Changing Customers Password Without Consent

risinganger writes "BBC News is reporting that a customer had his password changed without his knowledge. After some less than satisfactory service the customer in question changed his password to 'Llyods is pants.' At some point after that, a member of staff changed the password to 'no it's not.' Requests to change it back to 'Llyods is pants,' 'Barclays is better,' or 'censorship' were met with refusal. Personally I found the original change funny, like the customer did. After all, god forbid a sense of humour rears its ugly head in business. What isn't acceptable is the refusal to change it per the customer's requests after that."

Plaintext passwords?

[MiKM (752717)]

What worries me more is that they are storing the passwords in plaintext.

Re:Plaintext passwords?

[Al Dimond (792444)]

And I thought I had a shot at getting this in first...

Maybe he should make his new password "Lloyds security is pants"

Re:Plaintext passwords?

[EdIII (1114411)]

It's a voice password. It is the employee on the phone that has to enter and verify the voice password. It is probably not being stored in plain text and it is entirely appropriate, and indeed required, that the administrative interface view the voice password as entered by other employees.

The only concern here is that an employee changed the voice password without authorization. Anytime an employee changes a password there should be records of the interaction. Call logs, voice logs, notes, etc.

Now in this case, the choice of the password might be deemed offensive. However, it seems that there was no clear and consistent policy enforced as to what a voice password could be.

Re:Plaintext passwords?

[MrNaz (730548)]

Unless there is money being paid for accessing the systems

What, you mean like bank fees?

or there is an existing policy/agreement in place that says the system owners will not mess with passwords

What, you mean like the legislative requirement that banks give depositors access to their funds?

The people that own the systems have the right to do what they wish with them.

No, they don't. They doubly don't if it means banking customers' financial services are interrupted.

Does your phone company, who own the systems that your phone calls go through, have the right to let their operators listen in on your conversations and interject with witty remarks every now and then?

Re:Plaintext passwords?

[Bender0x7D1 (536254)]

Does your phone company, who own the systems that your phone calls go through, have the right to let their operators listen in on your conversations and interject with witty remarks every now and then?

I live in the U.S. and am offended by the implications in your statement. Of course they have the right! How else would they find the terrorists?

Re:Plaintext passwords?

[EdIII (1114411)]

I think you missed my point. There were no call logs, voice logs, notes, that identified an interaction with the customer when the voice password was changed.

The fact they know which employee modified the password means that anytime customer information is changed they log which employee was responsible for it. That's good policy.

So since the voice password was changed, and there are no records of the customer calling in and asking for it, the employee was disciplined.

I thought that was clear from my post.

Re:Plaintext passwords?

[igb (28052)]

Actually, LTSB verification involves being asked for (three, I think) letters from your password / passphrase. I believe that the operator has no access to the letters involved --- they are prompted to ask for three and eight, type them in, and now know what they are. If you don't know, they don't either: the letters aren't displayed to the operator. Online, you supply a username (which is related to you, not to your account) and password, and are then prompted for three characters from a passphrase as pull-down menu items (presumably to make key-loggers a little less useful). The telephone and online systems use different passphrases.

Now of course this isn't flawless: there are a lot of attacks one can envisage, mostly involving operators always asking for different letters --- ie if they already have three, five and eight, and are prompted to ask for three, five and nine, they ask for four, six and nine, supply three and five from their previous knowledge and now have six letters instead of the four they would otherwise have. By this technique they can get the password in n/3 attempts, less if (as is likely) you don't need all the letters to see what the whole word/phrase is. It's a thin attack given the chances of you arriving at the same operator, or the operator's confederate, that many times, but might be possible as a large conspiracy by a corrupt call centre (LTSB have in recent months re-on-shored all their call centres; make of that what you will). If you fail to authenticate, for whatever reason, you're asked for the same characters next time, so an attacker cannot make repeated attempts hoping to be asked for characters they already have if they don't get a favourable set the first time.

Some things about this story don't ring true, by the way. Firstly, LTSB have not, to my knowledge as a customer, had a limit on the length of pass phrases either for telephone banking or on-line banking as short as is claimed. The on-line `memorable information' (ie password) is six to fifteen characters, spaces not permitted, and I can't believe the voice system is different.

