防止员工通过编辑电子邮件地址接管用户帐户的最佳做法是什么?
我们正在构建一个 CRM 类型的应用程序,尽管这适用于任何有“会员”和“员工”的应用程序,例如购物网站、约会网站、Facebook 等。
在我们的应用程序中,用户可以通过重置来以通常的方式更改密码并通过电子邮件确认。用户还可以拥有多个与其帐户关联的电子邮件地址。
我们正在努力解决的是如何防止使用该系统的人员接管账户。我们希望员工能够编辑电子邮件地址(因为有人可能会打电话要求更改);那么问题是他们可以简单地将电子邮件更改为他们控制的电子邮件 - 并请求以用户身份重新设置密码。
有没有推荐的最佳实践?
We are building a CRM type app although this would apply to any application where there are "members" and "staff" e.g. a shopping site, dating site, facebook etc.
In our app, users can change their password the usual way, by resetting it with email confirmation. Users can also have more than one email address associated with their account.
What we are trying to work out is how to prevent staff using the system taking over the accounts. We want staff to be able to edit the email address (because someone may phone in and request a change); the issue then is they can simply change the email to one they control - and request a password re-set as a user.
Are there any recommended best practices for this?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
![扫码二维码加入Web技术交流群](/public/img/jiaqun_03.jpg)
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
您可以要求用户还通过其他方式对操作进行身份验证,例如当电子邮件地址更改时,用户会通过短信发送确认码,他们必须在某处输入该确认码。
另一种方法是仅在正确输入某些信息的情况下才允许访问该帐户。这可以是地址信息或出生日期。不太可能从姓名或帐号等信息中猜测出此信息。
You could require the user to also authenticate the action by other means, such as when the email address is changed the user is sent a confirmation code via text message that they must input somewhere.
Another means would be to only allow access to the account if certain information is inputted correctly. This could be address information or DOB. It is unlikely that this information could be guessed from something like a name or account number.
1) 添加一个愚蠢的安全问题,例如“你最喜欢的颜色是什么?”并将答案加密存储在数据库中。工作人员可以根据自己的喜好编辑电子邮件,但如果他们不知道秘密问题的答案,系统将不允许他们更改密码。如果您担心员工的可信度,那么您需要引入他们无法控制的东西作为最终网关,然后才能更改用户帐户。
我想一个简单的实现只是检查用户是否重置了密码。如果是这样,在登录时,它会向他们询问安全问题,以“验证”他们的身份,然后再允许他们继续。
2) 记录、监控和审计。记录哪些员工帐户访问了电子邮件地址更改表单、他们更改了哪些地址、他们还更改了哪些地址以及何时更改。还记录访问帐户的人员的连接信息。如果您的日志显示一个 IP 地址访问 4-5 个完全不同的帐户,您可能需要对此进行调查。 (是的,我知道你可以使用代理等来掩盖这一点。并不完美,但它会很快清除掉谷壳)。
3)雇用值得信赖的人! #2 实际上应该只需要用作针对滥用的“检查”,而不是最终全部阻止它。
1) Add one of those silly security questions like "What is your favorite color?" and store the answer, encrypted, in the database. Staff could edit the email to their heart's content, but if they didn't know the answer to the secret question the system wouldn't let them change the password. If you have concerns about staff trustworthiness, then you need to introduce something outside their control that serves as a final gateway before you can change the user account.
I imagine a simple implementation would simply check to see if the user reset their password. If so, on login, it challenges them with the security question to "authenticate" them before allowing them to proceed.
2) Logging, monitoring, and auditing. Record which staff accounts accessed the email address change form, what address(es) they changed, what they changed them too, and when they changed them. Also record the connection information of the people accessing the accounts. If your logs show one IP address accessing 4-5 completely disparate accounts, you might need to look into that. (Yes, I know you can use proxies etc. to mask this. Not perfect but it'd weed out the chaff pretty fast).
3) Hire trustworthy people! #2 should really only need to be used as a "check" against abuse instead of the end all be all to stop it.