![](\"http:\/\/www.apolo.net\/images\/yahoo1.o.gif\"\/)
\n
\nThis letter has certain information edited out..
![](\"http:\/\/www.apolo.net\/images\/yahoo1.c.gif\"\/)
<\/p>\nBelow the cut is a letter that was requested from one of the Chief Officer’s departments at Yahoo!<\/p>\n
The letter will explain my entire situation and the steps I’ve taken so far.<\/p>\n
Please note, I got to the point where I was asked to send this letter by a representative of one of the board of the company.<\/p>\n
EDIT:<\/b> Removed a name that hadn’t been removed, resigned the text because the <strike> were pgp encoded but not shouwing in the text.
\n
\nThis letter has certain information edited out..<\/p>\n
The public digitalsignature is available at:
\nhttp:\/\/www.livejournal.com\/pubkey.bml?user=lordandrei<\/p>\n
\r-----BEGIN PGP SIGNED MESSAGE-----\rHash: SHA1\r\rDear OMIT,\r\rAgain, I'd like to thank you for listening to my situation. I am a Yahoo\ruser. This is going to most likely be a fairly long letter and I thank your\rpatience in reading through this situation.\r\rI'm going to outline information about who I am, my membership as a\rcustomer, the event that occurred, and the process that has occured or more\rproperly not occured as a result.\r\rI first joined Yahoo (as far as I can tell) in December of 1997. At the\rtime I took on the user ID \"gtapolow\". In 2000 partially due to spam and\rpartially for privacy I established another Yahoo account. This one is\r\"life_magick\".\r\rI am a software engineer. I have been such since before leaving college in\r1990. I have been involved with internet technologies since the days of\rBBS's in the 1980s. The idea of secure information and transmission of\rpersonal data is fairly important to me. If you take a moment to look at\rhttp:\/\/profiles.Yahoo.com\/lordandrei_93 you will see me as I am today.\r(lordandrei_93 is a 'profile' of gtapolow) This is a recent creation. I had\rpretty much settled my Yahoo dependancy on 'life_magick'. You will note a\rrelatively matching set of data at http:\/\/profiles.Yahoo.com\/life_magick\r\rTo give more references to who I am you can look at my personal web site:\rhttp:\/\/www.apolo.net\/who.php which features the same picture (as well as\rthe picture of my wife. Further reference can be found at\rhttp:\/\/www.livejournal.com\/users\/afreeman\rand most currently used: http:\/\/lordandrei.livejournal.com\r\rI write all of this to put a human face on this story and situation.\r\rCurrently I work for a software company dealing with a problem known as\rPhishers. These are people who send false email purporting to be\rrepresenting a company. They direct the user to a web site that mimics the\rsite they are purporting to be. The false web site asks for the user to log\rin. The user has now (more often than naught) unwittingly compromised their\rlog in information.\r\rOn Monday evening at about midnight, I received a message from a trusted\rfriend via Yahoo's Internet messaging technology. The message was a link to\rtheir site on Geocities. Geocities forwarded me to a secure Yahoo page. I\rlogged in. The service was displayed as being unavailable. I am thoroughly\rembarassed to say that as an engineer fighting against mail fraud, I\rsuccumbed to the very style of fraud in question. Only this one came in\rfrom something other than email.\r\rTuesday, while at the office I was logged off while in session on Yahoo IM.\rI logged back in. I was logged out again. By the time I got to the Web page\rto reset my password it was too late. The account password and credentials\rhad been changed. I was locked out of my account. The crux of my problem is\rI no longer have any access to \"life_magick\".\r\rMost of my mailing lists are maintained by Yahoo. Some of my financial data\rmay be accessible via this Yahoo account. I don't know for sure. Personal\rfiles are in my Yahoo account. And to make matters worse, a time critical\rproject I am working on and managing is done thru that Yahoo account. The\rproject and all access is gone.\r\rThe process as it stands is to provide Yahoo with your date of birth and\rthe current postal code on file. Then an email is generated to the end user\rwith a special link to reaccess the account. This specific fraud captured\remails and passwords and then logged on and changed the current zip code.\rThe mechanism to report this as a problem is sent to a department known as\r\"account-security\" They do not have a phone number or a live person that\rthe customer can reach. The customer fills out a form on the web, an\rautomated system generates a form letter that the user must then reply to\rwith a large array of personal information. (Sent via email without a\rsecure channel) The lynch pin of this mechanism is the exact postal code\ryou used when you initially registered with Yahoo. It doesn't matter how\rmuch information you provide, unless you provide that specific piece of\rdata... the system will continue to send the same request repeatedly.\r\rTo be completely honest. I am a software engineer. In my line of work you\rreally don't stay with a company more than two years. I have in 5 years\rmoved 4 times. I have changed addresses 5 times (I changed apartments in a\rcomplex after a promotion), to make matters worse... I have legally changed\rmy name. In retrospect, I have to admit, I have honestly no idea what I\rentered initally for zip code when I applied for the life_magick account.\rIt may have been a 5 digit or a 5 digit+zip4 with or without hyphen. It may\rhave been my work address, home address, old address. I may have put in\rsomething that was a code phrase because I didn't trust giving my zip code\rto Yahoo at the time. It could have been 02134 (The zip code of child hood\rfavourite \"Zoom\")\r\rThe unfortunate thing is that I can provide a notarized copy of my drivers\rlicense with a picture matching the profile. I can even acquire\rOMIT because I have details about the photo that can't be\racquired by most people. I can send in proof and affirmation from people\rthat for all intents and purposes, I am \"life_magick\" \r\rHowever, the basic security process only acknowledges a zip code. A piece\rof information that is not only not secure, but easily discoverable by\ranyone with simple know-how. in my case, because I didn't trust that\rinformation, the system has locked me out.