Below the cut is a letter that was requested from one of the Chief Officer’s departments at Yahoo!

The letter will explain my entire situation and the steps I’ve taken so far.

Please note, I got to the point where I was asked to send this letter by a representative of one of the board of the company.

EDIT: Removed a name that hadn’t been removed, re-signed the text because the <strike> tags were PGP encoded but not showing in the text.

This letter has certain information edited out.

The public digital signature is available at:
http://www.livejournal.com/pubkey.bml?user=lordandrei

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dear OMIT,

Again, I'd like to thank you for listening to my situation. I am a Yahoo
user. This is going to most likely be a fairly long letter and I thank you
for your patience in reading through this situation.

I'm going to outline information about who I am, my membership as a
customer, the event that occurred, and the process that has occurred, or more
properly not occurred, as a result.

I first joined Yahoo (as far as I can tell) in December of 1997. At the
time I took on the user ID "gtapolow". In 2000 partially due to spam and
partially for privacy I established another Yahoo account. This one is
"life_magick".

I am a software engineer. I have been such since before leaving college in
1990. I have been involved with internet technologies since the days of
BBS's in the 1980s. The idea of secure information and transmission of
personal data is fairly important to me. If you take a moment to look at
http://profiles.Yahoo.com/lordandrei_93 you will see me as I am today.
(lordandrei_93 is a 'profile' of gtapolow) This is a recent creation. I had
pretty much settled my Yahoo dependency on 'life_magick'. You will note a
relatively matching set of data at http://profiles.Yahoo.com/life_magick

To give more references to who I am you can look at my personal web site:
http://www.apolo.net/who.php which features the same picture (as well as
the picture of my wife). Further reference can be found at
http://www.livejournal.com/users/afreeman
and most currently used: http://lordandrei.livejournal.com

I write all of this to put a human face on this story and situation.

Currently I work for a software company dealing with a problem known as
Phishers. These are people who send false email purporting to be
representing a company. They direct the user to a web site that mimics the
site they are purporting to be. The false web site asks for the user to log
in. The user has now (more often than not) unwittingly compromised their
log in information.

On Monday evening at about midnight, I received a message from a trusted
friend via Yahoo's Internet messaging technology. The message was a link to
their site on Geocities. Geocities forwarded me to a secure Yahoo page. I
logged in. The service was displayed as being unavailable. I am thoroughly
embarrassed to say that as an engineer fighting against mail fraud, I
succumbed to the very style of fraud in question. Only this one came in
from something other than email.

Tuesday, while at the office I was logged off while in session on Yahoo IM.
I logged back in. I was logged out again. By the time I got to the Web page
to reset my password it was too late. The account password and credentials
had been changed. I was locked out of my account. The crux of my problem is
I no longer have any access to "life_magick".

Most of my mailing lists are maintained by Yahoo. Some of my financial data
may be accessible via this Yahoo account. I don't know for sure. Personal
files are in my Yahoo account. And to make matters worse, a time critical
project I am working on and managing is done through that Yahoo account. The
project and all access is gone.

The process as it stands is to provide Yahoo with your date of birth and
the current postal code on file. Then an email is generated to the end user
with a special link to reaccess the account. This specific fraud captured
emails and passwords and then logged on and changed the current zip code.
The mechanism to report this as a problem is sent to a department known as
"account-security". They do not have a phone number or a live person that
the customer can reach. The customer fills out a form on the web, an
automated system generates a form letter that the user must then reply to
with a large array of personal information. (Sent via email without a
secure channel.) The linchpin of this mechanism is the exact postal code
you used when you initially registered with Yahoo. It doesn't matter how
much information you provide, unless you provide that specific piece of
data... the system will continue to send the same request repeatedly.

To be completely honest, I am a software engineer. In my line of work you
really don't stay with a company more than two years. I have in 5 years
moved 4 times. I have changed addresses 5 times (I changed apartments in a
complex after a promotion), to make matters worse... I have legally changed
my name. In retrospect, I have to admit, I have honestly no idea what I
entered initially for zip code when I applied for the life_magick account.
It may have been a 5 digit or a 5 digit+zip4 with or without hyphen. It may
have been my work address, home address, old address. I may have put in
something that was a code phrase because I didn't trust giving my zip code
to Yahoo at the time. It could have been 02134 (the zip code of childhood
favourite "Zoom").

The unfortunate thing is that I can provide a notarized copy of my driver's
license with a picture matching the profile. I can even acquire
OMIT because I have details about the photo that can't be
acquired by most people. I can send in proof and affirmation from people
that for all intents and purposes, I am "life_magick".

However, the basic security process only acknowledges a zip code. A piece
of information that is not only not secure, but easily discoverable by
anyone with simple know-how. In my case, because I didn't trust that
information, the system has locked me out.

