A Mysterious E-Mail
One late evening I noticed that an e-mail popped into my mailbox. It looked as if it was coming from a popular online retailer, Nile, and it stated that a package from Yellowbird Logistics was going to be sent to me.
Ordinarily, I would not have batted an eyelid. I often order something on Nile, and I get these emails each time. However, a few red flags were raised. First, I have not ordered anything for a long time. Second, I had no clue what Yellowbird Logistics was. Are they shipping me a ship or what? Thirdly, I have multiple e-mail addresses and that e-mail was sent to an address which is not associated with my Nile account. I triple-checked the email and it looked legit. It did not look like the usual kind of phishing at all. Hm… Curious.
The Plot Thickens
Despite it being pretty late, I decided to investigate the situation. First, I checked the tracking number in that email. Nile knew about it and their website helpfully showed me the town it was heading to… which was the town I lived in. OK…
Then I thought: “Who knows, perhaps I did in fact have a Nile account linked to that e-mail address, so why not try to reset the password and have a closer look”. I went to Nile, typed in the e-mail address, and clicked “forgot my password”. Nile sent me an OTP code to that e-mail address and I confirmed that. Nile was happy and asked for the second security question. It wanted me to type in my phone number, the one ending with “83”. It’s lovely, but I did not have such a phone number and never did. Nobody I know of had it either.
The intermediate conclusion is that Nile appears to know the account (as when I tried to reset the password it was not confused) but the phone number associated with the account is not mine. Someone, and I am pretty sure it was not me or someone I know, has opened an account with Nile using that unknown phone number and my e-mail address, and then ordered something. Curiously, that item is being sent to an address in my town. What are the odds?
So I call Nile support to clarify the situation. Here, you might tell me “Liar! Everyone knows Nile has no Customer Support you can call”, and you would be partially right. Nile does not want you to ever call them as that would incur costs on their side. If something goes wrong, you will have to deal with unhelpful bots. There is only one exception to this rule I know of: if you cannot log in (and hence cannot spend your hard-earned money), they do show you a phone number you can call to restore your benefit of paying one of the richest companies in the world.
Anyway… I call them and explain the situation. They ask me to confirm if I am the true owner of the e-mail address, which I do. They are satisfied and say that they do recognise the account and the fact that a shipment is about to be made. However, they need to investigate the situation. They opened an internal investigation and told me that I would be contacted in 48 hours (as I am writing, it’s three days after those events, and nobody called me back).
Of course, Nile support does not tell me who has opened the account or indeed any further details. This is understandable, however. Suppose John had an account with Nile, and James has hacked into John’s relevant e-mail account. James could then contact Nile and claim that he is John and that the account is fraudulent, or ask for information about that account. Nile cannot really disclose this information to James, even though James has proven effective control over John’s e-mail address. So in this case, Nile did the right thing.
It’s time to go to bed.
A Horse’s Head on My Porch (Figuratively)
The next day, I was waiting for a call from Nile. Instead, I got another email: “Your package has been delivered”. Shortly afterwards, I got an SMS telling me the same.
Now this is interesting. Veeery interesting. Yesterday I saw that an unknown phone number was linked to that mysterious Nile account, but now it is clear that my actual mobile number was also linked to it. How come? Or, perhaps, the SMS did not come from Nile at all, and was sent by someone entirely different? And where did the package end up?
A few possibilities spring to my mind:
- Someone has stolen a credit card, opened an account with Nile to buy something, and used a burner phone number and my e-mail address as a decoy. That’s not pleasant. But how did they manage to open an account without me seeing that? There were no e-mails about it in my mailbox. Have they managed to hack into my e-mail account and delete them? That’s unlikely. And why send something to my home town of all places?
- It is a bug. Or rather, it is a whole zoo of bugs, where my e-mail address and possibly postal address somehow got mixed up with the data of other people, resulting in the creation of a pseudoaccount along with an order and all the relevant bits. That’s a bit too much. Each individual bug is perhaps possible, but the probability of all of them hitting at the same time is negligible.
I make a phone call and am told that indeed, someone allegedly from Nile came and left a package on my porch.
Alright… Why would someone open an account on Nile with my email address and my phone number, and then deliver something to my door, likely at someone else’s expense? The previous two theories quickly transform into the other two:
- Someone bought something on Nile using a stolen card to have it delivered to me so that they could quickly snatch it when it arrives. In that case, it would look as if I bought it (both e-mail address and postal address point at me). But isn’t it a bit too elaborate for a random criminal?
- Someone wants to tap me on the shoulder and tell me: “We know your personal details, we know where you live, and here is a chopped-off head of a horse to remind you about it”. This is not totally impossible, and there are people who could have done it, but they are not that subtle, and presumably, I am not at the top of their priority list at the moment.
Unboxing the Horse’s Head
In the evening, I was told how the story unfolded.
Yes, there was a package, and yes, it was delivered by Nile. However, very fortunately, there were big letters “Rathermoist” on the package. And then it clicked. Recently, I had ordered some stuff on Rathermoist. So it must be that stuff. Yet it was delivered by Nile, and somehow a mysterious firm, Yellowbird Logistics, was involved.
The Finale
Clearly, everything was triggered by me when I bought something on Rathermoist. At that point, they had my e-mail address, my postal address, and my phone number. It appears that they had an agreement in place so that Nile was delivering the items as Rathermoist did not have the capability to deliver packages on their own and had to contract someone for that.
All of that, by itself, is all right. It’s the details that look awful.
- My personal data was passed to Nile and, most likely, to Yellowbird Logistics. I would not be surprised if it was passed to even more parties on a semi-plausible pretext.
- Nile have silently opened a Nile account linked to my e-mail address, “ordered” the item from Rathermoist on my behalf, and somehow yet another company was involved. The phone number on that fake-ish account is not mine so I cannot even close it down.
Meanwhile, I guess that Nile account is going to stay open. One day, someone might hack it and then impersonate someone. Me, most likely. How lovely. Thank you very much.
Now let’s transport ourselves from this world of madness to a world of sanity for a moment. What would the mechanism look like with Rathermoist making use of Nile’s logistics? I suppose it would have gone like this:
- They sign some papers first.
- Each time Rathermoist needs to send something to their customers, they would pass the details to Nile, and Nile would initiate the delivery.
- Presumably, the goods would be in Nile’s warehouse for efficiency. So they would pick what’s needed, and deliver it.
- Meanwhile, they will keep both Rathermoist and the end customer (me) informed about the progress of the delivery.
- At no point will the end customer be told that they are being delivered something from Yellowbird Logistics. Nile would be 100% clear that they are delivering a parcel from Rathermoist, and would mention Rathermoist’s order number as well.
- Rathermoist would meanwhile enjoy full transparency via a nice B2B application which shows them the status of every single delivery initiated by Rathermoist.
- At no point, under absolutely no circumstances, would someone in Nile be opening pseudo-accounts and confusing the living light out of people.
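
A minimal sketch of the flow listed above, added here as an illustration and not taken from any real retailer's system: delivery requests become shipment records keyed by the merchant's order number, and no login identity is created for the recipient. The `Carrier` and `Shipment` classes, their methods and the sample values are all hypothetical.

```python
from dataclasses import dataclass, field
import secrets


@dataclass
class Shipment:
    merchant: str            # who the parcel is from, shown to the recipient
    merchant_order_no: str   # the merchant's own order number
    recipient_email: str     # used for delivery notices only, never for login
    tracking_no: str
    events: list = field(default_factory=list)


class Carrier:
    """Hypothetical carrier that delivers on behalf of other merchants."""

    def __init__(self):
        self.accounts = {}    # e-mail -> consumer account the person opened
        self.shipments = {}   # tracking number -> Shipment (not an identity)
        self.outbox = []      # (recipient, message) notices, kept for inspection

    def accept_delivery(self, merchant, order_no, recipient_email):
        """Merchant-initiated delivery: creates a shipment, never an account."""
        tracking = secrets.token_hex(6)
        self.shipments[tracking] = Shipment(
            merchant, order_no, recipient_email, tracking)
        self.update(tracking, "accepted")
        return tracking

    def update(self, tracking, status):
        """Record a status change and notify the recipient."""
        s = self.shipments[tracking]
        s.events.append(status)
        # The notice names the merchant and its order number, not a subcontractor.
        self.outbox.append((
            s.recipient_email,
            f"Your {s.merchant} order {s.merchant_order_no} is {status} "
            f"(tracking {s.tracking_no})"))

    def merchant_status(self, merchant):
        """B2B view: a merchant sees only the deliveries it initiated."""
        return {s.merchant_order_no: s.events[-1]
                for s in self.shipments.values() if s.merchant == merchant}

    def password_reset_possible(self, email):
        """Reset is offered only for accounts the person opened themselves."""
        return email in self.accounts
```

Because recipient contact details live only in the shipment record, a "forgot my password" request for that e-mail address finds nothing to reset, and there is no dormant account left behind for someone to take over later.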
Alas, we live in the real world of real negligence. Inevitably, there is only one plausible explanation for the events.
Someone in Nile decided that it would be great to make a quick buck by offering their existing logistical capabilities to other businesses (a commendable goal, by the way). However, instead of doing the right thing, they thought along the lines of “Why spend time on decent B2B software and handling this business case properly if one can violate the existing flow by creating fake Nile accounts and placing orders on behalf of the customers of Rathermoist? Once an account is there and the order is sort of placed, the rest will just work.” And it did work. It worked like a plough-dragging asthmatic horse with a jet engine tied to its hind leg.
Should we be surprised? No, of course not. After all, we are talking about the same Nile that opened a network of A.I.-powered groceries where people do not even need to swipe a card — they just take what they want, and the bill comes to them a bit later. And we all know that the mighty A.I. in question was a large number of people somewhere in Asia forced to do the debilitating work of looking at oblivious people half a globe away picking produce from the shelves.
Someone once said that malice should not be attributed to things explained by incompetence. That is true. But let’s not forget about negligence and greed.