BlueHost, Breakdown in Security?
routed
04-04-2006, 07:21 PM
Today I called BH tech support. I needed some MX records changed on my domain. The response time was great [less than 3 hours for completion], but what concerned me was what appeared to be a lack of security BH has in place.
Upon calling, I stated that I needed MX records changed for a domain:
- BH then asked for the domain name, which I gave them.
- BH asked for the new MX info, which I gave.
BH then proceeded to initiate the internal request for my MX record change, the whole time never having verified ANY (yup: zip, zero, zilch) of my account information. This is a huge oversight in security and policies/procedures that BlueHost should have in place, IMO.
In summary, anyone can call BH, give a domain name (or who knows what else?) and proceed to make changes to it. It is scary knowing that BH has what appeared to be poor security policies in this instance regarding call-in support.
My question for BH staff is whether they will make changes to their standard operating procedures and policies to prevent something like this from happening in the future.
areidmtm
04-04-2006, 11:14 PM
Every time that I have called or emailed, they wanted the last 4 digits of the CC that I used when signing up.
What if we use PayPal and not a CC? Because I ordered with PayPal.
areidmtm
04-05-2006, 08:14 AM
I guess they would ask for the PayPal account number, or some other form of verification.
I noticed that too routed. That happened to me twice. Once I asked the guy to delete a file, and he did, and another time they just told me a bunch of information about my account when I asked. Everything is cool, except they never asked for my password, not even my name :confused: All that was needed was my domain.
bad for BH customers, good for social engineers... unfortunately...
routed
04-06-2006, 01:32 PM
Still waiting for an official BH response, I'm sure BH has read this by now.
alligosh
04-06-2006, 06:15 PM
Still waiting for an official BH response, I'm sure BH has read this by now.
You should all know by now that there are no "official" Bluehost responses, stances, policies, etc. in these forums. They are strictly for customers to help customers, and any Bluehost employee intervention in here is to be helpful, but in no way constitutes the opinion or policy of Bluehost the company.
Having said that, general policy in the support areas is to be more secure, but we have had a lot of hires lately. It is being looked into and will be addressed with better training in that area.
At least, that's what I heard. ;)
macgyver2
04-07-2006, 05:09 AM
You should all know by now that there are no "official" Bluehost responses, stances, policies, etc. in these forums. They are strictly for customers to help customers, and any Bluehost employee intervention in here is to be helpful, but in no way constitutes the opinion or policy of Bluehost the company.
Perhaps a statement similar to that one should be put in the policy that one must agree to upon registration. Apparently, there is some confusion about what the statement on the main page--"Use these forums to help each other out with your questions about BlueHost.com"--means. Having it in the "fine print" may not help alleviate much of the misconception (most people don't read fine print), but it would shift the burden to the forum user...there would be no way someone could have a valid claim of ignorance in regards to the purpose of these forums.
routed
04-10-2006, 06:52 PM
You should all know by now that there are no "official" Bluehost responses, stances, policies, etc. in these forums. They are strictly for customers to help customers, and any Bluehost employee intervention in here is to be helpful, but in no way constitutes the opinion or policy of Bluehost the company.
Having said that, general policy in the support areas is to be more secure, but we have had a lot of hires lately. It is being looked into and will be addressed with better training in that area.
At least, that's what I heard. ;)
Hi Steve, that is all fine and great. I understand the role that these forums fill, but what would be the "proper" way to address an issue such as this? Fill out a support ticket? I would think not. Post on Mheaton's blog? If so, I can do that. I know Matt himself has come on these forums to address specific issues, and this is one issue that he should come have a look at for himself.
Bottom line, BlueHost did not use, or does not have, proper procedures in place that address, IMO, the simplest security issue. I am sincerely concerned about the welfare of my and everyone's sites that you host due to this. A cookie-cutter reply of "we've had a lot of hires lately, etc." is just not acceptable and appears to me that BH fails to properly train new hires. That concerns me even more than before. As you can see by a previous poster, my issue is not isolated.
Moving forward, Bluehost MUST implement and maintain better security practices for its customers, no exceptions. For example, my advice to BH is that phone support should have a system that requires you to give a password before support can proceed. Easy to implement and pain-free for the customer.
BrandonK
04-11-2006, 04:58 AM
This might just be a mistake by the tech support representative. BlueHost always tries to ensure safety and security for all their clients. They've always asked me for the last 4 # on my CC.
jayman228
04-11-2006, 04:46 PM
I work for a help desk company for a large printing company (I won't say it unless you guess. lol). Policy says I can NOT change a user's password without their employee ID number AND date of birth (minus year). I don't care if their supervisor calls, an employee is helping another employee out, or someone speaks bad English. Basically there are NO exceptions. Now, if someone calls me and says they have a paper jam and need someone to look at the printer (where we're just level 1 help desk), then I can just get name/phone/details of the problem and send over a ticket to their local IT staff.
In my opinion, Bluehost should verify EVERYONE's last four digits of their phone number, credit card, date of birth, SOMETHING, just to put in their notes "Verified user's CC" or something. That's how we do it at my help desk. When I check someone's identity I put "Verified user's EID/DOB" so if there is any problem, it's logged. Also, they record all our phone calls, so whether I did or didn't, the supervisor can say "you didn't ask them this", and I'm sure I can get written up for it because it's part of my job. That's why I don't do it for any other reason without proper verification. I'm not sure if BH uses a ticket program when people call them or not; I'm kind of curious to see what kind, actually. I've been with the help desk for 1 year and 6 months now and enjoy it. I've learned so much with help desk troubleshooting since I've been there... now I know what questions to ask :-)
Anyway, this is almost all basic stuff here, common sense more like it. All techs who work at the BH help desk should be required to ask these security questions UNLESS it's a simple question, but if it requires changing, cancelling, or password changes, then ask for something. That's when the manager/supervisor should be stepping up.
As far as this forum goes, I love it. I'd rather use this than the ticket program. I think the ticket program should only be used by the help desk itself. This forum should be used not only by customers but by employees as well. I'd rather jump here, ask a question, read about it from someone/anyone and move on. The ticket program is much more work. PLUS, you might have the same question/problem as someone else... with the ticket program you can't look back at how someone fixed the problem, although in the forum you can do searches and all.
I think Bluehost should just sit down one day and say "OK, we're going to use the ticket program for these kinds of issues", "OK, we're going to use the forum for these kinds of issues", "OK, Matt's blog is for this". Basically I see no organization here. I do, but not the way it should be. This forum shouldn't be strictly for customer-customer relationships; it should be for staff and customers as well.
All this is my two cents though. heh heh...American Idol is almost on...so time to go! :-)
-Jason
alligosh
04-12-2006, 08:03 PM
It IS policy to verify that the caller/emailer is a valid representative of the account before any information is given out, or anything is changed. It has been reiterated to the staff. Training shall continue.
If it continues to happen, please let us know in a manner that does not scream to the world that there may be untapped security holes in the system. :)
security_guy
11-10-2008, 06:36 PM
Sorry, Brandon.
Level 1s still are not routinely asking for a password, and there is no option to use the password ONLY or a unique passcode instead of the CC #.
So ... if you only have one main credit card you use, all one's sites are always at risk, no matter how good the password -- you just need to guess and social-hack the owner via the local Costco, etc. Why make Bluehost the weak link in the chain?