  #1 (permalink)  
Old 07-17-2008, 11:50 AM
Junior Member
 
Join Date: Jun 2008
Posts: 17
Regarding helpdesk security

I'm a bit worried about this, so I thought I should post it up as a suggestion.

Basically - The steps required to get access to someone else's service are pretty scary.

Whenever I need support, I will _ONLY_ need to give the IP address of my VPS for the person on the end to fix something, or install something for me.

Now, to me - That is pretty worrying. Could you do something about this? Because to my knowledge - That means everyone could theoretically have access to my server. Which really isn't that ideal.

Just a heads up, that the help desk seems to just try and get problems solved as fast as possible, not minding whether sometimes it may pose a security risk.

Note: I also do not like (rarely) having to put my root login information over a non-SSL site, it's not safe, and unpractical. The chat may be "Hacker proof" but that doesn't mean it's safe from people sniffing the network.
  #2 (permalink)  
Old 07-17-2008, 12:56 PM
Dan
Got root?
 
Join Date: Aug 2007
Location: England, UK.
Posts: 755

Quote:
Originally Posted by Kieran View Post
I'm a bit worried about this, so I thought I should post it up as a suggestion.

Basically - The steps required to get access to someone else's service are pretty scary.

Whenever I need support, I will _ONLY_ need to give the IP address of my VPS for the person on the end to fix something, or install something for me.

Now, to me - That is pretty worrying. Could you do something about this? Because to my knowledge - That means everyone could theoretically have access to my server. Which really isn't that ideal.

Just a heads up, that the help desk seems to just try and get problems solved as fast as possible, not minding whether sometimes it may pose a security risk.

Note: I also do not like (rarely) having to put my root login information over a non-SSL site, it's not safe, and unpractical. The chat may be "Hacker proof" but that doesn't mean it's safe from people sniffing the network.
They will be senior staff members, the lower staff members will require a password directly from you.

They are all staff members who have access to the servers, most working in the same building as the servers, no need to worry
__________________
Webhosting.UK.com || cPanel VPS Hosting || Reseller Hosting || Support System || Billing System

Sales: 0808-262-0855
Support: 0800-612-8725
International: +44 191 303 8191
  #3 (permalink)  
Old 07-17-2008, 01:01 PM
Junior Member
 
Join Date: Jun 2008
Posts: 17

What I'm getting at is nothing to do with the level of the person dealing with the request, but more the person on the "support end." If they request something to be changed, and no-one asks for a PASSWORD, this random person on support is getting things installed on someone else's server.
  #4 (permalink)  
Old 07-17-2008, 03:45 PM
Senior Member
 
Join Date: Jan 2007
Posts: 948

Quite right Kieran, I thought it was just me that they didn't ask, as I am on it so often lately that I thought they remembered it

I have had all kinds of things messed with on my vps, and I could have been anybody really. I never get asked for my password.
__________________
West Dorset Community
  #5 (permalink)  
Old 07-17-2008, 07:30 PM
Dan
Got root?
 
Join Date: Aug 2007
Location: England, UK.
Posts: 755

As a Customer, I have always either been asked for my password or email address to confirm this is myself and nobody else.

I'm sure there is a logical explanation behind it, such as IP or email recognition. We will just have to await an official reply
  #6 (permalink)  
Old 07-18-2008, 09:46 PM
Administrator
 
Join Date: Mar 2006
Posts: 1,752

A hacker will ask us to delete some content or he may ask for login details. We never entertain such requests on livechats. If you come on livechat and mention that your mailbox is not working then such tasks don't need any sort of verification as your request is just to fix a problem which won't create any problem for your Business.

You can test what I've said and let me know if you manage to get your password changed from any of our support staff without verification.
__________________
Web Hosting UK - ASP MSSQL Hosting - cPanel Linux Hosting
AIM : webredback || msn : andrew @ webhosting.uk.com
Toll Free : 0808 262 0855
  #7 (permalink)  
Old 07-18-2008, 10:54 PM
Dan
Got root?
 
Join Date: Aug 2007
Location: England, UK.
Posts: 755

In addition to this, having your password reset will result in the password being reset to the one in your welcome email. Although you will need to provide valid information such as your email.
  #8 (permalink)  
Old 07-20-2008, 01:32 PM
Operations Manager
 
Join Date: Nov 2007
Location: United Kingdom
Posts: 59

This is one of those situations where someone will complain either way. I have dealt with several complaints this week from people complaining that we ask for their passwords during live chats.

I would like to think we have a good balance at the moment. We ask for passwords for serious work to be carried out but if someone says they have an error message on their website (and we can see it) there is little need to ask for a password.
  #9 (permalink)  
Old 07-21-2008, 10:33 PM
Junior Member
 
Join Date: Jun 2008
Posts: 17

Quote:
Originally Posted by John View Post
This is one of those situations where someone will complain either way. I have dealt with several complaints this week from people complaining that we ask for their passwords during live chats.

I would like to think we have a good balance at the moment. We ask for passwords for serious work to be carried out but if someone says they have an error message on their website (and we can see it) there is little need to ask for a password.

How can you say that, this isn't just one of those "you have good/bad support" topics, this is regarding the security of our service.

Even small tasks can present security risks. If I asked a person on live support to install a script from xxxx.com, and I had thrown in custom code, I could literally break everything on the server.

How can they look at it like that "it's one of those things customers will complain about either way." or "some people might like the new forum skin, others might not"


You just CAN'T.


I'd rather be safe than sorry, maybe implementing an SSL certificate to the online chat, would be a good move, making people feel more happy about giving their information via live chat, or maybe implementing some type of centralised system where every client is given a unique identifier and support staff can view this, and check their credentials.

