A lot of problems have been popping up lately, dealing with the hijacking of staff members' accounts.
Someone with malicious intent could log one of your staff's accounts and ask for their IP to be updated.
Do you take precautions to verify that the person asking for the IP change is who you think they are? No, very few (if any) people do.
To prevent giving RC access to hijackers, follow these steps to ensure the person on the account is who you think they are:
- Compare their old IP(s) to their new IP using a who-is tool such as ARIN WHOIS. If the ISP has suddenly changed or teleported across the country, something is probably wrong.
- Compare their computer ID to their old computer ID. There's no way to see previous computer IDs they logged on with, so it's a good idea to list their regular computer ID somewhere such as comments.
- Talk to them and ask questions only they would know. If their typing seems to be strange (i.e. someone who normally uses punctuation and grammar not using it) or they can't answer your questions, it should be obvious they aren't the account's owner.
If you check all of these things over and something is wrong, inquire about it.
For example: if their ISP doesn't match, ask questions such as why they changed ISPs and what their old ISP was.
If you follow these steps to verify the person, your server should stay safe from account hijackers.
09-25-2006, 03:06 PM
Threaded Mode