I guess Skyetel doesn't want business

JaredBusch

I want to sign up a client to use Skyetel. They don't have business cell phones. Even if they did, I would not put some random person's cell phone in there.

But it requires a cell phone. I put mine in there to get past the sign up, but that fails, because I have a personal acount with Skyetel. So nope.

Skyetel

This is intended behavior. The signup app is designed for the end user to sign up for themselves because they need to accept the terms and conditions; a third party can't accept them on their behalf. In order to have a client sign up, we'd ask that you please direct them to our sign up page and have them sign up for themselves. Then they can give you their credentials so you can administer the account.

Dashrender

That's all fine and dandy.. but I can't sign my company up (I'm the IT Admin here) because I'm not giving you my personal cellphone for a company sign up.

Other systems have done setups that get through IVRs to internal extensions - that's what would be needed in my office.

Requiring SMS for business is seemingly absurd.

JaredBusch

@Skyetel said in I guess Skyetel doesn't want business:

This is intended behavior. The signup app is designed for the end user to sign up for themselves because they need to accept the terms and conditions; a third party can't accept them on their behalf. In order to have a client sign up, we'd ask that you please direct them to our sign up page and have them sign up for themselves. Then they can give you their credentials so you can administer the account.

You clearly cannot read.

The client has no cell phones. This is a business. There is no cellphone to verify.

JaredBusch

Hell, I cannot even sign up @Bundy-Associates for your service because we do not have a company cell phone.

Again, I could use a personal cell phone. but then I have the problem of requiring an employee to provide their personal device for company use. Why the fuck would I add that expense (because I will have to compensate said employee for this) just to sign up for your service?

JaredBusch

@Skyetel always talks about wanting relationships, but they don't. They just don't want to deal with business at all.

@scottalanmiller I keep trying to give your new toy a chance, but it continues to fail.

Skyetel

@Dashrender said in I guess Skyetel doesn't want business:

That's all fine and dandy.. but I can't sign my company up (I'm the IT Admin here) because I'm not giving you my personal cellphone for a company sign up.

Other systems have done setups that get through IVRs to internal extensions - that's what would be needed in my office.

Requiring SMS for business is seemingly absurd.

We don't require it as a means for contacting you - we never use it - its just for the signup process to verify you are a human and to prevent duplicate accounts. On the next step under "Organization Info" it will ask you for the contact information to use.

Dashrender

@Skyetel said in I guess Skyetel doesn't want business:

@Dashrender said in I guess Skyetel doesn't want business:

That's all fine and dandy.. but I can't sign my company up (I'm the IT Admin here) because I'm not giving you my personal cellphone for a company sign up.

Other systems have done setups that get through IVRs to internal extensions - that's what would be needed in my office.

Requiring SMS for business is seemingly absurd.

We don't require it as a means for contacting you - we never use it - its just for the signup process to verify you are a human and to prevent duplicate accounts. On the next step under "Organization Info" it will ask you for the contact information to use.

I don't consider this acceptable. I should never have to have anything more than I 'need' for my business to make an account with a vendor. i.e. My company doesn't need me to have a cell phone, so why should you need one for authentication - what's wrong with sending a link in email instead of via SMS? hell - according to NIST, email is MUCH more secure - assuming your both our servers are using TLS opportunistically, then the communication is sent over the internet encrypted - while SMS has been showed to be completely hackable and the NIST highly advises against using it for two factor authentication - which is basically what you're doing.

Additionally, If I used my phone for a personal account like JB did, then I wouldn't be able to use my cellphone number anyway.

Dashrender

I appreciate that you are trying to setup real, not fake accounts, please consider changing to email for confirmation instead of SMS.

I had a similar issue with Google the other day. It continues to amaze me at the amount of assumptions we run into in systems these days.

On a side note - My EHR system fully expects that every patient will have their own email address - once we ran into this issue, we started seeing how many couples share a single email address between them. It's crazy, like 2% of people share a single account, this means we run into this issue about once a month.

Skyetel

@Dashrender said in I guess Skyetel doesn't want business:

I appreciate that you are trying to setup real, not fake accounts, please consider changing to email for confirmation instead of SMS.

I had a similar issue with Google the other day. It continues to amaze me at the amount of assumptions we run into in systems these days.

On a side note - My EHR system fully expects that every patient will have their own email address - once we ran into this issue, we started seeing how many couples share a single email address between them. It's crazy, like 2% of people share a single account, this means we run into this issue about once a month.

The problem with other forms of identify verification is that it's not unique to the individual and it is not personally identifying. You can create new emails, you can create new phone numbers to call, etc. The cell phone is unique because its extremely uncommon for people to have more than one. Additionally, the system verifies that the number you specify is indeed a cell phone number prior to sending you the verification SMS.

We're not using it for 2FA - its just to verify the following:

1. Your in North America (Foreign cell phone numbers wont work)
2. You are actually a real human being (because you have to put it in)
3. You are not planning on committing fraud.

