8 days ago I tried to log in to my Amazon retail account, and received a password invalid error. As it turned out my account had been closed, as it appeared to Amazon that it had received a suspicious log in. This is the same account that I use for AWS - hosting websites critical to my business.
Today it appears I am no closer to gaining access back to my AWS account than I was on day 1, even though I have been billed as normal for my services during this time.
This should serve as a warning to anybody else who has an Amazon account that is shared between retail and AWS.
Linked is a list of every event and interaction I have had during the last 8 days with Amazon, via Twitter, email, phone and chat.
If anything this, along with similar situation(s?) with Google, should stand as a strong warning against single sign on systems across multiple services with multiple TOS.
Why do you see this as a single sign-on issue? Seems to me the issue is over reliance on large SaaS providers. Same things happens all the time to Google users.
Because you're unlikey to trigger a violation on your cloud SaaS account, but could easily run afoul of other policies like "Real Name" or "Bought a Pixel Phone and Sold It" or posting something "offensive", getting reported by other users, etc.
If the account is just for a cloud SaaS, then there's likely to be very few policies to disable your account.
But then you're storing passwords in more services, which creates more surface area for breaches.
If you shop with Amazon, host your services with Amazon, watch TV on Amazon...there's simply no way of getting around the fact that Amazon will only want to manage a password for you in one place. The issue is clearly over reliance on Amazon services.
I don't follow your logic about the breach risk. If you're using unique passwords per service (and you really should) then I would expect any breach that involved passwords would have less of an effect. If there is a breach with a centralized single sign on service then every other dependent service is also affected.
There's a big difference between what people should do, and what people actually do. Research consistently shows that a large percentage of people reuse passwords across many sites.
Sure, but I'd bet that people who have cloud services accounts are much more likely to be better at password security than the general public, as a group.
Uh, Sure, if you have one account. The point being that if you're smart, you isolate every account. myaccount-aws@domain and myaccount-retail@domain and then turn off cloud services for retail account and turn on two factor auth for saas.
That's on you. You can't get the benifit of separation if you have them do it for you.
In the same way you get one company to own your domain and one to run your email. That way when your email provider decides you're a spammer or your account get's closed for uploading a bad app to the android store, you can go else where and swap your dns.
I reset a password, then they detected "suspicious activity." I clicked "send pin via email" and the email never shows up. I've done it 3 or 4 times over the course of a week + it never works. It's a documented error + FB/Instagram refuse to addres it.
And a similar thing has happened to me with Microsoft. I needed to get to my OneDrive. I go to log in, and it says invalid password. I go to reset the password, and it never sends me an email. I go through the alternate-email update process, answer the security questions, and it doesn't believe I am who I am.
When I try to get access to real support (a person), it makes me login. Back to problem #1.
Also, I should note that the email on record is real and works. The only thing I can think of is I named it microsoft@mydomain, and they don't like the word microsoft in it?
Took me weeks to get back an Instagram account that was locked as soon as I signed up, with a phone number too. Half the forms that are meant to help you are actually broken and 500 error most of the time. After many emails I ended up having to send a photo of myself holding a sign with the username and some random code on it. So bizarre. It's not like Facebook don't know my entire life history, but hoops still had to be jumped through!
We're having the same problem, and it's been well over a month now, and despite several phone calls with Facebook support and lots of emails, nothing is working. We've sent documents, escalated, etc. Nothing works.
We've spent over 200,000 EUR on Facebook/Instagram advertising so far (I guess that's still small fish), and still can't get it resolved.
In all seriousness, email jeff@amazon.com. The most likely outcome is that some relevant managers will receive one of the infamous "?" emails from him.
If so, that'll result in two things:
1) Your problem will be resolved ASAP, managers right up the chain will be tracking it extremely closely, as they'll have to justify every action to Jeff. Everyone goes scrambling when one of those emails goes out.
2) A post-mortem will be done of everything that happened, with processes and procedures improved to ensure it doesn't happen again.
I think that's gone the way of the dodo. Last I remember, he didn't read those anymore, and they were automatically just shunted into the normal escalation flow. Too many people got wind of it and abused it.
It was certainly still active and being triggered by Jeff not long before I left Amazon (just over a year ago now), I used to be subscribed to the list where those post-mortems would appear, and they would always indicate how the escalation occurred.
Nope. Those still work the way OP described, if my recent experience is anything to go by. Not sure if @jeff reads all the emails... but he may have assitants that do and send those out, and track them?
The managers in the escalation chain might tend to panic when the "?" comes about like the OP claims going by the # of emails and phone-calls I recieved from them.
I emailed it a couple months back to complain about USPS, and got a reply and a result (all my packages arrive via UPS or some rinky dink carrier now.)
I don't care if he personally reads them or not but it worked for me in January. I was locked out and phone/email support ignored me or sent me in circles. One email to jeff@amazon.com and my account was restored in a few hours.
I've seen it happen, repeatedly, and the outcomes of it (even to the point of hardware and software engineers being sent out to visit customers to figure out what is wrong). So yeah.
> This should serve as a warning to anybody else who has an Amazon account that is shared between retail and AWS.
So much this.
I had such an account and neglected the retail side (it was linked to amazon.com as well as AWS) as I was using a different account for retail (linked to amazon.co.uk from the days that these were separate systems).
Logging on to amazon.com one day I noticed LastPass suggest I log in, so I did. To see that I hadn't ordered anything retail for 5+ years. So I requested deletion of the amazon.com account (good hygiene, delete unused accounts).
Retail happily obliged... and a week later when payment failed and dunning started I realised what I had done. The account did not exist any more, I could not login to resolve this.
This was entirely my mistake (and quite funny as well as terrifying), but the risk is real.
Should anything happen to your retail account then your AWS account can and will suffer.
I managed to resolve this, I was only using S3 and I wrote a migration tool to remotely move S3 items from one account to another, using only the auth keys that were still active. But woah... if I'd been using EC2 or anything else I would have been in a lot of trouble.
Keep accounts single purpose and obvious. Use an account that only handles your AWS purchases.
A friend had this happen to him (The unauthorized person accessing it). He sells on amazon and had all his inventory removed from being sold while this was going on. Calls did nothing.
What finally worked was the amazon facebook page. He posted on there, they PMed him and he was back up and going within a couple hours where he had been getting the run around for a week or two on the phone.
I had this happen because of a closed AWS account with 2FA that locked out my longtime Amazon.com retail account. The 2FA factor was a business phone number that I had given back to my former employer a couple of years ago.
The best that AWS/Amazon support could give me is start a new Amazon.com account. At least the AWS account wasn't billing anything.
Don't ever use services provided by a third party. That's why I cut my own hair, make my own toothpaste, and create my own electricity from coal I mine myself!