There are some things that could be improved. You can change the greeting between given name, given name plus surname and a few other options, but you can't have a custom greeting. That's a powerful phishing prevention mechanism: if I can customise my bank's website to greet me, after supplying my password but before supplying my selected characters from the passphrase, with a picture I supply (say) then that massively ups the problems a phisher faces. I have my passphrase as six random characters (ie knowledge of five doesn't provide the sixth) so that if I'm ever asked for character seven or greater I know something bad is happening, but it's not ideal. But the rest they do well: initial contact URL is https and won't work as http, ie http://online.lloydstsb.co.uk/ [lloydstsb.co.uk] doesn't answer, so anyone bookmarking it will bookmark the https. Menus don't accept keyboard accelerators. More if I could think of it before my first coffee. I checked it through pretty thoroughly before signing the ts and cs, and I'm reasonably happy.

ian

Re:Plaintext passwords?

[Lonewolf666 (259450)]

Actually, LTSB verification involves being asked for (three, I think) letters from your password / passphrase. I believe that the operator has no access to the letters involved --- they are prompted to ask for three and eight, type them in, and now know what they are. If you don't know, they don't either: the letters aren't displayed to the operator.
In this case, the system seems to have a hole somewhere:
Somehow the operator was able to substitute another password. His choice of new password indicates that he could read the entire old password.

Unless there are some other safeguards in the system that were not mentioned in TFA, I would be seriously concerned about criminal operators abusing my account (hypothetically speaking, I'm not a customer at LTSB).

Re:Plaintext passwords?

[MrMr (219533)]

Now in this case, the choice of the password might be deemed offensive
When you think a 'plc.' can be offended you are antropomorphizing abstract legal entities. Don't do that; they really hate it.

Re:Plaintext passwords?

[MrMr (219533)]

Seriously. I love to explain jokes.
Lloyds [lloydstsb.com] is a plc [wikipedia.org].
Go search for antropo [quotegarden.com] and see what to offend [merriam-webster.com] means.
Now try to imagine an offended Plc.
And hand in your geek card.

Re:Plaintext passwords?

[chill (34294)]

From the article it sounds like a voice code phrase to authenticate yourself over the phone. They staff has to be able to see it to verify it. It isn't a computer password.

Re:Plaintext passwords?

[Jedi Alec (258881)]

From the article it sounds like a voice code phrase to authenticate yourself over the phone. They staff has to be able to see it to verify it. It isn't a computer password.

"I am the systems administrator. My voice is my password. Verify me."

Re:Plaintext passwords?

[QuantumG (50515)]

Yes, my voice password is "billy'; drop tables;", type it in muppet!

Re:Plaintext passwords?

[Warshadow (132109)]

No, No, No. "My voice is my passport verify me" :D

Re:Plaintext passwords?

[Firehed (942385)]

I've had more than one website email me my password if I hadn't logged in after a week or two. Because obviously I wasn't logging in due to having forgotten the same password I use at half the websites on the internet, rather than the site sucking. Suffice to say, I've deleted my accounts at all sites where that's occurred. I wouldn't be at all surprised to see several of them vulnerable to SQL injections and I'm sure all of them did nothing but flip the 'account_active' column bit, but I felt better for a few minutes at least.

Wordpress has a pretty good forgotten password system - it emails you a unique link (something like changepass.php?user=firehed&verify=asdf903jfo2i3jf) and you get your new password form. It's never revealed in plaintext. I hope more sites adopt something along those lines - seeing my password in plaintext anywhere always freaks me out a bit. Then again, I've seen it hashed as md5 and sha1 enough times that I could spot probably my account in a 'SELECT id, pass FROM users' result.

I'm still a bit curious as to how banks haven't yet found a better system for getting you your initial ATM PIN when you get a new card than simply sending it separately from the card. Shouldn't they have some automated dial-in where I punch in the auth code they send me and the last four from my SSN (or MMDD birthday, whatever) as a verification code? If someone is stealing your mail looking for a new card, it wouldn't be difficult for them to also grab that 'discreet' envelope with that starter PIN.

Security is really quite pathetic these days. No wonder we keep hearing about millions of customer records being lost.

Re:Plaintext passwords?

[by Anonymous Coward]

My bank has a password to verbally verify over the phone. It's the street I grew up on, so I just say Cottage Rd. But seriously, I have to say my street name every time, and I assume the operator is looking at it to verify. I doubt they're going to type it in an verify the hashes.

