Plans with Account & Access

Document Introduction

This Series & Dataroom - Anti-Hack Jobs

This document belongs to the dataroom of, Anti-Hack Jobs, of which in turn, belongs to Australian based KangaBytes as the owner and author of all content within this document.

The Anti-Hack Jobs advisory, is to advise in respect to, how best to protect the data of your customers, from hacking events.

The use of these tips, requires a license. Please visit the online dataroom at www.kangabytes.tips/pass.html for this information.

This Document - Plans with access

This document focuses on facets of online accounts, of which aim to deny quick and easy access to the data within that account.

Nothing within this document, makes use of the password field in any way.

Rather, tips featured within this document, focus on other types of account settings of which, will always hamper the hacker in their respective ways.

ACCESSDELAYS - How it Works

Opening Summary

When an account holder wants to change any of a list of settings, or, seeks to operate any of the account features, there will be a delay of time, before that change can take effect.

Sequence of Events will be as follows;
1. The customer/user, requests the change of a setting, just like how this happens now.
2. Instead of, that change happening instantly, like how things currently happen, there will be period of time known as the (Access) delay, the length of time, may be hours, days or weeks.
3. After this delay period ((Access) delay), the setting either is changed automatically, or can now be changed manually via an approve button.

The length of time, in the delay, should be at least, a few days, or can be as long as, one or two weeks.

The True Holder has this (Access) delay time, to detect this setting request, and, can then, take action to reverse this setting change request, before harmful impacts can result from that change.

AccessDelays - Wordings and Meanings

Meaning of Setting Change Delay

Means, the period of time after when the setting request has been made and, before the Delay Expiry happens.

Meaning of Delay Expiry

Means the moment of when, the Setting Change Delay period of time has come to its end. This is the moment of time, at which, the setting request can be performed.

Meaning of Delay Reversal

Means when, the True Holder reverses a Delayed Setting request.

Meaning of Delayed Setting

Means, the setting change, of which is currently being delayed, due to an Setting Change Delay event.

AccessDelays - Table-Keyword meanings

Other quick features

The options for the ENUM column, are as follows;
• New : is the default setting, for when this table row is created. Although, at this new stage, this cell should be set to either 'Auto', 'Manual' or 'Overlap'.
• Auto : The setting automatically changes as soon as, the time delay elapses.
• Manual : Requires the manual activation by the True Holder after the time delay has gone past. This setting request shall not be activated by any other means.
• Overlap : As Manual, if done between the time delay expiry, and an extra bit of time after that.
• Ready : This option may be included, to indicate that, the time delay has expired, and, is ready to accept a manual approval.
• Approved : The setting-request has been implemented. Either the Auto function has operated on time, or, the Approve button has been activated.
• Cancelled : Means, the True Holder has activated the cancel button, during the time delay period.

AccessDelays - The Customer/User

Adjust the AccessDelay itself

While logged in, the True Holder enters an area of their account, and adjusts this setting.

Please read the page AccessDelays - Handy Tips.

START the process

This is where, you make the request to change any setting, or request a service, where that setting or service is subject to a AccessDelay function.

The True Holder goes into that area of the website, and puts in the new setting, as they currently do, for that same feature of their account.

Reverse the process

Where the True Holder is to find out that there is a request to adjust a setting, of which is subject to an AccessDelay, and of which is currently in progress, that True Holder simply needs to activate a Delay Reversal by activating a Cancel button, to stop this setting change from happening.

Confirm the process

Where the setting is 'auto', the setting change will happen, moments after when, the delay time has expired.

Otherwise, once the time of the delay has been reached, the True Holder will be presented with an Approve or Ok button, to activate that change to that setting.

AccessDelays - Handy Tips

Adjusting the Setting Change Delay length

The one setting that MUST be subject to a Setting Change Delay is, the AccessDelay setting itself.

Especially when the Setting Change Delay is being reduced, there must be a delay, to the adjustment of the Setting Change Delay, the length of which MUST be, equal to the Setting Change Delay length value/setting of which at that moment, being adjusted away from.

Authentication Adjustments

Whenever there is a request to adjust a setting associated with the Authentication process, such as the email address used to log in with, you may need to accept both old and new email addresses until either the Delay Expiry or Delay Reversal happens.