Your comparison, and the toaster one by the responder, are nonsensical. There's a difference between a product and a service. Toothpaste is a product, not a service. AWS is a service, not a product. You can buy toothpaste anywhere; if you want to compare with AWS, AWS is like hiring a dental hygienist to come to your house twice a day and brush your teeth for you instead of doing it yourself. The hair-cutting bit is valid, but lots of people cut their own hair, especially men. The electricity bit is only partially valid; coal is a commodity that you can buy, just like toothpaste. You can also buy solar panels and make yourself totally independent of the electric utility. But it falls down because electric utilities are utilities and are regulated as such, whereas AWS is not regulated. The toaster thing is just dumb; toasters are cheap commodities. Again, the AWS comparison is hiring a butler to make your toast for you.
There's always a danger when you rely on outside provider for something that's critical to your business or life. Sometimes you can't avoid it or it's completely infeasible to, but choose carefully.
I see too many companies using AWS for stuff they could fairly easily self-host.
Well it's not quite the same with AWS if you start making use of any of their facilities past straight EC2 instances.
AWS provides a number of SAAS offerings which, if you make use of them, tie you to Amazon specifically, as opposed to an IAAS offering which is likely to be more easily portable to another provider.
AWS created a Cambrian explosion of people hosting stuff that have no business doing so. Those people can't just go back to colocating hardware at datacenters... I wonder if they could even effectively get their equipment racked and wired up.
Having to get approval for a capital expense was a filter that prevented teams with zero ops experience from trying to just brute-force google their way through.
The teams I see the most often, in pre-cloud days got nothing done because touching a server meant going through experienced ops teams that could conduct architecture reviews, security reviews and maintenance planning but which didn't have any motivation or incentives to actually launch new products. Cloud means these teams can get things done, at the expense of not having any thought put to architecture, security, or maintenance.
Sure, it's not hard, but it's not possible for them.
GP's point is that those places still relied on power and networking from other places.
It's a counter to the broader point of not relying on others. You simply can't. Are there better ways to rely on others (e.g. specific contracts)? yes. Are there ways of not relying on single providers? yes. Are there ways of relying on no one? No.
That's fine to depend on 3rd parties, provided you have a clear binding contract you have negotiated. The problem with SAAS is that there is no such a contract, there are just TOS which means they can to kick you out for no reason.
At some level you're always relying on other companies for a service. Even Google does -- they don't own the last mile.
However, even if you expect people to CoLo, you're still relying on a the facility for power, cooling, networking, security. Moreover, AWS is a paid service, there should be some expectation of conflict resolution. It's not like Google where Gmail is free and there really isn't any reason you should be able to reach out to someone.
What you should be arguing is not that we shouldn't rely on a _single_ provider. Redundancy is fairly cheap in terms of material, even if a little time-capital expensive to set up.
As another responder astutely pointed out below, services like this aren't contractually-bound, they're subject to TOSes. Good luck getting any kind of conflict resolution with a giant company when all you have are TOS. Companies that rely on other companies for service, when they do it right, use contracts.
Your point about having multiple providers is very sound though; if all you have available is AWS-like services with TOSes, being able to easily switch between them mitigates your risk.
> As another responder astutely pointed out below, services like this aren't contractually-bound, they're subject to TOSes.
Yes, I did say it should be expected, not that it is :(
This is where large companies are most to blame -- they sell products and services, but have no support unless you pay extra. I can understand out-of-hours or technical support, but basic accounting and account issues (e.g. account lockouts) should really be unethical to not support for a paid service. (I don't quite want to say illegal, but it shouldn't be the norm like it is now.)
I've had significantly better dealings with "smaller" shops with this kind of thing. Basic account support always appears to be the first thing to the chopping block as they grow :(
If it's critical to your business, why not do your hosting elsewhere? Is it because you are locked in already? I am building a product that will help people migrate across cloud providers, so that's the context...
Presumably he built it with AWS in mind, using their proprietary services and APIs. I'm certain if it was easy to have transitioned away from AWS, he would've already done so.
Doesn't this require separate gmail addresses? If so, then that's an extremely bad idea. I already had one gmail account completely banned with no notice. I wasn't doing anything abusive -- I used it for some npm projects and a github account.
Actually, is there a reasonable free gmail alternative for situations like this? I'd like to migrate. FastMail is worth paying for, but it's too expensive for one-off side projects. And while I don't trust gmail, I think I trust most services even less.
EDIT: My point was, if you use a single account, it's far less likely to get banned. I think my account was caught in some sort of automated purge, since I certainly wasn't abusing anything. Some proof: http://i.imgur.com/H5RRkyP.png I'm not sure which policy violation they're referring to, but all appeals failed. I lost all emails in that account, which thankfully wasn't very serious because the account was still young.
eropple and drbawb pointed out that you can use plus addresses with AWS, e.g. foo+aws1@gmail.com.
No problem. Fair warning--you'll want to be pretty proactive about going in and killing all their marketing emails, because each and every account gets all of them.
Mine was banned with no notice after weeks of work. So I'm just putting this out there as a warning that gmail can crush you at any time with no recourse.
If you use a single gmail account, it seems far less likely to get banned. I think I was caught in some sort of automatic purge, since I certainly wasn't abusing anything or using it for much beyond my side projects.
This email hostage situation kind of sucks. Hopefully there's an alternative for scenarios like this.
Someone mentioned self-hosting upthread. I wonder how difficult that is.
I have numerous Gmail accounts (more than 20) and not a single one has been banned. And Google explicitly supports using multiple accounts by providing an account switcher. Perhaps your account was banned for some reason other than being a duplicate.
I didn't engage in illegal activities, malicious or deceptive practices, hate speech, harassment, distributing personal information, child exploitation, spam, ranking manipulation, distribution of sexually explicit material, violence, selling regulated goods and services, impersonation, account hijacking, or use multiple accounts to bypass the above policies. So I have no idea what I did -- Google won't say, and all attempts to get more info out of them failed.
I feel like my company is the last to not use Google and Salesforce... There are a million reasons why Google could lock you out of an account... If I lose my personal email, I will survive. I can't in good faith accept that type of liability for my business communications though.
I don't host my own email (I've had terrible experiences trying to send), I do have my own domain and let someone else host my email (In this case Google :( but since it's my domain I can change it and it doesn't matter to anyone).
Aside: It always frustrates me when I see a business with their own domain and then an @gmail.com or @aol.com address. What registrars don't offer basic email forwarding (often for free?) or cheap (~$10 email) service you can buy from them if you can't figure out Google for your Domain)?
I feel like there is a small, but profitable space here, I just can't figure out what to do to harness it.
Zoho is pretty much free for personal uses. They charge per user per month, but under 25 users is free, and if you're not a business you don't have that many users.
I have numerous personal projects that are web sites/web apps and I use Zoho to get emails at all those domains.
I don't know if this is frowned upon by Zoho, but if you don't want to use their UI, you can set up your regular personal Gmail account to act as a POP3 client and just retrieves emails from Zoho that way. (now that I wrote it out, it makes me think it can't be frowned upon, simply because POP3 is even offered as a feature there)
You're certainly not the only person, I do the same. These stories that keep popping up, about people losing access to their SSO accounts and emails convinced me that it's worth the effort.