Re:Plaintext passwords?

[Psychotria (953670)]

That was a bit silly. Now I can just ring the bank and say my name is "Anonymous Coward" and my password is "Cottage Rd". This means I can transfer all of your funds... didn't think of that did ya!

Re:Plaintext passwords?

[beav007 (746004)]

Wait, what? When was the last time you typed your password hash into a website? That doesn't mean that your passwords are stored in plain text.

When you change or set your password into a well-programmed website, it hashes the password (hopefully with a one-way algorithm), and stores the hash. When you enter your password in the future, it hashes what you enter with the same algorithm originally used, and compares the hashes, to see if they are the same. If they are, then the password is the same, or you've managed a 1 in eleventy billion chance at picking an entry that has a hash collision with your password.

GP is assuming that the mentioned institution uses this sort of password protection system, and when the operator asks for your password, they type it in and click "Check Password", and wait for the program to say either "Password Correct" or "Password Incorrect". This would mean that the hashes are being compared.

Of course, this is not a given.

Re:Plaintext passwords?

[AuMatar (183847)]

I prehash all my passwords. That way only the hash of the hash is stored in their db. Its more secure that way.

Re:Plaintext passwords?

[ei4anb (625481)]

That is actually one of the schemes that I use. I have a keyword that I use to generate the password for all websites; I concatenate the keyword and the site's domain name and use an hash of that and allow Firefox to store it. That way I get a different pwd for each site yet I can regenerate it if I need to.

Re:Plaintext passwords?

[TheRaven64 (641858)]

It's easy. Imagine your password is 'password.' To get a password for Slashdot, you concatenate it with the site name, giving 'slashdotpassword'. You then hash it with a well-known hashing algorithm, such as MD5, giving '4f9e0b445242debaefaea692318e7f05'.

As long as you have access to something that can generate MD5 hashes (any system with OpenSSL or GNUTLS installed, including any *NIX machine, any Mac, and some Windows machines) you can trivially regenerate your password. If you wanted to use the same password for mybank you would use hash of 'mybankpassword' which is '4281a3b1440b23b1106655dfeb849057'. Given either of these, it's very hard to recover the original input. It's a bit easier if you know that the format is {site name}{password}, but you could easily do something different, like interleave the letters, giving the hash of 'pmaysbsawnokrd'.

Re:Plaintext passwords?

[brianjlowry (1015645)]

You act like they are storing important information in the DB... like it is a BANK or something.

Re:Plaintext passwords?

[Cassius Corodes (1084513)]

RTFA, its a phone banking password - as this is done via a operator, they are going to know the password anyway so its displayed to them.

Re:Plaintext passwords?

[EvilIdler (21087)]

Uhm..what?! You don't store passwords in plain text, full stop. One-time passwords, alright. Generate one based on your bank card, and give it to the operator. It can't be used again. But a regular password? No way.

Re:Plaintext passwords?

[by Anonymous Coward]

What are you supposed to do, SHA-1 hash it in your head before reciting the hex digits over the phone to the operator?

Re:Plaintext passwords?

[orgelspieler (865795)]

I think you just failed the Turing Test.

Re:Plaintext passwords?

[telchine (719345)]

If the operator ever needs me to prove my identity, I am asked to provide eg the 4th & 5th character, not the whole thing. Sounds like Lloyds needs to update their security procedures!

My bank als asks me for two letters from my password, and my bank is Lloyds!

How do you know for sure that your bank's operator can't see the full password when they're asking you for two letters?

It's still retarded security

[Moraelin (679338)]

So basically every single operator they've ever employed, can find or just remember your username _and_ password if they want to. And who's to stop them from calling after hours and pretending to be you?

And you don't see the problem yet?

How about: when you tell that guy your password, he types it on the computer, which compares it to a hashed (and salted, please!) value in the database. There we go. It wasn't that hard, was it?

Of course, now when you talk to an operator, you tell them your password. So now we're back to problem 1, albeit with less people having access to it.

So, better yet, how about making you type it on the phone pad? Then their PBX can extract any such keypresses and send them directly to the computer. There is no need for the human operator to ever hear or read that sequence.

So basically, you can jolly well stop pretending that crap security is anything else. Yes, it may require some 5 minutes of thinking to solve those problems, but they _are_ solvable.

