Announcement

**harmor** · Thu 5 Jan '06, 6:53am

Well what do you suggest they do?

**Scott MacVicar** · Fri 6 Jan '06, 3:42am

We already have all these details on file and we've had cases where someone gains access to an email address and steals licenses etc. What better way to confirm than with the details you purchased it with.

**DJDarknez** · Fri 6 Jan '06, 8:57pm

If you'd like, they can set it up so you only need your e-mail address and someone can steal your license...

**Scott MacVicar** · Sat 7 Jan '06, 2:12pm

We first allowed people to change their own details, this led to huge amounts of fraud.

People would buy with person X's credit card and then sell it to someone via paypal on Webhosting Talk or a similar place for a smaller amount, the end result was we got a chargeback and someone else lost some money.

We then required you to email to have your license changed, we then had cases of people emailing us through either a hijacked email account or fake email headers to get it changed.

The final step we had to do was to verify as many details as possible though reading over the list it does some a bit excessive. I shall point Steve in this direction.

**FreshFroot_** · Sat 7 Jan '06, 5:51pm

Well in a way I agree with noppid. Lets say you change your email often since I wouldn't feel safe with say a email such as hotmail. I'd probably go with my ISP however, people change here and there with tons of ISP's out there. Therefore identifying yourself over and over again with all that private info above can be annoying at times. I'd say mabye vB should setup a legal document where the customer has an option to signup and either say if my email is hijacked it's not vB's fault and another vice versa.

I agree though I've changed my email twice due to ISP reasons I have changed from 56K twice and now DSL finally. In the end it's vB's decision as either way is good and bad. It just depends on what people think and prefer because you are protected a little better this way.

**Floris** · Mon 9 Jan '06, 2:51am

noppid: The money you pay to Jelsoft is to get a license to run the product on your web site. I do not see why you use it as argument in your first post.

**Wayne Luke** · Mon 9 Jan '06, 10:10am

By the way.... If you ask for support via the member's area or your registered email address and we need to verify for some reason, the email you get is below:

In order to locate and/or change the contact info for your license, I first need to verify that you are the proper license holder. Please respond to this ticket with the following info:

- Your current customer number
- The first 4 characters of your password
- The answer to the security question:

<question here>

If you do not know your customer number and password, you can request it be sent to your email address using this form:

http://www.vbulletin.com/members/lostpw.php

The requirements listed above, in Noppid's post, are if you access from an outside and non-registered email address and we have no connection to an account. The information required of companies is no less than what would be required if you called up your utility companies to change your service. Not only is it to verify your identity but to make sure we are working on the correct account.

**Steve Machol** · Mon 9 Jan '06, 9:37pm

The longer list is used when the request comes from an email address that is not on file for this license. We do understand and appreciate that this can present an added burden, but frankly if you knew how often people unwisely share their license info with 'friends' who then try to steal the license, you'd be amazed. One or more fraudulent requests per day is not uncommon.

In the end we decided that we need to do everything reasonable to protect our customer's rights and property. And asking for verification info only they should have is the best way to do this.

Announcement

vBulletin Account Info Change Request Insecure!

vBulletin Account Info Change Request Insecure!

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment