I guess Skyetel doesn't want business
-
@Skyetel always talks about wanting relationships, but they don't. They just don't want to deal with business at all.
@scottalanmiller I keep trying to give your new toy a chance, but it continues to fail.
-
@Dashrender said in I guess Skyetel doesn't want business:
That's all fine and dandy.. but I can't sign my company up (I'm the IT Admin here) because I'm not giving you my personal cellphone for a company sign up.
Other systems have done setups that get through IVRs to internal extensions - that's what would be needed in my office.
Requiring SMS for business is seemingly absurd.
We don't require it as a means for contacting you - we never use it - its just for the signup process to verify you are a human and to prevent duplicate accounts. On the next step under "Organization Info" it will ask you for the contact information to use.
-
@Skyetel said in I guess Skyetel doesn't want business:
@Dashrender said in I guess Skyetel doesn't want business:
That's all fine and dandy.. but I can't sign my company up (I'm the IT Admin here) because I'm not giving you my personal cellphone for a company sign up.
Other systems have done setups that get through IVRs to internal extensions - that's what would be needed in my office.
Requiring SMS for business is seemingly absurd.
We don't require it as a means for contacting you - we never use it - its just for the signup process to verify you are a human and to prevent duplicate accounts. On the next step under "Organization Info" it will ask you for the contact information to use.
I don't consider this acceptable. I should never have to have anything more than I 'need' for my business to make an account with a vendor. i.e. My company doesn't need me to have a cell phone, so why should you need one for authentication - what's wrong with sending a link in email instead of via SMS? hell - according to NIST, email is MUCH more secure - assuming your both our servers are using TLS opportunistically, then the communication is sent over the internet encrypted - while SMS has been showed to be completely hackable and the NIST highly advises against using it for two factor authentication - which is basically what you're doing.
Additionally, If I used my phone for a personal account like JB did, then I wouldn't be able to use my cellphone number anyway.
-
I appreciate that you are trying to setup real, not fake accounts, please consider changing to email for confirmation instead of SMS.
I had a similar issue with Google the other day. It continues to amaze me at the amount of assumptions we run into in systems these days.
On a side note - My EHR system fully expects that every patient will have their own email address - once we ran into this issue, we started seeing how many couples share a single email address between them. It's crazy, like 2% of people share a single account, this means we run into this issue about once a month.
-
@Dashrender said in I guess Skyetel doesn't want business:
I appreciate that you are trying to setup real, not fake accounts, please consider changing to email for confirmation instead of SMS.
I had a similar issue with Google the other day. It continues to amaze me at the amount of assumptions we run into in systems these days.
On a side note - My EHR system fully expects that every patient will have their own email address - once we ran into this issue, we started seeing how many couples share a single email address between them. It's crazy, like 2% of people share a single account, this means we run into this issue about once a month.
The problem with other forms of identify verification is that it's not unique to the individual and it is not personally identifying. You can create new emails, you can create new phone numbers to call, etc. The cell phone is unique because its extremely uncommon for people to have more than one. Additionally, the system verifies that the number you specify is indeed a cell phone number prior to sending you the verification SMS.
We're not using it for 2FA - its just to verify the following:
- Your in North America (Foreign cell phone numbers wont work)
- You are actually a real human being (because you have to put it in)
- You are not planning on committing fraud.
The fraud part cannot be overstated and is worth its own post. Preventing fraud is critically important to us - and there's no way that someone who plans on using our network for illegal calling will give you their personal cell phone number. If we used emails or an automated phone call, it would be too easy for fraudsters to put in fake information using temporary information. Then all they would have to do is put in a stollen credit card, and voila!
The SMS thing is not used for future correspondence and we don't call it or use it ever again. The information we care about is on page two:
This is the information we use to contact you. The first page is just about prevent fraud and fake/duplicate accounts.
-
@Skyetel said in I guess Skyetel doesn't want business:
The first page is just about prevent fraud and fake/duplicate accounts.
Correction: The first page is just to prevent a valid business from signing up.
-
This is the business you are not getting because I cannot sign up.
(I haven't pulled the historical data to finish 2018 and start 2019.. I'm slacking)
-
Here is another company I can't even think about moving because I cannot create an account for them.
-
@Skyetel said in I guess Skyetel doesn't want business:
@Dashrender said in I guess Skyetel doesn't want business:
I appreciate that you are trying to setup real, not fake accounts, please consider changing to email for confirmation instead of SMS.
I had a similar issue with Google the other day. It continues to amaze me at the amount of assumptions we run into in systems these days.