Since then, I have filled out the web form. I have received countless
automated emails to which I have elaborated more personal data than I'm
really comfortable sharing with colleagues, let alone a company that is
hard to reach. Each email has included an increasingly desperate request to
be contacted by a human being to offer alternate forms of proof. Each mail
has been processed and replied to with a form letter that seems to ignore
everything I've written, simply asking for the same piece of information that, I
have to admit, I don't have. Most recently I have replied with every
imaginable number I can come up with, but the truth of the matter is... it
should never have come to this.

I took the next step. I tried calling Yahoo.

At first I was sent to account verification who could only take a postal
code and enter it into a program that would compare it with the current
data. This system becomes broken the moment someone changes that piece of
data. The hacker knew this. There is no way I can verify my account in the
current system because the hacker has put in false data.

From there I asked for a supervisor. My first foray into the phone banks of
Yahoo customer support passed me off on OMIT and
OMIT. Both were obviously in a foreign call center (our
company uses them as well.) Both are well versed in voicing empty sympathy,
("I really wish I could help you."), both made it clear that if I couldn't
provide a zip code I'd have to send the email. (By this point I was up to 5
pieces of automated email.)

I asked OMIT for her supervisor who transferred me to
OMIT in Canada. By this point I was prepared to ask for
each supervisor until I could get my issue remedied. OMIT
informed me that these issues were handled by Account-security and that
they had no phone. They only have email. I had previously been told this. I
was seeking to push through that black box since there was no resolution
path. (I am an engineer, problem solving is what I do for a living)

OMIT, who is a supervisor, excelled at the ability to voice
compassion without actually supplying any resolution. OMIT
also explained that her supervisor is in fact an administrator that
wouldn't be able to understand the situation and would report it to his
corporate supervisor. OMIT also informed me that she had no idea who her
supervisor's supervisor was. For most companies, this means I hit the top
of the outsource chain. OMIT recommended that I call the
corporate number.

The corporate number had a pleasant phone tree that would dotingly send me
back down the line to customer service. I pressed zero and was greeted by
another female voice with a very thick Indian accent. The operator would
not identify herself beyond, "Operator #5." I told her that I'd been sent
to the corporate line from account-verification to ask for a number for
account-security. She told me that this wasn't who I wanted to talk to and
she'd transfer me to account-verification. I tried to explain to her that
it was that department that sent me to her. She told me quite simply I was
wrong. I asked for her supervisor; she refused to do so. I explained one
more time what the full situation was. She put me on hold. After a few
minutes she returned to the line and reiterated that I was wrong and told
me that she was going to transfer me to account-verification. Frustrated
that I was about to repeat the process that had already eaten an hour out
of my work day I asked for the president of the company. She curtly
informed me that he doesn't handle customer issues and placed me on hold. I
believed it was hold. Two minutes later the line disconnected.

At this point I decided that the system was broken. To gain access to an
account all you need is a password, a birthdate and a zip code. These are
not secure pieces of data. And because I couldn't provide one of these
pieces of data, I float 2 days later still waiting for my 12th automated
response from Yahoo's security department.

I went to the investor page. I started using the names to call anyone who
seemed to be high on the food chain to alert them that there is a problem
with this system. I don't work for Yahoo and it only took me two days to
find the problem.

To explain how I wound up at your desk I called corporate and punched in
the names of people on the investor page for executives.
OMIT is out of the office until April 18th
OMIT actually resolves to OMIT who has a
full mailbox
OMIT resolves to a voice mail for OMIT
who is now working out of Santa Monica. His forwarding number in Santa
Monica is wrong but that number gives a forwarding number to the new phone
number. The operator in Santa Monica was very nice albeit unable to help.
It was her first day and she was having difficulty finding information.
OMIT is not listed in the phone system at all.
OMIT... I got a human being on the executive staff.

To reiterate, I've lost an account that has five years of collected Yahoo
resources in it. Private files, pictures, over 200 mailing lists of which I
administrate several.

I am obviously frustrated. My lack of progress has left me with a very
unhappy taste in my mouth for the service. Now as a software engineer and
manager I'd rather see the system fixed than abandon the technology.

So, here is where I am. I represent one user who's taken the time to find a
problem and try to work with the company to find a solution. I can list
countless people who can attest to my identity. I can also list countless
people who may not have the knowledge or will to get this far and have
simply given up on Yahoo as a product.

This is my story and situation. I hope it gets into hands that can make it
right. I am more than willing to offer what experience and knowledge I have
in the industry to aid Yahoo in making it right.

Thank you,
-Andrei Freeman
(Legally changed from OMIT)

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.0.0 - not licensed for commercial use: www.pgp.com
Comment: 93, 93/93

iQA/AwUBQl8HCnouKvXM/BhwEQI/JACeIFGhS1aXB7ItPoaYXktmtzLmQ3AAn3Ag
nnh5fpZpSc9z+D3Z8LKUx85M
=vIo2
-----END PGP SIGNATURE-----

Edit:2005.06.16: This post was friends only. It is now public as the Yahoo situation has been remedied.
