you don’t have that someone, you know, I mean, how long are you going to be? You’re just going to lose that account and access to all the information and, and content that you saved up in there.

And you just, just have to say wave goodbye to it because you don’t know anybody and that that’s not good, but.

Chip Griffin: No, and it, and it strikes me that, you know, that the, the majority of people who may have these issues, happening to them in one form or another, you know, don’t have the same level of knowledge or connections or things that, that, that you have, and even with all of that, it still took an incredibly long time to regain control.

Doug Haslam: Yeah. And I think again, it, it shouldn’t be instantaneous. And I do appreciate that it, you know, you need to, to, to, prove you are you, but I think there are, you know, other ways to do that. And they probably need to kind of reexamining the notion of customer support. Now I know, I know we don’t pay for Twitter and we don’t pay for Google accounts.

So we, but, but we are, as I like to say, we are the product that, that, you know, these folks can sell on their marketing and saying we have users and we have users that use our product all the time. But if the customer support isn’t there, people will start to, you know, fritter away, okay, eventually. And so if you’re not serving these people, if you’re not basically nurturing your product, you’re not gonna have anything to sell if you, if you, you know, piss them off too much and they start to go away.

So you, you know, you want to make it, secure, but you don’t want to make it impossible. And I think there is a, a fine line that they could tune a little bit better than they have.

Chip Griffin: Well, it, it strikes me that having some more human engagement in this process wouldn’t be a bad thing either because in about, in about, well, yeah, in about five seconds, they could figure out that you were the legitimate owner of the Twitter account at least, right?

I mean, you know, I, I think that, that was not something that should have been particularly challenging. And the irony is, you know, it took you a couple of weeks to do that. I actually got control of an old corporate account that I had, that I didn’t have a login for, and it only took me about three days.

And that was one where it was not quite as obvious. You know, you couldn’t just Google it and say, Oh yeah, that’s the, this is the correct linkage here because it was an account that really had been from a Twitter perspective in disuse for some time. So it’s, it’s interesting to me that in, in your case where it was so obvious, it took weeks, whereas in my case it took a matter of a few days for something much less consequential.

Doug Haslam: Yeah, and I, and I know it’s, it’s an expense to have, you know, humans doing personal customer support, but there, there needs to be a point where, escalation needs to kind of move out of these, these, robotic loops and into, into, you know, a quicker resolution one way or the other, where, you know, I can go, go to, some other length or other, other way to prove that I’m me and, and kind of show what happened and maybe provide other documentation that they don’t normally ask for that helps prove who I am. You know, in the case of Twitter I was a very early user, you know, I had been using it coming up on ten years and it’s, it’s pretty easy for, through the history, to figure out who, you know, who I was. If somebody just looked at it, they could tell that this, you know, person was me, that, that the, there was something wrong there and that, that the right person was not having access to the account.

The fact that that took a few weeks.

Chip Griffin: And if you looked at the one or two moronic tweets that the turkey put out there, I mean, it was pretty clear that it was, you know, not serious.

Doug Haslam: Yeah, no, no, absolutely. I mean, you know, change the, change the, the, the, the name, you know, not the username, obviously, but the name associated with the account and change the, you know, change the tagline on there to something stupid.

And, you know, if I’m going to have something stupid, I’m going to do it myself. You’re perfectly capable. Proudly.

Chip Griffin: Yeah, absolutely. So in the, in the case of Google, you know, you, you said that sort of an unknown third party apparently got you flags that you could, you know, get to a real trouble ticket solution, right?

Yeah. But, you know, I mean, I, it would strike me that that’s an even bigger loss than a Twitter account because of the things that are probably tied to your Gmail account, right?

Doug Haslam: Well, you have, in, even outside of the fact that there may be, you know, financial information and some potential catastrophes that you might have stored in documents, the fact that you have documents, if you’re using Google Documents, obviously you need to back stuff up.

And I didn’t have anything that I couldn’t replace for any of that stuff, but the, you know, the access to months and years worth of, you know, tracking my bike training or, or, things that I’d save for, saved up for documenting career moves or things like that. You know, all those were conveniently there, and there was a ton of things.

