When handling support tickets and issues, we sometimes receive calls from anxious clients who want a quick fix for a minor problem. When we cannot verify the caller's identity, or we are talking to someone other than the registered customer, we always ask them to open a support ticket instead. Customers may find this inconvenient, but it is one of the most essential security measures, and one that every web host should follow.
Humans are the weakest link in the security chain: people can be deceived into revealing information or performing actions they should not. A web hosting company's support staff are a standing target for social engineers who impersonate customers in order to get passwords reset, accounts removed, or accounts and domains redirected. This article explains why web hosts must enforce certain security measures even when they are inconvenient for users.
Most web hosts offer online chat and phone support, but for anything significant customers are asked to open a support ticket. One of the main reasons is that a ticket adds a layer of authentication and logging: the customer must log in to the support system, so the request is tied to an authenticated account, the source IP address is recorded, and a record of all communication stays with the account. An attacker who wants to act on a customer's account therefore first needs access to that customer's support account. Without the password, the only route is a password reset, and the reset goes to the registered email address; without access to that mailbox, the attack stops there. Likewise, every major action is confirmed by an email alert to the registered address. The flip side is that the registered mailbox is the root of trust for the whole account: if it is compromised, the attacker can reset the portal password and receives every alert, so it must be protected at least as well as the hosting account itself.
Many hosts have started offering two-factor authentication for logins to their billing and management systems. Some users see this as a hindrance, but the extra layer makes a real difference: even if a password leaks or is phished, the attacker still needs the second factor before the login succeeds.
Long passwords are harder to crack or guess, which is why most hosting companies enforce a minimum password strength so that your password is not easy to break. The required strength can differ by service: for example, a strength score of 80 may be required for your control panel and FTP passwords, while everyday mailbox passwords may only need 60 or 70. A higher score means a longer password, or a harder-to-guess mix of letters, numbers and symbols.
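The following is an added example, not code from the original article or from any hosting provider's software. It assumes a 0 to 100 strength score (the article gives the thresholds 80 and 60 to 70 without naming the scale) and a simple scoring rule of my own: estimated brute-force entropy in bits, halved for each weakness a guessing attack exploits (dictionary words, repeated characters, alphabet or keypad runs). The per-service minimums and the tiny word list are constructed for the example; a real deployment would use a breach list and a library such as zxcvbn.

```python
import math
import re

# Assumed policy: per-service minimum scores following the article's figures
# (80 for the control panel and FTP, a lower bar for everyday mailboxes).
POLICY = {"control_panel": 80, "ftp": 80, "email": 60}

# Tiny stand-in for a real dictionary/breach list (constructed for the example).
COMMON_WORDS = {"password", "123456", "qwerty", "letmein", "welcome", "admin", "hosting"}


def charset_size(password):
    """Size of the smallest character pool that could have produced the password."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"[0-9]", password):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", password):
        size += 33  # 32 printable ASCII punctuation characters plus space
    return size


def has_sequence(text, run=4):
    """True if `text` contains `run` consecutive characters that step up or down
    by one code point ("abcd", "4321")."""
    for i in range(len(text) - run + 1):
        steps = [ord(text[j + 1]) - ord(text[j]) for j in range(i, i + run - 1)]
        if all(s == 1 for s in steps) or all(s == -1 for s in steps):
            return True
    return False


def score(password):
    """Strength score 0..100: length times log2(pool size) gives the bits an
    exhaustive search would need; each recognisable weakness halves that."""
    if not password:
        return 0
    bits = len(password) * math.log2(charset_size(password))
    lowered = password.lower()
    core = re.sub(r"[^a-z]+$", "", lowered)  # "Password1!" -> "password"
    if lowered in COMMON_WORDS:
        bits = min(bits, 10)  # a bare dictionary word falls almost immediately
    elif core in COMMON_WORDS:
        bits *= 0.5  # dictionary word padded with trailing digits/symbols
    if len(set(password)) <= max(1, len(password) // 3):
        bits *= 0.5  # mostly repeated characters ("aaaaaaaa")
    if has_sequence(lowered):
        bits *= 0.5  # alphabet or keypad runs
    return int(min(100, round(bits)))


def check(service, password):
    """Apply the per-service minimum; returns the verdict plus the numbers behind it."""
    required = POLICY[service]
    s = score(password)
    return {"service": service, "score": s, "required": required, "ok": s >= required}


if __name__ == "__main__":
    # Constructed sample passwords, from hopeless to comfortably above the control-panel bar.
    for candidate in ["password", "Password1!", "Abcd1234!!", "Marigold-44b", "Tq7#vLm2!pXz9@Rk"]:
        verdicts = {svc: check(svc, candidate)["ok"] for svc in POLICY}
        print(f"{candidate!r}: score {score(candidate)} -> {verdicts}")
```

With this rule a twelve-character mixed password such as the constructed "Marigold-44b" scores 79: enough for a mailbox under the 60 threshold, but short of the 80 required for the control panel and FTP, which is exactly the split the article describes.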
Many web hosts do not let you reset the password of each service directly; resets are only possible through their administration portal. This ensures that your employees, contractors or developers cannot lock you out of your own services unless they also get hold of your administration password. It also makes password resets traceable: if a password is misused, the host can see from where, when and how it was reset or the account was logged into. Finally, it gives customers a single point of contact for all their issues, which makes them less likely to fall for a phishing email that points them to a fake "reset your password" page.
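To make the mechanism in the two paragraphs above concrete (ticket-system authentication and logging, resets that go only to the registered mailbox, alerts on every major action, and service passwords that change only through the portal), here is an added example in the form of a minimal in-memory portal. It is not code from the original article or from any real hosting platform; the class name, the 15-minute token lifetime, the PBKDF2 parameters and the simulated mail outbox are all my assumptions, and the customers and IP addresses in the demo are constructed.

```python
import hashlib
import secrets
import time

# Assumed parameters for this hypothetical portal (not from the article).
TOKEN_TTL_SECONDS = 15 * 60
PBKDF2_ROUNDS = 100_000


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256; returns (salt, digest) so the salt is stored beside the hash."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(password, salt, digest):
    _, candidate = hash_password(password, salt)
    return secrets.compare_digest(candidate, digest)


class SupportPortal:
    """Hypothetical support/billing portal: every action is authenticated, logged with
    its source IP, and confirmed to the registered email address."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.customers = {}      # username -> {"email", "salt", "digest", "services": {name: (salt, digest)}}
        self.reset_tokens = {}   # sha256(token) -> (username, expires_at); only the hash is stored
        self.audit = []          # (timestamp, source_ip, username, action, outcome)
        self.outbox = []         # simulated mail server: (to_address, subject, body)

    def _log(self, ip, username, action, outcome):
        self.audit.append((self.clock(), ip, username, action, outcome))

    def _notify(self, username, subject, body=""):
        # Alerts go only to the address on file, never to one supplied in the request.
        self.outbox.append((self.customers[username]["email"], subject, body))

    def register(self, username, email, password):
        salt, digest = hash_password(password)
        self.customers[username] = {"email": email, "salt": salt, "digest": digest, "services": {}}

    def request_reset(self, ip, claimed_email):
        """Step one of a reset: a token is mailed to the registered address, or nothing
        happens. The caller learns nothing either way, so this cannot enumerate customers."""
        for username, rec in self.customers.items():
            if rec["email"] == claimed_email:
                token = secrets.token_urlsafe(32)
                token_hash = hashlib.sha256(token.encode()).hexdigest()
                self.reset_tokens[token_hash] = (username, self.clock() + TOKEN_TTL_SECONDS)
                self._notify(username, "Password reset requested", token)
                self._log(ip, username, "reset_requested", "token_mailed")
                return None
        self._log(ip, None, "reset_requested", "unknown_email")
        return None

    def complete_reset(self, ip, token, new_password):
        """Step two: only the holder of the mailbox has the token; it expires and works once."""
        token_hash = hashlib.sha256(token.encode()).hexdigest()
        entry = self.reset_tokens.pop(token_hash, None)   # pop: a token is single use
        if entry is None:
            self._log(ip, None, "reset_completed", "invalid_token")
            return False
        username, expires_at = entry
        if self.clock() > expires_at:
            self._log(ip, username, "reset_completed", "expired_token")
            return False
        rec = self.customers[username]
        rec["salt"], rec["digest"] = hash_password(new_password)
        self._notify(username, "Your portal password was changed")
        self._log(ip, username, "reset_completed", "ok")
        return True

    def set_service_password(self, ip, username, portal_password, service, new_password):
        """Service (control panel, FTP, mailbox) passwords change only here, after portal
        authentication, so a developer with the FTP login cannot lock the owner out."""
        rec = self.customers.get(username)
        if rec is None or not verify_password(portal_password, rec["salt"], rec["digest"]):
            self._log(ip, username, f"service_password:{service}", "portal_auth_failed")
            return False
        rec["services"][service] = hash_password(new_password)
        self._notify(username, f"Password changed for {service}")
        self._log(ip, username, f"service_password:{service}", "ok")
        return True

    def mailed_reset_token(self, email):
        """Stands in for the customer reading their inbox: the latest token sent to `email`."""
        tokens = [body for to, subject, body in self.outbox
                  if to == email and subject == "Password reset requested"]
        return tokens[-1] if tokens else None


if __name__ == "__main__":
    portal = SupportPortal()
    portal.register("acme", "owner@example.com", "Correct-Horse-9!")
    portal.request_reset("203.0.113.5", "attacker@example.net")   # constructed attacker, no token minted
    portal.request_reset("198.51.100.7", "owner@example.com")     # constructed customer
    token = portal.mailed_reset_token("owner@example.com")
    print("reset ok:", portal.complete_reset("198.51.100.7", token, "New-Portal-Pass-4$"))
    print("dev without portal password:", portal.set_service_password("192.0.2.9", "acme", "guess", "ftp", "x"))
    for entry in portal.audit:
        print(entry)
```

Two things in the audit trail are what the host relies on when a customer disputes a change: the source IP of the failed `unknown_email` and `portal_auth_failed` attempts, and the fact that a successful reset could only have started from a token delivered to the registered mailbox. That is also why the example notifies the address on file rather than any address the caller supplies.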
If you think these threats are over-hyped or exaggerated, think again. In the past 4 years, major companies and organizations have fallen prey to such scams. Had they followed simple identity-verification procedures when dealing with customers, the fraudsters would have been caught at the first step.