What contact info did you use? My partner is the author of this blog post, and neither of us has been contacted by Cloudflare that we know of.
My original ticket number was 3029706 but it seems to have disappeared after the support platform migration.
Hello from Gandi! Thanks for the recommendation. You should contact our corporate services team, as they might be able to make this happen for you :)
gandi.net/corporate
Hi, if you were paying through our international payment processor, you should give it another try, as we have a payment processor in the US now.
And if you were paying through our US processor, I'd love to have the support ticket number to look into it, as we're really working to eliminate such payment issues.
Hi, AJ from Gandi. That sounds terrible, and not like us at all. Do you think you could provide the ticket number from the subject line of the support email so we can investigate further?
For the record: we can provide a callback upon request, and we have live chat support as well.
Hey AJ -- if you're "Alexis J" from support, I think you and I exchanged a couple of messages on this issue: #5926006. It was a little messy:
1. I was using Gandi for, I think, only the second time, and I initiated the account creation process from a domain transfer (account #1).
2. During the account creation process, I think there was a small field labeled something like, "Create a new Gandi handle", which to me sounded like a pretty good idea: I could create something more memorable for my client rather than a random-numbered GANDI- account, so I used the shortened form of my client's primary domain. This created account #2.
3. What actually happened was that both account #1 and account #2 were created, account #2 was an ordinal number away from account #1 (so, SS00003 and SS00004 for example), and the password was clobbered on account #1.
4. I then signed in to account #2 to look at the domain transfer status and found that no domains were listed there. Odd. So I tried signing in to account #1 and couldn't, and I don't remember why but the password reset function wasn't working (I probably wasn't receiving the emails).
At this point I thought the UI was a little confusing but it wasn't a big deal. I've dealt with almost exactly this same issue with GoDaddy and it just took a phone call and they sorted it out in a few minutes. I was less happy to realize you don't have a phone support option, but that's on me -- I should've checked that first. I refuse to use live chat because my experience with that has been universally bad; live chat always gets shunted to support people that are restricted to a script and can apologize a lot but never actually fix anything.
5. So I started a support request and was polite at first, explaining the situation. What I got back was a request for "company documentation establishing you as a representative of the company [...]" and "articles of incorporation, and a scan copy of the government issued identification of one of the signing parties on said document".
6. That got a slightly less polite response from me saying that under no circumstances would I burden my client with a paperwork request over this, and reiterating again that it should be clear that I created both account #1 and account #2, that my credit card and billing information was used to pay for the process, that I successfully initiated a transfer of four different domains, and that I thought this should be reasonable and sufficient evidence of access on their behalf.
7. After that there were a couple more exchanges between Dante A. and Alexis J. and me; Dante wrote a polite long email repeating that there was no way for Gandi to confirm that I created account #1 and giving me a tip for using Gandi in the future, and Alexis J. chimed in to say that Gandi doesn't retain payment information "for security reasons".
At this point I was slightly horrified at the experience, especially in the context of having received significantly more useful support from GoDaddy of all places in the past for almost exactly this same issue (merging two accounts). I couldn't imagine sticking a client with this kind of support. I have to navigate support channels for lots of different companies on a regular basis, that's part of my job, and it's unusual for me to get completely stymied by support anymore.
It didn't help that all four domains were close to expiration and that one of them appeared to have a transfer problem but you couldn't give me any information on the transfer status of that domain. I was left with one of two choices: either wait and see if the domain transfers first or expires first, or try to initiate an immediate transfer with another registrar and potentially complicate matters even further. I opted for waiting and fortunately that turned out OK, but I had several days to stew over not being able to tell what was going on.
I did get one thing wrong in my complaint upthread though: when going back over the email thread I realized your turnaround was pretty OK; there's just shy of four and a half hours elapsed between your initial support response and the second-to-last message in the thread, for a total of 8 messages back and forth.
Given the support response, I can't tell if Gandi support was refusing to help for policy reasons, or if support actually doesn't have access to the information that they need to sort out problems like this.
If it's the first, Gandi's support personnel need to be trained to handle exceptions IMO. That's why there are humans in support, and not automated Q&A forms. I'm fully aware of the security risks posed by poorly-trained personnel attempting to evaluate a security-related situation, but I think that refusing to think about anything related to security is an even worse response.
If it's the second, Gandi's systems need some tweaking. The UI for the account signup process is a bit confusing; "create a new Gandi handle" should do a better job of explaining exactly what's about to happen, and it shouldn't clobber the password for the first account that was created. There are no "security reasons" for not retaining at least the last 4 of the credit card number used for a transaction, and maybe even a billing name and/or zip code. It should also be easy for support personnel to see that one Gandi account created another Gandi account, and if someone sends in a request with a problem like mine, you should be able to say, "oh, ok, you have access to account #2 but everything's stuck in account #1, hang on, let me merge those for you, sorry for the trouble."
Also, I just realized I never actually did transfer those domains from Gandi. Oops. Doing that now.
I'm not Alexis, but we just looked over your ticket together. I think the initial place where this became more complicated was the assumption made during the first reply to your ticket, which was that you had already exhausted the password reset attempts. You mentioned (here, not in the ticket) not receiving them; maybe we should have tried harder to figure out why the password reset option wasn't working for you.
At any rate, once that point is reached, we act with the security of the domain in mind. If the handle in question belongs to an individual and you have access to the email associated with the account, it's as easy as sending a copy of your ID. In this case it was a company handle, which requires some proof that you're authorized to act on behalf of the company.
This kind of situation is exactly why we offer reseller-type accounts (free of charge), which allow you to control your clients' domains and handles from one place, while leaving the domains in their name.
Given that there may have been an easier solution available, I'm sorry this went down the way it did. But at the same time, we don't think it's unreasonable to ask for proof of ID when you're trying to gain access to an account: We don't have access to any payment information that could reliably identify you, as it all goes directly through our payment processor. We understand when you explain the situation, but such explanations are all too often indistinguishable from social engineering, and so we take it a step further--for the sake of the security of people's domains.
We are humans, but we're paranoid humans, and a great deal of our customers appreciate that.
If you ever decide to give us another chance, you can reach me at aj (at) gandi.net. I can help you set up a reseller account (and do my best to restore your faith in us).
I understand wanting to verify my identity; if you had asked me to just send a copy of my personal identification and then checked that against the payment information that you could have on file in a totally secure way, I would have groused but probably done it without too much complaint. (I might have pointed out how easy it is to falsify a scan of a driver's license, and how that makes this all smell a bit like security theater rather than real security...)
I didn't consider a reseller account because in this particular case the plan was just to be the guy that set up the account for the client and then hand everything off to the client, since that's what they wanted. Maybe that would've worked better.
I dig that Gandi takes social engineering into consideration and it's great that you want to do your best to make sure your customers don't have their domains stolen by bad actors, but I think there might be some room for improvement in figuring out who is and isn't a bad actor. This experience with Gandi was unusual compared to a lot of other companies I have to deal with, most of whom have to have some level of data security policies in place.
> We don't have access to any payment information that could reliably identify you, as it all goes directly through our payment processor.
That seems odd. I wonder if this is a technical limitation of your payment processor, or just something that's not implemented on your end, or if there's some other consideration that's keeping you from making it work. I'm pretty sure authorize.net makes transaction information available in a secure way to vendors, as do Stripe and a small number of other forgettable payment gateways I've had to write code for over the years.
If you did have the ability to see the last four of the credit card used to create the account (and I understand you didn't/don't), you could have asked that in a challenge/response manner and I think that would be even better than asking me to send fakeable images of identification -- which violates my personal security, because I have no guarantees whatsoever for what a company does with a scan of my driver's license after they receive it.
Anyway, I do appreciate you reaching out and taking the time to look into this; that shows you do care about your reputation.
Hi, AJ from Gandi here. Do you have the ticket number from the subject line of the support email? If we made a mistake like that, we should make it right.
Thanks. I just looked at your situation, and you're right, that was our mistake. I took action and replied to your ticket with details; hope that helps.
Would you buy a car from a dealer that required you to sign a contract stating they could take your car back if you carry a passenger who says something racist? Would you do so even if they promise they don't enforce that clause, when there's ten other dealers in your town that don't make you sign anything like that?
[Speaking for myself, not Gandi, and IANAL]
To answer your question, I'd probably read the contracts of the other dealers, find their clause saying they reserve the right to take the car back for whatever reason they damn well please, sigh in helpless frustration at the state of contract law, and make my decision based on all available factors, including the actual experience of other people who purchased cars from that dealer.
For the record, we found out about tld-list.com via this thread. We don't pay for advertising as a matter of principle. We don't even have an affiliate program (though we get so many requests for it that we're considering it).
@timbowhite: Nice work on the site. Feel free to contact us, we'd love to send you some swag! Is the code open source, by the way?
Unrelated to the topic, but has Gandi decided to stop hijacking users' domains and holding them hostage? I had Gandi seize a fairly decent domain of mine for "abuse" (which is funny because the domain wasn't even in use) and communicating with the support was just a truly horrible experience; they wouldn't even tell me what the domain was actually suspended for.
Not sure what you mean by "holding them hostage," but we don't take down domains without a good reason. In the rare case that we do suspend a domain, we always tell you why. If that's not what happened in your case, please contact us or reply here with your ticket number so we can look into it.