On a side note - My EHR system fully expects that every patient will have their own email address - once we ran into this issue, we started seeing how many couples share a single email address between them. It's crazy, like 2% of people share a single account, this means we run into this issue about once a month.
The problem with other forms of identify verification is that it's not unique to the individual and it is not personally identifying. You can create new emails, you can create new phone numbers to call, etc. The cell phone is unique because its extremely uncommon for people to have more than one. Additionally, the system verifies that the number you specify is indeed a cell phone number prior to sending you the verification SMS.
We're not using it for 2FA - its just to verify the following:
- Your in North America (Foreign cell phone numbers wont work)
- You are actually a real human being (because you have to put it in)
- You are not planning on committing fraud.
The fraud part cannot be overstated and is worth its own post. Preventing fraud is critically important to us - and there's no way that someone who plans on using our network for illegal calling will give you their personal cell phone number. If we used emails or an automated phone call, it would be too easy for fraudsters to put in fake information using temporary information. Then all they would have to do is put in a stollen credit card, and voila!
The SMS thing is not used for future correspondence and we don't call it or use it ever again. The information we care about is on page two:
)This is the information we use to contact you. The first page is just about prevent fraud and fake/duplicate accounts.
I get all this, I really do, But SMS to a business is just to onerous. I'm also curious - since VOIP.ms sells numbers that can get SMS - are you able to tell that it's not a cell phone from them and prevent someone from signing up?
As for Non- US numbers, what prevents someone from using a US burner phone to sign up?
what about Jared's situation? where he has a personal account that he used his cellphone for, and now can't sign up again? (OK this one is likely pretty small, but definitely not zero... He - as an IT Pro might have signed up for a personal account, then upon liking it, signed up for a business account - nope.. can't because he only has one cellphone number - unless he goes and gets a burner number).
-
@Dashrender said in I guess Skyetel doesn't want business:
@Skyetel said in I guess Skyetel doesn't want business:
@Dashrender said in I guess Skyetel doesn't want business:
I appreciate that you are trying to setup real, not fake accounts, please consider changing to email for confirmation instead of SMS.
I had a similar issue with Google the other day. It continues to amaze me at the amount of assumptions we run into in systems these days.
On a side note - My EHR system fully expects that every patient will have their own email address - once we ran into this issue, we started seeing how many couples share a single email address between them. It's crazy, like 2% of people share a single account, this means we run into this issue about once a month.
The problem with other forms of identify verification is that it's not unique to the individual and it is not personally identifying. You can create new emails, you can create new phone numbers to call, etc. The cell phone is unique because its extremely uncommon for people to have more than one. Additionally, the system verifies that the number you specify is indeed a cell phone number prior to sending you the verification SMS.
We're not using it for 2FA - its just to verify the following:
- Your in North America (Foreign cell phone numbers wont work)
- You are actually a real human being (because you have to put it in)
- You are not planning on committing fraud.
The fraud part cannot be overstated and is worth its own post. Preventing fraud is critically important to us - and there's no way that someone who plans on using our network for illegal calling will give you their personal cell phone number. If we used emails or an automated phone call, it would be too easy for fraudsters to put in fake information using temporary information. Then all they would have to do is put in a stollen credit card, and voila!
The SMS thing is not used for future correspondence and we don't call it or use it ever again. The information we care about is on page two:
)This is the information we use to contact you. The first page is just about prevent fraud and fake/duplicate accounts.
I get all this, I really do, But SMS to a business is just to onerous. I'm also curious - since VOIP.ms sells numbers that can get SMS - are you able to tell that it's not a cell phone from them and prevent someone from signing up?
As for Non- US numbers, what prevents someone from using a US burner phone to sign up?
what about Jared's situation? where he has a personal account that he used his cellphone for, and now can't sign up again? (OK this one is likely pretty small, but definitely not zero... He - as an IT Pro might have signed up for a personal account, then upon liking it, signed up for a business account - nope.. can't because he only has one cellphone number - unless he goes and gets a burner number).
As you are saying, there are plenty of easy ways around SMS verification if I want to sign up for something like this.
And no, there is no way to know if the number is an actual cell phone or not. Because all they do is send a message.
-
@Skyetel said in I guess Skyetel doesn't want business:
Then they can give you their credentials so you can administer the account.
I didn't have an issue with what you were saying until here. Shared Credentials is never an acceptable practice.
At that point what you were saying about accepting the terms and conditions goes out the window as anyone with the credentials could easily rack up thousands in charges and the client would be responsible for it, even though they "shared their credentials with a trusted party" doesn't do anything to protect them or you. As those credentials could be compromised in so many ways.