This kind of thinking inside the box (basically, "it's been done so before, so I guess we'll have to do the same"), and throwing your hands up in defeat each time it requires more thought than applying verbatim what you already know, is the real problem with security nowadays. Most people don't even bother trying to think about what could go wrong, and how (if at all) it's preventable.

Re:It's still retarded security

[by Anonymous Coward]

And who's to stop them from calling after hours and pretending to be you?

Perhaps the fact the call center would be closed after hours?

Re:It's still retarded security

[Clovis42 (1229086)]

So basically every single operator they've ever employed, can find or just remember your username _and_ password if they want to. And who's to stop them from calling after hours and pretending to be you?

I worked for a Staples Call Center for awhile. One night I took an order from some guy. At the end I asked for his credit card number, name on the card, and the billing address. He hesitated on the last question, and stated, "But if I give you all that information, there's nothing to stop you from making an order using my credit card." I had no idea how to respond to this. Yes, you are giving me all the info I need to make a purchase via credit card, because that is what you are doing. So, I really don't see this password thing as a problem. If money disappears from a customer's account, those employees will the the first suspects. They are all probably smart enough to realise this and won't be stealing the information. I, and hundreds of other employees, could have walked out of the Call Center with hundreds of people's credit card info every day.

That's still a rather fragile assumption

[Moraelin (679338)]

That seems to me like a very fragile assumption.

Yes, you'd think that most people are smart enough to not do stuff where they could end up in jail, but about 1% of the population of the USA _is_ currently in jail. You'd think that most people are sane enough, but 0.4 to 0.6 of the population are schizophrenic. You'd think that most people are nice enough to their fellow human, but about 1 in 30 qualifies as sociopath, and 1 in 100 as outright complete psychopath.

You don't take those precautions against most of those call centre employees which are honest, sane, smart and nice, like you were. You take them against the schizophrenic dude who'll sell that data because the ghosts threatened to suck his soul through his nose if he doesn't. You take them against the disgruntled sociopathic admin who wants to go out with a bang. (See for example the recent news about the guy who locked a city administration out of their computers.) You take them against the idiot who'll sell an old computer on EBay without first erasing the database files or backups off it. (See the recent story.) You take them against the irresponsible (if well meaning) insurance/investment/etc salesman, who'll copy the whole damn customer database on his laptop so he can show a snappy chart to a potential customer. You take them against the idiot rent-a-coder who'll zip your whole database and post it on the web, when asking for help with some trivial formatting problem. (Yes, one dude did exactly that. Twice.) You take them against the irresponsible boss who'll copy that whole damn database on an USB stick, and give it to some programming contractor so he doesn't have to work on-site. And then said contractor loses the stick. (See the recent leak in the UK.) You take them against the irresponsible "tech savvy" guy, who'll open an insecure tunnel right through your firewall, so he can work from home, and thinks that nobody will guess the port. Etc.

It's not just you call centre guys who can see those plaintext passwords, you know. There's a whole lot of people who might end up seeing that data, some of which you'd never even think about off the top of your head. E.g., that eastern european janitor who was emptying the dustbins while you were looking up someone's plaintext password.

Security is about trying to prevent as many of those as you realistically can. Just because you call-centre guys get to hear the password as plaintext, is no reason why everyone in IT or with enough clue to run an SQL query should also be able to get to them.

Re:That's still a rather fragile assumption

[spun (1352)]

Fragile assumptions are the building blocks of society.

Re:It's still retarded security

[mhall119 (1035984)]

Better yet, read your public key to the teller, who then generates some random data, encrypts it with your public key and the bank's private key, then reads out both the cipher text and their public key over the phone to you. You then decrypt the data, and re-encrypt it with their public key plus your private key, and read the cipher text back to them, over the phone.

Of course, you'd want to call them first thing in the morning, so you can finish the transaction before close of business.

For efficiency, you can both keep a copy of each other's public keys after the first transaction, but you'll then need to read the contents of your respective revocation lists to each other, to make sure they're still valid.

Re:Plaintext passwords?

[Cow Jones (615566)]

RTFA, its a phone banking password

So, unless I misread TFA, we now know that Mr. Steve Jetley from Shrewsbury has a phone banking account with Lloyds, and is unable to change his password to anything else than "no it's not". Mr Jetley said he was still trying to find a suitable password which met the conditions.

