malfunction Posted August 1, 2013
So out of curiosity, how do you guys handle getting clients (securely) back into their WHMCS account when the account email address is not functional? For example, they forgot their WHMCS password and the account email address is not up to date, suspended or whatever. We have had quite a few unpleasant exchanges with clients who think we can send a new password to some random free email account and get all bent out of shape when we seek ID verification of some kind.
DavidBee Posted August 1, 2013
Well, we have a process that I can't really disclose; however, you should add custom fields to your installation and have options for, let's say, a support PIN.
malfunction Posted August 1, 2013 Author
I see there's some discussion in the feature requests area regarding the use of support PINs and suchlike, although in a somewhat different context (verification for phone/chat support when they do have account access). But leaving aside the security issues with having a visible/editable PIN code both admin and client side, don't they just forget them? I mean, they changed their email address and forgot to update it in their account, they forgot their password and they forgot to set a security question, so how likely is it they remember some PIN code? Some of our folks have never logged in since they signed up and we get this recurring nightmare years later, where we come out as the bad guys just because we are trying to protect the client's assets from possible abuse/social engineering/whatever.
easyhosting Posted August 1, 2013
You could ask them for details about the address held on their account, or you could telephone the number they gave you and listed on their account. But a client should remember something on their account such as PIN numbers, as they should use a number they can easily remember. But it is also up to the client to make sure that they keep their details held by you up to date.
malfunction Posted August 2, 2013 Author
Thanks for weighing in. Sure, they should keep their details up to date, we tell them to and even have it in the ToS, but they don't - and you're not going to be able to make them. More stuff like PIN numbers to remember probably isn't going to help. The address verification idea is a non-starter, I think, as that's public data and easily acquired by a third party. Phone number is better, we use that sometimes, but it's far from foolproof as people may have many numbers, home/work/cell/developer/etc., and they can change from time to time. That also makes it a manual process, which isn't really something we want to spend valuable time on; it doesn't scale and it's generally a pain in the rear having to call people up and try and make decisions about their identity. Maybe our clients have a higher than average incidence of amnesia, but this is a daily event. I'm starting to think we need a feature request for a second/third email address field and maybe an SMS number, along the lines of a Google account, which has a primary, alternate and recovery email address setup, plus an SMS number. This is more than custom fields, as it needs regular reminders to force people to do it and keep it up to date - otherwise they just ignore it all. Until they can't get in and they get on to us in a rage...
easyhosting Posted August 2, 2013
"I'm starting to think we need a feature request for a second/third email address field and maybe an SMS number"
You can already add these.
1) Add them as custom fields (so you have the details).
2) In the client profile, open the Contacts tab and set these details as a secondary contact on their account.
But calling clients on the number on their account is the only way if they have an outdated email address, so they can't use the request password details. I would find it strange if they have an outdated email and an outdated phone number on their account.
malfunction Posted August 2, 2013 Author
Like I said, custom fields don't work, as you need a way to force them to enter details and keep them updated. If you have a Google account or whatever, you'll be familiar with the reminders every few months to keep this information up to date, why it is important and what will happen in the event the main email account is inaccessible. I'm also not interested in opening a sub-account on their behalf and setting a lot of permissions; this isn't a sub-account, it's data that belongs with the main user record. Provided their site and their mail works, many people have no need to contact us for years on end. Not so strange that they could move and not think to update their details in our system, and it doesn't get noticed until they need help because their card expired, need tech support etc.
easyhosting Posted August 2, 2013
"reminders every few months to keep this information up to date"
If a client has changed email addresses, then how would this work, as they would just bounce back? So the only other way, as I stated, is to telephone the number they have on your account.
jclarke Posted August 2, 2013
What about trying to SMS or call the customer at the telephone number they have listed as verification, plus confirming payment details?
easyhosting Posted August 2, 2013
When you call them, you can ask them for their date of birth and see if it matches what they have on your account, as surely they should remember that.
And then there was one les Posted August 2, 2013
Somebody already mentioned above the easiest step, which is to call the telephone number they have on account, although all this does is prove they have access to the phone. Could be a mobile and could be lost, right? The PIN number option is fairly simple actually, as long as it's a regular part of the security steps; this helps to imprint it in memory. If you have irate clients over security matters then you really need to learn how to speak to those clients. You will need to quite firmly but politely decline their request for sending to an alternate email address. Make it very clear that the reason these protocols are in place is to protect the client's account from unauthorised access. Outside of this there are other means: checking the last transaction ID from the gateway; it's unlikely they would forget that password also, unless they set up both at the same time. I find, though, the easiest for the client if other methods are unavailable would be for them to photograph a recent utility bill from their listed address, which they can submit by a ticket or send by email. Passports/driving licenses are another good option for a photograph.
easyhosting Posted August 2, 2013
"Somebody already mentioned above the easiest step which is to call the telephone number they have on account although all this does is prove they have access to the phone could be a mobile and could be lost right?"
But just think: when you get phoned by your utility companies, they will ask you questions etc. to prove they are talking to the account holder. So you call them and then ask specific questions regarding their account:
DOB
Security question
If they are resellers, ask them to name a couple of sites held under their account apart from their own site.
malfunction Posted August 2, 2013 Author
All these ideas really do is confirm the need for a better system.
* DOB -- privacy issue for some, but not hard for a social engineer to get hold of. We don't know their DOB; how do we get that? Whose DOB anyway - the developer that opened the account and quit years ago?
* Security question -- frequently not known, mis-spelled or not set.
* "if they are resellers ask them to name a couple of sites held under their account apart from their own site." - and if they are not? Easy enough for an outsider to find that information from name servers.
* Phone number - CDJ says this is not foolproof (and I already pointed that out).
* PIN number - disagree, too easy to forget. What about existing customers where we don't have one? Plus at least half will use their credit card PIN, which will then be stored unencrypted in the database.
* Transaction ID - where would they get a gateway transaction ID?
* Utility bill - not everyone has those, and it doesn't work for a corporate environment, where most of our business is.
* Passport/driver's license - I certainly would not send my federal or state ID to some spotty kid at a hosting company; wouldn't expect anyone else to either.
WHMCS should know better than anybody the consequences of weak security protocols after the Hostgator fiasco. And none of these suggestions scale. I have better things to do with my time than arse around with fax copies of utility bills and phone calls to irate clients. This can and should be automated.
"If you have irate clients over security matters then you really need to learn how to speak to those clients. You will need to quite firmly but politely decline their request for sending to an alternate email address. Make it very clear that the reason these protocols are in place are to protect the clients account from unauthorised access."
Err, we do that (firmly, but politely); that's what sends them into a rage...
easyhosting Posted August 2, 2013
"* DOB -- privacy issue for some but not hard for a social engineer to get hold of, we don't know their DOB, how do we get that, whose DOB anyway - the developer that opened the account and quit years ago?"
This should be set up in the registration form and should be the DOB of the account holder. If a developer quit years ago then no one else should have access to his account, as they are not the account holder. If a company hands the account to someone else then that person should have all their details set on the account.
"* Security question -- frequently not known, mis-spelled or not set"
That is the client's problem, but there again you should be marking these as required items.
"* if they are resellers ask them to name a couple of sites held under their account apart from their own site. - and if they are not? Easy enough for an outsider to find that information from name servers."
Not really, as the nameservers would only show what sites are on the server and not what accounts are owned by which reseller.
"* Phone number - CDJ says this is not foolproof (and I already pointed that out)"
Use the phone number that they used to verify their account (if you use MaxMind, then the number they hold).
"* PIN number - disagree, too easy to forget. What about existing customers where we don't have one? Plus at least half will use their credit card PIN which will then be stored unencrypted in the database"
PIN numbers are one of the easiest things to remember.
"* transaction ID, where would they get a gateway transaction ID?"
The payment provider, like PayPal.
"WHMCS should know better than anybody the consequences of weak security protocols"
This has nothing to do with WHMCS; this has to do with your clients not remembering their login details or security items.
And then there was one les Posted August 2, 2013
If you think they would use their credit card PIN, that's easy: don't allow them to enter a 4-digit PIN. When faced with a PIN that requires more than 4, they are more likely to enter a completely different PIN. There are people that, no matter what you do, will get locked out; the only thing I can suggest in such a case is to take as many steps as it takes to make you 100% certain that the person you are speaking to is either the account holder or an authorised agent. I understand your remarks about the system. I do believe that security all over the system should be as high as possible; this would include use of PINs, clearance levels etc. to gain access to secure or personal information. But that, I believe, is a whole sideline to the subject matter.
malfunction Posted August 2, 2013 Author
easyhosting: If I have a problem then I have a problem, and I believe WHMCS could do better to help me with it, by way of feature improvements. I don't really need you telling me I don't have a problem. Putting you back on "ignore".
CDJ: yes, agreed, but I'd rather have more options to handle it automatically so I don't have to waste staff time on it at all - customers are also happier if they can help themselves resolve something in minutes instead of jumping through verification hoops.
stormy Posted August 3, 2013
"* Passport/drivers license - I certainly would not send my federal or state ID to some spotty kid at a hosting company, wouldn't expect anyone else to either"
Well, I'm sure _you_ wouldn't lose your email address AND your password either. In my experience, asking for a photo ID has worked every time and so far we have had zero customer complaints. It's a drag, but it works perfectly, and these days everyone has a phone with a camera that can send the thing with minimal hassle.
malfunction Posted March 4, 2014 Author
Posted as a feature request: https://requests.whmcs.com/responses/back-up-email-address-for-primary-account-holder
Vote early, vote often...
Si Posted March 4, 2014
Been using WHMCS for about 8 years now. When a customer can't log in because they no longer have access to the email they used, they contact us via the site. We ask them to raise a ticket to a dept we created specifically for this. WHY? WHMCS logs their IP address. We check that IP location (explained below). We ask them for:
1) their reason for change (this is vital)
2) a new email address
3) their security answer (which is mandatory in WHMCS now anyhow)
4) a past invoice number and their method of payment
It has never failed yet that customers cannot provide this information. Finally, depending on the answer to question 1, we can see if they have a similar IP to the one recorded when they last logged in. It's not foolproof on its own (for obvious reasons), but it adds another layer of security, and I would estimate 50% of customers are still with the same ISP in the same area. I suppose something more automated and fandangled would add to the user experience, but the above is made in answer to the original question by the thread starter.
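The vetting checklist in the post above (security answer, past invoice number, payment method, plus a "similar IP" comparison with the last login), written out as an added Python example. This is not code from the thread or from WHMCS; the client record, invoice numbers and IP addresses are constructed, and storing the security answer as a SHA-256 hash of the normalised text is an assumption made for illustration.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ClientRecord:
    """Constructed stand-in for the client data a helpdesk would look up."""
    security_answer_hash: str   # SHA-256 of the normalised answer (assumption)
    invoices: frozenset         # invoice numbers issued to this client
    payment_method: str
    last_login_ip: str


def normalise(text: str) -> str:
    """Case- and whitespace-insensitive form, so 'Rover ' matches 'rover'."""
    return " ".join(text.strip().lower().split())


def answer_hash(answer: str) -> str:
    return hashlib.sha256(normalise(answer).encode()).hexdigest()


def same_network(ip_a: str, ip_b: str) -> bool:
    """'Similar IP': same /24 for IPv4 or same /48 for IPv6 (a rough ISP/area proxy)."""
    a, b = ipaddress.ip_address(ip_a), ipaddress.ip_address(ip_b)
    if a.version != b.version:
        return False
    prefix = 24 if a.version == 4 else 48
    return b in ipaddress.ip_network(f"{a}/{prefix}", strict=False)


def vet_recovery_request(record, security_answer, invoice_no, payment_method, ticket_ip):
    """Return (approved, checks). The three knowledge checks must all pass;
    the IP check is reported separately, since the post treats it only as
    an extra layer, not as a deciding factor."""
    checks = {
        # constant-time comparison so a wrong answer does not leak timing
        "security_answer": hmac.compare_digest(answer_hash(security_answer),
                                               record.security_answer_hash),
        "invoice": invoice_no.strip() in record.invoices,
        "payment_method": normalise(payment_method) == normalise(record.payment_method),
        "ip_similar": same_network(ticket_ip, record.last_login_ip),
    }
    approved = checks["security_answer"] and checks["invoice"] and checks["payment_method"]
    return approved, checks
```

An operator would still record the stated reason for the change (item 1 in the post) alongside the result, since that is what decides how much weight the IP comparison gets.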
malfunction Posted March 4, 2014 Author
"I suppose something more automated and fandangled would add to the user experience..."
Yes it would. Thanks for the input and great that you're happy with a process that, by your own admission, is not foolproof and adds a bunch of administrative steps, but I'm not looking for more work. There's no reason this can't be fully automated for the majority of cases; it's better for the clients and it's better for staff. Not really sure why everybody wants to fight me on this and insist their laborious home-brewed manual method is superior. Do you suppose Google have buildings full of people looking at IP addresses, verifying state IDs, utility bills, making phone calls, checking birth dates, sending texts and all that every time someone forgets their Google account password?