
Thread: BlueHost, Breakdown in Security?

  1. #1
    Join Date
    Feb 2006
    Posts
    24

    BlueHost, Breakdown in Security?

    Today I called BH tech support. I needed some MX records changed on my domain. The response time was great [less than 3 hours for completion], but what concerned me was what appeared to be a lack of security BH has in place.

    Upon calling I stated that I needed MX records changed for a domain
    - BH then asked for the domain name, which I gave them.
    - BH asked for the new MX info, which I gave.

    BH then proceeded to initiate the internal request for my MX record change, the whole time never having verified ANY, yup, zip, zero, zilch, of my account information. This is a huge oversight in security and policies/procedures that BlueHost should have in place IMO.

    In summary, anyone can call BH, give a domain name (or who knows what else?) and proceed to make changes to it. It is scary knowing that BH has what appeared to be poor security policies in this instance regarding call-in support.

    My question for BH staff is if they will make changes to their standard operating procedures and policies to prevent something like this from happening in the future?

  2. #2
    Join Date
    Feb 2006
    Location
    Somewhere where I don't know where I am
    Posts
    2,155

    Every time that I have called or emailed, they wanted the last 4 digits of the CC that I used when signing up.

  3. #3

    Quote Originally Posted by areidmtm
    Every time that I have called or emailed, they wanted the last 4 digits of the CC that I used when signing up.

    What if we use PayPal and not a CC? 'Cause I order with PayPal.

  4. #4
    Join Date
    Feb 2006
    Location
    Somewhere where I don't know where I am
    Posts
    2,155

    I guess they would ask for the PayPal account number, or some other form of verification.

  5. #5
    Join Date
    Mar 2006
    Posts
    100

    I noticed that too, routed. That happened to me twice. Once I asked the guy to delete a file, and he did, and another time they just told me a bunch of information about my account when I asked. Everything is cool, except they never asked for my password, not even my name. All that was needed was my domain.

    Bad for BH customers, good for social engineers... unfortunately...

  6. #6
    Join Date
    Feb 2006
    Posts
    24

    Still waiting for an official BH response, I'm sure BH has read this by now.

  7. #7
    Join Date
    Feb 2006
    Posts
    238

    Quote Originally Posted by routed
    Still waiting for an official BH response, I'm sure BH has read this by now.

    You should all know by now that there are no "official" Bluehost responses, stance, policy, etc., in these forums. They are strictly for customers to help customers, and any Bluehost employee intervention in here is to be helpful, but in no way constitutes the opinion or policy of Bluehost the company.

    Having said that, general policy in the support areas is to be more secure, but we have had a lot of hires lately. It is being looked into and will be addressed with better training in that area.

    At least, that's what I heard.
    Steve Alligood
    Principal Systems Administrator
    Bluehost.com

  8. #8
    Join Date
    Feb 2006
    Location
    Metro DC, United States
    Posts
    100

    OT: Purpose of the forums

    Quote Originally Posted by alligosh
    You should all know by now that there are no "official" Bluehost responses, stance, policy, etc., in these forums. They are strictly for customers to help customers, and any Bluehost employee intervention in here is to be helpful, but in no way constitutes the opinion or policy of Bluehost the company.

    Perhaps a statement similar to that one should be put in the policy that one must agree to upon registration. Apparently, there is some confusion about what the statement on the main page--"Use these forums to help each other out with your questions about BlueHost.com"--means. Having it in the "fine print" may not help alleviate much of the misconception (most people don't read fine print), but it would shift the burden to the forum user...there would be no way someone could have a valid claim of ignorance in regards to the purpose of these forums.
    Eric
    ----
    "If you want to know what a man's like, take a good look at how he treats his inferiors, not his equals."
    ~Sirius Black, Harry Potter and the Goblet of Fire

  9. #9
    Join Date
    Feb 2006
    Posts
    24

    Quote Originally Posted by alligosh
    You should all know by now that there are no "official" Bluehost responses, stance, policy, etc., in these forums. They are strictly for customers to help customers, and any Bluehost employee intervention in here is to be helpful, but in no way constitutes the opinion or policy of Bluehost the company.

    Having said that, general policy in the support areas is to be more secure, but we have had a lot of hires lately. It is being looked into and will be addressed with better training in that area.

    At least, that's what I heard.

    Hi Steve, that is all fine and great. I understand the role that these forums fill, but what would be the "proper" way to address an issue such as this? Fill a support ticket out? I would think not. Post on Mheaton's blog? If so, I can do that. I know Matt himself has come on these forums to address specific issues, and this is one issue that he should come have a look at for himself.

    Bottom line, BlueHost did not use or does not have proper procedures in place that address IMO the simplest security issue. I am sincerely concerned about the welfare of my and everyone's sites that you host due to this. A cookie cutter reply of "we've had a lot of hires lately etc." is just not acceptable and appears to me that BH fails to properly train new hires. That concerns me even more than before. As you can see by a previous poster, my issue is not isolated.

    Moving forward, Bluehost MUST implement and maintain better security practices for its customers, no exceptions. For example, my advice to BH: support issues via phone should have a system that requires you to give a password before support can proceed. Easy to implement and pain-free for the customer.

  10. #10
    Join Date
    Feb 2006
    Location
    Southeast Georgia
    Posts
    95

    Thumbs up

    Quote Originally Posted by routed
    Today I called BH tech support. I needed some MX records changed on my domain. The response time was great [less than 3 hours for completion], but what concerned me was what appeared to be a lack of security BH has in place.

    Upon calling I stated that I needed MX records changed for a domain
    - BH then asked for the domain name, which I gave them.
    - BH asked for the new MX info, which I gave.

    BH then proceeded to initiate the internal request for my MX record change, the whole time never having verified ANY, yup, zip, zero, zilch, of my account information. This is a huge oversight in security and policies/procedures that BlueHost should have in place IMO.

    In summary, anyone can call BH, give a domain name (or who knows what else?) and proceed to make changes to it. It is scary knowing that BH has what appeared to be poor security policies in this instance regarding call-in support.

    My question for BH staff is if they will make changes to their standard operating procedures and policies to prevent something like this from happening in the future?

    This might just be a mistake with the tech support representative. BlueHost always tries to ensure safety and security for all their clients. They've always asked me for the last 4 # on my CC.
    BrandonK
    Glynn County LAN Technician
    I'm currently looking for PHP developers!
    E-Mail Support | BlueHost CEO Blog| BlueHost Help Center