AccessDelays - What you do need

Within the Account Area
• Common Setting : Where your website has one Setting Change Delay setting for all other settings, then, the AccessDelay needs to have its own form field.
• OTHERWISE, you need to have an input tag, located next to each respective setting, or each group of respective settings, depending upon how the AccessDelay works with what, within your website.

Account Entry-Foyer area
• This MUST be located, somewhere of which, will be shown to the True Holder, as the True Holder enters their account. This MUST be, directly after the log in authentication stage.
• This box, MUST always show, somewhere near the top of, where a True Holder is to land, once the Authentication process is complete. This box MUST always be shown here, including when there are no changes pending.

Automatic script
• This is only required where and if, your website is to have the setting change, performed automatically. Should everything in your website need the user to manually click an approved button, then please ignore this list.
• This script needs to check, each setting change request, check their Delay Expiry date, and if that is past, then, perform the setting change as requested.

Approve Script
• This script needs to run, whenever the True Holder activates the Approve, button, to finalise the approval process.
• As a safety feature, this script needs to check that, the True Holder is logged in, and the request has not been cancelled.
• Now is the time to change the setting.

Cancel Script
• This script needs to run, whenever the True Holder activates the Cancel, button.
• The Script needs to check that, this setting change has not yet been approved.
• The script will then, flag this setting change request, to ensure that, the approve script will never conduct a setting change on that setting.

AccessDelays - What you also need

Additional Database Table Columns
• For each account feature or setting of which is subject to an AccessDelay function, you need three new table columns.
• With SQL, you need two DATETIME columns. First of these is to register when the request was made. The other of the two, is when the delay expires, meaning the time of when the account setting can be adjusted to the request.
• Third column, is what, the True Holder has requested to, change the setting to.

A new Database Table
• You need to have a table, of which is to register each of these requests.
• Either you have one table, to list the requests for all setting changes, OR, have one of these table for each setting type of which you have.
• Where you have one table for them all, in SQL, you need something line an ENUM column, of which lists each setting of which there is to change.
• In either case, you need two colums with datestamps, one is when the request is made, the other, is when the Delay Expiry is due.
• You will also need something like {ENUM('New','Auto','Manual','Overlap','Ready','Approved','Cancelled') default 'New'}, to record the current status of that setting change.
• Lastly, you need two columns, one is to register the existing/old setting, and the other, is to register what the proposed or new setting is going to be.

Event Registration Table
• This table is to register each time, that the True Holder activates the Approve button, and for each time the Approve Script is operated.
• This table is also to be used, to regisetr when the Automatic Script, is to approve a setting change.
• You must record, Time of this event, IP address of whoever made this request
• There is also a need to register both the old setting, and new setting too. This is important, in case of errors, or for the need to track events.

Registration of Cancel Requests
• This table is to register each time, that the True Holder activates the Cancel button, and for each time the Cancel Script is operated.
• You must record, Time of this event, IP address of whoever made this request.

AccessDelays - Alturnate Options & Ways

Some options include;
• Mandatory delays : You may, require a fixed delay length, of whatever account settintgs you wish for this to be so with.
• Minimum and Maximum : You set a minimum delay length, and a maximum delay length. You let your customer to adjust their delay length to something that is within that range.

AccessDelays - The Hacker

The Hacker

Whenever a hacker seeks to get into an account, and take over that same account, with the aim of locking out the True Holder via the hacker adjusting the log in details.

When those same log in settings are subject to a Setting Change Delay, the True Holder has the option of, getting into their account, and, getting their access back before the true damage can be done.

AccessDelays - Some Risks of Note

This system will fail, whenever the True Holder visits their account, less often than, what the delay length is.

The True Holder MUST always be going to visit their accout, at least as often as, the shortest setting delays, of which their account has, to ensure that, the True Holder will always have enough of that time required, for the True Holder to react to, any adverse setting request, when they happen.

Please Note: This list of risks may NOT be complete. You are advised by us, to seek your own, independent advice in respect to this.

SESSION NEEDS - How it Works

The True Holder, is able to determine as to what their access needs are for their time inside their account, and, are thereby, restricted to operate within only those areas of their account, for the length of this log in session.

