Ask HN: Dealing with forgetful users without access to their email

[cuxoco]

One of your users forgot her password and has no longer access to her email (because she signed up with a email from a company she no longer works at, or she has been hacked).

You can't authenticate her, you only have some data about her that is easy to find out: Name, email, last 4 digits of credit card, etc. You have to make a judgement call so you can be social engineered.

I am wondering how frequent are these edge cases like this, and how do you deal with them.

[greenyoda]

If you have the last 4 digits of someone's credit card number, you could ask them to perform a transaction with that credit card, which would require them to know the complete credit card number, not just the last 4 digits. (Once you've confirmed that they are the credit card holder, you can let them cancel the transaction.)

Also, if they've made credit card transactions on your site in the past, you would know their billing address. You could send a letter to that address with an authentication code that they can read back to you to confirm that they've received it.