Comment by NikolaNovak
1 day ago
Oh man. The infinite loops of impossible verification by large companies that should know better are a massive pain peeve of mine.
This goes right to the top for me, along with the ubiquitous "please verify your account" emails with NO OPTION to click "that's NOT me, somebody misused my email". Either people who do this for a living have no clue how to do their job, or, depressingly more likely, their goals are just completely misaligned to mine as a consumer and it's all about "removing friction" (for them).
Oh man we had a person leave unexpectedly who controls our Apple organization for our dev accounts. I'm several months into me making requests, getting responses at least a week later for each email where the responder ... didn't really read my message. Then they ask for documents ... but they forgot to send me the secure link ... another week+ for them to do what they said they were going to do. Now one of my documents didn't include a sentence they needed ...
One of the requests was for a business card ... I haven't had a business card made with my name on it in 20 years.
The amazing thing is that I bet scammers working this system can get through this faster than I can.
At this point they should just give me control because no way would some scammer fail this much at this ungodly process.
Scammers can definitely get through it faster than you can. Whenever you attempt to address abuse in a system by increasing the complexity of that system, you implicitly bias it towards those with the time and inclination to study it, which always includes those with intent to abuse it, and generally does not include your users.
I'm in a similar boat... and over the weeks where I have been sending the requested docs/files... Apple reps come back and state that one of the docs I sent them was not valid... so I ask them to clarify their "definition" of the doc... and they just either reply with unhelpful comments, or delay a little and delay things further. When someone asks for a copy of a payslip and you send it... but then Apple says it's not a payslip, I genuinely am sad about the overall state of the world... I dislike Apple and all these big tech providers for their abusive control/power and at the same time vast layers and levels of incompetence. :-(
I’ve been shocked by the poor support.
I didn’t expect speed but what I’ve experienced has been what feels like bottom of the barrel outsourced support you get from some no name brand company….
> Oh man. The infinite loops of impossible verification by large companies that should know better are a massive pain peeve of mine.
I got hit by this from google.
1. Gmail added requirement for 2FA on my primary email address. Since I had no phone number on file, it instead used my recovery email address. Thankfully, I still had the password for my recovery email address, and could continue to (2).
2. Gmail added requirement for 2FA on my recovery email address. Since I had no phone number on file, it instead used my recovery's recovery email address. Thankfully, I still had the password for my recovery's recovery email address, and could continue to (3).
3. SBC Communications no longer exists, as it merged with AT&T in 2005. Email addresses at `sbcglobal.net` were maintained up until around 2021-ish, when they started purging any mailboxes that had been idle for more than 12 months.
Fundamentally, this was google's fault for misusing a recovery email for 2FA. Unfortunately, the only way to fix it would be to contact AT&T, asking them to pretty please update the email settings for somebody who hadn't been a paying customer for two decades.
Google made it very clear years ago that they shouldn't be trusted with anything irreplaceable/that would cause major problems if you lost access.
Once it became clear that they'd shifted from "crappy customer service" to (IMNSHO) "we fetishize the complete absence of customer service" it became dangerous to depend on them. Really, what's the worst that could happen? Maybe someone spams emojis in live chat on a game livestream at the request of the streamer on a personal account, it gets banned for abuse, Google recognizes that it's linked to other services and locks down everything? But that's so unrealistic I'm sure it could never happen.
It's not like they also have the ability to identify links between multiple accounts accessed by the same person and have automated processes that might stomp the associated accounts as well. Why, that would probably require something like allowing poorly-understood automated agents to take actions on their own!
> Fundamentally, this was google's fault for misusing a recovery email for 2FA.
While this would absolutely suck and I sympathise with anyone getting hit by this out of the blue, it's pretty clearly your fault, not Google's. What should they have done? Just permit everyone to avoid upgrading to 2FA indefinitely? That would result in relatively more account hacks overall, for which they would inevitably be roasted in the court of public opinion.
I'm tired of 2FA. Absolutely the worst when setting up a new phone after losing the old one. A whole bunch of mixed methods, in 2 hours between installing all the apps again, getting text messages, installing authenticators, scanning IDs, taking selfies, receiving phone calls with spoken codes, grabbing another device that still somehow has access, twenty emails about new suspicious activity, grabbing recovery codes, or scrambling to find the Yubikey I used when registering for the simplest and most benign services that have no connections to my personal data or payment.
Google will insist on sending a notification to a phone you no longer have access to, and regaining access always feels like hacking yourself. I dread the day I lose a phone together with my SIM card and ID during travel. I will never be able to go back and will have to start a new life as an illegal immigrant, living as a hermit in some deep forest.
Personally, if their 2FA doesn't work, then they should definitely permit everyone to avoid upgrading to 2FA indefinitely.
2FA isn't an upgrade, it's an annoyance. If your organization needs secure authentication, it's useful, but as an individual I have only ever been enraged. Making me check my email and phone to log in is a great way to ensure I never use your service again.
> What should they have done? Just permit everyone to avoid upgrading to 2FA indefinitely?
Yes. I've had online accounts for nearly as long as there's been an "online". The only time I've ever lost control of an account was due to 2FA.
2FA should always be optional for one's personal accounts. [0] People who can securely manage passwords simply don't need it. And if Organized Crime or Mossad wants access to my accounts, 2FA is not going to stop them.
[0] Corporate accounts and hardware are a different matter. You manage those however your employer commands you to manage them.
> Fundamentally, this was google's fault
Or yours, for not caring about 2FA. It's been a common practice for many years, and strongly recommended by most identity services, as well as OWASP and NIST recommendations.
What would you do in Google's place?
I have the same issue. At the time I created the account that I'm locked out of, Google said nothing about these "recovery" email addresses as 2FA. Years passed without any notice that maybe they were going to lock me out of an account I have the password for. No notice that I had better have access to that "recovery" email address that I hadn't bothered to keep up to date because I never thought I'd need to "recover" the account from Google. (In my case, it's an old .edu email address that I was promised "for life".)
If Google wanted to lock me out of my account for my own good until I enabled 2FA, fine. But as GP stated, they abused the recovery email addresses to force 2FA on people and ended up locking some people out of their accounts.
Not add 2fa automatically, but instead prompt with options to add it.
This probably doesn't comply with the relevant recommendations, but cutting a user off from their email is worse in my opinion.
2FA falls under the same criteria as mandatory password rotation, and "has to have special characters". Those were NIST recommended for a long time too.
Nonsense. Any feature should have acceptable failure modes. Blaming the customer for a fault they have no control over is not acceptable. Many people know nothing about 2FA. It is not their responsibility. 2FA is a symptom of shitty designed systems which are inherently insecure and companies who don't give a shit about that and let their customers shoulder the burden by shoving complexity down their throats.
If you make an app it is not your customers' responsibility to secure it with additional actions from their side. If it is, you need to make it mandatory and guide them step by step.
You can't after a while enable some toggle and tell people to fuck off and it's the fault of their ignorance to not know some technical details.
Most consumers of these services don't know shit about IT and they should not be burdened with it. Any product that demands it is either only meant for tech-savvy people or more likely lazily and badly engineered by money hungry people who see opportunity to make more money in users' issues.
Not force nonconsensual authentication methods onto users.
Google is one of the rare places I actually see positive value to 2FA. Compare with say banks, where it being demanded actually decreases my security. But regardless, it should not be forced.
Someone constantly adds my Gmail address as their Gmail account's backup address.
I constantly remove it whenever Gmail sends me the notification.
I can't help but think there is some method for the other person to steal my Gmail account if I never remove my email as their backup.
I have an "OG" mac.com account (got it about five minutes after Steve announced it). My wife actually has her first name.
We both get hit with "OG Hell," where people are constantly entering our emails. I think most of the time, it is accidental (maybe they meant "XXX1234", and forgot the number).
What makes it worse, is that Apple aliases mac.com, icloud.com, and me.com together, and there's no way to turn off one of the aliases.
mac.com is really in retirement. No one sets up new ones, but the miscreants typo icloud.com, which gets routed to me.
I have a rule, where I shitcan every mail to icloud.com, but I wish I could simply turn off the forwarder.
I logged in several times to other people's accounts and reset their passwords. But it's too tiring, people keep adding my email.
I hope it's because I have small simple email and not because they want to steal it.
Have you tried sending them emails asking/telling them to stop?
You’re confessing to several actual felonies here, may want to change strategies.
My Gmail account is a funny word in Spanish that I got when there was still plenty of names available.
I get TONS of emails of people trying to join services that use my address as a "fake email".
We call this the Scunthorpe problem. Stupid "rude word" detectors use simple rules that fail on actual words.
Way back I was working on a loyalty card system that had the entire UK electoral roll and Post Office data and we had to validate people; names and addresses. A "comedian" decided to sign themselves up for the system using a stupid name, and when the loyalty card duly arrived at their (correct) address with their (incorrect) name, they went to the papers and it became a slow news day human interest story.
We had to implement a Scunthorpe filter, and that was really difficult. We ended up with a human looking at the data and hitting a button if they thought this was a made-up "funny" name or address.
You would be amazed at English place names and surnames. Velvet Bottom is a real place in the UK. There are many people wandering around with names that you can't say in polite company.
This happens to me several times a month. I'm more concerned about account termination, in that if their Gmail account is terminated for some reason, mine would be as well due to it being the backup email address.
You could try stealing theirs. Surely, one of the forgot-password flows must use the recovery email.
A couple of years ago someone associated my email with their bank account in Santander UK. I tried to get in touch with Santander but it turned out that the only way to do so is to either make an international call (I don't live in the UK) or send them a paper letter. I gave up and just routed these emails to a separate folder.
I meticulously report every single email like this as spam. Every single one. If it _could_ be read as a phishing attempt, I report them as phishing.
Etc.
"Wrong recipient" seems beyond the scope of what you can expect a spam filter to handle with accuracy. Wouldn't marking it as spam just degrade the signal to noise ratio of legitimate email? I'd rather get a few misses here and there than have to trawl through my spam folder which I only check once or twice a year when something doesn't show up right away.
> along with the ubiquitous "please verify your account" emails with NO OPTION to click "that's NOT me, somebody misused my email"
What would you expect clicking that "wasn't me" link to do?
In 99% of cases, the user who signed up with your address already can't do any more with that account unless you positively confirm it was you; and the site also won't send you any more email because they don't consider the email verified (and so sending to it might result in their emails getting sent to spam -> their email-sending reputation score going down.) So things are already in the state you'd want them to be in, no?
The only problem I can think of with that state is that now you can't sign up "fresh" for an account with the same provider, because now there's already an account associated with your email address sitting there in their DB in the pending-email-verification state. (But you still can acquire that account, by clicking "forgot/reset password" and going through that flow, which will inevitably go through your email, as anything like a 2FA setup flow always waits behind email verification.)
> and the site also won't send you any more email because they don't consider the email verified
Netflix, for one, didn't do this. They kept allowing this guy to "resend his confirmation email" periodically over several months (I never had a Netflix account).
My theory is that it was an affiliate scam of some sort; someone probably got paid for everyone who signed up with his code. So he "signed up" thousands of random mails in the hope that some of them would click through on the "you're almost ready to start your Netflix journey!" mail and actually subscribe to Netflix.
I'm currently in the endless email loop because someone named Raymond used one of my Gmail names to register with State Farm. One of their agents even emails me directly when he gets really behind on his payments but won't do anything when I tell them it's the wrong email.
In the past when this happens I usually reset the password and change the email to some anon throwaway but I can't do that without Raymond's DOB (don't quote me on that, been a while since I tried).
This exact thing happened to me with a State Farm agent.
After a few months, I told them I was concerned about the privacy ramifications and would have to report it to their state insurance regulator, and it was very quickly fixed.
No need to look for malicious intentions, this is just a feature that costs money so it's very low (or zero) priority for profit driven organisations.
I wonder if finding people responsible and spamming them with their own service emails would make the team care enough to fix this. But of course that's mostly dubious, probably illegal, and shouldn't be a responsibility of some vigilante hacker.
> No need to look for malicious intentions, this is just a feature that costs money so it's very low (or zero) priority for profit driven organisations.
Malicious in-attention then, by the profit driven org? :)
If bartenders are legally (including criminally!) liable in some jurisdictions for their customers, then certainly a chain of legal liability can exist in other industries.
Yes but bartenders overserving is a crime done by a working-class person and not a wealthy business.
What are you envisioning exactly?
What is the word for harming other people in order to make more money for yourself, if not "malicious"?
With AI these days it’d cost almost zero money. /s
It's entirely on us as citizens for leaving them as pet peeves instead of crafting them into strategic law that makes them not only illegal but shunned. A little bit of structure goes a long way here.
Once got one of those with a disclaimer that clicking any link was giving permission to subscribe me…
I believe they included the “unsubscribe” link too…
A chronic problem is the idea that if something can't be automated with a human in the loop then it simply can't be done at scale. Technologists will do anything except employ humans to solve social problems.
s/technologists/venture capitalists/
I prefer "please verify your account" to "thanks for joining" by a lot. The former presumably does not verify when I ignore it. The latter should be illegal but somehow isn't.
I do wish there was a requirement for some sort of "no" button that would stop sending sign up requests entirely.
Any idea what the incentive is for them to put in an email address they can't access?
I run a few websites that accept an email address (all noncommercial, I have no interest in spamming anyone). One of them is the "contact me" feature on my personal website. To prevent spam, I had people just put in their email address and it'll automatically email them my email address. This works perfectly to this day, haven't got a single spam email on any of the addresses I've handed out, but the ratio of emails sent out to received is probably 50 to 1. Why would anyone put an email address in there if not to contact me? I've been wondering if it's used by mail bombing services, idk if that's a thing but I know of the concept of annoying someone by signing them up for a hundred newsletters. My site doesn't send recurring emails, though, and it doesn't allow putting more than two email addresses per month in, per /24 IPv4 block (and even more strict on v6). It's useless for mail bombing services but the (presumed) bots keep submitting a steady rate of maybe 2 new email addresses per day, each time from a new ISP in a random country. No email address is ever submitted twice. No rhyme or reason to it. If anyone can make sense of this, that might help me in stopping the abuse.
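The per-prefix limit described in the comment above, sketched as an added example (not the commenter's code, and not part of the original thread). The 30-day window, the /48 IPv6 bucket with a limit of one, and all names are assumptions; the comment only gives "two per month per /24" and "more strict on v6".

```python
import ipaddress
from collections import defaultdict, deque

WINDOW_SECONDS = 30 * 24 * 3600   # "per month", approximated as 30 days (assumption)
V4_PREFIX, V4_LIMIT = 24, 2       # from the comment: two addresses per /24 per month
V6_PREFIX, V6_LIMIT = 48, 1       # assumption: the comment only says "more strict on v6"


def bucket_key(client_ip: str) -> str:
    """Map a client address to the network prefix it is counted under."""
    ip = ipaddress.ip_address(client_ip)
    # An IPv4-mapped IPv6 address (::ffff:a.b.c.d) must land in the IPv4
    # bucket, otherwise a dual-stack listener hands out a second quota.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    prefix = V4_PREFIX if ip.version == 4 else V6_PREFIX
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


class PrefixRateLimiter:
    """Sliding-window counter of accepted form submissions per prefix."""

    def __init__(self):
        self._accepted = defaultdict(deque)  # bucket -> timestamps of accepted requests

    def allow(self, client_ip: str, now: float) -> bool:
        key = bucket_key(client_ip)
        limit = V6_LIMIT if ":" in key else V4_LIMIT
        stamps = self._accepted[key]
        # Drop submissions that have aged out of the window.
        while stamps and now - stamps[0] >= WINDOW_SECONDS:
            stamps.popleft()
        if len(stamps) >= limit:
            return False          # refused requests are not recorded
        stamps.append(now)
        return True


if __name__ == "__main__":
    # Constructed sample traffic (documentation address ranges, not real clients).
    limiter = PrefixRateLimiter()
    sample = [
        ("203.0.113.5", 0), ("203.0.113.77", 60), ("203.0.113.200", 120),
        ("198.51.100.1", 180), ("192.0.2.44", 240),
    ]
    for ip, ts in sample:
        print(f"{ip:>15} -> {bucket_key(ip):<18} allowed={limiter.allow(ip, ts)}")
```

In the sample run the third request from the same /24 is refused while requests from other networks each pass, which matches the pattern the comment reports: one submission per new network never reaches a per-prefix limit.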
One way to do phishing attacks is to inject some payload in an automated mailing so malicious content comes from a valid email address. I wonder if they're testing whatever mail entry they can find with addresses they have access to in an attempt to find something usable?
> The former presumably does not verify when I ignore it.
That doesn't prevent a huge majority of them from sending you notification emails all the time even if you never verify.
Ah the old "reverse identity theft".
Relevant xkcd:
https://xkcd.com/1279/
Yeah, I get the same regularly.
Smartly, I got firstnamemiddleinitiallastname@gmail.com. I never get anybody else's details.
On the other hand... Occasionally someone gets my info because some careless person entered my email address into their system incorrectly. You'd think this problem would be solved by moving to a custom domain, but I still once in a while find someone completely ignoring what I put into the form and signing me up as firstnamelastname@gmail.com.
Happens with Apple products all the time.
The point of the system is what it does.
They can't just say "we don't want to deal with small timers who will not pay us big bucks doing nonstandard things" without pushback but they can write the policy so that a huge fraction of those use cases fall into some crack that can only be got out of by incurring the kind of expense that's a non-starter for those users. Your municipal code is rife with examples of this.
This is a catchy aphorism, but not really true. Things can be badly implemented so that they fail to achieve their purpose.
People often have trouble with this saying, and that trouble often boils down to the difference between intent and purpose.
The people who create a system have some intent for it. The system may or may not effectively achieve that intent, may or may not outlive the initial conditions that surrounded its creation, and may or may not have side effects.
Purpose is something humans assign. It is sometimes linked to intent. A carpenter's hammer is intended to drive and pull nails, and that is often also its purpose. The purpose of the hammer I keep in my basement is breaking open walnuts.
The phrase is stating that the purpose we should assign to systems when judging them is their outcome, and not the intent behind them.
> Either people who do this for a living have no clue how to do their job,
How naive. Most of the world work to survive, not because it's their dream vocation. They probably don't care as much as you do.