Excuse me, I have to make a phone call...

Legal Problems

[Detritus (11846)]

Does UK law cover "sexual harassment"? Employers in the USA have to worry about defending themselves against claims of sexual harassment, which can be quite broadly construed, even when a customer is the source of the alleged harassment. Anything that someone, somewhere, finds offensive, can be evidence of a "hostile work environment".

Re:Legal Problems

[Ixitar (153040)]

I just love the hypersensitivity out there. I was on a project years ago where there were duplicate records on companies. One fellow that I worked with wrote a drag and drop application to eliminate duplicates. The user would drag the "good" record over an icon for the good company record and drag the "bad" record over the icon for the bad company record. The good company icon was a building in white with a halo over it and the bad company icon was a building in red with horns. I told him that someone with no sense of humor is going to tell him to change the icons. Sure enough, he was told to change the icons so as to not potentially offend someone's religious faith.

Sounds to me like

[tuxgeek (872962)]

a big UP YOURS is in order ...

but that's just me

Clarifying for Americans

[RevWaldo (1186281)]

In the UK "pants" is the term used for underwear.
It is also slang for rubbish (that's "crap" for Americans.)

This doesn't speak well for the state of British underwear, but whatever.

Re:Clarifying for Americans

[ben0207 (845105)]

Does anyone else find it quaint when yanks try to comment on the English language?

They always manage something that is nearly completely wrong, but right enough to see where they were going before they were distracted by something to eat or a TV.

Re:Clarifying for Americans

[QuantumG (50515)]

Wow, so basically your world view is that there are people from the UK and there are people from the US and no-one else exists?

I guess that's almost better than the average American's grasp of geography.

Re:Clarifying for Americans

[fotbr (855184)]

American here. No, that is not anywhere NEAR the average American's grasp of geography. You're giving them far, far too much credit. Most of my countrymen below the age of about 30 have no clue about anything other than the area of the US they live in, and some vague notion of Africa being poor, and Iraq being "over there". They can't even pick out all the states, much less find Iraq on a map. They *might* be able to pick out the continent of Africa, but they'd probably be looking for a single country instead.

Our public school system has turned an entire generation into morons, who think being wrong is ok as long as they feel good about themselves.

What the hell?

[Penguinisto (415985)]

Since when does staff have unfettered access to user passwords? The absolute most that the help desk can do is reset the thing, not view it.

Seriously - they got bigger problems than being insulted via password if the friggin' help desk can call up passwords at will and whim.

/P

Re:What the hell?

[SEMW (967629)]

This isn't a "help desk" it's a telephone banking system. You call up the bank. and do your banking over the phone. That means -- yes! -- that the guy you're talking to has unfettered access to your account. That's the inevitable price you pay for convenience if you want to do your banking over the phone.

Ok, and...

[narcberry (1328009)]

I read the article and it only reports half the story.

Sure he tells us all about his password and what he is using. But what was his account name?

I once had a funny incident with some website.

[CrazyJim1 (809850)]

I called in and asked,"Can you give me my password?"
Him "Ok give us your information."
Me: I gave him my information.
Him"You want your password now?"
Me:"Yes please."
Him,"Biteme."
Me:"What?"
Him,"Biteme is your password."
Me,"Oh... Thanks..."

I made a mental note,"Do not make passwords that will embarrass me if I have to call in the phone"

I'm more disturbed by the fact...

[Aardpig (622459)]

...that neither the submitter nor the editor (samzenpus) are able to spell the word 'Lloyds', despite it appearing a number of times in the original article.

Let's petition CmdrTaco to banish samzenpus to Idle, where his delusions of adequacy will better fit in.

Re:I'm more disturbed by the fact...

[zobier (585066)]

Let's petition CmdrTaco to banish samzenpus to Idle, where his delusions of adequacy will better fit in.

Let us start tagging idleispants.

plaintext passwords

[Fusen (841730)]

for people questioning why the bank has your password in plaintext, this is because in the UK they have ALL your info in plain text.

Your complete credit card details including 3 digit security code on the back.

Your complete address, maiden name, old addresses etc etc.

They use all of this info to verify who you are before they tell you anything about your account, so you ring up and say "Can I see my balance", and they ask for random bits of the stored info.