With Session Needs, the True Holder, makes their selection, from within the log in page, as the True Holder is in the process of, gaining access into their account.

As, other areas of the website/account area have access closed to them, nobody can get into those area(s) of the online account, and therefore, no hacker is able to get in to those areas either, despite the fact that, the True Holder is at that moment, making use of another area or feature of their online services.

Session Needs - The Customer/User

The True-Holder

What the True-Holder does,
• Within the log-in page, the true-user, gets presented with, a list of jobs of which they want to do whilst they are logged in.
• The True-Holder simply selects from this list, as part of their log in process.
• All activity is thereby, restricted to those selected activities only.

The True Holder will then, perform whater tasks/jobs of which their Session Needs will permit the True Holder to perform.

Should the True Holder seek to work within an area of their account, of which are closed/blocked by their current session requests, then, that True Holder will need to log out, and then log back in, with a different Session Needs request.

Session Needs - What you need

The Database
• An Extra database column, with the log in registration table, to indicate as to what areas are open for this customer during this log in session.
• Something like the SQL {SET()}. An online store like Ebay, would have the options of 'Buy','Sell','Start an Auction','Message Sellers'. Whereas a social media site will have ('Start new Thread','Add new posts','Do Like/love/hate').
• You may also include something like this SQL column {ENUM('read only','write new','update','all')} too. (See ENUM Options in the following page of this document).

The Login page
• Extra form field, of which lists the valid activity types for that website.
• One of those fields need to be, 'open to everything' (or 'Full Access').
• Another option needs to be, 'read only', as this will prevent any damage done to the account area.
• You may, have a series of checkboxes, each one, connected to a respective activity of which your website has.

The Authenticator Script
• The only time that, the Authenticator script does anything with Session Needs is, when the log in request has been fully authenticated.
• Then, the Authenticator script will simply need to set the cells (as The Database above).

Session Needs - Wordings and Meanings

Meaning of Full Access (Session)

This is the first of the two most important Session Needs settings, of which there are.

Under this mode, all features and functions are switched on, with full access, to the account user/operator.

Meaning of Read Only (Session)

This is the second of the two most important Session Needs settings of which there are.

This is where, the account user, is permitted to only read from the account. Nobody is permitted to change any settings, send messages/emails, make purchases or payments of any kind.

The only possible non-read activity there can be, is to send help messages.

Meaning of Update Only (Session)

ENUM Options include,
• Write New : gives permission to write new content, but not go over existing content. Such as, be able to write a new email/message, however you will not be able to update or edit any existing email/message.
• Update : Shold be, to include both write new, and update any existing works.
• All : This is the wildcard option. Ensures the True Holder has access to every account feature, service and function.

Session Needs - Alturnate Options & Ways

Combine with other tips

There are many handy ways, in which some websites may be able to combine Session Needs with other tips of mine, such as ModeCode.

Session Needs, is focused on, the setting you make, as you start a new session, and, you decide what you want, at that moment. Whereas ModeCode, are preset settings, made some time before the respective session.

Session Needs - Handy Tips

Option of Full Access

Your website MUST still have available, the full account access option, for those users of who have a lot to do. This means, to have a checkbox or button, of which is clearly marked, 'Full Access', and will always grant full access to every feature and area of a persons online account.

Simple Read Only setting

One of the most handy restrictions to have, is to have a Read Only option.

This setting, will prevent any risks associated with, somebody sending a payment from a bank account, or to place a large order in an online retailer.

Session Needs - The Hacker

The Hacker

How this feature functions with the Hacker,
• Should the hacker attack whilst the True-holder is online, that hacker will be limited to, only the specific job(s) of which the True-holder has selected to do.
• There is a strong chance that, the hacker shall not want, whatever access rights there are for that moment.

How this hampers the hacker
• The hacker can only access information on the times of when this access is requested.
• All other days, the hacker is blocked.

Session Needs - Some Risks of Note

Please Note: This list of risks may NOT be complete. You are advised by us, to seek your own, independent advice in respect to this.

Damage can still be done

Where a hacker has followed their way in, right behind the True Holder, as the True Holder enters their account, the hacker can still inflict damage to the area(s) of which the True Holder has selected as their Session Needs for that session.