I'm still doing this one too - took maybe an hour to configure a simple dovecot+postfix+spamassassin setup and I don't have to touch it beyond an upgrade once every 6 months or so.
AWS requires a different email address per account yes. I don't see how it's bad? In your case, if you lost access to one gmail account with a dozen AWS accounts attached to it, that would affect all your AWS accounts? Better to have them fully separated so they can't affect each other.
One trick I like is that you can use `account+<tag>@example.com` and a lot of services will consider it a separate e-mail address, even though MTAs will transfer it to the same account; this has the added benefit of being easy to filter for on your e-mail client. I also use this tactic when signing up for web services that I anticipate will spam me. (I import a lot of merch from China/Japan; their unsubscribe systems tend to be insanely broken / borderline user hostile. Each such account gets a unique tag so that I know which service is spamming me.)
Alternatively if you want ultimate trust just run your own mailserver and set up as many aliases as you want! For $5/mo you can get a Linode box to do it, and I've yet to get an IP from them that is on an e-mail blacklist. They have great documentation[1], the most important thing is to just make sure your SMTP server requires authentication & refuses to relay for remote hosts. SPF/DKIM are necessary to get past modern spam filters, but frankly if you've ever setup a TLS cert you can probably manage to setup DKIM just fine.
I used this trick for years. However, there are downsides.
For example, sometimes a service will let you sign up with this just fine, but later when you need to do something else (such as password reset) or a phone agent has to enter it... it chokes.
Not to mention after some time passes you may forget what the special bit was and have to fall back to searching your email. Being regimented about the naming system helps, but it's not foolproof.
I'm using this trick less and less nowadays and just entering my plain email to avoid these hassles... especially for things like real life accounts. For possibly shady characters and account email consolidation, still a great trick!
This is why I have my own domain. I have a catch-all email box that just accepts everything and can make up emails on the spot, service@example.com. It makes things a lot easier down the road if I have a problem with my current provider as I can change the MX records at will. This means though that my DNS service must be under another domain for safety though but that's less of an issue.
3. write email to foobar@example.org -> get's redirected to your "real" email
This has the big advantage that you can change your real email account (I switched away from GMail two years ago) quite easily, you can track who leaks your address and filter more easily. But be prepared to leave some people stunned, I registered at my electricity provider with electricity@example.org or at my hairdresser with hairdo@example.org
In my case I'm using an old grandfathered free google apps setup. So I don't have anything to really setup/configure myself. I know it's possible to do it with postfix and other mailing agents.
I knew someone would say this. lol If you're away from your computer and haven't installed the password manager to your phone (I'm not nearly alone in this), then you may need to fall back to searching your emails. Better?
Anyway, this doesn't solve the other technical problems you may hit at some point using this trick.
I'm just giving people a heads up. It's a useful tool for certain things, but it can be overused.
Yes, this is the reason I know that the + character is %2b in a url. I've had to manually type it on so many crappy unsubscribe links (they don't realize + needs to be escaped because the web server they are using is doing the old-school + => space translation).
The nice thing about running my own email server is I configured it to use . and _ as well as +. me.xxxx@example.com and me_xxxx@example.com are pretty much guaranteed to work, and it ends up exactly the same as the +.
I would recommend not using Linode and realize your e-mail will be terribly unreliable if you run your own e-mail server (even if you setup DKIM, SPF and DMARC. Google/Microsoft don't give a shit about any of that). I wrote a post about this a while back:
I've considered moving to Vultr since they block SMTP/25 by default and individual customers have to get it enabled (which seems like it should reduce false positive spam classification as more e-mail providers).
It probably should, but I somehow ended up with two Amazon accounts (retail, not AWS) with the same email address. Changing the password I use changes which account I log in to.
Presumably it's a bug, but it's certainly confusing.
I recently managed to do that as well. This becomes very interesting if you try to recover a password, because apparently the password recovery only recovers the last account.
Eventually I got out of that by changing the mail of whatever account I could log into, using gmails feature of ignoring everything between the first + and an @ in the address. But most annoying, now my aws login is something silly like me+awsConsole42@gmai1.com.
Maybe I could change that back, but I'm too scared to touch that.
> My point was, if you use a single account, it's far less likely to get banned
Why do you think that? If anything, you have more activity you can be banned for...
And also, why you say it like gmail is the only email provider? You need separate _email_ accounts, not gmail. It can be some other service or your own domain. Google can be service provider behind your own domain, but you will control address space etc. Nobody will ban you out of your own email address (except domain registrar, but that's unlikely).
It seems like Google uses some heuristics when deciding whether to ban an account. My theory is that if you stick with your personal gmail account, you have such a long history of activity that it's unlikely to be flagged by whatever "smart" algorithm they're using.
I was quite surprised that my gmail account was banned without doing anything remotely malicious. (Certainly not anything listed in https://www.google.com/intl/en-US/%2B/policy/content.html) I suppose it's my word against Google's, which isn't a happy position to be in, but to the best of my knowledge that's what happened.
Regarding other services, I was hoping to get some recommendations about which one everyone likes using. Gmail and FastMail seem to be the two HN favorites, but FastMail gets expensive quickly for side projects. You can host your own email, but people have shared some unpleasant experiences with that route. It's true that you can still use gmail without losing your address, but you'll still lose your emails if they decide to suspend you.
> It seems like Google uses some heuristics when deciding whether to ban an account. My theory is that if you stick with your personal gmail account, you have such a long history of activity that it's unlikely to be flagged by whatever "smart" algorithm they're using.
I never saw/heard of evidence of such behavior.
> but you'll still lose your emails if they decide to suspend you
Emails are easily backupable, you can download them locally and/or forward everything to the "backup" email.
One more service to host email on your own domain is Yandex.Mail, it's free and pretty good.
Do keep in mind that Yandex falls under Russian federal law. There was an incident already with FSB getting data about backers of Navalny's anti-corruption website from Yandex Money and if you are vocal on LGBT laws you can easily run afoul of federal children protection law (to protect children from abuse, shocking materials, LGBT, anti-family values, etc.) like the founder of Deti-404 (LGBT support group that even the author of children protection law defended, ironically enough) did.
I'm personally considering hushmail (Canadian) or some other paid email in the future, for maximum piece of mind, any double digit number seems reasonable enough annually. Some out of the way liberal first world country , no superpower (and superspy) aspirations, a small paid provider (that actually needs customers and word of mouth and not throwing their weight around, Google is notorious for deleting YT channels willy nilly for 'guidelines violation' and then restoring them after a shit storm) to ensure no 'smart' 'ML' algorithm bans you. Sounds just about right.
I use fastmail to host my own domain. I alias all users to myself. Any email I get to aliases that don't end in e.g. ".s" automatically goes to a filtered folder. So blah.s@example.com goes to my inbox, blah@example.com gets filtered. $5/month is cheap. I only use one domain, but presumably you could even host multiple domains using a similar setup.
IMO this is more of a workaround for a defect which is "Customer service for these cloud feudals is an oxymoron".
