A brief bit about reclaiming my accounts

This is honestly mostly an opportunity to vent a bit, but it's actually a tech/gaming thing that's not the sort of thing I see get covered when people do things like talk about different companies being better at customer support or whatever, so hey, I'm going to post it to Vigaroe anyway!

As I've posted previously, when I was in the process of moving, my one and only device logged into my primary Google account died. Since I was in the middle of moving, I was of course not on a 'familiar network' (i.e. not my proven home or business network), and so Google's automated processes decided, when I logged in to a cheap laptop on hotel wifi, that I was certainly a malicious actor attempting to steal this account, rather than the person who just earlier that day had been logged in from the very same hotel and when the previously logged-in device could not possibly be in contact with the internet. (What with being dead) Apparently Google's automated processes are incapable of conceiving that a person might abruptly have a device die while afield and grab a replacement to continue with.

Anyway, I went to Google's notoriously bad customer service in the dim hope that maybe I'd get lucky and my problem would be solved by talking to Actual Google Humans. You've probably already assumed this, but no: the thread I opened got no response for multiple days, and then was quietly flagged as a 'duplicate question' (By 'quietly', I mean there was no email triggered by this, and I only knew about it at all because I kept the thread open in a separate tab and checked it regularly), with the text for this linking to a page explaining common reasons for why you don't get a response to your issue... 'this is a duplicate issue' is not one of the things listed by this page, notably.

However, even before I had pretty strong evidence Google was not going to fix this nonsense, I had already set to work regaining control of my other accounts, figuring that Google would be exactly as helpful as they turned out to be. (i.e. not at all) This brings us to the real meat of this post: comparing how various companies handled 'I don't have access to the email for this account anymore and want to switch it to this other email so I can actually access it'.

Some were easy:

-Itch.io did not harry me for credentials at any step. I logged in to my account, I changed the email, there you go!

-Ko-fi was comparably painless.

-To my surprise, even though Valve has accrued a reputation of being a relatively controlling company, their process for requesting an email change while not logged in worked perfectly and without any need to bother a human being.

-To my even greater surprise, Blizzard's Battle.net didn't even require me to do that much; just like Itch.io, I was able to simply log in normally and then change the email without any other steps and without any need to bother a human being.

-Assorted non-gaming, non-financial accounts of interest to me but fairly secondary to this post were also painless: log in using the old email, change to the new email, maybe have to click a link in the new email.

Some were less easy:

-Patreon required me to create an account specifically for opening support tickets. It was not obvious that this was what was being requested (I thought it wanted me to log in with my regular Patreon account), but it didn't end up mattering particularly. There was then a perfectly understandable process of explaining the problem, them requesting some information to prove I knew the account and its bank-end stuff and so was probably the actual owner, me providing that info, and then they promptly changed the email. I was quite happy, and particularly appreciate the friendliness of this process given that there are in fact people who live off their Patreon income whose lives would completely stop functioning very rapidly if they had a comparable event cut off their access to their Patreon account. (A fact I'm very aware of given I hope to someday be such a person) This is an appropriate balance of caution and swiftness in context!

-Good Old Games requested the email address, screen name of the account, and confirmation from my bank and/or Paypal of having purchased from Good Old Games. They also suggested I provide any other evidence I could think of in a fairly open-ended way, which I actually quite liked -people are going to remember specific tidbits that can be pretty strong identifiers of familiarity with an account that don't fit inside a support system's pre-defined checklist, and somebody trying to use an account recovery system to steal an account is going to have a harder time faking up correct details and/or using spyware or whatever to readily spot such details to use convincingly. So I suspect it's actually better for security, though admittedly I'd guess it's also reliant on well-trained customer service staff who have access to robust tools for checking account details, so it's presumably expensive to set up a version that actually achieves what I'm imagining. Whatever the case, this was unfortunately awkward for me because events have contrived such that I actually haven't used my GoG account very much over the years (I've primarily installed from my brother's GoG account, is the really short version) and so had limited ability to provide credentials. On the plus side, if my account were not returned to me, I'd not be terribly broken up and would just make a new account and start again on snatching up giveaways and considering someday buying some more games from it when my life circumstances make that more reasonable, so I didn't mind terribly much that I had poor ability to prove it was my account.

For whatever reason, they were consistently the slowest to respond throughout the process... nonetheless, they did ultimately give me back control of my account, in spite of the comparatively limited proof I could offer that it was in fact my account, and the whole thing took just about a week in total -it didn't involve much of a back-and-forth. So that was ultimately a pleasant surprise.

Two were... very wonky.

