Daily life

An email attack, a Hilton hack, and a few lessons learned.

I’d love to say it was a dark and stormy night, but the afternoon of August fourth started off like any other. I was busy working when I received an email on my personal email account. We’ve all gotten these sorts of emails; they say something like, “Thank you for subscribing to our newsletter, click the following link to confirm your subscription.” I didn’t recognize the name of the newsletter, so I deleted the email and decided to get back to work. A few minutes later, I got another similar email and while I thought it was a bit strange to get two Emails from newsletters I’d never heard of before, I deleted that one as well. About ten minutes later, Emails wanting me to confirm my subscription to various Email newsletters and mailing lists were coming in by the dozens and my phone was going crazy pinging me with notification after notification. I had no idea what was happening, or why it was happening, or what to really do about any of it and so I started deleting Email after Email. It soon became apparent that Emails were coming in way faster than I could delete them; I was clearly under some kind of attack, for some reason I didn’t understand.

It can be scary when this sort of thing happens, unsolicited Emails coming in like a constant flood with no end in sight. I’m generally a pretty calm person, but I was feeling an increasing sense of panic: Would I ever be able to use my Email address, the one I’ve had for over twenty years, again? Would I need to change my Email address with all my online accounts and services and if so, where would I even begin with that? After feeling completely hopeless about all this for a few minutes, I decided to become a bit more proactive. After all, this was my Email address and I was going to do whatever I could to defend it. First, I created a number of messaging rules to try and cut down on the incoming stream of messages. For those who may not be familiar, just about all Email services and applications allow users to create rules which can move or perform an action on messages based on their content or some other trigger. In my case, I created a quick rule that would filter any messages containing the words “click” or “confirm” or “subscribed” directly to my deleted items. I realized this was only a temporary fix as eventually I actually will want to subscribe to something and I’ll likely have to confirm that subscription, but for the moment, these rules had an immediate impact on cutting down the incoming flood and made me feel like I had a tiny bit of control over the situation. Between the multiple rules I created and manually deleting Email, I soon had my inbox in some semblance of order. By the end of the day, over 2000 messages were either deleted manually by me, or by the rules I created.

While most of the messages had to do with confirming my supposed subscriptions to various newsletters and mailing lists, I did also receive an Email from Hilton confirming my reservation for Friday evening. Figuring that this too was spam, and still terrified that I might need to change my Email address with hundreds of individuals and accounts, I deleted this message as well and didn’t give it another thought, that is, until I got a push notification on my phone from the Hilton app pertaining to my apparent upcoming stay. That certainly got my attention, and I opened the app to find that in fact I did have a reservation on my account for that very evening, at the Hampton Inn Birmingham/Trussville. According to the Hilton app, I, and another guest, with a name I didn’t recognize, had booked a room using my Hilton points and, to cover an additional $5 which my points apparently weren’t enough to cover, an additional credit card, also not mine. I immediately contacted the hotel directly and tried to explain the situation to one of the most unsympathetic people I’ve encountered in years. She told me that she encounters “people like me” all the time, people who come up with stories like this to try and circumvent the hotel’s last-minute cancellation/no refund policies. I explained that this was not the case here, but she had already hung up on me. I contacted Hilton’s customer service and after explaining the situation to two customer service agents, I eventually got one of them to understand that this was a fraud situation and I really needed to speak with a fraud specialist. Eventually, after explaining the situation yet again, Hilton finally opened a fraud case and told me I would hear something back in a few days. Not wanting anyone to get a free stay while the fraud stuff worked its way through the system, I again called the hotel directly and got the same unsympathetic woman as before, yay me. 😦 I let her know that a fraud case had been opened and explained that I was only calling to let her know in case someone actually tried to use the reservation. I certainly didn’t have to call the hotel a second time, I was just trying to do a good thing.

“I’ll let the front desk know,” she said before hanging up on me for the second time.

Lessons learned

From all this, I’ve learned a few lessons which I’d like to share. First, to the lady at the Birmingham/Trussville Hampton Inn, not everyone is guilty until proven innocent. Sure, maybe you do get quite a few customers trying to circumvent cancellation policies, but taking a few moments to listen to me, and to look at the way this particular fraudulent reservation was constructed, might have helped you to see that this isn’t always the case. Having never encountered a situation like this before, I really could have used your help and guidance, not your judgement. If ever I find myself in Trussville, wherever that is, I certainly know where I will not be staying.

Second, no matter how many times we hear it over and over and over again, password security really does matter. Use strong passwords always and don’t be afraid to change them from time to time. If keeping track of multiple passwords is a challenge, know that there are numerous password managers available (some free and some paid) that can help. Password managers can even help generate complex passwords for you; modern browsers even have utilities integrated to help make this task even easier. No matter what kind of password you might be able to come up with in your head, it’s probably not as good as generating unique, randomly generated passwords for each site, service, or app you use. Maybe the accessibility of various password managers might make for a good future blog post? Another good best practice is to enable 2-factor authentication wherever available. For those who have never used it, 2-factor authentication generally requires that in addition to providing your login credentials such as username and password, you must also provide a code which is sent to your mobile phone or other device. This additional code changes frequently and generally can only be used once. While this may seem annoying, the idea here is that even if a person were to obtain your username and password, such as in a data breach, they would not have physical access to the device needed to get the additional code. Ironically, I did have 2-factor authentication enabled on my Hilton account, but while it didn’t help in my specific scenario, it’s still a best practice that I highly recommend.

Third and probably most important, no matter how bad it may seem if you’re unfortunate enough to find yourself in this sort of situation, try and remember that it’s not the end of the world, as I thought it might be for a few panicky minutes. I admit, it was scary watching Email after Email come in, with no idea of why or of what I could do about any of it. And the prospect of suddenly needing to change my Email address everywhere, with no plan in place, seemed absolutely daunting. Truth is though, this all would have been incredibly doable. Annoying, yes, but still doable. One thing that I’ve started doing which others might want to do as well, is to create a list of everywhere my Email address is being used, either as my login ID, or for communication purposes. The list is definitely not complete, but it gives me a place to add to as I think of other sites and services that might have my Email address on file. My thought is that if ever I want to change my Email address, whether planned or unplanned, I’ll have an organized list from which to start.

Ultimately, I’m still not exactly sure what happened or why. If I were to hazard a guess, it would be that somehow, my Hilton password was discovered on the “Dark Web”, and to mask an attempt to use my Hilton points to conduct a fraudulent transaction, a flood of Email was generated. Whether this was the intended tactic or not, it almost worked, as had I not gotten the follow-up notification from the Hilton app on my phone, I would not have given the reservation confirmation Email another thought, figuring it was just one of many unwanted messages that flooded my inbox. This has definitely served as a reminder to me to be ever vigilant about password security, and I hope my writing this post will encourage others to do the same. Any tips or tricks you use to help with password management? Share in the comments as your solution might be the perfect solution for someone else reading this post.
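
The keyword rule described earlier in this post also matches a genuine reservation confirmation, which is exactly the kind of message such a flood can bury. As an added example, not part of the original post, here is a Python triage routine that discards rule-matching mail only while a burst is in progress and only from senders that are not on the "where is my address used" list suggested above. The domains, timestamps, thresholds and function names are all constructed assumptions.

```python
from datetime import timedelta
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

RULE_WORDS = ("click", "confirm", "subscribed")    # keywords from the post's rule
KNOWN_DOMAINS = {"hotel.example", "bank.example"}  # constructed "where my address is used" list

def sender_domain(msg):
    """Domain part of the From address, lower-cased."""
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

def matches_rule(msg):
    """True if the subject or body contains one of the rule's keywords."""
    text = f"{msg.get('Subject', '')} {msg.get_payload()}".lower()
    return any(word in text for word in RULE_WORDS)

def flood_detected(msgs, window=timedelta(minutes=10), threshold=5):
    """True if `threshold` rule-matching mails from unknown senders fall within `window`."""
    times = sorted(parsedate_to_datetime(m["Date"]) for m in msgs
                   if matches_rule(m) and sender_domain(m) not in KNOWN_DOMAINS)
    return any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1))

def triage(raw_messages):
    """Return (review, discard) subject lists; discard only during a flood."""
    msgs = [message_from_string(raw) for raw in raw_messages]
    flood = flood_detected(msgs)
    review, discard = [], []
    for m in msgs:
        noise = matches_rule(m) and sender_domain(m) not in KNOWN_DOMAINS
        (discard if flood and noise else review).append(m["Subject"])
    return review, discard

def make(minute, sender, subject, body):
    """Build one constructed RFC 5322 message for the sample below."""
    return (f"From: {sender}\nDate: 01 Jan 2024 14:{minute:02d}:00 +0000\n"
            f"Subject: {subject}\n\n{body}\n")

# Constructed sample: six sign-up confirmations, one real booking notice, one personal mail.
SAMPLE = [make(i, f"news@list{i}.example", "Confirm your subscription",
               "Click the following link to confirm.") for i in range(6)]
SAMPLE.append(make(3, "stays@hotel.example", "Your reservation is confirmed", "See you Friday."))
SAMPLE.append(make(4, "pal@mail.example", "Lunch tomorrow?", "Noon works."))

if __name__ == "__main__":
    review, discard = triage(SAMPLE)
    print("review:", review)
    print("discarded:", len(discard))
```

The From header can be forged, so a real filter should key on the sender identity the mail provider has authenticated (SPF/DKIM results) rather than on the header text alone.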

Daily life

A new day, a new week, a new job

This post is actually a few weeks in coming, but I can finally announce that I have accepted a new job, a position with HealthPartners, as their Digital Accessibility Lead. I’m really excited to have this opportunity because I feel that I can continue making a real difference in the accessibility of healthcare and based on my own past experiences, I know how incredibly important that is. I actually held this same position once before as a contractor, and so for the first time ever, I’m also a bit of a boomerang. 🙂

What I really wanted to write about today though is *why* I decided to change jobs. Indeed, my former employer offered excellent pay, fantastic benefits, and being able to work remotely — from just about anywhere in the US — was a definite plus. The thing is, I just wasn’t happy and wasn’t feeling very fulfilled on a personal level. This came to a head for me when I looked at my calendar for an upcoming two-week period and realized that it contained nothing that would bring me any kind of joy. At first, I felt guilty about feeling this way. After all, I was very fortunate to have had such a great job, was working with great colleagues, and I certainly had nothing to complain about where pay and benefits were concerned. Not being happy though is a very powerful thing and I started to realize that it was impacting my non-work life in addition to my work one. This made sense to me when I considered that I spend more time working than doing anything else in life, arguably including sleeping. I realize that work can’t always be fun and games, but upon realizing that the thing that consumes the most time in my life was no longer making me happy, I realized that it was time to make a change, even if that change could be a difficult one.

I held off publishing this post for a while because I wanted to give myself some time to evaluate whether this job change would really solve the problem of how I was feeling and I can honestly say that it has. Sure this new role will have its challenges and there will be aspects that will cause their own struggles, but isn’t that the case with every job? Ultimately though, I am happier and being happier at work means I’m happier in life. I’m finding that I’m calmer, I’m more optimistic, I feel able to more easily face challenges both professionally and personally, and I actually look forward to going to work after the weekend.

If I could say one thing to my readers based on this experience it would be to never feel guilty about how you feel. I realize that changing jobs isn’t an easy thing, and it may not even be a practical thing, but none of that invalidates whatever you may be feeling. The logistics of finding a job, interviewing, being turned down for positions, interviewing again, debating whether or not to take a pay cut — and ultimately taking one, were certainly challenges, but for me, the biggest and hardest challenge was taking that very first step and admitting to myself that I needed to make a change. The way I figure it, I can’t be authentic with the world until I’m OK being authentic with myself, and that realization alone is proof enough that I made the right decision for me.

Daily life

I had a really good day and I thought you all should know

As I think about going to bed, I just wanted to let you all know I had a really good day today. I got most of my project work done by 9 AM, I got to attend meetings that were productive, got to help others smile and laugh, got to eat some really good food, got to experience some pretty good weather, and now I get to sleep knowing that I accomplished everything today I had hoped to accomplish and more. So, why am I posting this? It seems that almost everywhere I look on social media these days, all I see are negative posts, or posts in which people are just complaining about something and so I figured that while I can’t change all of social media, I can change a small part of it, my part of it, and fill at least my small corner with some positive. Maybe I won’t be able to fill my corner with positivity tomorrow, but right now I am able to and so why not take the opportunity? And who knows, maybe someone reading this will have a similar opportunity and maybe that someone will post something positive and then there will be yet another corner of positivity on social media, can you imagine? Thank you for reading, be well, be safe, and good night.

Daily life

The surprising accessibility possibilities of mobile check deposits

Recently, I had a conversation with a blind friend of mine who finds herself in an interesting situation.  She has received paper checks, however because everything is locked down, depositing them has become a real issue.  That got me to wondering how accessible mobile check deposits might be; it seems that just about every bank offers this option, but is it an accessible one?  Thinking it over, a few possible challenges immediately came to mind:

  1. Knowing exactly where to endorse the back of the check and writing “for mobile deposit” or similar which many banks now require.
  2. Aligning the camera so that the front and back images of the check are properly captured.
  3. Knowing one way or the other that the deposit has been accepted.

While I certainly can’t test every banking app out there, I did try a test with Wells Fargo’s app and was extremely impressed.  Wells Fargo has somehow implemented camera guidance, so that VoiceOver helps the user position the camera correctly for the check image to be captured.  Even better, when everything is aligned, the photo is automatically taken and, before final submission, the user gets notified if the photos need to be re-taken because of quality or other factors.  

So, how does it work?  First, the app asked me to capture the front of the check.  I discovered that I needed to hold my phone in portrait mode (left to right) which is something I hadn’t expected.  Since a check is small, I assumed — wrongly it would seem — that the phone could be held in portrait orientation.  As I lifted my camera away from the front of the check, VoiceOver started providing me with guidance information, “move closer” “move right” “move down” and finally, the picture was taken.  The process then repeated itself to capture the image of the back of the check.  Unfortunately, the part that remained inaccessible for me was properly endorsing the back of the check and writing “For mobile deposit only” which the bank requires.  Maybe this could have been accomplished with the help of a service like Be My Eyes or Aira?  


I was surprised that the process of mobile check deposits, at least with Wells Fargo, was not as inaccessible as I feared.  Unfortunately, I tried with a few other banking apps and met with very different results.  I also did not test with Android.  In summary though, the process of mobile check deposits can be made mostly accessible as demonstrated by Wells Fargo’s app.  If you try this with your bank and meet with different results, it might be worth sending them a support message and encouraging them to further investigate the possibilities of making their process more accessible.  While the technical details surpass my development abilities, my understanding is that Apple makes various APIs available to developers who want to incorporate camera guidance in their applications.  

Has anyone else tried mobile check deposit recently?  If so, what have your experiences been?


Daily life

A blind person renting a car? Apparently, that idea isn’t as shocking as I once thought 

Recently, I traveled to New York where the plan was for me to connect with one of my colleagues and then travel to visit a client. Since we were arriving from different airports and since we would be needing a car, it made the most sense for us to meet up at the car rental counter. I was amused thinking of the reactions I would likely get from people as I, a blind guy, asked for directions to car rental. The reaction I got from one guy though really made me stop and think. He said, “oh, you must be going to rent one of those new autonomous cars, that’s got to be so neat.” To him, the idea that a blind person might be renting a vehicle wasn’t very far-fetched at all. I casually mentioned my destination to a few other people just to see what kind of reaction I might get. Strangely enough, the only somewhat negative reaction came from a woman who was all concerned that I could get hurt crossing the street which needed to be crossed in order to get to car rental. My take-away from the day? There remain people skeptical that blind people can independently cross streets, but the idea that blind people could possibly be renting cars is no longer the unbelievable concept it might once have been.