How Not to do Tech Support, Customer Service and Security

© 2022 Bob Carver, CISM, CISSP, M.S.

I have been a user of Nord VPN on and off for many years. There was a time if there were any login issues, you could simply get a password reset sent to your email. Those days seem to be over.

I can understand that, with the increased cyberattacks, the process may have to be modified; however, there is a difference between common sense and excessive "Security Theater" that wastes many hours of a customer's time and does not provide additional security for a customer or for Nord VPN.

I have had difficulty logging on from time to time, but in the past the glitch appeared to work itself out after a day or two and I was able to log in to the system again.

Admittedly, I haven't been using the product that much lately, since some have indicated that VPNs might not give the level of security that we once thought they could.

However, recently, I thought I would attempt using the service on occasion for some somewhat sensitive searches.

In my most important accounts, including email, I have enabled 2FA or MFA, but for some reason I never enabled it on this account. Recently I attempted to login to Nord VPN and I was presented a screen asking for a 2-factor authentication code. I had never set up 2FA for this account.

I went to see if I could reset the account by having it send a link to my email, and this was not possible. I later went to the online chat and they indicated I would have to let them know the date I purchased Nord VPN, the credit card number I used and the exact amount I paid for that transaction.

I asked why I had to prove all of this information when I still had a secure login to my email account. Then they said, "Go to https://haveibeenpwned.com and look up your email. Your email shows up on that website as being compromised." I said, "Do you realize that companies that held my email address were compromised and that my actual email had never been compromised?" After online chats with more than one representative, all repeated the inaccurate mantra, "Your email has been compromised, just check out https://haveibeenpwned.com. That is probably how your 2FA got enabled."

I did indicate that I have no problem logging in to obtain a 2FA prompt, with no indication my password had been compromised. (My password is complex and most likely better than the vast majority of Nord VPN customers'.)

Next, I spent nearly two hours on a call attempting to get ALL of the original payment information that Nord VPN requested from my bank. (This was because the transaction was over one year old and not available online.)

Now, I thought I was finally close to getting access to my account: having tech support turn off 2FA, after which I would properly set up 2FA and have it all recorded in my appropriate systems. I went into the chat and re-explained my situation (they claimed they had no information or ticket number regarding my situation despite my having provided my email in multiple previous chats). I provided the following as previously requested:

  1. The credit card used in the payment to Nord VPN.
  2. The date of the transaction.
  3. The exact amount of the transaction.

I thought I was close to the finish line since I had provided all of the information they originally requested.

Now they asked for more information: "What was the expiration date of your credit card?" I gave them the current expiration date of that card. "Sir, that is not the expiration date during that transaction." I said, "You realize that when new cards are issued they have new expiration dates and most normal people destroy the old cards? I don't have the date on the destroyed card." The representative insisted I needed to provide the expiration date of the card used in that transaction.

Next they stated I needed a digital copy of the transaction from the bank. I asked, "Why wasn't that mentioned in earlier chat conversations?" They responded, "That is what we need if you want 2FA turned off."

I later received a request in an email for the credit card number and the date and the exact dollar amount to be provided back in an email, even though the first six digits were provided in a chat.

Later I was also told in an email that there was no record of me providing the original payment information in the chat logs.

1) Question to Nord VPN: Does anyone there realize that providing the entire credit card number in an email is insecure? (Even providing the first six digits in chat is not really ideal either.)

2) Comment to Nord VPN: Once I have given the credit card number, the date of the transaction and the exact purchase amount, later asking for additional information (the expiration date of an old credit card and a digital copy) does not provide any additional assurance in real life.

2a) Most reasonable people destroy credit cards when they are replaced with new cards with a new expiration date.

2b) Anyone can "make" a digital copy of a bank transaction with Adobe or other software tools (this is simply "security theater" that provides no additional reduction of risk).

3) Question to Nord VPN: Why would someone break into a Nord VPN account, keep the password the same and then turn on 2FA? Better yet, how could they do that when there is no indicator my email is compromised (despite representatives' continued misinformation on how they are using and interpreting https://haveibeenpwned.com)?

4) Comment to Nord VPN: If 2FA or MFA is turned on without a customer's knowledge or action, either you have some poorly coded software or, worse yet, a possible security vulnerability in your system. Please fix it!

5) Comment to Nord VPN: Requiring an email address as the username is quite simply bad practice and assists bad actors in "brute force" password spraying attacks. Could this be one of your issues? You might want to allow users to create a unique username instead of using email addresses as usernames.

6) Question to Nord VPN: I recently received an email from Noa Mondero from the customer success team and she indicated that there was no record of me providing the first six digits of my credit card used for payment, the transaction date and the dollar amount in the chat logs. How could that be? Evidence disappeared? Just like how 2FA got turned on without my knowledge?

7) Question to Nord VPN: Is this how you treat all of your customers? If so, perhaps I am better off no longer being a customer.
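Point 4 above implies a control the article does not spell out: every MFA-state change should be written to an audit trail that names the actor and the authenticated session behind it, so support can answer "how did 2FA get turned on?" from evidence rather than guesswork. The following is an added example, not code from the article or from Nord VPN; the log format, field names and sample events are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trail (assumption, not a real vendor format):
# "timestamp,account,event,actor,session". Alice enabled MFA herself in a
# logged-in session; Bob's change claims a session that never logged in;
# Carol's change was made by a support agent outside any owner session.
SAMPLE_AUDIT_LOG = """\
2022-03-01T10:00:00,alice@example.com,login_success,alice@example.com,sess-1
2022-03-01T10:02:00,alice@example.com,mfa_enabled,alice@example.com,sess-1
2022-03-02T08:00:00,bob@example.com,mfa_enabled,bob@example.com,sess-9
2022-03-03T12:00:00,carol@example.com,mfa_enabled,support-agent-7,none
"""

# How long after a login an MFA change still counts as the owner's own action.
WINDOW = timedelta(minutes=30)


def parse_events(text):
    """Parse the constructed CSV-style audit lines into dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, account, event, actor, session = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "account": account,
                       "event": event, "actor": actor, "session": session})
    return events


def find_unattributed_mfa_changes(events, window=WINDOW):
    """Return (account, reason) for every mfa_enabled event that cannot be
    tied to the account owner's own authenticated session within `window`.
    These are the records that should trigger an owner notification and a
    human review, instead of being explained away to the customer."""
    logins = defaultdict(list)  # account -> [(login time, session id)]
    for e in events:
        if e["event"] == "login_success":
            logins[e["account"]].append((e["ts"], e["session"]))
    findings = []
    for e in events:
        if e["event"] != "mfa_enabled":
            continue
        if e["actor"] != e["account"]:
            findings.append((e["account"], "changed by non-owner actor %s" % e["actor"]))
            continue
        owner_session = any(s == e["session"] and timedelta(0) <= e["ts"] - t <= window
                            for t, s in logins[e["account"]])
        if not owner_session:
            findings.append((e["account"], "no owner login session recorded for %s" % e["session"]))
    return findings
```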

I did notify Nord VPN that they need to come up with a reasonable solution to reset my account within 48 hours or I would be posting this story on social media. The only communication I received was an email that stated they had no record of me providing my banking transaction records in the chat logs and that I should provide all that information insecurely in an email.

Based on my recent experience of wasting many hours and your questionable security/privacy practices, I can no longer recommend your services, despite having used them for many years.


Bob Carver

CEO Cybersecurity Boardroom | CISSP, CISM, M.S. Top Cybersecurity Voice

2 years

Nord VPN contacted me and said they removed my account. They said they would give me a pro-rated refund. Now, should I verify they followed through?

Bob Carver

CEO Cybersecurity Boardroom | CISSP, CISM, M.S. Top Cybersecurity Voice

2 years

I have sent my request to support to remove my account and all of my user information from all of Nord VPN's databases. We will see if they can perform this relatively simple request. At this point, I figure the risk of having a Nord VPN account is higher than having it entirely removed.

Avrohom Gottheil

Tech Influencer | Thought Leadership | B2B Influencer | Digital Transformation | Cloud Migration | #AskTheCEO Podcast Host | Public Speaker

3 years

Very informative