So what if I use the same account, if there is a lock-out event I should be notified and there should be an actual customer service agent that can solve my problem taking care of the issue...
This is what happens when you tie yourself to a single point of failure. Sure, AWS is usually pretty damn stable... But if there are issues with the company and access, a simple bit can be flipped to stop you cold in your tracks. And that's what seemed to happen here.
What's the answer? Well, there isn't one now, aside begging on twitter and HN (which is undoubtedly your last option). But prior to manufactured disaster, you should have had offsite backups of all critical data. And if you were to design a cluster that used AWS, Azure, and GCE, you would be relatively immune to "We don't like you" threats.
But alas, this does nothing now to ameliorate your data right now. But hopefully, you will consider a proper evaluation of SPOF, regardless if it's technical, or "arbitrary decision" based. Both lead to the same result: catastrophic downtime.
Stories like this are frustrating and a symptom of the impact very large companies can have on multiple facets of our lives.
One possible approach is to keep accounts separate for personal and each business that you are involved with. For example, you probably have at least a separate personal checking account and business checking account. Likewise, it would make sense to have all accounts used for a given business to only be used for that business.
In addition to providing some safety against automated action, division of accounts provides a nice legal line, wherein if a court order requires you to disclose information, you can simply dump everything on the account without touching any of the other businesses or personal documents.
Stymieing this, of course, is companies (Facebook?) that have a policy of prohibiting a single real person from having distinct accounts.
Write to Fred Wilson fred@usv.com (investor in coinbase)
Guaranteed that you will see the escalation that you need. You may want to provide links to others complaints about the same that you can find but make it short and simple.
Jeff Bezos himself said if you are having problems you should mail him directly. Behind this address there is a full team investigating the issue and if it's something they want to handle will actually lead to improvements for all customers.
I think if Jeff actually cared he would have put some personnel in place to back up "Your feedback is helping us build Earth's Most Customer-Centric Company".
It's odd though, in my experience customer support on Amazon is amazingly good.
Mine hasn't been. I've had all sorts of petty issues with their customer support. Basically any time something falls outside of the norm or if anything is genuinely wrong with site functionality, their remedial processes are poor.
The moral of the story is that your AWS account and your personal amazon buying account should be separate.
As well, if you use Kindle Direct Publishing, are an Amazon Seller, work for Amazon Flex, or use the Amazon Affiliates program, each of these should also be on an independent Amazon account.
This way, problems on one won't affect problems on the other.
I am not convinced such a separation would be effective. Accounts identified as being associated with a "problem" account (shared CC, addresses, etc) could also justifiably be closed. The idea being to keep "abusive" individuals from just opening a new account and resuming their abusive behavior.
The only long term solution is to get a person with enough power to make their own decisions to look at your claims, but that takes quite some time and is not guaranteed to be successful.
I've had the same issue with buying and selling accounts - my buying account got locked out, which prevented me from logging in to my selling account, with 50 pending orders at the time. Luckily I emailed jeff@amazon.com and got my main account unlocked within 2 days and my buying eventually got back a week or two later.
Seems like they still haven't fixed the underlying issue of bots locking accounts across services.
Also having problem with AWS - can't access it and they keep billing me for something there I want to shut it down (EC2?) but I can't.
I recently moved from Brazil to UK (new address) and changed phone + sim card (Authenticator after restore from backup lost all 2 factor auth entries).
This is the moment when you realise that you're outside of predefined use cases of The Machine and you're fucked. Nobody is here to help you. I've tried, nobody gives a shit at Amazon. They have procedures, you know.
I blame 2FA and I think it's great if you don't have problems but it's shit if you have, ie. you move places, change phones etc. in your life. Something there in the process is missing like "next of kin" recovery that should be mandatory when enabling 2FAs.
I had 2FA activated, changed phones and lost it. I couldn't log in to my account, so I contacted support. Within about 30 min they had put me back into my account.
The dude who helped me was super chill and understanding as well.
What is the purpose of 2FA when social engineering the support team circumvents it? This should not be possible! Lost your phone? That’s what 2FA backup codes are for.
Unless you have written backup codes, there should not be a resolution possible. You either remember to changes phone #s before you change them, or you are locked out. Deal with the phone company.
If you're sending me a bill, you need to provide a way for me to resolve an issue such as this. "There is not a resolution possible, we will continue billing you in perpetuity thank you good day" is not acceptable. (It's AWS and they do, so maybe it is, but... try building a new service that isn't AWS with that attitude, and see how far it gets you!)
I kind of see chargeback as a potential resolution for this. If you lost access to your account and can't shut down billing via the normal route, you could still stop payments from your bank or credit card. That is the ultimate source of truth anyway, in regards to payments, so you could "prove" who you are by stopping all continuing payments to the service.
So say I do this, and later my account is sent to collections. Can you think of a worse possible outcome when your phone is dropped in the toilet if you have no scheme for 2FA recovery?
My cloud-hosted business gets shut down, credit score tanks, because of the combination of my butter fingers and your secure authentication scheme! Might as well not employ any CSR drones at all if you're not going to handle this case. Maybe I'm exaggerating, but this is not a great strategy for customer satisfaction or retention.
To the extent that in a dispute situation, who pays the bill =/= whomever holds the keys, my preferred customer service strategy would tend to favor who is paying the bill.
I haven't heard of hosting companies sending anyone to a collection agency. It could happen, sure a but I think it's more likely they just cancel your account and suspend all continued hosting (which, if you believe 2fa should be impossible to circumnavigate, this is probably the ideal outcome). From there you would probably open a new account and start over.
I could see the argument either way on if this is the most optimal solution or not.
Hell no, without 2FA those are the only things protecting my account! Why would I want to post them publicly? That doesn't even make sense.
I do business with 4 banks and have no less than 4 credit cards, and I'm pretty sure that none of them offer proper 2FA with tokens for the online accounts. Now that you mention it, this is a serious question. Why does Comcast get there before any of the major and/or local banks?
I'll admit, if I can protect my Comcast account and as a result, I never have to speak to another one of their Customer Service Reps, it would be a huge victory! This is probably part of their retention strategy, to be fair.
It's telling that there's no mention of on any document, or interface to Comcast's 2FA settings (that I can find anyway) that speaks to how to use it for protecting the set-top box from ordering Pay-Per-View content.
If I turn on 2FA, I'm pretty sure I won't have the option to use it when ordering PPV. It looks like they have a PIN lock instead. Maybe I can disable PPV and protect it with the second factor?
I honestly have no idea why it's even an option. Are swatters gonna log into my Comcast account, upgrade my XFINITY connection to the maximum bandwidth, and sign me up for all of the premium channels?
Or are they hacking my account so they can pay the bill for me :-D
That if you lose access to all of the 2FA methods you have available, you should just lose access to your account and there be no way to recover it.
If there is a way to recover it, that has to be secured too and, there are only a limited number of ways you can do that (and the more that are enabled, the harder it is to secure). Most services with 2FA offer a set of one-time codes that you can write down and store securely at multiple locations (safes in different places, safe deposit box etc). It is not that hard to avoid losing access if you care. If you don't care enough about the account to do this, just accept losing access, cancel the card payment authorisation and, lose it.