You just have to hope that they aren't dodgy employees as they could quite easily steal it all if they wanted.

Re:plaintext passwords

[jrumney (197329)]

You just have to hope that they aren't dodgy employees as they could quite easily steal it all if they wanted.

Or back it up into unencrypted ISO images on their hard drive then sell their laptop on ebay, which seems to be standard practice at UK banks, Inland Revenue and other organizations which deal with such personal information.

Re:plaintext passwords

[Arimus (198136)]

What hacks me off the most is that where I work (defence contractor) we have to have baseline encryption on our entire laptop drives and a second encrypted area for the more sensitive stuff. USB drives have to be encrypted as well, and PDA type (so ipod's phones etc) devices can't connect unless you are in the priviledged few who need to share data with external agencies or with our test systems.

(My personal laptop (the one I'm typing this on) I've got my own encrypted linux filesystem on, only the windows bit isn't encrypted and bar photoediting its not used much)

Why if we have to jump through various hoops or lose our supplier status can't the UK government departments and contractors working directly on their behalf do the same? (And ditto for banks.)

Everyone involved with handling personal data needs to look into data minimization and data protection (integrity, access control, non-repudation, auditing, the whole shooting match), and any company found not doing so should be banned from handling personal data ever again. Government departments are harder to control (after all the MPs won't vote in a law which would neuter the IRS ;) ) - so make the law such that the minister and the civil servant in charge of the affected department face a 1 month jail sentance for every 100 records lost, loss of pension rights, barred from being company directors etc...

Passwords are awful for security

[mcrbids (148650)]

Everybody knows passwords. We're all used to them. But they suck rather miserably for real security. They are a vast improvement over nothing at all, but they just aren't good enough, anymore.

All it takes is one leak of your password, and you're hung. Worse, you don't know that you're hung. You can't let somebody else use your password. Ever. You can't ask a family member to enter it in for you while you're on the road while they look up your bank balance on the way to the airport without disclosing your password.

And lots of people can see your password. Techies. Poorly-paid tech support people in India. System administrators. Clerks, counters, janitors, and people who dig up your stuff out of the pile of computer hardware behind XYZ large firm.

Passwords are a terrible, terrible idea for security, and have left the social environment highly vulnerable to vast compromises.

On the other hand, dual-key cryptography is rather good for security.

It doesn't matter who sees the key exchange. If somebody else gets your public key, it doesn't weaken the strength of your private key. Nobody else can see your private key. You don't need to disclose your private key to anyone to use it.

Personally, I'd like to see a password-key machine. Basically, a weak form of dual-key cryptography (at least as effective as a password) stored in a small doohickey. It has your private key. Rather than type in a password, you are given a set of characters that you need to encrypt with your doohickey. You type the characters into your doohickey, and indicate which private key you want to use. (since it's private, you really only need one)

You enter in the passphrase for your private key. You enter the response back into your website, whatever.

Weaknesses? Not many.

1) You can lose your doohickey. At which point you need to get another one, regenerate a private key, and hand out new public keys to everybody. But even with the doohickey, $RandomBadGuy can't do much without the passphrase. Which is not a "password" in the usual sense because it's only stored there, in the doohickey and cannot be seen by anybody else.

2) You can use your doohickey thru the phone. Your son-in-law is checking your bank balance for you, and you want him to - this time. He sees the challenge, and tells it to you. You enter challenge into doohickey, give him the response, and he types it in. That gives him nothing more than a login that time, because next time, the challenge will be different, and without doohickey, he can't do anything more.

3) Nobody else sees your private key. It's yours. It's private. Websites and such will have your public key, but it won't help them any since they don't have the private key that matches.

Doohickey doesn't have to be much - it could easily fit into a cell phone. Processing a small, 32-bit key isn't difficult, and the challenges don't have to be very long to well exceed the security of your average password. (EG: Wife's middle name, the street you were born on, etc)

I know of someone who can help

[Rupert (28001)]

Mr. Yorkshire Bank Plc Are Fascist Bastards was able to get a judge to order Yorkshire Bank to issue him a cheque payable to his full name.

Important message to Lloyds customers

[by Anonymous Coward]

My Dearly Beloved Lloyds customers.

I encourage you all to change your passwords to Lloyds is pants in protest at this stupid bank's actions.

