Last week we learned that one of our female classmates was being stalked. (The stalking preceded this classmate joining our site.) My classmate reported that the stalker bragged to her he had joined the site by hijacking a name. Prior to getting notice of the problem, we had not made identity verification a step in registering to the site.

After learning of the situation, I promptly a) identified what I concluded to be the hijacked name, b) changed the site preference setting to require the identity be confirmed, and c) placed a notice of the new policy on the homepage. I then confirmed my conclusion regarding the hijacked name. I removed the hijacked name and then reentered his information.

This afternoon we received notice that a woman "joined" our site. The notice included the first, maiden and married names of the “member” and a changed email address. I did some half-ass verification and approved the new member. I then wrote “her” an email that bounced. I then called the woman whose name I believed was hijacked. She confirmed she hadn’t joined the site. I then deleted the name from the class roster, following which I replaced her name on the class list. I am pretty sure the same person who hijacked a name last week is the same person who tried to hijack a name today.

With that as a background, I have a couple of questions. First, if I do not accept someone’s registration attempt, what needs to happen so the real person can register at a later time? Do I have to delete/replace the person’s name?

Does Class Creator wait until the registration is accepted before sending the opt-in email? In the situation today, the hijacked name was a site member for about an hour. Had Class Creator sent an opt-in email? Did it bounce?

If an opt-in email bounces, does Class Creator let the administrator know beyond the notification of bounced emails that appears on the homepage?

What techniques do administrators use to identify/verify hijacked names?

Barry Levinsky

1) In the verification area of the profile you are given a chance to delete the false registrant and reset the account. Name stays on list awaiting real classmate.

2) Yes we send the opt in email prior to verification. Most of the time it's the real person joining so we do want that email to go out immediately. Even if it's a hijacker, all the hijacker is doing is confirming they have access to some email box. This has nothing to do with the verification process though and isn't an issue.

3) The person might have been a member, but they were an unverified member. I.E. they couldn't see any private info (just what the public can see) and couldn't do much of anything else either. Non verified classmates can do virtually nothing. Same answer as #2 on the opt in email. Yes it was sent, but if a hijacker verifies they have access to some email box, doesn't have anything to do with the verification process.

4) If the opt in email sent to the hijacker bounced you would have received a bounceback notice.

5) You can see bounced email notices on your home page as you stated, as well as in the Email the Class area.

6) The surest way is to call the person on the telephone. Some admins send an email with a question or two. Some admins just look at the profile and go "Yep, this has got to be real" and approve it. If somebody is telling school stories that ring real, posting pictures or videos that look real, that's usually enough for most admins to click the approve button.

Thanks for the info and the follow-up details. Security of our info and site is "Job 1" for all admins.

We do likewise. We don't ever want our classmates to feel their security/privacy has been compromised.
JohnL

Along similar lines, when we have someone claiming to be a 'class member' wanting to join, but did not graduate, we ask a few 'leading questions' of the person wanting to join.
This does NOT prevent a class member from joining as another classmate d posing as them, [they would know the answers to the questions], but it is another 'layer of protection' that we can use.

Sad state of affairs that we have to take these measures, isn't it?

Hey Barry,
We had a problem with profile hi-jacking when we first launched our site in 2009. We were not verifying new members and an impostor assumed the name of a classmate and started sending spam notices to our membership.
We deleted the classmates profile, set it back up, and started verifying new members. In our join page we instruct new members to include contact information, address, and phone number. We further let them know that they can "hide" that information in their profile setup. If they don't include the information, we send them a stock letter that we can not activate their profile until they do so.
Since 2009 we have not had another occurrence (knocking on wood here!).

One of the questions I ask is where did they live when they went to our school. I have all our classmates names & address in Book that was provided to everyone at the school during there time there. Also I will ask several classmates if they remember the individual. Simple questions will catch someone up,