Why does Kayako need my members password?

[PureSecurity]

Hi All,

I have an existing sales support query where the country code on my account in members.kayako.com is incorrect. I am being advised that I need to provide the password to my members account in order to have this changed. Why??? Surely I shouldn't need to provide my password to have an administrative detail changed. I certainly didn't need to provide it during my evaluation.

Is this standard Kayako practice? Is anyone else concerned by this?

[craigbrass]

Kayako need this for secutity although I agree it is somewhat insecure as many people use the same password for many different systems / sites.

My suggestion is to have a "Support Code" listed inside the members area (randomly generated) that you provide to them for any account changes.

[Jamie Edwards]

Hi there,

This is indeed standard practice. We ask for the e-mail address and password to verify users via live chat and sales ticket queries (obviously this does not need to be done for support tickets, as you need to be logged into the member's area to submit them).

[craigbrass]

What about my suggestion? Wouldn't that be a better way?

[PureSecurity]

Jamie,

That is really poor security practice. Especially as the password can only be sent via email and this is not a secure means of transfer. There are much better ways of validating identity, and it seems doubly silly for a piece of administrative information (i.e. what country I'm in!) that can be verified through a number of different ways.

As a process, it makes me wonder about Kayako's commitment to securing the integrity of my data, as well as whether their products are concerned enough with the security of the information contained within them generally. For Kayako's sake, I would hope that they had some commitment to these ideas, because the damage to their corporate reputation were someone to exploit something like this could be devastating.

[Jamie Edwards]

Hi PureSecurity,

I agree that asking for the password is not the ideal solution, but will think over the issue and come up with a solution.

[craigbrass]

Isn't that what I did above?

[Jamie Edwards]

Quote:

Originally Posted by craigbrass

Isn't that what I did above?

Yes, but I said we will think it over and come up with a solution (thank you for your suggestion), and I was also giving PureSecurity an official response.

Thanks,

[craigbrass]

Ah ok.

[Kristie]

what suggest if a person password doesnt work is setup a system where it verifys a person as the owner of the account by requesting users email adderess and then do a password request though phone/live chat too verify who they say they are.

[Jamie Edwards]

Thank you for the suggestion, but I think that system may be a bit over-complicated, especially where quick live chats / short tickets are concerned.

[PureSecurity]

In the same support issue, I was asked to create an admin user so they could check settings related to the SMS Gateway setup. Considering that email isn't particlarly secure, I think the last thing I would want to do is provide an unrestricted rights user access to my system, especially to a third party I don't have direct knowledge of and by an insecure means. This is also a practice that disturbs me...

As an additional piece of feedback, please provide some form of support and troubleshooting config file that can be compiled and used for diagnostic purposes. And then provide a secure means of transferring this!

R.

[Jamie Edwards]

Hi PureSecurity,

To send the information securely, use http://members.kayako.net to submit a support ticket or http://support.kayako.com to update an existing one using an SSL connection.

Administrator access is often needed so that a technician can assess your configuration.

[PureSecurity]

How about then a read-only administrator account? By default, all admins are read/write, which means that providing this access gives carte blanche to the person who has it to make changes. This is not a good thing for Kayako or the User, especially if a change made in the context of a support call breaks functionality.

Also, how can I audit what this person can do, and what they look at? I don't think I like the idea of a third-party potentially using this access to look at items that they shouldn't be, without a suitable audit trail around their access.

[PeteV]

We are facing the same problems. Indeed, in terms of security-related accountability, Kayako does not provide much comfort.

For example: We give Kayako our Administrator password to look at or fix a problem. We then discover that some confidential information has been leaked shortly afterwards. We contact Kayako, who then denies everything of course. Now what do we do?! It will be difficult for us to prove anything. For that matter, if Kayako was indeed innocent, they could still end up with angry/suspicious customers this way.

In fact, Kayako is our only software vendor that requires Administrator login without an audit trail.

There definitely needs to be some type of audit trail, or read-only Auditor account.