Personal security shenanigans

To start this off, I have to say this: I have not ordered stuff in my real name for about a year now. I have one or two shops that know my name, but the vast number of e-shops have no idea who the package is for. Where I live, it’s not illegal to put a burner card number in (many banks support this feature nowadays) and a fake name in the order. If you can have your shit sent someplace else entirely, even better, although I cannot say I’ve done this (I do not have a private P.O. box at the time of writing).

That said, my main concerns are:

  • Someone finding an old delivery address and putting my name to an address
  • Someone soliciting flyers and other useless shit after I buy something
  • Having my other personal data tied to a place of residence (phone number, e-mail, etc.)

Sure, that data can be found in registries; however, the house I live in is not a house, it’s a series of flats. Therefore, the number of residents grows by one every time I place an order.

Dropboxes make my life easy

There are shops that will pick up packages for you. E-shops cooperate with these very often, and I use these whenever possible. It’s oftentimes cheaper than “to-house” deliveries, so I save money, and I get to pick where my package arrives. Most places I pick don’t even have security cameras, so that lowers my adrenaline levels a bit (I’m a little uneasy around cameras, if that wasn’t obvious).

With these drop points, it’s great, since the only data I need to put into an order are:

  1. Place of residence - Fuck, I’ll live anywhere. Fake name generator helps with that, but who checks these things? I don’t need to pick a real address, it just needs a city, street name, and a ZIP code (postal code, for those not in the US).
  2. Name - again, Fake name generator. I often have fun with these, if I’m buying something for a friend as a gift, I can put their name on it and “mail” the thing to them with package intact. If I want to be really private, I pick some John Doe-level name. If I want to be funny, I pick a name that is fun to look at, but still regular enough that the people giving me the package will not think twice.
  3. E-mail - there are way too many temporary mail addresses to choose from. Just google for one you like, but keep in mind: Choose a good long username, since some real data will still be contained in the e-mail. You may choose to make a shopping-only e-mail address with no identifying features (literally any e-mail will work, usually deliveries send texts or call you).
  4. Phone number - You can go with +1234567890, but if you need it for communicating with the delivery service (they call you, you call them), I suggest getting either a burner SIM (cheap-ish, but physical) or a VoIP number (something like Google Voice or Twilio; I get my numbers from a local VoIP provider). $0.50 for a number is good enough, in my opinion, and I can burn or amass them.

Whatever you do, remember this: When you use a package pickup point, you need at least one of the communication methods. E-mail, phone, doesn’t matter, they will send you a text, call you, or e-mail you the pickup code. If you don’t have that, you’re shit out of luck.

Why do this?

Privacy. That’s the main bit. Even if you never touched security before, you can still practice some security habits to keep your information secure. Maybe you shop at shady sites that you don’t trust. That’s the point where a fake name and address, drop point in some other city, and a fake number that you burn after one use come in handy.

There is a second reason for my madness: I am a pentester. If I ever get thrown into a vishing call, I will not lie as convincingly unless I practice first. Getting face to face with someone and telling them your name is different may not seem like a lot, but being completely at ease with an alias can help with social engineering, since you’ll get used to not using your name. Sure, there is more to social engineering than just having a different name, but if you want to go all in, you can try to change posture, dress, give your fake persona a little more distance from the real you. Just training in these innocuous (and legal) circumstances will harden you to be more used to it. Hell, even my girlfriend started doing this from time to time! It’s fun. I always imagine myself to be agent 47 and getting some super-secret package, driving home with a cleaning run on the way, all that shit. Of course it’s not super-serious, but it doesn’t have to be. Whatever makes you smile as you walk out the door with a package for a James “My-password-is-my-middle-name” Johnson.

When can this bite back?

I would like to tell two stories where this practice has bitten me in the ass because I didn’t do my due diligence or forgot some part of the persona I was using at that time. All of these have a happy ending (I can hear you groan in discontent, don’t worry), but each presents a nice little lesson to keep in mind for the next time. If I don’t learn from my mistakes, I’m bound to repeat them.

A good post office (and a bad e-shop)

After Christmas, I wanted to buy a new motherboard for my 3D-printer. I picked a shop a friend recommended, found the part I was looking for (with WiFi and everything) and went to purchase. When I got to the “shop as guest” part of the ordering process, I noticed that unlike other shops, where first and last name are separate values, this one had just “Name”. I thought for a bit and realized that the form didn’t even look for a space in the name. So I put in some random name, let’s say Paul.

I placed my order (using an e-mail address I had access to) and selected the cheapest drop point I could. The post office. So far so good, I thought. The package was going to take a week to arrive, so I put it out of my head and waited for the e-mail to arrive. That e-mail was one I don’t own, but m4iler is the username. Keep this in mind, it will come into play later.

The week passed quite quickly, and I got my passcode and a message saying to pick up my package. I took a break from picking my nose and running network scans, went down to the post office, and walked up to the counter. The exchange went something like this:

“Hi, I have a package here. The passcode is 123456.”

The lady looked at me, typed the code into an old, beige computer and asked a question that stumped me.

“Mr. Miller, is it?”

I never used Miller as my last name anywhere, so this was a surprise. I didn’t even consider Miller to be a name I could use up until that point. I got a bit nervous. Am I going to pick up someone else’s package? That’s not what I want, I want my package, this Miller guy, whoever he is, doesn’t matter to me. I don’t want to steal from him, though!

