Ask HN: Why do my online accounts keep getting banned?
* Lyft. Got a generic error when requesting a ride, which told me to contact support. I contacted support and they said my account was suspended due to violation of ToS with fradulent activity. I asked exactly what they think I did to violate ToS and they would not tell me. I've taken hundreds of 5-star rides, never comitted any fraud, I don't drive for Lyft or even know anyone who does. To this day I still don't know what I did "wrong."
* Instagram. Signed up for an account a couple years ago. Followed some celebrities and friends. A week later when I try to login, it errors saying my account has been suspended with no reason and recourse for recovery. I made another account. Banned again after a couple of days. Now, whenever I try to make a new account, the SMS verification never passes. It is like they have blacklisted my IP address.
* Letgo. It's like Craiglist. I moved within San Francisco a few years ago and signed up for an account to get rid of some furniture that I would not be taking with me. Within a few days I couldn't login and support told me my account was banned due to fradulent activity. All I did was create a listing for a couch with some pictures! I hadn't even gotten responses to the post.
* Google. I tried logging in to an old account associated with some domains in Webmaster Tools. That's all I use this account for and I haven't logged in in years. I enter in the right password and am greeted with "You’re trying to sign in on a device Google doesn’t recognize, and we don’t have enough information to verify that it’s you. For your protection, you can’t sign in here right now. Try again from a device or location where you’ve signed in before.". What am I supposed to do here? Last I used this account has at an old address (different IP) and on a computer that has since been retired (motherboard swapped out, OS reinstalled).
* Twitter. I created an account several years ago. After a week when I logged in it said my account was restricted and asked me to enter a phone number for SMS verification. I complied, and even after entering the correct code, it errored saying it cannot verify my identity. Haven't used Twitter since.
* Fidelity. This morning I tried to log in to my investment account and it says my account has been blocked "for security reasons" with no other information or explanation. It says I have to call Fidelity. Over the phone they asked me to supply a ton of documents over fax for identity verification and a record of all the devices I've ever used to sign into Fidelity. They won't even tell me why my account was blocked in the first place.
This is endlessly frustrating. There must be something unique about either me or my devices. I have a regular residental ISP in San Francisco, I'm not using Tor or VPNs, I use a vanilla Mac with Firefox. I use an adblocker (uBlock) but so does everyone else. I have a bog-standard Samsung phone running bog-standard unmodified Android.
Does HN know why my accounts keep getting banned? Especially for those who work on identity/trust and safety teams in Silicon Valley who have inside knowledge of how this works.
219 comments
[ 1.7 ms ] story [ 263 ms ] threadDoes your email show up on haveibeenpwned?
The only thing I can think about, are bots doing credential stuffing and successfully inputting your password
I had a friend who's home IP address was listed in a different country from where he actually was. This often tripped anti fraud detections if he used the same account on his phone (other IP address) and his home PC at the same time.
- check your credit report for any suspicious activity
- if you are tmobile client(or network that uses tmobile underneath), check to see if your SSN and DL was leaked last year
(Didn't link the service directly for self-verification from a trusted name)
My only thought would be that your card is on the darkweb and these services are seeing it tested using their systems, blacklisting it and related accounts
Pure guess though, I can’t think of much more that would affect you across services like that
I had an email *junk*@gmail and it was sometimes flagged.
Make sure you are using MFA for any account which allows this. Don't re-use passwords, get a password manager like 1password or bit warden.
When you sign up for a service, access it from Google, not by typing the address directly.
I used the same as you do and would often get my accounts blocked. I suspect the absence of cookies offered by Firefox containers is suspect as well. Now I make sure to create accounts on these big platforms using a "normalized" setup and encounter far less issues.
- Look if you have some other location for sign-in. https://myaccount.google.com/permissions
- Likely some IoT or another device is making your house spammy.
[0] https://news.ycombinator.com/newsguidelines.html
With something this persistent I'd also be open the possibility someone in your life is hacking you (room-mate, colleague, someone left alone with your tech) or maybe a very specific app you install on everything is compromised.
I'd get rid of most the hardware you own and start a new digital life from a coffee-shop nearby.
Too full to reply in depth, though ; Privacy should not be so hard.
