Ask HN: Why do my online accounts keep getting banned?

265 points by lopkeny12ko ↗ HN
Hi HN. I am at my wit's end so I'm asking here. In the last few years, nearly half of all my online accounts for a variety of different services have been either restricted or banned for no reason. I have no idea what I could possibly be doing "wrong" here so I'm asking HN for help.

* Lyft. Got a generic error when requesting a ride, which told me to contact support. I contacted support and they said my account was suspended due to violation of ToS with fradulent activity. I asked exactly what they think I did to violate ToS and they would not tell me. I've taken hundreds of 5-star rides, never comitted any fraud, I don't drive for Lyft or even know anyone who does. To this day I still don't know what I did "wrong."

* Instagram. Signed up for an account a couple years ago. Followed some celebrities and friends. A week later when I try to login, it errors saying my account has been suspended with no reason and recourse for recovery. I made another account. Banned again after a couple of days. Now, whenever I try to make a new account, the SMS verification never passes. It is like they have blacklisted my IP address.

* Letgo. It's like Craiglist. I moved within San Francisco a few years ago and signed up for an account to get rid of some furniture that I would not be taking with me. Within a few days I couldn't login and support told me my account was banned due to fradulent activity. All I did was create a listing for a couch with some pictures! I hadn't even gotten responses to the post.

* Google. I tried logging in to an old account associated with some domains in Webmaster Tools. That's all I use this account for and I haven't logged in in years. I enter in the right password and am greeted with "You’re trying to sign in on a device Google doesn’t recognize, and we don’t have enough information to verify that it’s you. For your protection, you can’t sign in here right now. Try again from a device or location where you’ve signed in before.". What am I supposed to do here? Last I used this account has at an old address (different IP) and on a computer that has since been retired (motherboard swapped out, OS reinstalled).

* Twitter. I created an account several years ago. After a week when I logged in it said my account was restricted and asked me to enter a phone number for SMS verification. I complied, and even after entering the correct code, it errored saying it cannot verify my identity. Haven't used Twitter since.

* Fidelity. This morning I tried to log in to my investment account and it says my account has been blocked "for security reasons" with no other information or explanation. It says I have to call Fidelity. Over the phone they asked me to supply a ton of documents over fax for identity verification and a record of all the devices I've ever used to sign into Fidelity. They won't even tell me why my account was blocked in the first place.

This is endlessly frustrating. There must be something unique about either me or my devices. I have a regular residental ISP in San Francisco, I'm not using Tor or VPNs, I use a vanilla Mac with Firefox. I use an adblocker (uBlock) but so does everyone else. I have a bog-standard Samsung phone running bog-standard unmodified Android.

Does HN know why my accounts keep getting banned? Especially for those who work on identity/trust and safety teams in Silicon Valley who have inside knowledge of how this works.

219 comments

[ 1.7 ms ] story [ 263 ms ] thread
How often do you change your password? Do you share passwords across services?

Does your email show up on haveibeenpwned?

The only thing I can think about, are bots doing credential stuffing and successfully inputting your password

Check your IP geolocation, there might be an error in the geolocation database.
This is a good tip.

I had a friend who's home IP address was listed in a different country from where he actually was. This often tripped anti fraud detections if he used the same account on his phone (other IP address) and his home PC at the same time.

Someone might have access to your emails and is committing fraud on your accounts.
Or access to their wifi, and committing abuses via OP's IP.
Sounds like your phone number is probably banned and someone in the past with that phone number had abused it for spam or something.
Are you a Russian oligarch? Jokes aside. What are ISP are you using for internet? No nord vpn right?
Fidelity is the worrisome one. Someone could be impersonating you.

- check your credit report for any suspicious activity

- if you are tmobile client(or network that uses tmobile underneath), check to see if your SSN and DL was leaked last year

Assuming you haven't done anything else my guess will be something like having an IP/phone number that has been blacklisted because of a prior owner, having your personal details used by a scammer (e.g. if you've had your ID lost and then returned), you accidentally share the details with a scammer or something in that vein.
I think this is likely the issue. If so you are not being given a reason because when you are rejected by certain kinds of compliance rules (e.g. anti money laundering) it is illegal (in many jurisdictions) for them to tell you that.
Few providers will tell you why you are blocked even if it is legal to do so, because that effectively constitutes evasion instructions for scammers.
Fidelity is the one that stands out to me though. They'll have compliance obligations to answer some kinds of questions and not others (again, details depending on jurisdiction). And they'll mostly be worried about different kinds of scams from those that concern Twitter and Instagram.
This is good insight. As another commenter pointed out the common thing among all of these accounts is that I've supplied my mobile number. Any way to check if my phone number is in some kind of shared spam/scam database?
(comment deleted)
Tried just simply googling it (use several variations of the number format)? There's many online databases of bad phone numbers which usually all show up on regular search engines with a separate page for each number. I usually add the numbers of scammers that call me to these services out of frustration.
Assuming all scam phone numbers are spoofed, isn't this putting innocent people in "digital jail"?
I don’t think a phone number being associated with spam calling would be enough for Fidelity to black-list you but I suppose if they’re only blocking your online login (and not your transactions) it could be a possibility. You could get a pre-paid sim card/phone number and try signing up for Uber and Instagram with your same address, email, credit card details, etc. and see if your account gets blocked.
Do you have apps from these companies installed on your phone? Your phone's unique identifier (plus maybe associated account information like name/email/phone number/etc) might be flagged on some database used by all these apps - perhaps Sift Science?
Do you use the exact same email address across all these services? Try it with unique addresses (e.g. lopkeny12ko+lyft@gmail.com) for each... or instead of 'lyft' something harder to guess. Maybe someone is messing with you and this would make it more difficult/impossible.
Your name might be on a shared corporate or government blacklist?
If figuring out why your banned accounts are getting banned isn’t fruitful, you could take a look at the accounts that haven’t been banned yet and see if there is anything suspicious on them. Spam, weird login sessions, unknown IPs; asking site owners could work as well (eg you could ask hn@ycombinator whether there is anything weird about your account).
Are you repeating your passwords? Are they getting hacked from obscure locations. Do you use password manager? Is your email very specifically suspicious - I don’t know some keyword triggering these. Do you have any accounts that aren’t banned? - just a lurker here. Not industry insider.
Is it possible your card infos have been leaked anywhere?

My only thought would be that your card is on the darkweb and these services are seeing it tested using their systems, blacklisting it and related accounts

Pure guess though, I can’t think of much more that would affect you across services like that

If you're using the same email address across all these, it might be something in the email address that's setting these off. Companies do periodically scan email addresses to remove accounts they think are malicious or do not represent an active user.

I had an email *junk*@gmail and it was sometimes flagged.

Almost sounds like your email is compromised. Change password if you haven't done that in a while. You should also check the last account activity (gmail: https://support.google.com/mail/answer/45938?hl=en)

Make sure you are using MFA for any account which allows this. Don't re-use passwords, get a password manager like 1password or bit warden.

also: do you have any browser extensions installed? They can leak all sorts of info, including passwords.
I have uBlock, Facebook Container (from Mozilla), React devtools, Redux devtools.
Try using a more common browser (Chrome, Edge, Safari) and see if that changes anything.

When you sign up for a service, access it from Google, not by typing the address directly.

I used the same as you do and would often get my accounts blocked. I suspect the absence of cookies offered by Firefox containers is suspect as well. Now I make sure to create accounts on these big platforms using a "normalized" setup and encounter far less issues.

