If that had been said to me in the call, I would have saved about 2 hours of frustration for absolutely no reason.

Rididculous.

Anyways, thank you for the quick response and spot on identification of the actual problem.

I will be sticking to this community for support from now on.

You’re welcome. That’s why we are here. I wish you success this time!

 Yes, the Community is valuable resource.  Quite often, I’m able to find my question already answered by a quick search of a few keywords. Just look for threads with best answers already marked!  That’s what I did trying to help you. It’s a definite time and frustration saver frequently. 

Regards,

Hmmm.  I understand your frustration.  But at least it seems there is progress.  Hopefully you can put this behind you in a couple of days.  That’s better than what you were told the first time, eh? (I’m nothing if I’m not an eternal optimist! Sorry.)

I appreciate the sentiment, but optimism does not patch holes in a potentially serious situation.

As a down-to-earth and level headed point of view; the chance of someone with my recycled number putting two and two together for malicious purposes against my account (like seriously, an MSP that uses this platform rarely anyways) is probably very slim. Unfortunately, that does not excuse the fact that this issue is being purposely ignored by the Square team. Even a 1% chance should not be ignored when it comes to cybersecurity. I now wonder if there is any cybersecurity certifications behind the scenes for this company? SOC 2 compliance? PCI-DSS? All of this now comes into question from my point of view. Square claims to be on the PCI board, but then turns around and does shady crap like this. (Heres the link: https://squareup.com/us/en/security) This as I understand it, is a chain of command issue that is not being communicated by executive level down to support level. I hope this company changes for the sake of anyone investing in this company's public stock.

This is a disaster waiting to happen, and I hope that my involvement here is non-existent. From a threat surface standpoint, it is not something that should be ignored. The CISO (should Square even have one) should be livid over something like this.

Maybe it will take some crazy popular youtuber to make a stink over this?

That is a massive consolation. Thank you for your input there.

I understand that they would be precarious, but given the circumstances, and the information that they have already changed, I don't understand why all of a sudden this is an issue? If I was a bad actor, then I would have already had access; see: I DO NOT have the recovery phone number anymore, so what is the difference between the access I already had vs not having that recovery phone number? The "bad actor" would already have had access to the account without my "recovery" phone being notified or anything.

Disguising poor internal processes as a "cybersecurity risk that you need to be saved from, because bad guys" is an overused joke in business.

The point of this issue is that support did not at any point prepare me for this roller coaster ride of a customer experience. Am I poorly communicating here, or is it because I am copping an attitude over this whole situation? (rhetorical)

For instance, I originally had 2 factor disabled. Why would your company allow a bad actor to ENABLE it? lol

For instance, I originally had 2 factor disabled. Why would your company allow a bad actor to ENABLE it? lol

 

---

It really boils down to how companies identify the owner of the account. Generally they'll use a combination of email, phone number, security info like ssn, etc. The more identifying information a scammer can wrestle from you the harder it is for Square to protect us all from bad actors.

The reality is there ARE a lot of bad actors and account hijacking is rampant and small businesses are susceptible to losing a lot of money if they get their businesses stolen from underneath them.

I'm having a hard time understanding if you're upset at the fact that they don't immediately allow you to change information or if you're upset at how they're communicating.

The precautions or speed they move at is ultimately a GOOD thing for account security because instantly allowing changes would allow a bad actor to set up two factor with THEIR info instead of yours for example.

As far as how they communicated their policies, customer service is extremely difficult on a global scale and a little patience goes a long way. Ultimately there is room for improvement and room for understanding of why businesses operate the way they do.

Best of luck!

Originally my frustration was the inability to change my recovery phone number. This was caused by the poor communication on the phone support side of Square, which is what revealed these internal processes to me i the first place. Now that I realize that waiting an extra 2 days is acceptable (because my phone number is safeguarded for 90 days) I am not as upset.

But for the principle of the matter, it just does not make sense to me. I'll take the access in 2 days, but with processes like these, they are going to have to expect some complaints like this from time to time.

In any case, the problem is in the process of being resolved; but I am not quite out of the woodwork yet. I have had a heck of a week dealing with customer support across my own business as well as those of my clients, and it seems that getting anywhere has been nothing but a hassle. Tack that on with personal frustrations, and here I am spending way too much time on these boards. We are all human, right?

Notes

I may be off with my timeline for 2 factor being enabled, I honestly can not remember if my phone number was dropped before or after 2 factor was enabled. I just did not expect to have to remember that detail; something I felt was necessary to note. (Suppose this can be tested on a new account after removing my banks from this account, instead of waiting the 2 days)