-
Like this
-
@JaredBusch said in I guess Skyetel doesn't want business:
@Dashrender said in I guess Skyetel doesn't want business:
@Skyetel said in I guess Skyetel doesn't want business:
@Dashrender said in I guess Skyetel doesn't want business:
I appreciate that you are trying to setup real, not fake accounts, please consider changing to email for confirmation instead of SMS.
I had a similar issue with Google the other day. It continues to amaze me at the amount of assumptions we run into in systems these days.
On a side note - My EHR system fully expects that every patient will have their own email address - once we ran into this issue, we started seeing how many couples share a single email address between them. It's crazy, like 2% of people share a single account, this means we run into this issue about once a month.
The problem with other forms of identify verification is that it's not unique to the individual and it is not personally identifying. You can create new emails, you can create new phone numbers to call, etc. The cell phone is unique because its extremely uncommon for people to have more than one. Additionally, the system verifies that the number you specify is indeed a cell phone number prior to sending you the verification SMS.
We're not using it for 2FA - its just to verify the following:
- Your in North America (Foreign cell phone numbers wont work)
- You are actually a real human being (because you have to put it in)
- You are not planning on committing fraud.
The fraud part cannot be overstated and is worth its own post. Preventing fraud is critically important to us - and there's no way that someone who plans on using our network for illegal calling will give you their personal cell phone number. If we used emails or an automated phone call, it would be too easy for fraudsters to put in fake information using temporary information. Then all they would have to do is put in a stollen credit card, and voila!
The SMS thing is not used for future correspondence and we don't call it or use it ever again. The information we care about is on page two:
)This is the information we use to contact you. The first page is just about prevent fraud and fake/duplicate accounts.
I get all this, I really do, But SMS to a business is just to onerous. I'm also curious - since VOIP.ms sells numbers that can get SMS - are you able to tell that it's not a cell phone from them and prevent someone from signing up?
As for Non- US numbers, what prevents someone from using a US burner phone to sign up?
what about Jared's situation? where he has a personal account that he used his cellphone for, and now can't sign up again? (OK this one is likely pretty small, but definitely not zero... He - as an IT Pro might have signed up for a personal account, then upon liking it, signed up for a business account - nope.. can't because he only has one cellphone number - unless he goes and gets a burner number).
As you are saying, there are plenty of easy ways around SMS verification if I want to sign up for something like this.
And no, there is no way to know if the number is an actual cell phone or not. Because all they do is send a message.
They clearly state that they somehow check that the number is a cellphone before sending the SMS.
-
@DustinB3403 said in I guess Skyetel doesn't want business:
@Skyetel said in I guess Skyetel doesn't want business:
Then they can give you their credentials so you can administer the account.
I didn't have an issue with what you were saying until here. Shared Credentials is never an acceptable practice.
At that point what you were saying about accepting the terms and conditions goes out the window as anyone with the credentials could easily rack up thousands in charges and the client would be responsible for it, even though they "shared their credentials with a trusted party" doesn't do anything to protect them or you. As those credentials could be compromised in so many ways.
No, that is not @skyetel's problem. that is the dumbass' problem that shared credentials.
It is @Skyetel's problem for suggesting to share credentials.
-
@DustinB3403 said in I guess Skyetel doesn't want business:
@Skyetel said in I guess Skyetel doesn't want business:
Then they can give you their credentials so you can administer the account.
I didn't have an issue with what you were saying until here. Shared Credentials is never an acceptable practice.
At that point what you were saying about accepting the terms and conditions goes out the window as anyone with the credentials could easily rack up thousands in charges and the client would be responsible for it, even though they "shared their credentials with a trusted party" doesn't do anything to protect them or you. As those credentials could be compromised in so many ways.
OK, this part I don't have an issue with. Shared creds, or unique for all users wouldn't stop anyone with account access from racking up charges... sure, you could say - hey that account I created for my trusted vendor was the one used to make all those charges, but doesn't make the business owner any less liable for them.
-
@JaredBusch said in I guess Skyetel doesn't want business:
@DustinB3403 said in I guess Skyetel doesn't want business:
@Skyetel said in I guess Skyetel doesn't want business:
Then they can give you their credentials so you can administer the account.
I didn't have an issue with what you were saying until here. Shared Credentials is never an acceptable practice.
At that point what you were saying about accepting the terms and conditions goes out the window as anyone with the credentials could easily rack up thousands in charges and the client would be responsible for it, even though they "shared their credentials with a trusted party" doesn't do anything to protect them or you. As those credentials could be compromised in so many ways.