I do use a password manager with a unique generated password for all my online accounts. I've checked my Gmail and Google account activity and everything looks ok. I do have Yubikey for Google MFA which I've been using for several years.
You dont have any forwarding rule or app token which is comprimised, right ?
You’ve got to think what could possibly link all of the accounts. E-mail, phone number, or name. That’s it. I suggest you change all three.
How can he check his account activity if Google won't log him in?
Well, he's clearly signing up for new services (which all require email verification) so he has another email account.
Not sure how that helps with the original account, though.
Presumably OP user would be content with entering a future world where he is no longer banned on new accounts.
It just seems like a chicken and egg thing. How can you identify activity that led to account bans on a new account that hasn't been banned yet?
Or maybe a Tor exit node running on his IP address?
Make sure you don't have any unwanted forwarding rules or alternate security helpers.
Or a device in their lan is compromised.
This was my first instinctive reason to look for. If fraud is beeing reported across couple of services, something could be poisoning traffic comming out of the OP’s appartment, rendering his public IP ill.
Because someone is most likely using your dynamic IP address, aka the ISP you are on is possibly hosting a TOR node or perhaps spammers using your IP. I'd contact your ISP.
Did you do all this from the same phones/computers? My guess is you've got a persistent virus that's dedicated to staying with you whilst waiting for a big payoff or just proxying crap through your devices.

With something this persistent I'd also be open the possibility someone in your life is hacking you (room-mate, colleague, someone left alone with your tech) or maybe a very specific app you install on everything is compromised.

I'd get rid of most the hardware you own and start a new digital life from a coffee-shop nearby.

Start with a new phone you paid cash for and a new SIM. Do that once you move, don't bring your old phone to your new pad for the first few weeks.
What.. that sounds a little bit over the top lol
Yeah but no.

Too full to reply in depth, though ; Privacy should not be so hard.

Fin.

It’s not hard, just don’t send your data to other people.
With fresh VPN account for good measure.
Fidelity is the one to focus on immediately because it's the most serious-- by far-- and they have walk-in locations where a real account rep can help you. The downtown SF location near Market & 2nd has excellent staff in my experience.

Fidelity might turn up something about identity theft, or credit reports, or red flags, or similar. If so, you can handle these. If not, then ask a private investigator for help; a good PI has research tools to find problems then help you fix them.

It's really insane if you need to hire a PI to find out what you did wrong.
To find out what people think you did wrong
Privatized justice is great, isn't it?

I would go after the most important accounts on the real government based Justice system (and forget about any non-important one). But I'm not from the US and I don't know how binding are those agreements that you won't seek the Judiciary. (Anyway, arbitrage should be fair enough to let your point through, but I don't know how accessible it is.)

Agreed, this is the most important. And go ahead and bring key documents - driver license, passport, lease/rental agreements, last year's taxes, a previous statement you have from them, whatever.

Anything that will help you prove: a) you are who you say you are and b) this is your account will be useful.

And if you're physically in their office, they can and will follow the backchannels to get a better result faster than you can over the phone.

Agree with the other comments here and would like to add that the OP may have the same name as a person on one of those government lists like OFAC and are getting identity confused with a "known terrorist". US Gov requires certain companies to check the list before doing business with people.
I can confirm I had issues flying for about the first four years post 9-11. The first flight I took, there was kind of a panic and security showed up. Every time I flew, there was always some kind of issue and a call for assist, though each time it got less and less of a panic. One time the desk attendant lamented, “more and more of these every day”. I asked why this keeps happening. He said my name or ssn was close enough to someone on the govt watch list that I was effectively on the list.
I had the same issue post 9/11 for a few years. I was unable to check-in to flights or receive boarding passes. I had to get a "gate pass" from a baggage agent to go through security and then check-in with the gate agent to be assigned a boarding ticket. This also applied on every connection and they required identification and occasionally additional questions each time.
Exact same for me for about four or five years post. I eventually came across my (extremely normal) name in an article about common names that were on the watch list and causing issues for many Americans. Even members of Congress were caught by it. Unfortunately, that article came out a few years of no airline agent being able to tell be why I couldn’t check in for my flight. They were cagey every time I asked.
One of the gate agents told me I must share a name with someone on a terrorist watch list early on. I have a common name as well so I figured that was it. Most gate agents thought nothing of it but being unable to get a seat assignment until near boarding meant I was stuck in the middle a lot. Several were awesome and took pity by upgrading me, but a few power tripping ones treated it like an interrogation. I can easily see how much worse it was for those with Middle Eastern names or appearance.
We need to remember this every time some politician says "if you're on the terrorist watch list, you shouldn't be able to..."
Or just better fund actual security.

These scenarios always result from watering down actual security.

I'm pretty sure I run into this any time I fly internationally. Our group always gets held up, a manager gets called, and we're approved.

One time the manager pointed at me and said with a smile, "You're trouble."

There was a (presumed dead) Canadian terrorist with my name.

> ssn was close enough to someone on the govt watch list that I was effectively on the list

This is exceedingly dumb if true. Numerical adjacency of SSNs is completely meaningless.

Yes, but if I was looking to make a fake identity, I would steal a real one and fudge something like the SSN plus or minus one on a random digit. Then you can blame the mismatch on their people making a typo, and they would be less likely to look closer at my forged SSN card/Passport/Drivers License.
Okay but the issue here is SSNs close to one that's already flagged also get flagged apparently. If you know your social is flagged and are giving a fake one why would you make it anything remotely similar to your own already flagged one?
It’s what I remember the desk agent telling me. Who knows how much that person knew about the system (and even if my memory is 100% accurate).
I guess Elon Musk had the right idea giving his kid a non-alphabetic name.. less chances of this stupidity to affect them.

(The above is a joke, I'm guessing US government systems can't handle non-ASCII characters, and a German named Müller would have to be Mueller or Muller)

It's definitely not a terrible idea to have a unique(ish) name. Your name is somewhat like your username for non digital things, or at least part of your username.

I don't have a particularly common name but when I google it I share it with an English football player and someone from South Africa who has been convicted of real estate fraud.

I've never been to South Africa but I have worked for a real estate portal, and it's on my LinkedIn (which I barely use, but still). I can see how someone outside would not be able to separate the two.

Or the opposite, I imagine a name like "John Smith" couldn't have this issue because there would be so many matches.
I had issues travelling a few years ago, nothing serious just lots of back-to-back secondary screening. I contacted DHS and was notified weeks later my case had been reviewed. They never explained what happened but the screenings stopped.
Ouch. I can't think of any other plausible explanation. If so, is that a problem that can actually be fixed except by changing your name? They're not going to strike the name from the list (and all its copies) just because it's a nuisance to someone.

It kinda makes one wonder if anyone getting into a bit of terrorism for a hobby wouldn't do well to change their name to that of someone in the US congress first: no way that name would stay on a blacklist for long.

> If so, is that a problem that can actually be fixed except by changing your name?

It wouldn't shock me if even changing your name didn't do it, the name change records are surely data available to the algorithms.

Agree that Fidelity is the most serious but they cannot help OP anymore. OP's situation sounds like his/her SSN and CC is circulating on the dark web forums.

OP, you should buy an Equifax or Experian credit package immediately, review every account, and put a freeze on your credit report. This will be the best twenty bucks spent in your situation.

Shouldn’t requesting the free credit report from each bureau be the first step before going to the paid one?
Absolutely - don't use the paid one ever, that's basically submitting to their protection racket. It's a problem they created in the first place.
You can check your credit for free, and the freezes are also free.
Instagram and Google would not even have their SSN or credit card number (if OP is being honest about how little they used those accounts), so I don't see how you can conclude that one of those is the factor...
(comment deleted)
Instagram, Google and Twitter probably have a different cause. Everyone gets accounts disabled on these services, if one doesn't use them often.
It can feel like you're being attacked with a list like this, but it's highly likely the tech items are just coincidence.
the google one is normal if you haven't logged in in years, especially if you're in a different place now. Google is perfectly happy to lock people out of their accounts with the correct password
What kinds of non-public research tools do PIs have access to?
Also set up 2fa on your fidelity account. Don’t use SMS, use their app.
Don’t expect too much from the personal approach. I had a similar problem with Bank of America where they wouldn’t open a business account for me because the risk management department vetoed it. Visiting the local branch didn’t help: the local staff was friendly and tried to assist, but were equally stonewalled by the home office.

They refused to give me any clue how to address their concerns, so I just moved my accounts — all of them — to another bank. But that was mostly out of spite, not because I believe the new bank doesn’t have equally troublesome possibilities.

BTW, I have got to be about the least risky imaginable person to open an account for.

I don't know about Fidelity specifically, but it seems like these days, most of the staff at the in-person bank offices don't do anything but guide you through the same web forms you could fill out yourself.
My first thought is that you have an enemy who is messing with your online accounts.

Try creating a new email, and do not give anyone that email, keep it secret. Use this email to sign up for all new accounts. It will be a laborious process, but it's worth a try. If you want to be super paranoid rule out remote access to your devices or computers too -- get a new phone and do everything on there.

Even better, while you're making a new email, get a domain name and attach it to a service like Fastmail. Create a wildcard rule to forward anything @yourdomain.com to you, and start changing services to be facebook@yourdomain.com, fidelity@yourdomain.com, etc.
That's an intriguing idea. Do you think you could go into a little bit more detail on how to do that?
I wrote a blog post with step by step instructions:

https://sneak.berlin/20201029/stop-emailing-like-a-rube/

Thanks. Nice title by the way.
Hi,

I know it. You're using Protonmail in the post.

But overall you're a Fastmail user. So why recommending Protonmail and using Fastmail?

You may be confusing the person you're replying to with me, who initially recommended Fastmail.

Personally, I chose Fastmail over Protonmail for features and pricing. I didn't need the PM->PM encryption that Protonmail offers, at least not for my primary email. Fastmail was more feature-rich everywhere else.

Someone else answered with their blog post, but I'll go into high level:

1. Register domain name (Namecheap, Route53, Google Domains, etc.)

2. Sign up for Fastmail, choose at least "Standard" plan to support custom domain. Sign up with <yourdesiredname>@<yourdomain>. This will more or less serve as your "main" email. I use <firstname>@<domain>

3. In Fastmail settings, add your domain. Fastmail will guide you through the MX and TXT records that need to be added and how to do it.

4. (This may be done by default in Fastmail): Set up an "Alias" to configure *@<domain> to deliver to your email.

5. Start changing your accounts to whateveryouwant@<domain>

The "to" field of any received email will always show what is being sent to, even in third party clients. You can then also configure rules and filters based on the "to" field.

In the Fastmail clients (web and mobile), you can also reply from the same address that an email was sent to. In IMAP clients, it'll reply from your actual registered address (such as <firstname>@<domain>)

How many times have you issued chargebacks on your credit cards?
There are various sites that can check if your IP address is on any blacklists, might be worth a look.
You could try checking on https://haveibeenpwned.com/ if anything appears in there - or maybe just google for you email / phone number and see if it pops up anywhere?

Maybe also try checking your IP against various geolocation sites, just in case one is returning something wrong, or searching for it - see if it pops up on any sites as 'bad'

Maybe there is something/someone doing something bad on your network, and every time one of your accounts logs in from the same IP they get associated with your phone number,browser fingerprint, and whatever other identifiable info they have about you.

When was the last time you updated your router firmware or changed your wifi password?

Is it possible your name or email address could be getting caught up in filters as a bad word or associated with something these businesses are against?

It seems very odd that this keeps happening over years, I'm really curious if some people from the companies mentioned will read this, and figure out what they have in common.

Something common is affecting it - do you use your own domain for email? Is anything associated with that domain pointing at a "spammy" or "scammy" site? Switch to a provider like gmail perhaps?

Is your email or phone number used for anything besides personal activities? If your "work" is polluting your email, it may be getting caught on that.

You could try a new email that you never access from your phone, but if it is your phone number that is triggering it, that may not help.

The SMS never arriving is suspicious - are you on a major provider with a normal US phone number, or is it some other setup?