Companies should not grant access to accounts with 2FA by letting you call support unless they at least take proper steps to ensure that you are the account owner, which is pretty impractical in most cases (it is either too costly to be worth it or, too hard to do well enough). Demonstrating that you are the account owner to recover it if you have lost 2FA access should at least require a visit, in person, with photo ID being checked with the relevant authorities (for example the passport service examining your passport to check it is not a forgery) and, multiple people who can attest that you are in fact the person in the photo, to recover an account, for which they would presumably have to charge hundreds of dollars. It seems easier to just not offer recovery in most cases.
I don't think I've seen any backup codes when enabling 2FA on AWS - do they provide them? Support people haven't mentioned anything about those. If they show them I must have put them somewhere...
I learned this the hard way when google authenticator failed to restore my keys after a phone upgrade. Now I make sure I copy the data from those QR codes and store them in a GPG encrypted file (I store the data and the QR code itself as utf-8 art in the file).
This anecdote makes me very happy with AWS. I want loss of 2FA to completely revoke access to my account. Otherwise any smart hacker can social engineer Amazon support with some fake drivers license photo and steal all my BTC (for example).
Use the backup codes they provided you with when you set up 2FA. Or does Amazon not have those? (If not that seems really strange, every other service I've set up 2FA on has that recovery method.)
I use Authy as my TOTP client. It has a encrypted backup feature and allows me to share tokens between my devices (computer, phone, iPad, etc.) It's saved me on more than one occasion. :)
Google Authenticator is a bad 2FA app. Authenticator+ costs a couple of bucks but has many features that make it much easier to use, including the ability to back up an encrypted copy of your 2FA keys (standard disclaimers about risk of compromise to this file, yadda yadda yadda). When you change phones, you just download that, decrypt, and pick up where you left off; no hassle trying to replace the 2FA generators, which is a PITA when you have one 2FA, let alone going through that process for several accounts.
If you're going to use Google Authenticator anyway, at least unlock your bootloader before you initialize the identities. You can't get to the key database without being rooted, even if you're doing a full backup with adb, and unlocking/relocking the bootloader wipes the device.
Mobile phone authenticator apps are not that great anyway. They rely on the security of a phone that is connected to the net to keep the keys secure. If someone can get code running on the phone and exploit a privilege escalation vulnerability to get root, they can read the keys. A hardware token like a Yubikey or similar is probably more secure.
Another problem with the Google authenticator, at least for Google accounts, is that you have to add a phone number to your account to use it I think and, they then allow access by SMS, which is not so hard to circumvent.
I didn't know you can do that, I thought it generates device (app) hashed codes that are synced with first code or some other magic, just today I learned it's just based on this initial code (presented as qr usually) so you can do as you say, just record it in multiple places, great idea, especially that there are even command line tools for it. I'll replicate it on my desktop next time. For now I have to go to notary and send signed docs to amazon, hopefully that'll work to get back access.
You should try Authy. I switched over to it after I got burned by Google Authenticator deleting all my tokens after an upgrade. It can store your tokens in a encrypted central location and allows you to share tokens between devices (computer, phone, tablet, etc.) It kinda freaked me out at first but now I really like it.
I like to think "thank god I have a google voice number" but then I realize if google just decides to shaft google voice, as the have to countless of their projects in the past, I am totally fucked in regards to the many things that 2fa off it.
I had this situation. I had an AWS account linked to some email I no longer had access to and could not get into the account. I opened a support ticket and they sent an email to the old address, after 10 days of no response they sent it to "Legal" for review. The account was then closed by them which resolved it for me.
"Who are you?" is the most expensive question in technology. No matter how you get it wrong, you're fucked.
Letting the wrong person in to an account? You're fucked.
Locking the right person out of an account? You're fucked.
Given that data can't be reversed as charges can, arresting an account may be slightly preferable, but it remains highly disrupting.
I've been through the experience a few times myself, largely with Google. Out of a fit of pique, the temporary account I created for myself (and through which I negotiated for recovery) was "The Real Slim Shady". Several of my G+ contacts noted that they could be pretty certain that this was in fact me, though I'm a little frightened whichever way that works out.
(I did have other profiles through which I could announce my plight.)
I still think that the matter of idientification, or rather, the more primary matters of authentication, authorisation, integrity, validation, payment authorisation, ownership, receipts rights, and similar associations, need to be worked out.
I'm also strongly in favour of a system in which a physical token -- and I think a signet ring with a very-near-field chip and accompanying sensors on mobile, laptop, and desktop devices would be just about perfect -- should be part of that systme.
Not an insertable device (as with Yubikey), or something requiring keying in a value (as with RSA fobs). But something which is worn (so: on you at all times), replaceable, destroyable, discardable, but also exceedingly difficult to duplicate or appropriate, or to read without intention on the part of the owner.
Expected from the earths most customer centric company. Here in India, my first order at Amazon was a fraud done by Amazon with its JV firm CloudTail.
tl dr: Amazon Fulfilled product sold at fake discount and MRP mentioned on site was higher than printed MRP.
Hypothetical: I have filed incorporation with a single share and deposited a Benjamin into the capital account, exactly what powers have I conjured for myself here?
Didn't you have backup codes or a backup phone number? Bearing in mind I have no idea how 2FA for DO works, but all services where I'm using 2FA have these options, although I've yet to fall into a similar situation I imagine that it should turn out fine thanks to these options.
I am incredibly happy that Digital Ocean made you go to those lengths to get your account back. The last thing we need is web services companies requiring less security. Social engineering attacks are typically the method of entry to hosting providers such as Digital Ocean.
Frankly I would be totally fine if they required another form of ID (such as a passport) or another form of address/name verification (such as a utility bill). Or perhaps even a picture of the card on file.
What is NOT okay is a lack of response, which this article is describing.
Some great advice in here about creating multiple accounts with a + sign in the email address. One thing I didn't see mentioned that is a standard best practice for AWS is to create a separate IAM account for your day to day usage and NEVER log into your root account (unless you need to open a billing support ticket) after creating the IAM account.
You will get a new login page and username to log in with and not need an email address specific account.
The best option I know is rebuilding your services in a new AWS account. That will let you can keep using the same Amazon retail account as before, and transfer your assets in AWS to an account tied to your production organization.
CloudFormer[0] might be able to automate some of the process - it analyzes your existing VPC and generates a CloudFormation[1] template. You could then take this template and deploy the stack in your new account, and you'd only have to rebuild the remaining few items.
Then you could redeploy all your applications, test, and migrate production services to your freshly-tested instance. Finally, you must be aggressive in shutting down the old services. It would be agonizing to have your entire site down because one server remains in the old account, and the account had some issue. Feel free to contact me for more specific advice.
I believe it's as simple as changing the email address for your AWS account, which can be done within the account settings. You can confirm that this does the trick by updating the password and ensuring it doesn't change your retail password.