MODECODE - How it Works

A ModeCode, is set, and becomes associated with a specific list of account access features and areas, of which in turn is to enable the True Holder to log into their account, without any disclosure of what their account access requirements are.

There are two main types, as thus;
• Preset access selections : The webmaster has one or more, specific access combinations, and, has the True holder to set their ModeCode to each of these.
• Custom access selections : The True holder has the ability to, select a custom combination of access needs for each ModeCode they set.

ModeCode - Cross-tip notes

Compared with Session Needs

Compared with Session Needs, the True Holder selects their needs for that session, as they are doing their other authentication matters to start that log-in session with.

Where as with ModeCode, the True Holder enters a code during log in, and that code corresponds to, a pre-set list of access needs.

ModeCode - Marketing and Pitching

Public Vs Private

A True Holder may be able to have one ModeCode for when they are at home, and another ModeCode for when they out and about.

ModeCode - The Customer/User

During log in
• In addition to putting in their username and password, as we currently do as part of our log in procedure, the True user will also need to, put in their ModeCode into a third input field too.

Within their account area;
• There should be somewhere within the account area, in which, the user can set their ModeCodes with, as well as, what types of access of which, that code is to be associated with.
• The layout of this page, depends upon the website having, Preset Selections, or Custom Selections (See next two lists).

Account Area - Preset Selections
• You will have a list of specific access combinations, from which your customer MUST select one of these.
• With each one of these, you will have one {input type=text} tag, so the cusomter can select what ModeCode they want with that respective access combinations.

Account Area - Custom Selections
• The quantity of these, depends upon website policy.
• The web page must be done in a table style of layout, of which will have one {input type=text} tag in one column, for the ModeCode to be set for that selection.
• Other columns in this same webpage table, will have whatever combination of checkboxes and/or radio-button lists for each area of access you have to grant within your website.

ModeCode - What you need

Log In Page
• You need to have one extra (a third) {input type=text} field, although you may chose to use, {input type=password}?? instead. This is for the entry of the ModeCode.

How the Authenticator Script needs to work
1. Firstly, needs to perform the Authentication process, against whatever user name and password system(s) you have. Where this is a pass, the script continus on to the next point.
2. Then, needs to check the database, and check the entered ModeCode against each of the ModeCodes for that user.
3. When a match is found, the next step is to copy the associated access combination next to that ModeCode, to the log in register, of which will in turn, control the access staus of the respective website areas or zones.

Database tables
• Each account, needs a table row, where that table focuses on ModeCode.
• Where your website permits say four ModeCodes per customer/account, then, you need to have four sets of these columns on each row. One of these column sets, is as shown in the following list.

Each column set needs the following,
• Column one, needs to be either a {TINYTEXT} or {CHAR(?)} column to contain the respective ModeCode.
• Column two, needs to hold the access rights of which are associated with that ModeCode. This column needs to match whatever you use for the actual access controls for a log in session.
• This second column, needs to be either an ENUM or a SET, of which matches the session access rights column for the current log in session, to ensure a quick copy of the settings from one table to the other.

ModeCode - Alturnate Options & Ways

Blank Entry Default

You need to work out, what your website will do, where a log in request is made, without there being a ModeCode provided.

Summary of ideas include,
• Trigger an error, and, access is bloked
• Default to, full access
• Default to read only
• Default to some other access combination

In combination with password TimeCycle passwords

With TimeCycle passwords, you may say that, specific settings/features can only used on particular days when, the TimeCycle password gets used.

ModeCode - The Hacker

The main area of focus here is, where a hacker is watching a True Holder, with the aims of accessing that account while the True Holder is logged in.

As with other tips in this document, the hacker will be restricted in what they can do, as, various areas will remain logged out.

Such as, where the True Holder is there to read only, the Hacker shall be Logged Out in respect to wanting to write anything within the account.

The one main difference with Session Needs is, the hacker has no way of knowing, as to what areas of the account, will be logged in or out, as, the hacker will not be able to read the contents of a log-in form, as can happen with the Session Needs advisory.

ModeCode - Some Risks of Note

Please Note: This list of risks may NOT be complete. You are advised by us, to seek your own, independent advice in respect to this.

As Hackable as Passwords

Where a hacker is able to get in, and get the passwords from that account, that same hacker is just as able to get the ModeCodes too.