Look into it further, test your support and see how far into someone's server you can get, I can guarantee you'll be surprised. You need to ask for a password for everything, I could just get the support staff to install a bloody virus, or a torrent file and leech off of other clients' bandwidth. Nice.

In fact, I might upload a 500 GB collage of animal porn.

Quote:

I have dealt with several complaints this week from people complaining that we ask for their passwords during live chats.
I know, let's fulfill their requests and tell the live support desk staff to not ask for a password, see how stupid they'd seem then.

_Sort_ it out, how hard is it?




Quote:
Originally Posted by Administrator View Post
A hacker will ask us to delete some content or he may ask for login details.

I can see it now "Delete content from ___.com because I'm a hacker, and that's what I ask" of course it's not that straightforward, nice security procedure.

Last edited by Kieran; 07-21-2008 at 10:35 PM.
  #10 (permalink)  
Old 07-22-2008, 03:38 AM
Dan
Got root?
 
Join Date: Aug 2007
Location: England, UK.
Posts: 755

Quote:
Originally Posted by Kieran View Post
How can you say that, this isn't just one of those "you have good/bad support" topics, this is regarding the security of our service.

Even small tasks can present security risks. If I asked a person on live support to install a script from xxxx.com, and I had thrown in custom code, I could literally break everything on the server.

How can they look at it like that "it's one of those things customers will complain about either way." or "some people might like the new forum skin, others might not"


You just CAN'T.


I'd rather be safe than sorry, maybe implementing an SSL certificate to the online chat, would be a good move, making people feel more happy about giving their information via live chat, or maybe implementing some type of centralised system where every client is given a unique identifier and support staff can view this, and check their credentials.

Look into it further, test your support and see how far into someone's server you can get, I can guarantee you'll be surprised. You need to ask for a password for everything, I could just get the support staff to install a bloody virus, or a torrent file and leech off of other clients' bandwidth. Nice.

In fact, I might upload a 500 GB collage of animal porn.

I know, let's fulfill their requests and tell the live support desk staff to not ask for a password, see how stupid they'd seem then.

_Sort_ it out, how hard is it?

I can see it now "Delete content from ___.com because I'm a hacker, and that's what I ask" of course it's not that straightforward, nice security procedure.
You do seem to be coming across rather rude. How do you suggest it is dealt with? It's okay throwing complaints but what would you do in such a situation to boost "Security"?
  #11 (permalink)  
Old 07-22-2008, 03:53 AM
Operations Manager
 
Join Date: Nov 2007
Location: United Kingdom
Posts: 59

Hello,

I'm quite satisfied with the level of our security. I maintain that we ask for a password for all serious work and such things that could divert traffic. If someone comes on live chat and says their VPS is down, we really don't need a password to check that a VPS is down, it's common sense.
  #12 (permalink)  
Old 07-22-2008, 10:09 AM
Junior Member
 
Join Date: Jun 2008
Posts: 17

Quote:
Originally Posted by John View Post
Hello,

I'm quite satisfied with the level of our security. I maintain that we ask for a password for all serious work and such things that could divert traffic. If someone comes on live chat and says their VPS is down, we really don't need a password to check that a VPS is down, it's common sense.


No, that's where you're wrong.

You should be asking for a password for everything, if I asked you to set up an email forwarder for "accounts@site.com" to be forwarded to "random@gmail.com"

You WOULD do it. I've actually just tested this, imagine _JUST_ imagine if emails about accounts, bank details and such were being relayed through this email, is it common sense now? I THINK NOT.

I'm not having a go at you, I'm just suggesting you do something about it. It's a security hole, and you need to fix it. I've also asked someone to restart my VPS, and he/she has - Yet, again that can cause problems to the company.

How annoyed would clients be if one by one, I asked the servers to be rebooted, or I ask Live support to change emails to an unrouted address, how much business would they lose?


It's not about whether you're satisfied, it's not about being satisfied at this point in time. You need to look further ahead, otherwise problems will arise.

Think about it, and actually accept you've been proven wrong. This isn't a game, it's actually very dangerous.
  #13 (permalink)  
Old 07-22-2008, 10:22 AM
Operations Manager
 
Join Date: Nov 2007
Location: United Kingdom
Posts: 59

Hello,

I assume you saved a copy of the chat transcript, if so, PM me it. Or, failing that, give me the approximate time you came on chat and the name you used on chat. Also please include the name of the agent you spoke to.
  #14 (permalink)  
Old 12-18-2008, 06:47 PM
dansgalaxy
Junior Member
 
Join Date: Dec 2008
Location: Swindon, UK
Posts: 20

hmm, I have to admit I'm both ways on this issue, I've been using the live chat support much more recently and it's pretty good (usually).. although I have to admit every now and then it seems I wake the operators up :/ seems a mix, some are amazingly helpful others not so much...

anyway, I have to admit I was a little surprised at some of the stuff they do without asking for a password... BUT then again because often I use the live chat support in environments where I don't want to have to type out my password in plain text, so any Tom, Dick or Harry can read it (such as college) and let's face it... not many people want another random 16 yr old college kid having root access to their server!

So I think there should be some way to authenticate without having to hand over the root pass.

Dan
  #15 (permalink)  
Old 12-18-2008, 06:52 PM
Operations Manager
 
Join Date: Nov 2007
Location: United Kingdom
Posts: 59

Hi,

It depends what you ask them to do.

If you come on livechat to say your VPS is down, they don't need a password. They will be able to see for themselves if it's down. If you say a domain isn't working, this is something they can easily check.

However, if you have asked for major changes to be made to your VPS, or things to be deleted, a password should be asked for.

If you have experienced an instance where this has happened, please message me with the details. Include the date and time, the operator you spoke to and the name you used on live chat.
All times are GMT. The time now is 11:36 PM.