I receive two emails per month. One invoice, for $0.80 (I cannot remember what is running on there, but I guess it must be something). One threatening, "Your AWS Account is about to be suspended". I've been "about to be suspended" for the entire 3 years.
I want to pay the bill, I can't log in.
I emailed, I phoned. Eventually I spoke to somebody, who told me the only way I could access my account was to fill in "some paperwork". They emailed that to me. It has to be notarized. I called again, they absolutely will not accept this if it is not notarized.
I've explained to them that all I want to do is pay the ~$30 in bills I've accrued for 3 years. I don't mind if I never get access to the account - let me pay the bill and shut the account down, they won't have it. I don't have any free notary access, and I'm not willing to pay more than the AWS bill amount just to be able to pay the bill. I've explained that to them, and they don't seem to care about that either, they'd rather not have the bill payed and continue piling it up.
Until last week, when I decided that I need to use the account again. I simply clicked the recovery link on their 2FA login form. Had to enter my account details and my phone number. Within 15 minutes (as stated on the website) a member of their service team called me. I explained the situation (lost 2FA app). Not a problem, the service agent told me. He then sent me an e-mail (to my AWS-associated mail address) with some random characters, which I had to read back to him. After that he simply removed 2FA, and I was able to log in with my username/password. For me the experience was quite pleasant, but had someone else have access to my e-mail account and knew my AWS username/password, he might have been able to take over my account, bypassing 2FA. I don't quite know how to feel about that.
EDIT: Ok, this probably only works if your phone number is also already associated with your account. So an attacker additionally would need access to my phone number, making things quite a bit more secure in my view.
But I feel like asking for a notorized letter confirming you are actually "you" is quite reasonable. Otherwise it'll be all too easy for malicious social engineering.
This is not one of those "by any means, achieve the ends" type scenarios.
On that note: why hasn't the account been shut down for nonpayment?
(That price is too small for there to be a running instance; it's most likely for storage belonging to an instance that was shut down, such as a 16GB EBS snapshot. It is reasonable that Amazon would be very careful about deleting that.)
The account gets shut down
You are unfortunately on the wrong side of an asymmetric relationship here.
It's true that your credit can be damaged by false reports. It's also true that damages resulting from false reports are recoverable.
If you don't feel like you can do it yourself, hire a lawyer and have them sue Amazon to recover their fee.
You seem to be saying lawsuits are a hassle. Yes, they are.
We all read horror stories of people's accounts being compromised via trivial social engineering hacks. This will always be a balancing act. And to be honest I am all for erring on the side of caution.
Outside the US this process can be lengthy and/or expensive as it can even result in official government stamps, translations, etc.
I feel sorry for those foreign countries where notaries are either rarified or unobtainably expensive, but it doesn't apply to this thread.
That said, I think Amazon's policy of notarization (at least in the US sense and fees) seems a reasonable policy from an account security standpoint. Not sure I can sympathize with GP who voluntarily added 2FA to their own Amazon account, then no longer had access to the phone number they previously used. $20 is not unreasonable for something that GP could have prevented with some forethought.
It can save you a huge headache when you need to do something like apply for a home loan, and need tonnes of notarised papers.
Regardless of the size of the bill, comparing it to cost of a notary (which is very minimal) is irrelevant.
I was studying in Germany at the time and access to a notary public costs about 40$ USD there. I asked the AWS support on the phone if letting the payments bounce would suspend my account which they confirmed.
Unfortunately every time I disputed the payment with my bank, AWS send me a physical copy of their terms and my billing address as a proof of contract and my bank would process their payment. Eventually, 3 months in, my credit card expired anyway, solving at least that part.
They still tried to charge me for about 6 months afterwards, but I haven't heard back from them since. Interestingly, I opened a second account, with the exact same billing address, but a different credit card without problem. But I don't really use AWS anymore since then.
I totally believe that they (AWS) just stuck to their process, which was enacted in good faith. But switching my phone number should have not caused that entire fiasco.