Again, most, most of it replicable, but, but, you know, you use that stuff every day, and then all of a sudden it’s gone. It’s no, to, to, you know, replace that information.

Chip Griffin: So, you know, obviously you’ve recommended that people have, two factors security turned on, but are there other lessons from this that, that, you know, we all can learn from so that perhaps, you know, we don’t, we don’t go through the same fate that you did.

Doug Haslam: Well, I think the other, and I was actually just talking to someone in the office who had seen my post, about that. And, and, I think the other thing is just, you know, be, be vigilant about your personal information. You know, part of it is having good passwords and changing passwords. But I think more important than that is just being aware of what’s going on.

With your accounts, so especially financially, it kind of comes to, I was watching everything like a hawk and nothing happened. And I had control, it was pretty clear after a while that, that I had sole control of things, but, but, but, you know, I put fraud alerts on the credit bureaus and that’s very effective. I kept a watch on all my credit and bank accounts to make sure that there wasn’t anything, you know, any crazy charges going on.

And again, going back to the credit bureau thing, if someone tried to open up a credit card in my name because they had information, they wouldn’t be able to do it without, you know, without that check from the credit bureau. They would have been stopped there. And I know that for a fact because I actually bought, on behalf of my son, I bought some, graduation related things for friends, at Kohl’s.

Online and opened a charge account to try to get a discount and I got a letter saying I needed to basically verify a lot of personal information, which I just decided I didn’t want to bother doing, and I, and I got another letter saying, well, we couldn’t verify it was you so we’re, we’re declining the, the charge accounts, like, good.

I didn’t really want it anyway I’ll shop at Kohl’s again, and I didn’t really need the card. I was just like, okay, well this works. This is great.

Chip Griffin: So, so did they take away your discount or did you get to keep the discount?

Doug Haslam: No. There was a, there was like some sort of new customer or other discount that I had used anyway that kind of superseded that anyway, so it was a, so I was good.

Gotcha. Excellent. I was still getting coupon emails, so great, it’s great. There, Kohl’s is awesome. I just don’t have a charge account with them.

Chip Griffin: Well, and since you have control of your account now, your email account, you can actually see all those offers. You know, whereas, you know, perhaps, when you, when you didn’t have access, you, you were mercifully free of some of the commercial email.

Doug Haslam: Yeah, well, actually, I was, I think I was still not, on my Google at that point and I was sending it to my Yahoo email and I saw I was getting them anyway.

Chip Griffin: Gotcha. You know, I mean it’s, I talk to a lot of people who are, you know, particularly concerned about doing anything financial online or these sorts of things and, and stories like yours obviously don’t really, tend to reassure folks.

And at the end of the day, though, it seems to me that it’s a, it’s a balance of, of convenience with the inherent risk, right? I mean, we can never eliminate all risk. And so we have to all decide, you know, is, is it worth, you know, having online access to your bank account, even though if someone steals your email account, they can probably find a backdoor way in.

Doug Haslam: Or they can just set something up in your name and destroy your credit. So it really doesn’t even matter.

Chip Griffin: Yeah, but that’s, I mean, but that risk has been out there even, even without online. I mean, if someone has your social security number, then, you know, for years and years and years, they’ve been able to open up new credit in your name, if they so chose.

Doug Haslam: Yeah. Well, one thing that was interesting is when I, you know, among the things that I did was to file a criminal complaint, a dented complaint with a local police, even though nothing had been stolen. The officer at the desk there was, was pretty adamant that I didn’t really need to do this since nothing had been stolen.

I said, well, in case something gets stolen, fill out my complaint on, on file, you know, a case on file there. And he said, fine. And he said, in the course of that, he said, you know, Several people have all your information. People, lots of different people have your social security number because it’s out there everywhere.

People have your address. Everything’s easy to find. It’s very hard to, to hide that information from the entire world, and I kind of thought about that for a second. It’s like, well, you know, you could go, you could panic and say, oh my god, everyone has my social security number, too. Everybody has everybody’s social security number, and it’s very common that it’s out there.