Then I thought: The lady only knows the code, and the code ties me to the package. Nothing else. She couldn’t care less what my name is, she’s not checking me for identity, she is just being diligent and making sure whose name to look for. I gave a shrug, smiled and said:

“Could be, I’m picking it up for a friend and he’s weird.”

Self-deprecation. Works every time.

The lady just nodded, looked at me funny, and went in the back to look for my package. When she came back, she handed it to me and I walked out the door, happy that I had my package in hand. The code matched, that must be my motherboard!

Just out the door, I looked at the address. Yup, some middle-of-nowhere town, bad street name and a number that wouldn’t be there. Good. What did surprise me, though, was the name on the package. It said “Paul Miler”. One L.

What happened was that the shop picked up the order as usual, but lacking a last name (something the post usually requires), they figured that the e-mail may be my last name. So they used that. The username was m4iler, which would seem odd, to have a number in a last name. So they cut it out! That day, a Paul Miler was born in some automated delivery-shipping system. If it was done by hand, I will never know, but if you’re out there, Paul Miler thanks you. The motherboard is working fine.

Lessons learned: Always remember your fake name, be ready to improvise, but stand your ground. Blame it on the sender: they misread your name, you ordered on the phone. As Monty Python says:

It is spelled Raymond Luxury-Yacht, but is actually pronounced Throatwobbler Mangrove

The day UPS fucked up twice

This one started very similarly to the last one, but had a great big twist, courtesy of a lazy UPS driver. I put in my address (this package I wanted to pick up myself; I was too lazy to go to the post office or some tobacconist’s), e-mail, and a phone number. This number was mine, from a VoIP service, so I could get a call, go to the front door and pick my stuff up.

A few days passed, and one evening, I got a message from UPS. It said the following:

Your delivery was not completed. Please call our support line. Reason for missed delivery: Recipient not found.

I double checked the address. It matched. I checked my phone number, it worked and calls were coming through. What could have happened?

The next day (the e-mail was sent at 9PM, way past UPS bedtime), I rang the support line I found on their site.

Hello, UPS, how may I help you?
Hi, I got a missed delivery message. Could you explain what happened?

I told the guy the last 5 digits of my tracking code, and he came back with:

Yes, the driver couldn’t find your name on the doorbell. Do you have your name on the doorbell, Mr… Alfredovitch?

Damn. I picked a shitty name that time. But I had to roll with it.

No, I just moved in. Does the delivery guy not have my phone number to call me? Why didn’t they call?
I do not know, Mr Alfredovitch. I apologize for the inconvenience, the package is now in a warehouse, we will attempt delivery in the next 3-4 days, Mr Alfredovitch.
Well, I’m going away for business at that time (I was, holidays). The warehouse is close enough for me, I can drive there and pick it up!
See, Mr Alfredovitch, we would have to move the delivery from front-door delivery to a warehouse pickup, so you cannot go there today. We can have it ready for tomorrow, Mr Alfredovitch!

This Alfredovitch fellow was really starting to piss me off. The support guy really wanted to be polite, so he used psychology 101: Use the other person’s name as often as possible. Only issue, it was not my name, and while at the start it was funny, now I was starting to hate my poor name choice.

That won’t work. Do you have a drop-off point near me you could use?
Sure thing, Mr Alfredovitch! (I’m laughing, crying, and cursing in my head at this point)

After 7 more Alfredovitches and about 4 minutes of arranging, I was told my package would wait for me at a café. I know the place, I’ve been there before. Okay, let’s go pick it up!

When I got back from my holidays, filled with optimism, I walked into the café, ready to pick up my package. This time, the name Alfredovitch was burned into my brain in a way I could never have hoped to memorize.

At the café, I met the barista and announced I was picking up my package.

Okay, give me the last 5 numbers of your order.
Good. Mr Alfredovitch, is it? I’ll need to see some ID.

This hit me like a bag of bricks. What do you mean, ID? I’ve picked up dozens of packages in my time staying here, and all of them were happy with a code! Am I a joke to you? Do you expect two Alfredovitches to be in the same timezone?

Um, I don’t have one on me at the moment. Why is that needed?
To verify who you are, obviously!
I don’t have one, any other way to verify me?
You could give me your address.

I gave the man the delivery address. Not really my problem, Mr Alfredovitch doesn’t live there. Surprisingly enough, the name and order code were not enough, but add an address to it, and everything’s peachy!

I got the package, walked out of the door, and now I can only laugh about it.

Keep in mind: This barista did not do anything wrong. He kept his guard up, and wanted to make absolutely sure that no one other than Mr Alfredovitch got his package. This guy went by the book, which is good, and while I could hate on him for intruding on my private sphere, it all worked out in the end.

Lessons learned: If you order using a new delivery service, check them first on a small package you don’t mind losing if you cannot get it. Chances are you’ll get your money back, so no harm done, but this was, at least for me, a black swan event. Never happened before, never happened since. Be ready to haggle, these people don’t want to check your identity for hours when they have other business to take care of and you’re holding up the cappuccino line. They’ll help you, since that’s what humans want to do, and it’s what social engineers exploit.

In closing

Hope you got a kick out of this, and who knows, maybe you’ll start using these methods in the future as well!