Swimo Posted October 25, 2010

Upon editing usergroups we should have an option to make it so when that usergroup goes to view a client's profile/page/services etc. they need security question answers to get in.

This is useful for the following:

- Making sure support staff ask security questions to do a function on the account (e.g. cancel a service)
- Reduce the risk of support staff hacking any clients' accounts
- Useful for phone line support staff to make it sound more professional

It would be really good to have a feature like this, and the security question answers would be the answer to their security question and something like a postcode or a web PIN which they can make via the account?

Conor Calby Posted October 29, 2010

I second this, with so many hackers around nowadays, security is a big deal, and we need this!

laszlof Posted November 1, 2010

IMO, if you're worried about your support staff hacking your clients' accounts, you should probably put your focus on proper staffing rather than a module/feature request.

gearheadhost Posted November 6, 2010

I have to second laszlof on this. Even before reading his response I was ready to make that comment. Module would be nice but a proper staff would be better.

Austdata Posted November 8, 2010

> - Making sure support staff ask security questions to do a function on the account (e.g. cancel a service)
> - Reduce the risk of support staff hacking any clients' accounts
> - Useful for phone line support staff to make it sound more professional

The first and last points would be okay for larger mobs but I think, as has been said, better employment practices need to be implemented rather than point two. I don't think that WHMCS needs to implement anything for your points one and two to work. It should be included in support staff training.

JohnnyD Posted March 30, 2011

> The first and last points would be okay for larger mobs but I think, as has been said, better employment practices need to be implemented rather than point two. I don't think that WHMCS needs to implement anything for your points one and two to work. It should be included in support staff training.

While I do agree with you, I do think it would be a GREAT addon module to force SPECIFIC admin roles to do this while allowing others (Full admin and others specified) to get in without it.

Roger Posted March 30, 2011

I have to go with good pre-employment screening. Background checks etc., and then monitor your logs for improper activity.

Additional login security practices for admins would most likely not be beneficial. If your box is compromised the hacker doesn't need to log in. He owns it all. Should your install of WHMCS ever actually be compromised itself, additional security logins won't help because they already own your install.

I'm the network administrator for a mid-west city. I'm responsible for 11 servers, a clustered Exchange email system and 150+ workstations in 7 geographically diverse locations. The key to security is education. Start with having a good written security policy for employees. Ensure you implement good basic security practices like using very strong passwords, regulating or not allowing USB storage devices on company systems, and not allowing (or regulating) personal laptops, PDAs or smart phones to be attached to company computers. At your company headquarters use reserved DHCP IP addresses (where a specific IP is matched to a specific MAC address) instead of just blindly handing out IPs to anything that plugs into your network. All will go a long way towards keeping your clients' stuff secure.

Security is not a goal to be obtained. Security is a state of mind. The threat is constantly changing. You have to be flexible and evolve with the threat. Otherwise, you will be compromised eventually.

Well... sorry for the rambling.... that's my humble opinion.

-Roger