-Epic Games initially sent me an email saying they'd sent a link in an email to... the email address I didn't have access to... and told me to click that to somehow start this process. So that was a bad start. After I sent back an understandably confused email, they asked me to name the email address tied to the account, the account's display name, and the names of any and all accounts I'd linked to the EGS account. I did so, at which point they... sent me another email that re-requested all that info plus asked for the city and state I'd ordered from, some info on the bank card I'd first used to buy something on the account (Which I couldn't do because I'd changed banks in the ensuing years and so didn't have the card's info anymore), an ambiguously worded request for the Invoice IDs and/or Transaction Numbers for an unspecified number of purchases, and lastly a screenshot of the receipt for my most recent purchase. ('purchase' included giveaways explicitly, as an aside)

I proceeded to send back an email providing what information I could and explaining why I couldn't provide the info I couldn't... and to my surprise I almost immediately got an email back saying that the most vitally important thing for me to provide was the screenshot of the receipt of the most recent purchase and so until I could provide that this was a dead end. Not the part where I couldn't provide my bank card info. The screenshot.

This hopefully sounds weird all on its own, but I'm going to give some additional context anyway: the process of being able to get such a screenshot of a receipt works in the form of you going into your Epic Games account, going to a section tracking all your purchases, and then requesting an email of the receipt, automatically sent to the account's current email.

I actually happened to have another device logged into my Epic Games account when this disaster started, so I actually could provide Invoice IDs as requested (I have to wonder how many people actually lose access to their EGS-associated email while logged in to Epic Games so they can complete this step; I wouldn't expect it to be a typical scenario, personally), but the design of this whole system is such that this process for changing your email because you don't have access to your current email inexplicably requires you currently have access to your current email to complete. What?

Me talking about the above issue resulted in a pretty confusing back-and-forth where I asked for more sensible ways of proving myself, pointed out there's a fundamental issue here that really ought to be reported to whoever can produce a policy change, and pointed out that this whole thing was not protecting my account (If I was a malicious actor, I was already logged into the account) and was in fact going to ultimately take it away from me (Because any future devices need an email confirmation to get logged in, so as soon as my logged-in device was no more I'd lose access to the account if this email situation wasn't fixed), and ultimately got told that the verification process takes 7 days, suggesting I'd provided enough info to maybe get verified but just needed to wait. (So why was I told earlier that the screenshot was necessary??)

In general, talking with EGS customer support felt like talking to a chatbot. And to be clear I mean the classic kind that is terrible at being convincingly human; multiple of their responses came across like weird non-sequiturs unrelated to what had been said in my and their last emails, they were unclear and inconsistent in how they presented info ("You need to provide the screenshot, or else you can't get your account back, and I'll be closing this support ticket", then me complaining how nonsensical this requirement was, then "it takes a week to get through the confirmation process"), and sundry other weirdness. The process would've been janky and frustrating regardless, but this aspect lent a surreal quality to the experience and made it extra-difficult to stay cool, given I couldn't come to grips with any kind of sane underlying system.

9 days after I provided the verification info, I poked them somewhat passively-aggressively (Having been told it would take 'about' 7 days, and just generally frustrated with this whole interaction), and to my surprise within a few hours they informed me that the info I'd given was adequate and now I just needed to provide the email I wanted it switched to. I did so, and within 30 minutes had full control of my account once again!

So that was a confusing, frustrating journey, but this process did ultimately work.

-With Discord (Yes, I have a Discord account, no, I didn't try to tie it to Vigaroe/my Patreon, and honestly I only use it for a couple of specific things, but that might change now that I'm out of the Nightmare Apartment... well, maybe once I'm back in housing, anyway) I initially stumbled over the issue of its ticket process not making it clear what the function of providing an email was. I first provided the email of my locked-out account, since that's the one tied to my Discord account and I figured it wanted to know which Discord account was requesting support. I figured I'd get a Discord direct message or something. A few days passed in silence, I began to suspect I'd misunderstood, and I tried again but with the account I do have access to -I got a reply in less than 60 seconds this time. Unfortunately, said reply was...confusing, in part because one piece very directly stated 'if you don't have access to your email account, you're screwed' even though the support page itself was fairly direct about stating that if you didn't have access to the email tied to your Discord you should use the support page for help with that problem. Which is it?

Further conversation clarified that yes, you just straight-up need your email to be able to modify your email, no possibility of customer service helping. I guess it's lucky I barely used Discord up to this point; I promptly nuked the account and set up one tied to an email address I do have access to.