You have to give it away to a lot of, to, you know, financial institutions to, you know, to open accounts and things like that. So, it’s not so much the worry that someone’s going to have it, but it’s just more being vigilant over your accounts that, you know, that people don’t do weird things and if you see anything that’s just out of the ordinary, just look at it, you know, just be in the habit of doing your financial accounts every month, be in the habit of just logging in and possibly changing passwords on a regular basis, even just to log into accounts to make sure that they’re not being, used in a, in a strange way or, or taken control of by someone else.

Yeah.

Chip Griffin: I think, you know, one of the other interesting things that you mentioned in your post was that, you know, some companies actually do do a pretty good job of alerting you if something unusual is happening, even without, you know, going and putting a fraud alert on file. I mean, and you particularly cited American Express, and I agree with you.

I mean, American Express is really, phenomenal about, you know, flagging potentially is, I mean, anytime I use a really odd vendor, you know, I’ll often get an email just saying, Hey, you know, can you confirm this purchase? Now, occasionally I get them for silly things that I’m like, well, why are you confirming?

I use that vendor all the time. So it’s not perfect, but you know, but I, but I think, you know, in some of the cases where I’ve made particularly unusual purchases, usually a gift or something like that, they’re pretty good about flagging it.

Doug Haslam: Yeah, and it’s not just American Express. Some of the other, banks will, will, will do that.

I think American Express were the first to be known for doing that. And, you know, a long time in the past, I had a hard time disputing charges with American Express, on a card where someone had taken the number and bought gasoline in some town in Texas that I’d never been near. And it took me a while to convince them that maybe that was not, not me.

But nowadays, if there’s, I get a charge in a place that’s not, you know, outside of where I usually charge, I’ll get a call immediately. You know, they won’t hold up the charge, but they’ll, they will say, Oh, this charge went through, is this you? And if it’s not, they can, they can, you know, reverse it and, and I, I find that that’s good and also it’s also good to know if you have those strange charges, even if it isn’t a legitimate one, you know, that they’re on top of it.

So, you know, they call you and say, hey, this is really sketchy charge from the sketchy place. And I’d say, nope, that was me being sketchy, but thanks.

Chip Griffin: Right. And I mean, that’s, and it’s a huge improvement over the old days where they, you know, you’d go to the store and you’d try to make a purchase and they just declined.

You didn’t even know why usually. I mean, I remember the first time that happened to me when I was in college, actually, and I was, I was all panicked. I’m like, why, why? Why is this being declined? And, you know, then, of course, I got home and my home answering machine, had, had an explanation, you know, to call them.

But, of course, that was in the days before cell phone or mobile email or any of those things. So, it’s a much better system now, that’s available for those sorts of things. But, unfortunately, it doesn’t help you with your social identity. And, so, I think, you know, this, you know, your situation has taught us all some good lessons that, that hopefully we can learn from so that, you know, fingers crossed, we won’t have the same thing happen to us.

Well,

Doug Haslam: I think, you know, and if it does happen, I’m just hoping that the, some of these companies, eventually improve the process by which you can reverse the process, you know, account theft.

Chip Griffin: See, I always thought you were more of a cynic than an optimist, but, you’re, you’re, you’re playing.

Doug Haslam: I didn’t say I hope they will.

I mean, I, I say they say that they will. I said I, I’d love to see that, that, but

Chip Griffin: Well, and, you know, most people would love to see a unicorn too. Mm-hmm. I, I think that’s probably more likely than these companies, instituting, first class customer service. But

Doug Haslam: I don’t know. I don’t wanna see unicorns.

They look like they could be really mean and do some damage. Sort of like bunny rabbits, right? No, more like swans. Oh, swans are beautiful. Yeah, to go near one, they will bite your face off. So, unicorns would be the same way, I’m sure.

Chip Griffin: Well, on that note, listeners, be careful of unicorns, swans, bunnies, and all these kinds of things that look cute, but might be very violent and nasty towards you.

And certainly use two factor authentication, be vigilant about your accounts, and we’ll all hope that social identity theft doesn’t happen to us, but at least we can be prepared, if it does. Doug, I appreciate you taking the time to, to share your story with us, and, and the tips that come along with it.

All right.

Doug Haslam: Well, thanks for having me. This was a great Chat with Chip.

Chip Griffin: Yes, indeed. And thank you all for listening, all the way to the end, and I look forward to having you all back listening.