I had to cancel that credit card in the end as I couldn't get access to the account and their support is, as far as I can tell, automated email responses. I also had the threat to suspend my account over many days (to which I was responding, 'Yes, please do'), but they stubbornly just kept threatening instead of closing the account. The support person did not seem to respond to what I wrote in my replies at all, just pasted a stock response that didn't make sense in context.
They really cannot seem to handle their scale in terms of their customer support (and I wonder how many people are getting bitten for small chunks of cash).
I guess if it goes to collections you'll at least then be able to pay the debt collector -- but you'll still take a credit hit ...
While it might be a nuisance to get a document notarized, it's not some extraordinary hardship. The policy is there to prevent abuse. If he prefers to let his bill go unpaid as a result of locking himself out of his account, that's his choice.
Not paying your bills because you lost access to your own account does not change this situation. The same way as that having no income or car or phone or internet and can't pay your other bills doesn't excuse those liabilities either.
It's not uncommon for one of the assistants or the office manager to get certified as a notary. It's very useful for small office situations and short deadlines.
Today it appears I am no closer to gaining access back to my AWS account than I was on day 1, even though I have been billed as normal for my services during this time.
This should serve as a warning to anybody else who has an Amazon account that is shared between retail and AWS.
Linked is a list of every event and interaction I have had during the last 8 days with Amazon, via Twitter, email, phone and chat.
If so, that'll result in two things:
1) Your problem will be resolved ASAP, managers right up the chain will be tracking it extremely closely, as they'll have to justify every action to Jeff. Everyone goes scrambling when one of those emails goes out.
2) A post-mortem will be done of everything that happened, with processes and procedures improved to ensure it doesn't happen again.
The managers in the escalation chain might tend to panic when the "?" comes about like the OP claims going by the # of emails and phone-calls I recieved from them.
and a little bit here: https://www.quora.com/Whats-it-like-to-receive-a-question-ma...
No one inside Amazon wants to receive a question mark email from Jeff, and a number of the VPs have picked up the habit too.
So much this.
I had such an account and neglected the retail side (it was linked to amazon.com as well as AWS) as I was using a different account for retail (linked to amazon.co.uk from the days that these were separate systems).
Logging on to amazon.com one day I noticed LastPass suggest I log in, so I did. To see that I hadn't ordered anything retail for 5+ years. So I requested deletion of the amazon.com account (good hygiene, delete unused accounts).
Retail happily obliged... and a week later when payment failed and dunning started I realised what I had done. The account did not exist any more, I could not login to resolve this.
This was entirely my mistake (and quite funny as well as terrifying), but the risk is real.
Should anything happen to your retail account then your AWS account can and will suffer.
I managed to resolve this, I was only using S3 and I wrote a migration tool to remotely move S3 items from one account to another, using only the auth keys that were still active. But woah... if I'd been using EC2 or anything else I would have been in a lot of trouble.
Keep accounts single purpose and obvious. Use an account that only handles your AWS purchases.
I reset a password, then they detected "suspicious activity." I clicked "send pin via email" and the email never shows up. I've done it 3 or 4 times over the course of a week + it never works. It's a documented error + FB/Instagram refuse to addres it.
When I try to get access to real support (a person), it makes me login. Back to problem #1.
Also, I should note that the email on record is real and works. The only thing I can think of is I named it microsoft@mydomain, and they don't like the word microsoft in it?
Then, when they send the PIN to the same email - it never actually shows up. Ugh.
Thankfully the "we turned on 2-factor" email gives you a link to turn it back off within 30 days or I would have been in some trouble.
We've spent over 200,000 EUR on Facebook/Instagram advertising so far (I guess that's still small fish), and still can't get it resolved.
If the account is just for a cloud SaaS, then there's likely to be very few policies to disable your account.
If you shop with Amazon, host your services with Amazon, watch TV on Amazon...there's simply no way of getting around the fact that Amazon will only want to manage a password for you in one place. The issue is clearly over reliance on Amazon services.
That's on you. You can't get the benifit of separation if you have them do it for you.
In the same way you get one company to own your domain and one to run your email. That way when your email provider decides you're a spammer or your account get's closed for uploading a bad app to the android store, you can go else where and swap your dns.
Yeah, it's convenient to have only one, but it seems it's dangerous as well
There are trade-offs to every security approach, but storing passwords at every web service is 100x worse.
What finally worked was the amazon facebook page. He posted on there, they PMed him and he was back up and going within a couple hours where he had been getting the run around for a week or two on the phone.
The best that AWS/Amazon support could give me is start a new Amazon.com account. At least the AWS account wasn't billing anything.
I recently moved from Brazil to UK (new address) and changed phone + sim card (Authenticator after restore from backup lost all 2 factor auth entries).
This is the moment when you realise that you're outside of predefined use cases of The Machine and you're fucked. Nobody is here to help you. I've tried, nobody gives a shit at Amazon. They have procedures, you know.
I blame 2FA and I think it's great if you don't have problems but it's shit if you have, ie. you move places, change phones etc. in your life. Something there in the process is missing like "next of kin" recovery that should be mandatory when enabling 2FAs.
wouldn't this just weaken the second factor? Services that have bypasses to 2FA wind up rendering it useless.
Google Authenticator has never restored these properly, ever. Encrypted backups or not.
If you're going to use Google Authenticator anyway, at least unlock your bootloader before you initialize the identities. You can't get to the key database without being rooted, even if you're doing a full backup with adb, and unlocking/relocking the bootloader wipes the device.
Another problem with the Google authenticator, at least for Google accounts, is that you have to add a phone number to your account to use it I think and, they then allow access by SMS, which is not so hard to circumvent.
The dude who helped me was super chill and understanding as well.
If there is a way to recover it, that has to be secured too and, there are only a limited number of ways you can do that (and the more that are enabled, the harder it is to secure). Most services with 2FA offer a set of one-time codes that you can write down and store securely at multiple locations (safes in different places, safe deposit box etc). It is not that hard to avoid losing access if you care. If you don't care enough about the account to do this, just accept losing access, cancel the card payment authorisation and, lose it.
Companies should not grant access to accounts with 2FA by letting you call support unless they at least take proper steps to ensure that you are the account owner, which is pretty impractical in most cases (it is either too costly to be worth it or, too hard to do well enough). Demonstrating that you are the account owner to recover it if you have lost 2FA access should at least require a visit, in person, with photo ID being checked with the relevant authorities (for example the passport service examining your passport to check it is not a forgery) and, multiple people who can attest that you are in fact the person in the photo, to recover an account, for which they would presumably have to charge hundreds of dollars. It seems easier to just not offer recovery in most cases.
This guy works in customer service. LOL
If you're sending me a bill, you need to provide a way for me to resolve an issue such as this. "There is not a resolution possible, we will continue billing you in perpetuity thank you good day" is not acceptable. (It's AWS and they do, so maybe it is, but... try building a new service that isn't AWS with that attitude, and see how far it gets you!)
My cloud-hosted business gets shut down, credit score tanks, because of the combination of my butter fingers and your secure authentication scheme! Might as well not employ any CSR drones at all if you're not going to handle this case. Maybe I'm exaggerating, but this is not a great strategy for customer satisfaction or retention.
To the extent that in a dispute situation, who pays the bill =/= whomever holds the keys, my preferred customer service strategy would tend to favor who is paying the bill.
I could see the argument either way on if this is the most optimal solution or not.
not if you want it to provide real security.
I do business with 4 banks and have no less than 4 credit cards, and I'm pretty sure that none of them offer proper 2FA with tokens for the online accounts. Now that you mention it, this is a serious question. Why does Comcast get there before any of the major and/or local banks?
I'll admit, if I can protect my Comcast account and as a result, I never have to speak to another one of their Customer Service Reps, it would be a huge victory! This is probably part of their retention strategy, to be fair.
It's telling that there's no mention of on any document, or interface to Comcast's 2FA settings (that I can find anyway) that speaks to how to use it for protecting the set-top box from ordering Pay-Per-View content.
If I turn on 2FA, I'm pretty sure I won't have the option to use it when ordering PPV. It looks like they have a PIN lock instead. Maybe I can disable PPV and protect it with the second factor?
I honestly have no idea why it's even an option. Are swatters gonna log into my Comcast account, upgrade my XFINITY connection to the maximum bandwidth, and sign me up for all of the premium channels?
Or are they hacking my account so they can pay the bill for me :-D
You will get a new login page and username to log in with and not need an email address specific account.
As well, if you use Kindle Direct Publishing, are an Amazon Seller, work for Amazon Flex, or use the Amazon Affiliates program, each of these should also be on an independent Amazon account.
This way, problems on one won't affect problems on the other.
The only long term solution is to get a person with enough power to make their own decisions to look at your claims, but that takes quite some time and is not guaranteed to be successful.
One possible approach is to keep accounts separate for personal and each business that you are involved with. For example, you probably have at least a separate personal checking account and business checking account. Likewise, it would make sense to have all accounts used for a given business to only be used for that business.
In addition to providing some safety against automated action, division of accounts provides a nice legal line, wherein if a court order requires you to disclose information, you can simply dump everything on the account without touching any of the other businesses or personal documents.
Stymieing this, of course, is companies (Facebook?) that have a policy of prohibiting a single real person from having distinct accounts.
Jeff Bezos himself said if you are having problems you should mail him directly. Behind this address there is a full team investigating the issue and if it's something they want to handle will actually lead to improvements for all customers.
It's odd though, in my experience customer support on Amazon is amazingly good.
IMHO 2 problems with how AWS handles customer support (vs. other co's):
1. Different support rep every time = following the same script with every phone call. I'm sure assigning first available rep speeds up response times but for you, if the problem can't be resolved in 1 phone call it's like talking to someone with Alzheimer's, you're constantly re-answering the same 15 questions to a new person every time.
2. Customers are not allowed to directly interface with level 2+ support, only the nontechnical level 1 support can do that. Good luck getting them to communicate your technical issue correctly.
For example, every single support rep asked me if I had 2FA disabled for my Amazon retail account (I did). After re-answering this question with every single rep, they'd file tickets with the next level of support...only to be rejected later because level 2+ said it was most likely because I had 2FA on on my Amazon retail account (I did not). It was nearly impossible to bridge this disconnect.
Customer support is not easy to do well so I hesitate to widely impugn Amazon's efforts, but if you're an AWS customer and you have an issue that's an edge case outside of the scripts these support reps are using prepare to waste weeks or months of your life trying to resolve it.
I've got quite a few ebooks I've bought via Amazon Kindle. If amazon one day decided to delete/lock my account, I would lose access to all that content which I had "bought".
The more data people store in various cloud providers systems, the more the need for some kind of recovery mechanism / dispute resolution process becomes apparent.
Whilst its relatively easy, in many cases, for more technical users to ensure they have backups of data that they control, less technical users could have a lot of their information tied up in these systems, and loss of it could be quite bad for them.
I'd look up some of the free tools out there and backup/un-DRM your Amazon/Nook/Google e-books. There are some guides out there for extracting your books notes as well.
People are, for better or worse, entrusting more and more of their content to cloud services, things like photographs, documents they've created, music etc etc.
It's not renting really. If I rent a physical book (or house, etc), I have exclusive access to it. Nobody else can possess it. It's for this privilege that I'm paying. Obviously, this is not true of ebooks because 'X' persons can "rent" at the same time.
You're just licensing them. You're just paying for a license which can be revoked at Amazon's whim.
Guaranteed that you will see the escalation that you need. You may want to provide links to others complaints about the same that you can find but make it short and simple.
Letting the wrong person in to an account? You're fucked.
Locking the right person out of an account? You're fucked.
Given that data can't be reversed as charges can, arresting an account may be slightly preferable, but it remains highly disrupting.
I've been through the experience a few times myself, largely with Google. Out of a fit of pique, the temporary account I created for myself (and through which I negotiated for recovery) was "The Real Slim Shady". Several of my G+ contacts noted that they could be pretty certain that this was in fact me, though I'm a little frightened whichever way that works out.
(I did have other profiles through which I could announce my plight.)
I still think that the matter of idientification, or rather, the more primary matters of authentication, authorisation, integrity, validation, payment authorisation, ownership, receipts rights, and similar associations, need to be worked out.
I'm also strongly in favour of a system in which a physical token -- and I think a signet ring with a very-near-field chip and accompanying sensors on mobile, laptop, and desktop devices would be just about perfect -- should be part of that systme.
Not an insertable device (as with Yubikey), or something requiring keying in a value (as with RSA fobs). But something which is worn (so: on you at all times), replaceable, destroyable, discardable, but also exceedingly difficult to duplicate or appropriate, or to read without intention on the part of the owner.
Once through, being persistent eventually (it took a week or so) saw us regain access to the account.
Actually, is there a reasonable free gmail alternative for situations like this? I'd like to migrate. FastMail is worth paying for, but it's too expensive for one-off side projects. And while I don't trust gmail, I think I trust most services even less.
EDIT: My point was, if you use a single account, it's far less likely to get banned. I think my account was caught in some sort of automated purge, since I certainly wasn't abusing anything. Some proof: http://i.imgur.com/H5RRkyP.png I'm not sure which policy violation they're referring to, but all appeals failed. I lost all emails in that account, which thankfully wasn't very serious because the account was still young.
eropple and drbawb pointed out that you can use plus addresses with AWS, e.g. email@example.com.
Alternatively if you want ultimate trust just run your own mailserver and set up as many aliases as you want! For $5/mo you can get a Linode box to do it, and I've yet to get an IP from them that is on an e-mail blacklist. They have great documentation, the most important thing is to just make sure your SMTP server requires authentication & refuses to relay for remote hosts. SPF/DKIM are necessary to get past modern spam filters, but frankly if you've ever setup a TLS cert you can probably manage to setup DKIM just fine.
For example, sometimes a service will let you sign up with this just fine, but later when you need to do something else (such as password reset) or a phone agent has to enter it... it chokes.
Not to mention after some time passes you may forget what the special bit was and have to fall back to searching your email. Being regimented about the naming system helps, but it's not foolproof.
I'm using this trick less and less nowadays and just entering my plain email to avoid these hassles... especially for things like real life accounts. For possibly shady characters and account email consolidation, still a great trick!
1. register domain at a registrar that supports email catch all (I use namecheap, not affiliated)
2. setup email catch all (https://imgur.com/a/PTlzv) with redirect to your "real" email
3. write email to firstname.lastname@example.org -> get's redirected to your "real" email
This has the big advantage that you can change your real email account (I switched away from GMail two years ago) quite easily, you can track who leaks your address and filter more easily. But be prepared to leave some people stunned, I registered at my electricity provider with email@example.com or at my hairdresser with firstname.lastname@example.org
The nice thing about running my own email server is I configured it to use . and _ as well as +. email@example.com and firstname.lastname@example.org are pretty much guaranteed to work, and it ends up exactly the same as the +.
A password manager solves this problem
Anyway, this doesn't solve the other technical problems you may hit at some point using this trick.
I'm just giving people a heads up. It's a useful tool for certain things, but it can be overused.
I've considered moving to Vultr since they block SMTP/25 by default and individual customers have to get it enabled (which seems like it should reduce false positive spam classification as more e-mail providers).
Aside: It always frustrates me when I see a business with their own domain and then an @gmail.com or @aol.com address. What registrars don't offer basic email forwarding (often for free?) or cheap (~$10 email) service you can buy from them if you can't figure out Google for your Domain)?
I feel like there is a small, but profitable space here, I just can't figure out what to do to harness it.
I have numerous personal projects that are web sites/web apps and I use Zoho to get emails at all those domains.
I don't know if this is frowned upon by Zoho, but if you don't want to use their UI, you can set up your regular personal Gmail account to act as a POP3 client and just retrieves emails from Zoho that way. (now that I wrote it out, it makes me think it can't be frowned upon, simply because POP3 is even offered as a feature there)
Having catchalls at bullshit domains is great.
I was like 10th from the last. :)
Why do you think that? If anything, you have more activity you can be banned for...
And also, why you say it like gmail is the only email provider? You need separate _email_ accounts, not gmail. It can be some other service or your own domain. Google can be service provider behind your own domain, but you will control address space etc. Nobody will ban you out of your own email address (except domain registrar, but that's unlikely).
