OPSEC: Using a fake name for a dark web marketplace purchase

Someone claiming to be an attorney gave an OPSEC lesson about using a fake name for snail mail delivery of a dark web marketplace purchase

Have you ever wanted to order something online, perhaps from a dark web marketplace, but didn’t want to give your real name? Someone claiming to be an attorney addressed the subject during an OPSEC discussion on Reddit’s DarkNetMarkets.

A computer science professor of mine once advised the class to never use your real name online. He wasn’t suggesting we go all out with fake names, but to continually tweak your "real" name such as changing the spelling, shortening it, using nicknames, adding A through Z as a middle initial, etc. That way you see who is tracking you and who is selling your information. If Joey Z Doe gets snail mail or email after registering to purchase something from an online marketplace, then you know that site is selling your information. If you get too wild with the naming convention, then the transaction cannot go through a traditional credit card payment, since it’s too far from a match.

+ Also on Network World: Merchants, buyers on dark web get their own search engine +

Those stakes are low when compared to possibly being busted when an illegal substance is mailed to your house. The dark web attorney was specifically talking about “the real deal on fake names” such as using a fake name for the snail mail delivery address after making a dark web marketplace purchase. If a vendor does require a real name, then he said to either provide it or find a different vendor.

The United States Postal Service (USPS) does reportedly conduct mass surveillance, but the alleged attorney said it was a myth that the USPS has a database that contains the names of people who live at specific addresses and that using a fake name will trigger a “red flag.”

Down in the comments, a person claiming to have been a former carrier said the database is real enough, yet it is rarely used. Most carriers will attempt to deliver to an address regardless of the name used for that address. Possible exceptions are apartment complexes and P.O. boxes where the name doesn’t match. That person’s advice is to never use a fake name because “chances are good it will not be delivered.”

The lawyer claimed that an actual red flag would be doing something exceedingly silly such as checking your tracking number via TOR or your home computer.

“If you must do it, use public Wi-Fi,” he said. “The USPS is aware of TOR.”

The attorney said a name isn’t even required for a snail mail address, but even if a vendor would permit that, the mail might stand out and the package might be held. Depending upon what is in that package, a person could practically die of paranoia if their package is held at a Post Office. But a held package doesn’t foreshadow the end is near, as it likely didn’t fit in the mailbox. If you go to retrieve it at the Post Office, and you used a fake name, then it won’t match the Notice Left card.

If the package would have fit in your mailbox, but the delivery person is requiring you to answer the door to receive it, then you might consider panicking. Nine times out of 10, that means it is a controlled delivery. The lawyer said, “Don’t accept it.”

He also advised against using the name of a previous resident or a vacant address.

Don’t worry about a signature, as only a severely confused vendor would attempt to send a package that required a signature. Depending upon what you ordered, signing could be beyond stupid.

If for some reason a delivery person won’t deliver the package and instead leaves a notice about a package being held at the Post Office, and you don’t want to go get it for whatever reason—paranoia or you used a fake name—then it will be returned to the sender.

The attorney wrote:

Usually, the sender address doesn't exist or if it does, it's some random place. This may result in the drugs being discovered. While this is certainly nerve-wracking for you and for the vendor, the reality is that a vendor's OPSEC should protect against harm coming to them. After all, if you are a vendor, and LE orders one of your packs, they will have your fake return address anyway. If this could compromise you, then your OPSEC sucks and it's only a matter of time before you get busted. From the buyer's perspective, you used a fake name so you have excellent plausible deniability. As far as law enforcement is concerned, someone could have been using your address as a drop.

Not everyone agrees with the alleged attorney, who concluded:

A fake name is generally okay to use. If the package gets held because it's too big to fit in your mailbox, you have a way to let the post office drop it off at your door. The cons to a fake name are low, but the benefits are high.

The biggest risk is to vendors. So, you might be interested in another post purportedly by a darknet task force agent. It delves into a dark web vendor bust. It seems the cops used fingerprints on the USPS envelope, tracked the credit card used to buy postage at a self-service kiosk and photos taken during the transaction to catch a heroin dealer.

Copyright © 2016 IDG Communications, Inc.

The 10 most powerful cybersecurity companies