Thank you sincerely for your cooperation.

Mrs Mariam Abacha, Lagos, Nigeria

Ownership

[ikkonoishi (674762)]

The customer does not own his password. As its purpose is to allow access to the services the company provides it is the property of the company. Of course changing it like that was a stupid and childish thing for an employee to do.

Password reminders

[by Anonymous Coward]

Heh, luckily I've never had problems. My password reminders (one which I use for my ISP, who use it to authenticate who I am), is usually something along the lines of...

Who the hell uses password reminders anyway, like come on, isn't there a better way?

So I need to say a line like this every time I talk to them, it often gets a bit of a laugh and provides the call with a little levity.

Six letters? Bollox.

[zobier (585066)]

"The rules seemed to change, and they told me it had to be one word, so I tried 'censorship', but they didn't like that, and then said it had to be no more than six letters long."

I would have then asked for it to be changed to bollox and then proceeded with increasingly vulgar suggestions. Fanny would be a good choice.

Nope!

[beadfulthings (975812)]

He should let them set his password to whatever they please . . . for as long as it takes him to clear his money out of there and into another bank.

New password

[AndyFewt (694753)]

New pass: "Gagged" It meets the no more than 6 letters condition.

fun with passwords

[Eil (82413)]

Until a few months ago, I did some helpdesk work at a web hosting provider. When a customer calls in, we are required to make them verify that they are the account holder by telling us either the last four digits of their credit card or their hosting account password (which they specify when they're signing up for service).

One day, a new customer calls in and says he's having some trouble setting up DNS and would like some advice. He's maybe in his late teens or early twenties He gives me the account number. I notice that he makes his payments via PayPal. When I see his password, I hit mute on the phone and giggle for a few seconds. After my composure is somewhat regained, I unmute and ask him to verify his account password for security purposes.

You could almost hear him tense up. When he starts stuttering, I was sure he never stopped to consider that he might have someone

"Ummm, uh, it's fuckyou2dickhead."

I helped him through his DNS questions as politely as possible and we got along pretty well. Before hanging up, he asked if there was a way he could change his password online. I said yes, through our monitoring and billing system.

He gave a huge sigh of relief.

SL did that to me

[tsa (15680)]

Linden did that to me with my Seconf Life account, after a crack of their server in 2006 IIRC. They told customers to answer a few questions about who their friends were etc to get their passwords back. I had been there only a few days and I didn't know how to spell my friends' names. Thanks to their crappy customer service I never could log back in. Luckily I didn't have a paid account. I was pretty angry at them, and rightly so I believe. It's very inconsiderate to change customer's passwords without their consent. They did it to protect their customers and I understand that, but I guess I was not the only one who was forced to make a new account.

What are they doing being able to read passwords?

[itsybitsy (149808)]

They have a total disregard for security by allowing the support staff to read the passwords.

The customer support people there have a horrific culture of ridiculing their customers. Nasty.

No changes for me, thanks.

[evilviper (135110)]

Personally I found the original change funny, like the customer did.

The change would be funny from a small company that you do some business with, but NOT FROM A BANK. Any sign of employee impropriety with sensitive information that your life savings depends on, is downright scary. And losing money might be the best outcome... A couple suspicious transactions is all it would take to raise a red-flag, and automatically trigger a police investigation for possible (drug/weapons/terrorist) money laundering.

I want nothing but monotonous, joyless, boring bastards handling all aspects of my bank account. In fact, computers would fit the bill perfectly.

For your benefit I hit delete.

[Fantastic Lad (198284)]

The power of Ego!

This is a multi-billion dollar company. They, along with all the other banks, own Everything. --Correction; they lent the money needed to purchase Everything, and now are owed it all back with interest. God couldn't even pay that bill!

So, poor, poor Lloyds can't handle it when the slaves mutter amongst themselves? Geez! And that's it right there; the same petty fear of Everything (including the most harmless of school-yard slurs), drives their desire to control Everything. Pathetic.

-FL

BOFH?

[Tazor (775513)]

Changing customers password without consent?
That sounds a bit like this guy: BOFH [theregister.co.uk]

Lloyds, not "'Llyods"

[1u3hr (530656)]

Even in the US, I believe "Lloyd" is the usual form of this name. TFA (the BBC) of course spells it correctly, and includes a photo of the bank's logo.