The fraud part cannot be overstated and is worth its own post. Preventing fraud is critically important to us - and there's no way that someone who plans on using our network for illegal calling will give you their personal cell phone number. If we used emails or an automated phone call, it would be too easy for fraudsters to put in fake information using temporary information. Then all they would have to do is put in a stollen credit card, and voila!

The SMS thing is not used for future correspondence and we don't call it or use it ever again. The information we care about is on page two:

This is the information we use to contact you. The first page is just about prevent fraud and fake/duplicate accounts.

JaredBusch

@Skyetel said in I guess Skyetel doesn't want business:

The first page is just about prevent fraud and fake/duplicate accounts.

Correction: The first page is just to prevent a valid business from signing up.

JaredBusch

This is the business you are not getting because I cannot sign up.

(I haven't pulled the historical data to finish 2018 and start 2019.. I'm slacking)

JaredBusch

Here is another company I can't even think about moving because I cannot create an account for them.

Dashrender

@Skyetel said in I guess Skyetel doesn't want business:

@Dashrender said in I guess Skyetel doesn't want business:

I appreciate that you are trying to setup real, not fake accounts, please consider changing to email for confirmation instead of SMS.

I had a similar issue with Google the other day. It continues to amaze me at the amount of assumptions we run into in systems these days.

On a side note - My EHR system fully expects that every patient will have their own email address - once we ran into this issue, we started seeing how many couples share a single email address between them. It's crazy, like 2% of people share a single account, this means we run into this issue about once a month.

The problem with other forms of identify verification is that it's not unique to the individual and it is not personally identifying. You can create new emails, you can create new phone numbers to call, etc. The cell phone is unique because its extremely uncommon for people to have more than one. Additionally, the system verifies that the number you specify is indeed a cell phone number prior to sending you the verification SMS.

We're not using it for 2FA - its just to verify the following:

1. Your in North America (Foreign cell phone numbers wont work)
2. You are actually a real human being (because you have to put it in)
3. You are not planning on committing fraud.

The fraud part cannot be overstated and is worth its own post. Preventing fraud is critically important to us - and there's no way that someone who plans on using our network for illegal calling will give you their personal cell phone number. If we used emails or an automated phone call, it would be too easy for fraudsters to put in fake information using temporary information. Then all they would have to do is put in a stollen credit card, and voila!

The SMS thing is not used for future correspondence and we don't call it or use it ever again. The information we care about is on page two:
)

This is the information we use to contact you. The first page is just about prevent fraud and fake/duplicate accounts.

I get all this, I really do, But SMS to a business is just to onerous. I'm also curious - since VOIP.ms sells numbers that can get SMS - are you able to tell that it's not a cell phone from them and prevent someone from signing up?

As for Non- US numbers, what prevents someone from using a US burner phone to sign up?

what about Jared's situation? where he has a personal account that he used his cellphone for, and now can't sign up again? (OK this one is likely pretty small, but definitely not zero... He - as an IT Pro might have signed up for a personal account, then upon liking it, signed up for a business account - nope.. can't because he only has one cellphone number - unless he goes and gets a burner number).

JaredBusch

@Dashrender said in I guess Skyetel doesn't want business:

@Skyetel said in I guess Skyetel doesn't want business:

@Dashrender said in I guess Skyetel doesn't want business:

I appreciate that you are trying to setup real, not fake accounts, please consider changing to email for confirmation instead of SMS.

I had a similar issue with Google the other day. It continues to amaze me at the amount of assumptions we run into in systems these days.

On a side note - My EHR system fully expects that every patient will have their own email address - once we ran into this issue, we started seeing how many couples share a single email address between them. It's crazy, like 2% of people share a single account, this means we run into this issue about once a month.

The problem with other forms of identify verification is that it's not unique to the individual and it is not personally identifying. You can create new emails, you can create new phone numbers to call, etc. The cell phone is unique because its extremely uncommon for people to have more than one. Additionally, the system verifies that the number you specify is indeed a cell phone number prior to sending you the verification SMS.

We're not using it for 2FA - its just to verify the following:

1. Your in North America (Foreign cell phone numbers wont work)
2. You are actually a real human being (because you have to put it in)
3. You are not planning on committing fraud.

The fraud part cannot be overstated and is worth its own post. Preventing fraud is critically important to us - and there's no way that someone who plans on using our network for illegal calling will give you their personal cell phone number. If we used emails or an automated phone call, it would be too easy for fraudsters to put in fake information using temporary information. Then all they would have to do is put in a stollen credit card, and voila!

The SMS thing is not used for future correspondence and we don't call it or use it ever again. The information we care about is on page two:
)

This is the information we use to contact you. The first page is just about prevent fraud and fake/duplicate accounts.

I get all this, I really do, But SMS to a business is just to onerous. I'm also curious - since VOIP.ms sells numbers that can get SMS - are you able to tell that it's not a cell phone from them and prevent someone from signing up?