282 comments
[ 3.4 ms ] story [ 282 ms ] threadToday it appears I am no closer to gaining access back to my AWS account than I was on day 1, even though I have been billed as normal for my services during this time.
This should serve as a warning to anybody else who has an Amazon account that is shared between retail and AWS.
Linked is a list of every event and interaction I have had during the last 8 days with Amazon, via Twitter, email, phone and chat.
There are trade-offs to every security approach, but storing passwords at every web service is 100x worse.
If the account is just for a cloud SaaS, then there's likely to be very few policies to disable your account.
If you shop with Amazon, host your services with Amazon, watch TV on Amazon...there's simply no way of getting around the fact that Amazon will only want to manage a password for you in one place. The issue is clearly over reliance on Amazon services.
[1] http://www.jbonneau.com/doc/DBCBW14-NDSS-tangled_web.pdf
Yeah, it's convenient to have only one, but it seems it's dangerous as well
That's on you. You can't get the benifit of separation if you have them do it for you.
In the same way you get one company to own your domain and one to run your email. That way when your email provider decides you're a spammer or your account get's closed for uploading a bad app to the android store, you can go else where and swap your dns.
I reset a password, then they detected "suspicious activity." I clicked "send pin via email" and the email never shows up. I've done it 3 or 4 times over the course of a week + it never works. It's a documented error + FB/Instagram refuse to addres it.
https://medium.com/@joelrunyon/instagrams-security-features-...
When I try to get access to real support (a person), it makes me login. Back to problem #1.
Also, I should note that the email on record is real and works. The only thing I can think of is I named it microsoft@mydomain, and they don't like the word microsoft in it?
Thankfully the "we turned on 2-factor" email gives you a link to turn it back off within 30 days or I would have been in some trouble.
Then, when they send the PIN to the same email - it never actually shows up. Ugh.
We've spent over 200,000 EUR on Facebook/Instagram advertising so far (I guess that's still small fish), and still can't get it resolved.
If so, that'll result in two things:
1) Your problem will be resolved ASAP, managers right up the chain will be tracking it extremely closely, as they'll have to justify every action to Jeff. Everyone goes scrambling when one of those emails goes out.
2) A post-mortem will be done of everything that happened, with processes and procedures improved to ensure it doesn't happen again.
https://www.google.com/search?q=bezos+question+mark+email
https://www.inc.com/bill-murphy-jr/customer-service-jeff-bez...
and a little bit here: https://www.quora.com/Whats-it-like-to-receive-a-question-ma...
No one inside Amazon wants to receive a question mark email from Jeff, and a number of the VPs have picked up the habit too.
The managers in the escalation chain might tend to panic when the "?" comes about like the OP claims going by the # of emails and phone-calls I recieved from them.
So much this.
I had such an account and neglected the retail side (it was linked to amazon.com as well as AWS) as I was using a different account for retail (linked to amazon.co.uk from the days that these were separate systems).
Logging on to amazon.com one day I noticed LastPass suggest I log in, so I did. To see that I hadn't ordered anything retail for 5+ years. So I requested deletion of the amazon.com account (good hygiene, delete unused accounts).
Retail happily obliged... and a week later when payment failed and dunning started I realised what I had done. The account did not exist any more, I could not login to resolve this.
This was entirely my mistake (and quite funny as well as terrifying), but the risk is real.
Should anything happen to your retail account then your AWS account can and will suffer.
I managed to resolve this, I was only using S3 and I wrote a migration tool to remotely move S3 items from one account to another, using only the auth keys that were still active. But woah... if I'd been using EC2 or anything else I would have been in a lot of trouble.
Keep accounts single purpose and obvious. Use an account that only handles your AWS purchases.
What finally worked was the amazon facebook page. He posted on there, they PMed him and he was back up and going within a couple hours where he had been getting the run around for a week or two on the phone.
The best that AWS/Amazon support could give me is start a new Amazon.com account. At least the AWS account wasn't billing anything.
I see too many companies using AWS for stuff they could fairly easily self-host.
Obviously, web-hosting stuff is a little different. AWS is a lot more than just web hosting: it's a cloud computing provider.
As you do with AWS...
> and created our env
As you do with AWS...
> And it was super easy to move from one provider to another.
Which is easier on cloud hosting than it ever was when dealing with colocation providers.
AWS provides a number of SAAS offerings which, if you make use of them, tie you to Amazon specifically, as opposed to an IAAS offering which is likely to be more easily portable to another provider.
Having to get approval for a capital expense was a filter that prevented teams with zero ops experience from trying to just brute-force google their way through.
The teams I see the most often, in pre-cloud days got nothing done because touching a server meant going through experienced ops teams that could conduct architecture reviews, security reviews and maintenance planning but which didn't have any motivation or incentives to actually launch new products. Cloud means these teams can get things done, at the expense of not having any thought put to architecture, security, or maintenance.
Sure, it's not hard, but it's not possible for them.
It's a counter to the broader point of not relying on others. You simply can't. Are there better ways to rely on others (e.g. specific contracts)? yes. Are there ways of not relying on single providers? yes. Are there ways of relying on no one? No.
However, even if you expect people to CoLo, you're still relying on a the facility for power, cooling, networking, security. Moreover, AWS is a paid service, there should be some expectation of conflict resolution. It's not like Google where Gmail is free and there really isn't any reason you should be able to reach out to someone.
What you should be arguing is not that we shouldn't rely on a _single_ provider. Redundancy is fairly cheap in terms of material, even if a little time-capital expensive to set up.
Your point about having multiple providers is very sound though; if all you have available is AWS-like services with TOSes, being able to easily switch between them mitigates your risk.
Yes, I did say it should be expected, not that it is :(
This is where large companies are most to blame -- they sell products and services, but have no support unless you pay extra. I can understand out-of-hours or technical support, but basic accounting and account issues (e.g. account lockouts) should really be unethical to not support for a paid service. (I don't quite want to say illegal, but it shouldn't be the norm like it is now.)
I've had significantly better dealings with "smaller" shops with this kind of thing. Basic account support always appears to be the first thing to the chopping block as they grow :(
By default, no. But you can get contracts in place.
Actually, is there a reasonable free gmail alternative for situations like this? I'd like to migrate. FastMail is worth paying for, but it's too expensive for one-off side projects. And while I don't trust gmail, I think I trust most services even less.
EDIT: My point was, if you use a single account, it's far less likely to get banned. I think my account was caught in some sort of automated purge, since I certainly wasn't abusing anything. Some proof: http://i.imgur.com/H5RRkyP.png I'm not sure which policy violation they're referring to, but all appeals failed. I lost all emails in that account, which thankfully wasn't very serious because the account was still young.
eropple and drbawb pointed out that you can use plus addresses with AWS, e.g. foo+aws1@gmail.com.
This email hostage situation kind of sucks. Hopefully there's an alternative for scenarios like this.
Someone mentioned self-hosting upthread. I wonder how difficult that is.