So that's... not great. Notably, I could log into my Discord account just fine, and otherwise mess with it; it was only this specific function of changing the email that actually triggered a test of whether I had access to my email. So... an attacker could've gotten into my account and read private conversations and impersonated me, changed the password without issue, otherwise generally caused trouble for me, and even permanently deleted my account so long as they cracked the email/password combo in the first place... the only thing they couldn't have done was actually swap the email.

I'm having trouble imagining the logic here; 'can't change email without email' offers literally zero useful protection against an attacker causing trouble, but it sure does create annoying jank for legitimate owners who lose access to the assigned email.

-----------------------------------

So now let's talk a bit more about what started this mess: Google locking me out of my account.

Possibly the thing that drives me most up the wall isn't how much stuff I had tied up in this account to lose, but rather how this whole thing was a stupid, nonsensical sucker-punch, where Google's own decisions created this screw-you much more than my own.

Like, you're supposed to have a recovery email. I had one. Inexplicably, Google seems to have quietly stopped acknowledging this. What's especially galling is that the account I'm currently using also did not want to let me in initially, but once I correctly identified this account's recovery email it let me in just fine -without even bothering to send an email to the recovery email address! (Which was important, as the recovery email was the account I'm still locked out of) If Google hadn't apparently forgotten my recovery email without bothering to let me know, I'd still have access to my account!

By a similar token, I was completely blindsided by the 'Google doesn't recognize this computer and wifi' challenge. This hadn't happened at any point prior; apparently when I did change devices after this system was implemented, I was quietly passing this security test due to my wifi being 'trusted'. Meanwhile, Google never once emailed me to let me know the security logic for Google accounts was changing; they emailed me plenty about changing their terms of service, but not about stuff that could lock me out of my account if I don't know about it? Excuse me?

This is especially infuriating for me in particular as tying up so much of my writing and whatnot with Google was previously protective in literally the exact circumstances it's now screwed me; for whatever exact collage of reasons, it's long been the case that my computing devices have a tendency to die fairly abruptly. Usually I get enough warning to back up some stuff, but I have had a couple occasions where a device seemed fine one day, then simply refused to boot no matter what on the following day. Having my writing and all be heavily in Google meant that generally the worst consequence of this was that I lost maybe an afternoon of work -and now instead it's cost me years and years of work, and would've cost me more if it weren't for a kind of dumb confluence of events!

Anyway...

Similarly, apparently Google phased out security questions entirely sometime after I last interacted with the system. Again: Google didn't email me about this, and I only learned of it when I was trying to dig for online help on recovering a Google account... and I strongly suspect they broke something when they discontinued security questions, as my security question is not what I set.

And so too was I not informed of the 'confirm yourself with an already-trusted device' method of confirmation coming into existence -I had access to another device and would've logged in on it as a precaution ages ago if Google had bothered to inform me at any point.

It'd be one thing if I'd lost access to my account because of my own negligence; I'd obviously still want my account back if possible, but that would just be my problem.

In actuality, though, Google is employing a series of bad practices that all but guarantee people Doing All The Right Things will still end up losing access to their account without warning because they were never notified of what they needed to do to stay secure. And then their nonexistent customer service makes the problem worse -normally when a big company makes this kind of mistake, customer service reduces the damage while the company course-corrects their ill-considered policy decisions, but not so with Google.

So in retrospect I'm not really surprised this happened to me -variations on my experience are probably happening to a lot of people, and will continue to do so until either somebody successfully takes Google to task over this nonsense or Google internally recognizes these are bad practices and they need to get better about things like communicating major changes that their users need to adapt to if they don't want to be screwed.

And I have doubts either will happen particularly quickly, unfortunately.

Comments

  1. Hey, just to say that I'm glad to see you posting again, even if the life situation is still trash. Wishing you good luck with that still, hope things turn around quickly.

    Replies
    1. Ditto; it's good to see you're still active.

      And yeah, Google has appallingly bad customer service. As someone who works in the industry, I can say that the average Google engineer is well aware of this, but engineers don't get to set the customer service budget.

    2. Well, so far being homeless has been genuinely largely an improvement on the Nightmare Apartment, so I'd say in some sense things are already 'turned around' some, even if I do want to get back into housing quickly.

      And yeah, I've been hearing 'Google has bad customer service' for years, but I've never seen anyone contextualize how it fits together with other problems like 'unreliable about communicating upcoming changes to end-users' to be worse than merely 'bad customer service'. This has been a very educational experience of how very real-world-applicable ideas like 'the total is greater/lesser than the sum of its parts' actually are. (Which is a concept I've thought about heavily within the context of game design, but haven't historically had cause to connect to other topics so explicitly)