Fin.
Fidelity might turn up something about identity theft, or credit reports, or red flags, or similar. If so, you can handle these. If not, then ask a private investigator for help; a good PI has research tools to find problems then help you fix them.
I would go after the most important accounts on the real government based Justice system (and forget about any non-important one). But I'm not from the US and I don't know how binding are those agreements that you won't seek the Judiciary. (Anyway, arbitrage should be fair enough to let your point through, but I don't know how accessible it is.)
Anything that will help you prove: a) you are who you say you are and b) this is your account will be useful.
And if you're physically in their office, they can and will follow the backchannels to get a better result faster than you can over the phone.
Go to this tool and check to see if your name is coming up with any returns.
These scenarios always result from watering down actual security.
One time the manager pointed at me and said with a smile, "You're trouble."
There was a (presumed dead) Canadian terrorist with my name.
This is exceedingly dumb if true. Numerical adjacency of SSNs is completely meaningless.
(The above is a joke, I'm guessing US government systems can't handle non-ASCII characters, and a German named Müller would have to be Mueller or Muller)
I don't have a particularly common name but when I google it I share it with an English football player and someone from South Africa who has been convicted of real estate fraud.
I've never been to South Africa but I have worked for a real estate portal, and it's on my LinkedIn (which I barely use, but still). I can see how someone outside would not be able to separate the two.
It kinda makes one wonder if anyone getting into a bit of terrorism for a hobby wouldn't do well to change their name to that of someone in the US congress first: no way that name would stay on a blacklist for long.
It wouldn't shock me if even changing your name didn't do it, the name change records are surely data available to the algorithms.
OP, you should buy an Equifax or Experian credit package immediately, review every account, and put a freeze on your credit report. This will be the best twenty bucks spent in your situation.
They refused to give me any clue how to address their concerns, so I just moved my accounts — all of them — to another bank. But that was mostly out of spite, not because I believe the new bank doesn’t have equally troublesome possibilities.
BTW, I have got to be about the least risky imaginable person to open an account for.
Try creating a new email, and do not give anyone that email, keep it secret. Use this email to sign up for all new accounts. It will be a laborious process, but it's worth a try. If you want to be super paranoid rule out remote access to your devices or computers too -- get a new phone and do everything on there.
https://sneak.berlin/20201029/stop-emailing-like-a-rube/
I know it. You're using Protonmail in the post.
But overall you're a Fastmail user. So why recommending Protonmail and using Fastmail?
Personally, I chose Fastmail over Protonmail for features and pricing. I didn't need the PM->PM encryption that Protonmail offers, at least not for my primary email. Fastmail was more feature-rich everywhere else.
1. Register domain name (Namecheap, Route53, Google Domains, etc.)
2. Sign up for Fastmail, choose at least "Standard" plan to support custom domain. Sign up with <yourdesiredname>@<yourdomain>. This will more or less serve as your "main" email. I use <firstname>@<domain>
3. In Fastmail settings, add your domain. Fastmail will guide you through the MX and TXT records that need to be added and how to do it.
4. (This may be done by default in Fastmail): Set up an "Alias" to configure *@<domain> to deliver to your email.
5. Start changing your accounts to whateveryouwant@<domain>
The "to" field of any received email will always show what is being sent to, even in third party clients. You can then also configure rules and filters based on the "to" field.
In the Fastmail clients (web and mobile), you can also reply from the same address that an email was sent to. In IMAP clients, it'll reply from your actual registered address (such as <firstname>@<domain>)
Maybe also try checking your IP against various geolocation sites, just in case one is returning something wrong, or searching for it - see if it pops up on any sites as 'bad'
When was the last time you updated your router firmware or changed your wifi password?
Is it possible your name or email address could be getting caught up in filters as a bad word or associated with something these businesses are against?
It seems very odd that this keeps happening over years, I'm really curious if some people from the companies mentioned will read this, and figure out what they have in common.
Is your email or phone number used for anything besides personal activities? If your "work" is polluting your email, it may be getting caught on that.
You could try a new email that you never access from your phone, but if it is your phone number that is triggering it, that may not help.
The SMS never arriving is suspicious - are you on a major provider with a normal US phone number, or is it some other setup?