Here's the closest thing to a list of reasons I could find: https://www.google.com/intl/en-US/%2B/policy/content.html
I didn't engage in illegal activities, malicious or deceptive practices, hate speech, harassment, distributing personal information, child exploitation, spam, ranking manipulation, distribution of sexually explicit material, violence, selling regulated goods and services, impersonation, account hijacking, or use multiple accounts to bypass the above policies. So I have no idea what I did -- Google won't say, and all attempts to get more info out of them failed.
Aside: It always frustrates me when I see a business with their own domain and then an @gmail.com or @aol.com address. What registrars don't offer basic email forwarding (often for free?) or cheap (~$10 email) service you can buy from them if you can't figure out Google for your Domain)?
I feel like there is a small, but profitable space here, I just can't figure out what to do to harness it.
I have numerous personal projects that are web sites/web apps and I use Zoho to get emails at all those domains.
I don't know if this is frowned upon by Zoho, but if you don't want to use their UI, you can set up your regular personal Gmail account to act as a POP3 client and just retrieves emails from Zoho that way. (now that I wrote it out, it makes me think it can't be frowned upon, simply because POP3 is even offered as a feature there)
I was like 10th from the last. :)
Having catchalls at bullshit domains is great.
Alternatively if you want ultimate trust just run your own mailserver and set up as many aliases as you want! For $5/mo you can get a Linode box to do it, and I've yet to get an IP from them that is on an e-mail blacklist. They have great documentation[1], the most important thing is to just make sure your SMTP server requires authentication & refuses to relay for remote hosts. SPF/DKIM are necessary to get past modern spam filters, but frankly if you've ever setup a TLS cert you can probably manage to setup DKIM just fine.
[1]: https://www.linode.com/docs/email/postfix/
For example, sometimes a service will let you sign up with this just fine, but later when you need to do something else (such as password reset) or a phone agent has to enter it... it chokes.
Not to mention after some time passes you may forget what the special bit was and have to fall back to searching your email. Being regimented about the naming system helps, but it's not foolproof.
I'm using this trick less and less nowadays and just entering my plain email to avoid these hassles... especially for things like real life accounts. For possibly shady characters and account email consolidation, still a great trick!
1. register domain at a registrar that supports email catch all (I use namecheap, not affiliated)
2. setup email catch all (https://imgur.com/a/PTlzv) with redirect to your "real" email
3. write email to foobar@example.org -> get's redirected to your "real" email
This has the big advantage that you can change your real email account (I switched away from GMail two years ago) quite easily, you can track who leaks your address and filter more easily. But be prepared to leave some people stunned, I registered at my electricity provider with electricity@example.org or at my hairdresser with hairdo@example.org
https://www.cyberciti.biz/faq/howto-setup-postfix-catch-all-...
A password manager solves this problem
Anyway, this doesn't solve the other technical problems you may hit at some point using this trick.
I'm just giving people a heads up. It's a useful tool for certain things, but it can be overused.
The nice thing about running my own email server is I configured it to use . and _ as well as +. me.xxxx@example.com and me_xxxx@example.com are pretty much guaranteed to work, and it ends up exactly the same as the +.
http://penguindreams.org/blog/how-google-and-microsoft-made-...
I've considered moving to Vultr since they block SMTP/25 by default and individual customers have to get it enabled (which seems like it should reduce false positive spam classification as more e-mail providers).
It probably should, but I somehow ended up with two Amazon accounts (retail, not AWS) with the same email address. Changing the password I use changes which account I log in to.
Presumably it's a bug, but it's certainly confusing.
Eventually I got out of that by changing the mail of whatever account I could log into, using gmails feature of ignoring everything between the first + and an @ in the address. But most annoying, now my aws login is something silly like me+awsConsole42@gmai1.com.
Maybe I could change that back, but I'm too scared to touch that.
Why do you think that? If anything, you have more activity you can be banned for...
And also, why you say it like gmail is the only email provider? You need separate _email_ accounts, not gmail. It can be some other service or your own domain. Google can be service provider behind your own domain, but you will control address space etc. Nobody will ban you out of your own email address (except domain registrar, but that's unlikely).
I was quite surprised that my gmail account was banned without doing anything remotely malicious. (Certainly not anything listed in https://www.google.com/intl/en-US/%2B/policy/content.html) I suppose it's my word against Google's, which isn't a happy position to be in, but to the best of my knowledge that's what happened.
Regarding other services, I was hoping to get some recommendations about which one everyone likes using. Gmail and FastMail seem to be the two HN favorites, but FastMail gets expensive quickly for side projects. You can host your own email, but people have shared some unpleasant experiences with that route. It's true that you can still use gmail without losing your address, but you'll still lose your emails if they decide to suspend you.
I never saw/heard of evidence of such behavior.
> but you'll still lose your emails if they decide to suspend you
Emails are easily backupable, you can download them locally and/or forward everything to the "backup" email. One more service to host email on your own domain is Yandex.Mail, it's free and pretty good.
I'm personally considering hushmail (Canadian) or some other paid email in the future, for maximum piece of mind, any double digit number seems reasonable enough annually. Some out of the way liberal first world country , no superpower (and superspy) aspirations, a small paid provider (that actually needs customers and word of mouth and not throwing their weight around, Google is notorious for deleting YT channels willy nilly for 'guidelines violation' and then restoring them after a shit storm) to ensure no 'smart' 'ML' algorithm bans you. Sounds just about right.
FastMail will let you create multiple aliases, either at your own domain, or one of theirs, linked to your account.
So what if I use the same account, if there is a lock-out event I should be notified and there should be an actual customer service agent that can solve my problem taking care of the issue...
What's the answer? Well, there isn't one now, aside begging on twitter and HN (which is undoubtedly your last option). But prior to manufactured disaster, you should have had offsite backups of all critical data. And if you were to design a cluster that used AWS, Azure, and GCE, you would be relatively immune to "We don't like you" threats.
But alas, this does nothing now to ameliorate your data right now. But hopefully, you will consider a proper evaluation of SPOF, regardless if it's technical, or "arbitrary decision" based. Both lead to the same result: catastrophic downtime.
He will probably naturally see this thread over the course of the day though if it get's popular anyway....
One possible approach is to keep accounts separate for personal and each business that you are involved with. For example, you probably have at least a separate personal checking account and business checking account. Likewise, it would make sense to have all accounts used for a given business to only be used for that business.
In addition to providing some safety against automated action, division of accounts provides a nice legal line, wherein if a court order requires you to disclose information, you can simply dump everything on the account without touching any of the other businesses or personal documents.
Stymieing this, of course, is companies (Facebook?) that have a policy of prohibiting a single real person from having distinct accounts.
Guaranteed that you will see the escalation that you need. You may want to provide links to others complaints about the same that you can find but make it short and simple.
Jeff Bezos himself said if you are having problems you should mail him directly. Behind this address there is a full team investigating the issue and if it's something they want to handle will actually lead to improvements for all customers.
It's odd though, in my experience customer support on Amazon is amazingly good.