\r\rSince then, I have filled out the web form. I have received countless\rautomated emails to which I have elabourated more personal data than I'm\rreally comfortable sharing with colleagues, let alone a company that is\rhard to reach. Each email has included an increasingly desparate request to\rbe contacted by a human being to offer alternate forms of proof. Each mail\rhas beeen processed and replied with a form letter than seems to ignore\reverything I've written, simply asking for the same piece of information, I\rhave to admit that I don't have. Most recently I have replied with every\rimaginable number I can come up with, but the truth of the matter is... it\rshould never have come to this.\r\rI took the next step. I tried calling Yahoo.\r\rAt first I was sent to account verification who could only take a postal\rcode and enter it into a program that would compare it with the current\rdata. This system becomes broken the moment someone changes that piece of\rdata. The hacker knew this. There is no way I can verify my account in the\rcurrent system because the hacker has put in false data.\r\r- From there I asked for a supervisor. My first foray into the phone banks of\rYahoo customer support passed me off on OMIT and\rOMIT. Both were obviously in a foreign call center (our\rcompany uses them as well) Both are well versed in voicing empty sympathy,\r(\"I really wish I could help you.\"), both made it clear that if I couldn't\rprovide a zip code I'd have to send the email. (By this point I was up to 5\rpieces of automated email)\r\rI asked OMIT for her supervisor who transfered me to\rOMIT in Canada. By this point I was prepared to ask for\reach supervisor until I could get my issue remedied. OMIT\rinformed me that these issues were handled by Account-security and that\rthey had no phone. They only have email. I had previously been told this. I\rwas seeking to push through that black box since there was no resolution\rpath. (I am an engineer, problem solving is what I do for a living)\r\rOMIT, who is a supervisor exceeded at the ability to voice\rcompassion without actually supplying any resolution. OMIT\ralso explained that her supervisor is in fact an administrator that\rwouldn't be able to understand the situation and would report it to his\rcorporate supervisor. OMIT also informed me that she had no idea who her\rsupervisor's supervisor was. For most companies, this means I hit the top\rof the outsource chain. OMIT reccommended that I call the\rcorporate number.\r\rThe corporate number had a plesant phone tree that would dotingly send me\rback down the line to customer service. I pressed zero and was greeted by\ranother female voice with a very thick Indian accent. The operator would\rnot identify herself beyond, \"Operator #5.\" I told her that I'd been sent\rto the corporate line from account-verification to ask for a number for\raccount-security. She told me that this wasn't who I wanted to talk to and\rshe'd transfer me to account-verification. I tried to explain to her that\rit was that department that sent me to her. She told me quite simply I was\rwrong. I asked for her supervisor, she refused to do so. I explained one\rmore time what the full situation was. She put me on hold. After a few\rminutes she returned to the line and reiterated that I was wrong and told\rme that she was going to transfer me to account-verification. Frustrated\rthat I was about to repeat the process that had already eaten an hour out\rof my work day I asked for the president of the company. She curtly\rinformed me that he doesn't handle customer issues and placed me on hold. I\rbelieved it was hold. Two minutes later the line disconnected.\r\rAt this point I decided that the system was broken. To gain access to an\raccount all you need is a password, a birthdate and a zip code. These are\rnot secure pieces of data. And because I couldn't provide one of these\rpieces of data, I float 2 days later still waiting for my 12th automated\rresponse from Yahoo's security department.\r\rI went to the investor page. I started using the names to call anyone who\rseemed to be high on the food chain to alert them that there is a problem\rwith this system. I don't work for Yahoo and it only took me two days to\rfind the problem.\r\rTo explain how I wound up at your desk I called corporate and punched in\rthe names of people on the investor page for executives.\rOMIT is out of the office until April 18th\rOMIT actually resolves to OMIT who has a\rfull mailbox\rOMIT resolves to a voice mail for OMIT\rwho is now working out of Santa Monica. His forwarding number in Santa\rMonica is wrong but that number gives a forwarding number to the new phone\rnumber. The operator in Santa Monica was very nice albeit unable to help.\rIt was her first day and she was having difficulty finding information.\rOMIT is not listed in the phone system at all.\rOMIT... I got a human being on the executive staff.\r\rTo reiterate, I've lost an account that has five years of collected Yahoo\rresources in it. Private files, pictures, over 200 mailing lists of which I\radministrate several.\r\rI am obviously frustrated. My lack of progress has left me with a very\runhappy taste in my mouth for the service. Now as a software engineer and\rmanger I'd rather see the system fixed than abandon the technology.\r\rSo, here is where I am. I represent one user who's taken the time to find a\rproblem and try to work with the comapny to find a solution. I can list\rcountless people who can attest to my identity. I can also list countless\rpeople who may not have the knowlege or will to get this far and have\rsimply given up on Yahoo as a product.\r\rThis is my story and situation. I hope it gets into hands that can make it\rright. I am more than willing to offer what experience and knowledge I have\rin the industry to aid Yahoo in making it right.\r\rThank you\r- -Andrei Freeman\r(Legally changed from OMIT)\r\r-----BEGIN PGP SIGNATURE-----\rVersion: PGP Desktop 9.0.0 - not licensed for commercial use: www.pgp.com\rComment: 93, 93\/93\r\riQA\/AwUBQl8HCnouKvXM\/BhwEQI\/JACeIFGhS1aXB7ItPoaYXktmtzLmQ3AAn3Ag\rnnh5fpZpSc9z+D3Z8LKUx85M\r=vIo2\r-----END PGP SIGNATURE-----\r<\/pre>\nEdit:<\/b>2005.06.16: This post was friends only. It is now public as the Yahoo situation has been remedied.<\/p>\n
Share this:<\/h3>