I was quite surprised that my gmail account was banned without doing anything remotely malicious. (Certainly not anything listed in https://www.google.com/intl/en-US/%2B/policy/content.html) I suppose it's my word against Google's, which isn't a happy position to be in, but to the best of my knowledge that's what happened.
Regarding other services, I was hoping to get some recommendations about which one everyone likes using. Gmail and FastMail seem to be the two HN favorites, but FastMail gets expensive quickly for side projects. You can host your own email, but people have shared some unpleasant experiences with that route. It's true that you can still use gmail without losing your address, but you'll still lose your emails if they decide to suspend you.
I never saw/heard of evidence of such behavior.
> but you'll still lose your emails if they decide to suspend you
Emails are easily backupable, you can download them locally and/or forward everything to the "backup" email.
One more service to host email on your own domain is Yandex.Mail, it's free and pretty good.
I'm personally considering hushmail (Canadian) or some other paid email in the future, for maximum piece of mind, any double digit number seems reasonable enough annually. Some out of the way liberal first world country , no superpower (and superspy) aspirations, a small paid provider (that actually needs customers and word of mouth and not throwing their weight around, Google is notorious for deleting YT channels willy nilly for 'guidelines violation' and then restoring them after a shit storm) to ensure no 'smart' 'ML' algorithm bans you. Sounds just about right.
It probably should, but I somehow ended up with two Amazon accounts (retail, not AWS) with the same email address. Changing the password I use changes which account I log in to.
Presumably it's a bug, but it's certainly confusing.
Eventually I got out of that by changing the mail of whatever account I could log into, using gmails feature of ignoring everything between the first + and an @ in the address. But most annoying, now my aws login is something silly like me+awsConsole42@gmai1.com.
Maybe I could change that back, but I'm too scared to touch that.
FastMail will let you create multiple aliases, either at your own domain, or one of theirs, linked to your account.
This email hostage situation kind of sucks. Hopefully there's an alternative for scenarios like this.
Someone mentioned self-hosting upthread. I wonder how difficult that is.
Here's the closest thing to a list of reasons I could find: https://www.google.com/intl/en-US/%2B/policy/content.html
I didn't engage in illegal activities, malicious or deceptive practices, hate speech, harassment, distributing personal information, child exploitation, spam, ranking manipulation, distribution of sexually explicit material, violence, selling regulated goods and services, impersonation, account hijacking, or use multiple accounts to bypass the above policies. So I have no idea what I did -- Google won't say, and all attempts to get more info out of them failed.
So what if I use the same account, if there is a lock-out event I should be notified and there should be an actual customer service agent that can solve my problem taking care of the issue...
Seems like they still haven't fixed the underlying issue of bots locking accounts across services.
One email address... And i use one password for audble, one for amazon, one for aws, and one for amazon affiliate. If I password reset on any one of those services, my accounts are all bricks. I've made that mistake once and had to frantically call audible support & climb through the support chains until someone could basically undo my password change.
During the process, they offered to try and deduplicate my accounts, but I think we're going to need a team of senior-level DBAs to sort this shit out.
He will probably naturally see this thread over the course of the day though if it get's popular anyway....
If you can't keep your passwords in check and use 2FA you ought to lose the account & make a new one. Some kind of consistency, e.g 2FA or password is needed to keep it secure.
Wouldn't Amazon have locked your AWS account for unauthorized login as well? I don't see how the retail activity matters here.
So I'm thinking of centralizing all non-business to gmail.com and the rest to gordon.com.
CloudFormer might be able to automate some of the process - it analyzes your existing VPC and generates a CloudFormation template. You could then take this template and deploy the stack in your new account, and you'd only have to rebuild the remaining few items.
Then you could redeploy all your applications, test, and migrate production services to your freshly-tested instance. Finally, you must be aggressive in shutting down the old services. It would be agonizing to have your entire site down because one server remains in the old account, and the account had some issue. Feel free to contact me for more specific advice.
Guess this idea applies to AWS as well.
I am incredibly happy that Digital Ocean made you go to those lengths to get your account back. The last thing we need is web services companies requiring less security. Social engineering attacks are typically the method of entry to hosting providers such as Digital Ocean.