As for Non- US numbers, what prevents someone from using a US burner phone to sign up?

what about Jared's situation? where he has a personal account that he used his cellphone for, and now can't sign up again? (OK this one is likely pretty small, but definitely not zero... He - as an IT Pro might have signed up for a personal account, then upon liking it, signed up for a business account - nope.. can't because he only has one cellphone number - unless he goes and gets a burner number).

As you are saying, there are plenty of easy ways around SMS verification if I want to sign up for something like this.

And no, there is no way to know if the number is an actual cell phone or not. Because all they do is send a message.

DustinB3403

@Skyetel said in I guess Skyetel doesn't want business:

Then they can give you their credentials so you can administer the account.

I didn't have an issue with what you were saying until here. Shared Credentials is never an acceptable practice.

At that point what you were saying about accepting the terms and conditions goes out the window as anyone with the credentials could easily rack up thousands in charges and the client would be responsible for it, even though they "shared their credentials with a trusted party" doesn't do anything to protect them or you. As those credentials could be compromised in so many ways.

JaredBusch

Like this

Dashrender

@JaredBusch said in I guess Skyetel doesn't want business:

@Dashrender said in I guess Skyetel doesn't want business:

@Skyetel said in I guess Skyetel doesn't want business:

@Dashrender said in I guess Skyetel doesn't want business:

I appreciate that you are trying to setup real, not fake accounts, please consider changing to email for confirmation instead of SMS.

I had a similar issue with Google the other day. It continues to amaze me at the amount of assumptions we run into in systems these days.

On a side note - My EHR system fully expects that every patient will have their own email address - once we ran into this issue, we started seeing how many couples share a single email address between them. It's crazy, like 2% of people share a single account, this means we run into this issue about once a month.

The problem with other forms of identify verification is that it's not unique to the individual and it is not personally identifying. You can create new emails, you can create new phone numbers to call, etc. The cell phone is unique because its extremely uncommon for people to have more than one. Additionally, the system verifies that the number you specify is indeed a cell phone number prior to sending you the verification SMS.

We're not using it for 2FA - its just to verify the following:

1. Your in North America (Foreign cell phone numbers wont work)
2. You are actually a real human being (because you have to put it in)
3. You are not planning on committing fraud.

The fraud part cannot be overstated and is worth its own post. Preventing fraud is critically important to us - and there's no way that someone who plans on using our network for illegal calling will give you their personal cell phone number. If we used emails or an automated phone call, it would be too easy for fraudsters to put in fake information using temporary information. Then all they would have to do is put in a stollen credit card, and voila!

The SMS thing is not used for future correspondence and we don't call it or use it ever again. The information we care about is on page two:
)

This is the information we use to contact you. The first page is just about prevent fraud and fake/duplicate accounts.

I get all this, I really do, But SMS to a business is just to onerous. I'm also curious - since VOIP.ms sells numbers that can get SMS - are you able to tell that it's not a cell phone from them and prevent someone from signing up?

As for Non- US numbers, what prevents someone from using a US burner phone to sign up?

what about Jared's situation? where he has a personal account that he used his cellphone for, and now can't sign up again? (OK this one is likely pretty small, but definitely not zero... He - as an IT Pro might have signed up for a personal account, then upon liking it, signed up for a business account - nope.. can't because he only has one cellphone number - unless he goes and gets a burner number).

As you are saying, there are plenty of easy ways around SMS verification if I want to sign up for something like this.

And no, there is no way to know if the number is an actual cell phone or not. Because all they do is send a message.

They clearly state that they somehow check that the number is a cellphone before sending the SMS.

JaredBusch

@DustinB3403 said in I guess Skyetel doesn't want business:

@Skyetel said in I guess Skyetel doesn't want business:

Then they can give you their credentials so you can administer the account.

I didn't have an issue with what you were saying until here. Shared Credentials is never an acceptable practice.

At that point what you were saying about accepting the terms and conditions goes out the window as anyone with the credentials could easily rack up thousands in charges and the client would be responsible for it, even though they "shared their credentials with a trusted party" doesn't do anything to protect them or you. As those credentials could be compromised in so many ways.

No, that is not @skyetel's problem. that is the dumbass' problem that shared credentials.

It is @Skyetel's problem for suggesting to share credentials.

Dashrender

@DustinB3403 said in I guess Skyetel doesn't want business:

@Skyetel said in I guess Skyetel doesn't want business:

Then they can give you their credentials so you can administer the account.

I didn't have an issue with what you were saying until here. Shared Credentials is never an acceptable practice.

At that point what you were saying about accepting the terms and conditions goes out the window as anyone with the credentials could easily rack up thousands in charges and the client would be responsible for it, even though they "shared their credentials with a trusted party" doesn't do anything to protect them or you. As those credentials could be compromised in so many ways.

OK, this part I don't have an issue with. Shared creds, or unique for all users wouldn't stop anyone with account access from racking up charges... sure, you could say - hey that account I created for my trusted vendor was the one used to make all those charges, but doesn't make the business owner any less liable for them.