No, that is not @skyetel's problem. that is the dumbass' problem that shared credentials.
It is @Skyetel's problem for suggesting to share credentials.
That's my point, even suggesting sharing credentials puts Skyetel in the way of liability, and to state that they want to "prevent fraud" but are cool with sharing credentials is the opposite of wanting to prevent fraud.
What systems in place does Skyetel have to know that [email protected] is actually logged into his Skyetel account and not someone else who just happened to get Bob's account details for Skyetel?
-
@DustinB3403 said in I guess Skyetel doesn't want business:
@JaredBusch said in I guess Skyetel doesn't want business:
@DustinB3403 said in I guess Skyetel doesn't want business:
@Skyetel said in I guess Skyetel doesn't want business:
Then they can give you their credentials so you can administer the account.
I didn't have an issue with what you were saying until here. Shared Credentials is never an acceptable practice.
At that point what you were saying about accepting the terms and conditions goes out the window as anyone with the credentials could easily rack up thousands in charges and the client would be responsible for it, even though they "shared their credentials with a trusted party" doesn't do anything to protect them or you. As those credentials could be compromised in so many ways.
No, that is not @skyetel's problem. that is the dumbass' problem that shared credentials.
It is @Skyetel's problem for suggesting to share credentials.
That's my point, even suggesting sharing credentials puts Skyetel in the way of liability, and to state that they want to "prevent fraud" but are cool with sharing credentials is the opposite of wanting to prevent fraud.
What systems in place does Skyetel have to know that [email protected] is actually logged into his Skyetel account and not someone else who just happened to get Bob's account details for Skyetel?
Apparently that a SMS was sent to Bob.
-
@Dashrender said in I guess Skyetel doesn't want business:
@Skyetel said in I guess Skyetel doesn't want business:
@Dashrender said in I guess Skyetel doesn't want business:
I appreciate that you are trying to setup real, not fake accounts, please consider changing to email for confirmation instead of SMS.
I had a similar issue with Google the other day. It continues to amaze me at the amount of assumptions we run into in systems these days.
On a side note - My EHR system fully expects that every patient will have their own email address - once we ran into this issue, we started seeing how many couples share a single email address between them. It's crazy, like 2% of people share a single account, this means we run into this issue about once a month.
The problem with other forms of identify verification is that it's not unique to the individual and it is not personally identifying. You can create new emails, you can create new phone numbers to call, etc. The cell phone is unique because its extremely uncommon for people to have more than one. Additionally, the system verifies that the number you specify is indeed a cell phone number prior to sending you the verification SMS.
We're not using it for 2FA - its just to verify the following:
- Your in North America (Foreign cell phone numbers wont work)
- You are actually a real human being (because you have to put it in)
- You are not planning on committing fraud.
The fraud part cannot be overstated and is worth its own post. Preventing fraud is critically important to us - and there's no way that someone who plans on using our network for illegal calling will give you their personal cell phone number. If we used emails or an automated phone call, it would be too easy for fraudsters to put in fake information using temporary information. Then all they would have to do is put in a stollen credit card, and voila!
The SMS thing is not used for future correspondence and we don't call it or use it ever again. The information we care about is on page two:
)This is the information we use to contact you. The first page is just about prevent fraud and fake/duplicate accounts.
I get all this, I really do, But SMS to a business is just to onerous. I'm also curious - since VOIP.ms sells numbers that can get SMS - are you able to tell that it's not a cell phone from them and prevent someone from signing up?
As for Non- US numbers, what prevents someone from using a US burner phone to sign up?
what about Jared's situation? where he has a personal account that he used his cellphone for, and now can't sign up again? (OK this one is likely pretty small, but definitely not zero... He - as an IT Pro might have signed up for a personal account, then upon liking it, signed up for a business account - nope.. can't because he only has one cellphone number - unless he goes and gets a burner number).
The ideal situation is to have the end user create their own account and have the IT team administer it. You don't have to share an account - you can create a new account for the IT Administrator and he can administer it directly without sharing credentials. (Thats what @scottalanmiller does)
We are able to determine whether or not a phone number is a true cell phone number pretty accurately. There are industry databases we can query to look that kind of information up.
-
@Dashrender said in I guess Skyetel doesn't want business:
Apparently that a SMS was sent to Bob.
Except it's only used for account creation and not verification of account changes/charges/etc/etc/etc
@Skyetel said in I guess Skyetel doesn't want business:
The SMS thing is not used for future correspondence and we don't call it or use it ever again.
-
Just for kicks, I tried using my Google Voice number and it failed.