Frankly I would be totally fine if they required another form of ID (such as a passport) or another form of address/name verification (such as a utility bill). Or perhaps even a picture of the card on file.
What is NOT okay is a lack of response, which this article is describing.
First was an old pre-Atlassian BitBucket one that just broke due to shenanigans with Atliassian accounts integration or SOMETHING. But big props to them. I complain and I get it fixed super quick. Just how it should be. Solid 4 out of 5 (5 is for guys who managed to not lock my account due to weird mergers, I'm even OK with the weird "don't use FRex, form now on login with your email: email@example.com" I get on attempting 'FRex' + password).
Second is Twitter. FUCK THEM so hard. Excuse my French but I have no other words for how idiotic this situation is, it'd make a saint mad.
I make an Twitter account using my secondary/side gmail account that has been phone verified and 2FA using Google Auth for Andoird, verified my Twitter account by clicking link in the email they sent there, connect it to my YouTube account that has been phone verified, send out the welcoming tweet they propose (something like "Hello Twitter!", I think it was just a button press or a combo box to pick from but I might be wrong now) and I get banned for (exact wording may vary) 'suspicious/possibly automated activity' (mhmm... these huge botnets of phone verified 2FA gmail and YT accounts operating out of EU ips... good job catching me Twitter).
I could of course act like a good peon and provide them a phone number and be graciously allowed by the Twitter Heavenly Emperors to use my 10 minutes old account. I write to their support via some super idiotically hidden panel of theirs on twitter while still in my 'locked' account and.. I get an automated (!) email to my gmail (!!) telling me in steps how to just fuck off and enter my phone number (!!!) and to ask for help if I don't have it unlocked after providing a phone number and waiting a few minutes ('fucktastic' was the word of the day that day, seriously, that made my day). I wrote another one, telling them to shove it (in kinder words and with zero profanity but firmly making it clear I'd not provide my number on account I did literally nothing on and want to use for YouTube connectivity to a verified channel and created on a 2FA and phone verified gmail account I verified by clicking the link in the email) and got another bot email and no reply since then (about a month ago). Total human replies: 0. Bot replies: 3+ (see below). And I'm the one running an automated operation in here.
And the cherry on top: I still get trending political BS tweets (because that's what trending where I live every week) sent to my social tab in gmail and can't disable it since my account is locked and throws me to 'provide a number' screen that only has 'help' (blabbering about how I must be the one in the wrong here but if I provide a phone number..) and 'log out' available. Good fucking riddance. I truly dodged a bullet by using my alternate gmail!
And all this on a service that has users that are outright bots, Nazis, terrorists (ISIS itself), hacktivists (you can argue some of it is a positive force for change or securing up but it's still highly illegal and often done just for lulz) and the like.
Of course I'm not going to give in to this BS. I can sort of understand Google/YouTube with their stuff and it actually helped me once by requiring SMS verification when my kinda weak old password got cracked/guessed but what Twitter did is downright dumb extortion ("gib phon number! gib, gib, don't write support requests! 1st gib!") or them being idiots (what did I do that's suspicious exactly.. make a Twitter account in 2017?) and grossly neglecting their users (0 human reply, ever). Twitter fortunately would just be a nice-to-have for my side hobby of YTing and I have the privilege of saying "fuck no" to them for this and shitting on them on every occasion but if this was my mail gmail it'd do me in for weeks before I recovered all of my stuff.
There are horror stories on YT too, see Millbee (let's plays) or I Hate Everything a.k.a. IHE(critique/shitposting), banned overnight (Millbee for a nip snip in an anime game despite all the nudity, GONE SEXUAL and borderline CP on YT going unpunished and IHE for 'community guidelines' for a video of smashing a film DVD that was later hand judged as not in violation), both returned after a social shitstorm but with no apology, explanation, nothing. I bet if I was a high up in some company and had a company account tweet what BS I went through it'd all suddenly be fixed in a jiffy with no need for my phone number. But what are internet and real life rank and file tech nobodies supposed to do..?
Look at a companys stock price. If it's in the triple digits, avoid it, because they can and will screw you over.
Should your rule be written to use market cap?