  1. #1

    Live Chat Support and Security issues

    I am frustrated that my current provider allows me to log in to a web chat window and type in a name and email address and make a request.
    Of course this is very user friendly and the response time is very fast.

    However, there are MAJOR security issues with this.
    ** There is no authentication verifying I am who I say I am. I make a request and BAM it's done. I have managed ftp accounts and changed .NET versions on the server through a live help chat window. I could be anyone on the street making these requests.
    There is something wrong here. I have already complained about it to my host but it happened a second time.


    It seems like the live chat is over-used in lieu of using a form that requires authentication. Is this a problem with many providers? Has anyone out there faced this issue? Why not just set up a live help password or something?

    We worry so much about firewalls, sql injections, csrf attacks, blah blah blah. Heck, you can just get the tech support people to change stuff using a live help chat for crying out loud!

    I would love to hear if this is an issue everywhere or just for me. I would also like to hear any suggestions on hosts that have better security measures.

    Budget $40-$60 per month. I host about 5 to 8 low traffic sites on a mixture of Linux and Windows. I *could* go all linux if I had to.

    Very frustrated!!!

  2. #2
    We use Comm100 Hosted live chat software to provide support to our clients

    It can track visit count and geo IP for every visitor.
    Last edited by PureVM; 04-26-2011 at 01:17 AM.

  3. #3
    That's not good at all, personally I'm very strict with verification in the Live Chats at my company.

    We start with IP... if IP/hostname = same then we ask standard security,
    if IP = new then that flags payment checks etc.

    Then a repeat failure in verification will cause an email to be sent + further verification, maybe a slower process but if my clients have any intelligence at all, they'll understand the reasoning.

  4. #4
    I've seen it before, even at high end providers like SoftLayer where if you provide enough information that is publicly available about a company in the right fashion you could have them take actions.

    One thing you should keep in mind also is that anybody could spoof your email address, if they knew the right one, and send an email to support requesting them to do X, Y, or Z and chances are it would happen without deeper verification.

    Quote Originally Posted by PureVM View Post
    We use Comm100 Hosted live chat software to provide support to our clients
    This isn't even close to being relevant, but thanks for trying to increase your post count.
    Michael Denney - MDDHosting.com - Proudly hosting more than 37,700 websites since 2007.
    Ultra-Fast Cloud Shared and Pay-By-Use Reseller Hosting Powered by LiteSpeed!
    cPanel • Free SSL • 100% Uptime SLA • 24/7 Support
    Class-leading support that responds in minutes, not days.

  5. #5
    Whatever the case might be... I still feel that most of the providers that I dealt with are doing the right thing.

    Tech Support via Live Chat is there to help you out on small issues which could be resolved in a matter of minutes and does not need real logging into the server and stuff like that.

    As soon as they need to log in to your server, a ticket would be required in order to keep things in black and white. At least if something happens in between, they have a record of it and you could not deny that it isn't you requesting it. In the ticket, username, password, etc. are requested as usual.

    That's the best way to do things. Not just an email and name via live chat. That's way too risky and all chat has to be logged, etc. So if some tech forgets to log the chat, you're in deep trouble! Live chat for solving issues which require a login to the server to me is a NO NO.
    Aaron Ong
    Dedicated Servers - 100TB Servers - 100Mbps Unmetered Servers - Web Hosting - CDN Network
    Servers in Central, East/West Coast USA, EUROPE and ASIA
    Welltodo Century
    - www.welltodocentury.com

  6. #6
    One thing that we have done as a company is prevent issues like this from happening. All technical support and billing requests must be called in or opened as a support request. From there we can address the issues. We changed our live chat support from Sales, Billing & Support to just Sales, and we saw a decrease in people trying to access our clients' accounts.

    Even with this change if done correctly we can still answer all support tickets virtually in real-time as the systems are monitored 24x7.

    Not trying to make references/recommendations to my company, just stating what we've done over time because of situations like this.
    DedicatedNode, LLC - Making Web Hosting Great Again!

  7. #7
    Rackspace does this well. I have email hosted with them, and I have to be logged in with my user name and password to access chat support, then the tech on the live chat asks me a security question I set before making a change to my account.

    Preset security questions are really awful, as the answers are typically on people's Facebook profiles. Always let clients set their own security questions.

  8. #8
    Guess you need quality shared hosting and I'm sure you will find the right one in the offer section.

  9. #9
    We have custom coded our live chat, which shows to the operator whether the user is logged in or not.
    If they're not logged in, we simply ask them to log in to the control panel and we'll instantly see when they are authenticated (and process their request).

    Alternatively you should indeed just ask people to submit a ticket for critical things (e.g. installing/removing software, reinstalls, reboots, etc.)
    Snel.com Self-managed hosting provider
    Cloud VPS ★ Dedicated Servers ★ Colocation★
    Send an email to sales@snel.com. Call us at +31 88 3 088 099.

  10. #10
    When I worked in an IT department we only did critical stuff after phone verification. We had a list of phone numbers (mostly business phones) and we would call them using the number we had on file, or call their office number to verify the person we were talking to was who we thought it was.

  11. #11
    A lot of hosts make you set a security PIN or some type of special password before they'll change any account settings. I'd make that suggestion to them.
    Loop Internet
    AS 394868 - Wilkes-Barre, PA
    █ Fiber Internet and Colocation
    99.999% Uptime SLA - 24/7/365 Support

  12. #12
    I suppose it is always a correct and good idea to use live chat for general questions, and to ask the client to send any billing or account related info only using email.
    I suppose in this situation customers feel more protected.

  13. #13
    I don't really work like this, the Live Chat is mainly for Sales, but also in emergencies it means our techies can solve issues while keeping the client updated, the ticket/email process is slower and certainly not real-time in many cases.

    When I was with HostGator I dealt with everything over Live Chat, it basically meant I was guaranteed a reply.
    I was verified each time though and that's all that really matters.

    Another thing is tickets can be really annoying, I instruct my staff to create the initial ticket for the client, then all the client has to do is sit and wait for a reply, HostGator does the same, which is right.
    Why would any client want to log in to Live Chat just to be instructed to go somewhere else? It's not good service.

  14. #14
    We use WHMCS Live Chat Addon so we can see whether they are logged into their WHMCS account or not (they are logged in 9/10), if they are logged in then there is no need to ask them for their password. We only ask for their email/password if they are not logged in to their account.

    If they say they have forgotten their password we just send something like

    You will need to login at http://www.domain.com/support/

    If you've forgotten your password, please use https://www.domain.com/support/pwreset.php

    The email we have on file is <email>

    Once you have logged in, go to https://www.domain.com/support/clien...ction=products and click on the green arrow button for the domain <domain>. There you can update your password, etc.
    HostXNow - Shared Web Hosting | Semi Dedicated Hosting | Enterprise Reseller Hosting | VPS Hosting
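
Added example, not part of the thread or any poster's code: a sketch of the approach posts #9 and #14 describe, where the control panel hands the chat a signed token so the operator console can tell whether the visitor is really logged in, and the critical requests listed in post #9 are sent to a ticket. The key, token format, expiry and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # assumption: known only to panel and chat backend
MAX_AGE = 900                     # assumption: token is valid for 15 minutes
# Critical request types taken from post #9; the identifiers are hypothetical.
CRITICAL = {"install_software", "remove_software", "reinstall", "reboot"}


def _mac(account_id, ts):
    msg = f"{account_id}|{ts}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_chat_token(account_id, now=None):
    """Control panel side: called only for a logged-in user who opens chat.
    Account ids are assumed not to contain the '|' separator."""
    ts = str(int(time.time() if now is None else now))
    return f"{account_id}|{ts}|{_mac(account_id, ts)}"


def verified_account(token, now=None):
    """Chat backend side: account id if the token is authentic and fresh, else None."""
    try:
        account_id, ts, mac = token.split("|")
        age = (time.time() if now is None else now) - int(ts)
    except (AttributeError, ValueError):
        return None  # missing or malformed token: visitor is not logged in
    expected = _mac(account_id, ts)
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None  # forged or altered token
    if not 0 <= age <= MAX_AGE:
        return None  # stale token: ask for a fresh login
    return account_id


def operator_decision(token, claimed_account, request):
    """What the operator console shows next to an incoming chat request."""
    account = verified_account(token)
    if account is None or account != claimed_account:
        return "ask_login"    # a typed name and email address prove nothing
    if request in CRITICAL:
        return "open_ticket"  # keep a record for critical changes
    return "process"
```
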

  15. #15
    Depending on the problem, the operator must forward the customer to the right destination. If the server is down (the operator must check this) and the live chat visitor would like to reboot it, there is no reason to refuse his request and ask him to open a support ticket, provide a PIN, etc. If the customer wants to reinstall his server, then the only right way is opening a support ticket with account ID, PIN code or any other information which could confirm that the request is legitimate.
    TK Rustelekom LLC Dedicated server since 2002, RIPE NCC member, LIR