As well, if you use Kindle Direct Publishing, are an Amazon Seller, work for Amazon Flex, or use the Amazon Affiliates program, each of these should also be on an independent Amazon account.
This way, problems on one won't affect problems on the other.
The only long term solution is to get a person with enough power to make their own decisions to look at your claims, but that takes quite some time and is not guaranteed to be successful.
Once through, being persistent eventually (it took a week or so) saw us regain access to the account.
Seems like they still haven't fixed the underlying issue of bots locking accounts across services.
I recently moved from Brazil to UK (new address) and changed phone + sim card (Authenticator after restore from backup lost all 2 factor auth entries).
This is the moment when you realise that you're outside of predefined use cases of The Machine and you're fucked. Nobody is here to help you. I've tried, nobody gives a shit at Amazon. They have procedures, you know.
I blame 2FA and I think it's great if you don't have problems but it's shit if you have, ie. you move places, change phones etc. in your life. Something there in the process is missing like "next of kin" recovery that should be mandatory when enabling 2FAs.
wouldn't this just weaken the second factor? Services that have bypasses to 2FA wind up rendering it useless.
https://faq.nearlyfreespeech.net/section/login/losteverythin...
The dude who helped me was super chill and understanding as well.
This guy works in customer service. LOL
If you're sending me a bill, you need to provide a way for me to resolve an issue such as this. "There is not a resolution possible, we will continue billing you in perpetuity thank you good day" is not acceptable. (It's AWS and they do, so maybe it is, but... try building a new service that isn't AWS with that attitude, and see how far it gets you!)
My cloud-hosted business gets shut down, credit score tanks, because of the combination of my butter fingers and your secure authentication scheme! Might as well not employ any CSR drones at all if you're not going to handle this case. Maybe I'm exaggerating, but this is not a great strategy for customer satisfaction or retention.
To the extent that in a dispute situation, who pays the bill =/= whomever holds the keys, my preferred customer service strategy would tend to favor who is paying the bill.
I could see the argument either way on if this is the most optimal solution or not.
not if you want it to provide real security.
I do business with 4 banks and have no less than 4 credit cards, and I'm pretty sure that none of them offer proper 2FA with tokens for the online accounts. Now that you mention it, this is a serious question. Why does Comcast get there before any of the major and/or local banks?
I'll admit, if I can protect my Comcast account and as a result, I never have to speak to another one of their Customer Service Reps, it would be a huge victory! This is probably part of their retention strategy, to be fair.
It's telling that there's no mention of on any document, or interface to Comcast's 2FA settings (that I can find anyway) that speaks to how to use it for protecting the set-top box from ordering Pay-Per-View content.
If I turn on 2FA, I'm pretty sure I won't have the option to use it when ordering PPV. It looks like they have a PIN lock instead. Maybe I can disable PPV and protect it with the second factor?
I honestly have no idea why it's even an option. Are swatters gonna log into my Comcast account, upgrade my XFINITY connection to the maximum bandwidth, and sign me up for all of the premium channels?
Or are they hacking my account so they can pay the bill for me :-D
If there is a way to recover it, that has to be secured too and, there are only a limited number of ways you can do that (and the more that are enabled, the harder it is to secure). Most services with 2FA offer a set of one-time codes that you can write down and store securely at multiple locations (safes in different places, safe deposit box etc). It is not that hard to avoid losing access if you care. If you don't care enough about the account to do this, just accept losing access, cancel the card payment authorisation and, lose it.
Companies should not grant access to accounts with 2FA by letting you call support unless they at least take proper steps to ensure that you are the account owner, which is pretty impractical in most cases (it is either too costly to be worth it or, too hard to do well enough). Demonstrating that you are the account owner to recover it if you have lost 2FA access should at least require a visit, in person, with photo ID being checked with the relevant authorities (for example the passport service examining your passport to check it is not a forgery) and, multiple people who can attest that you are in fact the person in the photo, to recover an account, for which they would presumably have to charge hundreds of dollars. It seems easier to just not offer recovery in most cases.
If you're going to use Google Authenticator anyway, at least unlock your bootloader before you initialize the identities. You can't get to the key database without being rooted, even if you're doing a full backup with adb, and unlocking/relocking the bootloader wipes the device.
Another problem with the Google authenticator, at least for Google accounts, is that you have to add a phone number to your account to use it I think and, they then allow access by SMS, which is not so hard to circumvent.
Google Authenticator has never restored these properly, ever. Encrypted backups or not.
Letting the wrong person in to an account? You're fucked.
Locking the right person out of an account? You're fucked.
Given that data can't be reversed as charges can, arresting an account may be slightly preferable, but it remains highly disrupting.
I've been through the experience a few times myself, largely with Google. Out of a fit of pique, the temporary account I created for myself (and through which I negotiated for recovery) was "The Real Slim Shady". Several of my G+ contacts noted that they could be pretty certain that this was in fact me, though I'm a little frightened whichever way that works out.
(I did have other profiles through which I could announce my plight.)
I still think that the matter of idientification, or rather, the more primary matters of authentication, authorisation, integrity, validation, payment authorisation, ownership, receipts rights, and similar associations, need to be worked out.
I'm also strongly in favour of a system in which a physical token -- and I think a signet ring with a very-near-field chip and accompanying sensors on mobile, laptop, and desktop devices would be just about perfect -- should be part of that systme.
Not an insertable device (as with Yubikey), or something requiring keying in a value (as with RSA fobs). But something which is worn (so: on you at all times), replaceable, destroyable, discardable, but also exceedingly difficult to duplicate or appropriate, or to read without intention on the part of the owner.
https://www.reddit.com/r/dredmorbius/comments/2w618r/how_to_...
https://medium.com/@snaushads/my-first-order-at-amazon-in-5c...
So I'm thinking of centralizing all non-business to gmail.com and the rest to gordon.com.
Look at a companys stock price. If it's in the triple digits, avoid it, because they can and will screw you over.
Should your rule be written to use market cap?
I am incredibly happy that Digital Ocean made you go to those lengths to get your account back. The last thing we need is web services companies requiring less security. Social engineering attacks are typically the method of entry to hosting providers such as Digital Ocean.
Frankly I would be totally fine if they required another form of ID (such as a passport) or another form of address/name verification (such as a utility bill). Or perhaps even a picture of the card on file.
What is NOT okay is a lack of response, which this article is describing.
You will get a new login page and username to log in with and not need an email address specific account.
http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practic...
CloudFormer[0] might be able to automate some of the process - it analyzes your existing VPC and generates a CloudFormation[1] template. You could then take this template and deploy the stack in your new account, and you'd only have to rebuild the remaining few items.
Then you could redeploy all your applications, test, and migrate production services to your freshly-tested instance. Finally, you must be aggressive in shutting down the old services. It would be agonizing to have your entire site down because one server remains in the old account, and the account had some issue. Feel free to contact me for more specific advice.
[0] https://www.linkedin.com/pulse/how-why-use-aws-cloudformer-a...
[1] https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGui...