Michael (Author) Posted June 27, 2013
OK, so this may never happen to Blesta, but I think it would take this billing system one step further away from the competitors. I believe it should be an extra module that you pay for, like the licensing system (in development).

Non-admins: you click a client's ID and are then greeted with a box (modal) asking you to enter the following:
- Client postcode
- Client's support password

If you click cancel you are redirected to the client list. If you enter the correct information you can then see the client's account. Just like if you were phoning Virgin Mobile (UK) or Sprint (US), you are asked for information before they can see your account; if you fail to provide it, they can't do anything to your account or even see it.

Admins, however: if you ticked the box on the Access Control List to allow administrators to bypass client protection, they can view the client details just like now, and edit their information too.

The support password is NEVER shown to the administrators, just to the client, who can change it at any time. It is encrypted to ensure security. They first set it up on registration.
Paul Posted June 27, 2013
I actually quite like this idea, though I'm not sure how widely used it would be. It would prevent staff from viewing accounts that no user was calling about. Interesting; curious what everyone else thinks.
Michael (Author) Posted June 27, 2013
Quoting Paul: "I actually quite like this idea, though not sure how widely used it would be. It would prevent staff from viewing accounts that no user was calling about. Interesting, curious what everyone else thinks."
Yeah, but that staff member doesn't need to see it without permission, whereas the admins can. And I thought it would be a good paid add-on because, like you say, not everyone would use it, and it would take some time to code if I'm honest. But someone could use your software for call centre functions as well as the billing system, etc. They can give the information by ticket if they wished, but the client has to remember their password, since staff wouldn't be able to see it. They can change it if they know it.
Cody Posted June 27, 2013
You'd have to have a separate staff group with super limited access, and this feature would have to be tied into the permission system somehow. The question asked ("Enter Zip/Postal Code") would have to be entirely configurable, possibly even based off of custom client fields. There would be a lot involved (UI-wise).
Michael (Author) Posted June 27, 2013
Quoting Cody: "You'd have to have a separate staff group with super limited access, and this feature would have to be tied into the permission system somehow. The question asked "Enter Zip/Postal Code" would have to be entirely configurable, possibly even based off of custom client fields. There would be a lot involved (UI-wise)."
Can't it check it against the database, mate? For example, this:

Customer First Name: [Michael]
Date of Birth: [21-01-1992]
Zip / Postal Code: [b49 6BE]
Customer Password: [****************]

Checks fields against database == True
Shows message: "Thank you for confirming the information. Click here to continue", or something.
Michael (Author) Posted June 27, 2013
Quote: "I think you just illustrated what I said."
Oh ;D Oh yeah, so the custom fields you mentioned mean we can pick which fields to check?
Cody Posted June 27, 2013
Another thing that would have to be done for this is a logging mechanism to keep track of when staff users access client profiles.
Michael (Author) Posted June 27, 2013
Quoting Cody: "Another thing that would have to be done for this is a logging mechanism to keep track of when staff users access client profiles."
Love that idea, mate.
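As an added example (not Blesta code, and not part of any post in this thread), here is one way the field check Michael sketches and the access log Cody asks for could fit together. The modal's answers are compared against the stored record; the support password is kept only as a salted PBKDF2 digest rather than reversibly encrypted (an assumption made here so that no administrator or DBA can read it back; the original post only says "encrypted"); every decision, including admin bypasses, goes to an append-only log; and a staff/client pair is locked after repeated misses, which is the practical answer to a caller who cannot spell the password. The field names, the `bypass_client_protection` permission, the tunables and the sample client record are all invented for the example.

```python
import hashlib
import hmac
import os
import re
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Tunables: assumptions for this example, not Blesta settings.
PBKDF2_ROUNDS = 100_000       # raise until one check costs ~100 ms on your hardware
MAX_FAILED_ATTEMPTS = 3       # misses allowed per (staff, client) pair before lockout
LOCKOUT_SECONDS = 15 * 60


def hash_support_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a salted PBKDF2 digest of the support password.

    Only the salt and digest are stored, so nobody with database or admin
    access can read the password back; a client who forgets it resets it.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def normalize_postcode(value: str) -> str:
    """Postcodes compare case- and whitespace-insensitively ("b49 6BE" == "B496BE").
    The support password is never normalised: it is a secret, not an address field."""
    return re.sub(r"\s+", "", value).upper()


def _same(a: str, b: str) -> bool:
    """Constant-time equality on already-normalised strings."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


@dataclass
class Client:
    client_id: int
    first_name: str
    date_of_birth: str          # ISO 8601 date, e.g. "1992-01-21"
    postcode: str
    support_salt: bytes
    support_hash: bytes         # from hash_support_password(); plaintext is never stored


@dataclass
class Staff:
    staff_id: int
    permissions: frozenset      # e.g. frozenset({"bypass_client_protection"}) for admins


@dataclass
class ProtectionGate:
    """Decides whether a staff member may open a client's profile and logs every decision."""
    log: List[Dict[str, object]] = field(default_factory=list)
    failures: Dict[Tuple[int, int], Tuple[int, float]] = field(default_factory=dict)
    clock: Callable[[], float] = time.time     # injectable so tests can control lockout expiry

    def _record(self, staff: Staff, client: Client, outcome: str) -> None:
        # Append-only audit trail: who tried to open which account, when, and the result.
        self.log.append({"ts": self.clock(), "staff_id": staff.staff_id,
                         "client_id": client.client_id, "outcome": outcome})

    def authorize(self, staff: Staff, client: Client,
                  answers: Optional[Dict[str, str]] = None) -> bool:
        """Run when a staff member clicks a client ID.

        `answers` holds the modal's fields. None means the staff member asked to
        skip the modal, which only the ACL bypass permission allows.
        """
        key = (staff.staff_id, client.client_id)
        if answers is None:
            allowed = "bypass_client_protection" in staff.permissions
            self._record(staff, client, "bypass" if allowed else "denied")
            return allowed

        count, lock_until = self.failures.get(key, (0, 0.0))
        if lock_until > self.clock():
            self._record(staff, client, "locked")
            return False

        # Evaluate every field before deciding, so a wrong DOB and a wrong password
        # cost the same time and the response does not reveal which field was wrong.
        _, digest = hash_support_password(answers.get("support_password", ""), client.support_salt)
        checks = [
            _same(answers.get("first_name", "").strip().casefold(), client.first_name.strip().casefold()),
            _same(answers.get("date_of_birth", "").strip(), client.date_of_birth),
            _same(normalize_postcode(answers.get("postcode", "")), normalize_postcode(client.postcode)),
            hmac.compare_digest(digest, client.support_hash),
        ]
        if all(checks):
            self.failures.pop(key, None)
            self._record(staff, client, "verified")
            return True

        count += 1
        if count >= MAX_FAILED_ATTEMPTS:
            lock_until = self.clock() + LOCKOUT_SECONDS
        self.failures[key] = (count, lock_until)
        self._record(staff, client, "locked" if count >= MAX_FAILED_ATTEMPTS else "failed")
        return False


if __name__ == "__main__":
    # Constructed sample data for the demo; not a real client record.
    salt, digest = hash_support_password("correct horse battery")
    client = Client(1, "Michael", "1992-01-21", "B49 6BE", salt, digest)
    gate = ProtectionGate()
    print(gate.authorize(Staff(7, frozenset()), client, {
        "first_name": "michael", "date_of_birth": "1992-01-21",
        "postcode": "b49 6be", "support_password": "correct horse battery"}))
    print(gate.log[-1]["outcome"])
```

The log entries are what an auditor would ask for: a "bypass" row for every admin who skipped the modal, and "failed"/"locked" rows that show a staff login being used to guess at accounts. Lockout is per staff/client pair rather than per client so that one mistyped call does not lock a customer out of support altogether.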
John Posted June 28, 2013
I love this idea! This is exactly what our company needs. It would prevent a lot of PCI headaches.
Paul Posted June 28, 2013
Just a note on this in terms of PCI: Blesta logs all credit card accesses by staff under "/admin/tools/logs/accountaccess/", as well as all contact changes, and much more. You can always see when a staff member accesses a credit card, and only those staff members who have the key can view them anyway.
John Posted June 30, 2013
Quoting Paul: "Just a note on this in terms of PCI -- Blesta logs all credit card accesses by staff under "/admin/tools/logs/accountaccess/", as well as all contact changes, and much more. You can always see when a staff member accesses a credit card, and only those staff members who have the key can view them anyway."
Awesome! This will also help quite a bit!
silvatech Posted June 30, 2013
I love this idea. As an example, if, let's say, a hacker happens to find out one of your employees' logins, this prevents that individual from stealing people's information as easily. Passwords not being viewable is, to me, just a must; the customer can have it reset instead. To me it is common practice everywhere but the web hosting industry.
ryguy222 Posted July 27, 2013
We don't get a lot of phone calls, but we are big on live chats, and in order for us to render support via live chat we require the customer to give us their live chat PIN and zip code (which they set up during registration) to verify identity. If they refuse, we require them to log in and put in a ticket.
Michael (Author) Posted July 27, 2013
Quoting ryguy222: "We don't get a lot of phone calls, but we are big on live chats, and in order for us to render support via live chat we require the customer give us their live chat pin and zipcode (which they setup during registration) to verify identity. If they refuse we require them to login and put in a ticket."
This would work for you too, as long as they give you their correct support password.
Scott Horsley Posted July 27, 2013
I have a question relating to this. It works well when you have a phone-call support/sales/whatever request, yet giving your name/password/DOB over an email or chat client is a 'huge' no-no in my books. There isn't a way to dictate whether it was being logged somewhere or intercepted. What happens when a client sends an email into the support system and your staff can't see the client page? What happens when a client is using a live chat system? I like the idea overall, but I still believe it falls down in some areas.
Michael (Author) Posted July 27, 2013
Quoting Scott Horsley: "I have a question relating to this.. It works well when you have a phone call support/sales/whatever request, yet giving your name/password/DOB over an email or chat client is a 'huge' NO NO in my books. There isn't a way to dictate whether it was being logged somewhere or intercepted. What happens when a client sends an email into the support system and your staff can't see the client page? What happens when a client is using a live chat system? I like the idea overall but I still believe it falls down in some areas."
It's not their personal password, it's a special password. If the client can provide the information over live support, they can give them the information, or, if Blesta makes one, a popup securely allows them to enter it without the staff touching their account. Tickets: if the client submits a ticket, staff can see the product / client name / email, but can't access their account without being a manager / senior staff.
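The "popup that lets the client enter it without the staff touching their account" is the piece that answers the objection about sending secrets over chat or e-mail: the secret is typed on the client's own screen, and the staff member only ever receives a yes/no. The following is an added example, not Blesta code and not anything posted in this thread, of one way to build that. The staff member opens a short-lived challenge; the client completes it (the password check itself is passed in as a `password_ok` callable standing in for whatever the billing system already uses); on success the server issues an HMAC-signed grant bound to that staff member, that client and an expiry, which the profile page checks on every request. The server key, the two lifetimes and the demo inputs are assumptions for the example.

```python
import base64
import binascii
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

CHALLENGE_TTL = 10 * 60   # assumption: the client has 10 minutes to answer the popup
GRANT_TTL = 30 * 60       # assumption: a successful check unlocks the profile for 30 minutes


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class OutOfBandVerifier:
    """Lets the client prove knowledge of the support password on their own screen.

    The staff member only ever handles an opaque challenge id and, afterwards, a
    signed grant; the secret itself never enters the chat or e-mail transcript.
    """

    def __init__(self, key: bytes, clock: Callable[[], float] = time.time) -> None:
        self.key = key                                  # per-deployment HMAC key (config/KMS)
        self.clock = clock
        self.pending: Dict[str, Tuple[int, int, float]] = {}

    def open_challenge(self, staff_id: int, client_id: int) -> str:
        """Staff side: request verification. The returned id goes to the client
        (e.g. as the link behind the popup); it reveals nothing about the secret."""
        challenge_id = secrets.token_urlsafe(16)
        self.pending[challenge_id] = (staff_id, client_id, self.clock() + CHALLENGE_TTL)
        return challenge_id

    def complete_challenge(self, challenge_id: str, support_password: str,
                           password_ok: Callable[[str], bool]) -> Optional[str]:
        """Client side, inside the popup. `password_ok` is whatever check the billing
        system already has for the support password (a hash comparison, typically).
        Returns a grant token on success, None otherwise. One attempt per challenge."""
        entry = self.pending.pop(challenge_id, None)   # consumed whatever the outcome
        if entry is None:
            return None
        staff_id, client_id, deadline = entry
        if self.clock() > deadline or not password_ok(support_password):
            return None
        return self._sign(staff_id, client_id)

    def _sign(self, staff_id: int, client_id: int) -> str:
        # The grant is bound to staff, client and expiry; the nonce keeps grants distinct
        # so each one can be logged and revoked individually.
        expires = int(self.clock()) + GRANT_TTL
        payload = f"{staff_id}:{client_id}:{expires}:{secrets.token_hex(8)}".encode("ascii")
        mac = hmac.new(self.key, payload, hashlib.sha256).digest()
        return _b64(payload) + "." + _b64(mac)

    def grant_allows(self, token: str, staff_id: int, client_id: int) -> bool:
        """Server side, on every request for the client's profile: is this grant
        genuine, unexpired, and for exactly this staff/client pair?"""
        try:
            payload_b64, mac_b64 = token.split(".")
            payload, mac = _unb64(payload_b64), _unb64(mac_b64)
        except (ValueError, binascii.Error):
            return False
        expected = hmac.new(self.key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, mac):
            return False
        try:
            s, c, expires, _nonce = payload.decode("ascii").split(":")
            return int(s) == staff_id and int(c) == client_id and self.clock() <= int(expires)
        except (UnicodeDecodeError, ValueError):
            return False


if __name__ == "__main__":
    # Constructed demo: a lambda stands in for the real support-password check.
    verifier = OutOfBandVerifier(key=secrets.token_bytes(32))
    cid = verifier.open_challenge(staff_id=7, client_id=1)            # agent clicks "verify client"
    grant = verifier.complete_challenge(cid, "correct horse battery",   # client types it in the popup
                                        lambda p: p == "correct horse battery")
    print(grant is not None and verifier.grant_allows(grant, 7, 1))
```

Because the grant is checked on every profile request rather than once at the door, expiry actually ends the session, and a grant copied out of one agent's browser is useless to another agent since the staff id is inside the signed payload. Ticket and e-mail flows fit the same shape: the challenge id is what gets mailed, not a request for the password.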
JoieDeMort Posted October 8, 2013
FYI: during the most miserable 16 months of my life, when I worked in a call center for [the biggest phone company in the US] handling all of their premium customers, including cell service and TV, we could see everything on any account we pleased. The "so that we can access your account" was pure BS. Asking for account passwords/SSNs et cetera was simply to verify the identity of the caller. We could make any changes we wanted to anyone's account at any time. However, they logged who accessed what and when for liability and prosecution purposes. The obvious problem with a hidden password a tech has to enter is that if someone spells something differently than the tech enters it, or if someone can't exactly remember the password, the tech accessing their account has no ability to use common sense and discretion. The feature seems to be needed most for support outsourced to third-world countries out of the reach of prosecution, or am I missing something?
EidolonHost Posted October 26, 2013
I would like to +1 this too. It's great for added PCI-DSS compliance. That said, I would say that this is something that should be made standard, in addition to the option of enabling two-factor authentication.
Michael (Author) Posted October 26, 2013
Quoting EidolonHost: "I would like to also 1+ this. It's great for added PCI-DSS compliance. That said... I would say that this is something that should be made standardized, in addition to the option of enabling 2-factor authentication."
It's a lot of work to make it part of the core software. I wouldn't say the time and effort would be worth releasing it for free, which is why I suggested it should be a paid plugin like the licensing system.
EidolonHost Posted October 26, 2013
Quoting Michael: "It's a lot of work to make it part of the core software, I wouldn't say the time and effort would be worth releasing it free, which is why I suggested it should be a paid plugin like the licensing system."
I agree, and it should be that way.
DandyDandy Posted October 29, 2013
I like this idea, although using the passwords might become tricky, especially if it's a random 12-character password using upper and lower case.