Re:Lloyds, not "'Llyods"

[1u3hr (530656)]

And while I'm at it:
The headline; "Changing Customers Password Without Consent" needs a possessive apostrophe ("Customer's") and in the text:
"a sense of humour rears it's ugly head" should NOT have an apostrophe.

Slashdot "editors"? Where can I get a job like that you can do blind drunk while playing video games?

Next time..

[Stormie (708)]

..try "Lloyds ist toten hosen"

They probably won't change that one.

Plain text password necessary?

[awol (98751)]

My bank asks me the jth and kth letters of my password and never (and corresponds regularly to tell me so) asks for my complete password. Whilst this suggests they they do have the plain text stored on their system, could one devise a system that encrypted each letter of the password in some way that did not compromise the security of the stored hashes any more than the original hash?

Assuming a "strong" 8 letter password and two letters for verification it means that there is a 1 in 676 chance of a client guessing correctly in a single operator/client session. Not an unreasonable risk given the securiity that could be built into the session to avoid brute strength attacks.

I am having a bit of a think about it and I can think of a couple of techniques, but I am not sure that they are worthwhile. For example;

Just store the all the encrypted pairs (NC2) where N is password length, assuming 8 characters, only 28 combinations. Can these be stored without compromising the crackability of the whole password? I guess it would but by how much is a bit beyond my thumbnail calculating ability. Or;

Can we build a sufficiently strong transposition cypher so that we can compare specific letter positions encrypted without knowledge of the other letters?

My other bank uses SMS messages with one time codes to do verification. That seems to be very effective.

Silly

[szundi (946357)]

They should have allowed him/her to set this password as this is a password and needs to be kept secret! Now they are not passwords and the whole world knows about them :) haha!

Quite the opposite in Canada

[dontmakemethink (1186169)]

At TD Canada Trust, the have an excellent web interface, where you can customize many aspects.

For example, when I load my profile, my greeting message is "DON'T SAY PLEASE FUCKHEAD!" (a quote from Blue Velvet), my credit card account is called "Devil's Due", and my line of credit is called "Slush Funds".

Umm - it starts earlier than that..

[cheros (223479)]

The first question you should ask is how a rep can change a customer password without his permission and knowledge. All you need is one with criminal connections and he'd be able to start messing with accounts for a while. Do this for a month, hit a couple of big ones at the end and disappear.

If I were the customer I'd go after the bank re. diligence failure. I couldn't care less about the pettiness (as ex Lloyds customer I agree 100% with the sentiment expressed), but I would raise serious questions about the processes involved, from HR to account management.

If I were the customer I would now insist on choosing a new password (as the entire planet knows the old one) and I think something like "You are all complete morons" would be suitable:

"What is yous password, Sir?"
"You are all complete morons"
"That is correct, Sir, thank you" :-)

wrong tree

[Tom (822)]

"funny or not" isn't the right question to ask here.

The right question is: "Why was customer service able to access his plain text password?" - when every book about security tells you to store passwords hashed. They should never even know what his password actually is.

Wait a minute...

[uvajed_ekil (914487)]

Does one have "rights" on a website not owned by a government entity? Even in the U.K.? Is there a TOS to support this, or some statement to the contrary? Yes, this sucks and is unprofessional, at best, but I have a hard time believing that you have any right to anything on a website unless you are specifically granted such rights by some particular means. Need more information, without reading TFA, of course.

Bollox

[Nyckname (240456)]

Hey, it's six letters.

Profit

[Stooshie (993666)]

1. Get job in phone banking office
2. Change customer's passwords so they can't log in and you can
3. Call up from another phone
4. Profit

Damn, I must stop posting complete business plans.

Acceptable

[QuietLagoon (813062)]

What isn't acceptable is the refusal to change it per the customer's requests after that."
.

Two additional things are not acceptable:

1. the customer service rep having access to the plain text password (corollary: passwords being stored in plain text)
2. the customer service rep changing a customer's password without the permission of the customer

For those not from the UK and curious

[JTsyo (1338447)]

3. pants This word can have two meanings if you are from the UK. It either means 1. The British word for panties, underpants, etc 2. Rubbish, bad 1. "I bought some new pants and a matching bra." 2. "This film is pants!"

Why are people looking at passwords?

[mlwmohawk (801821)]

Isn't it strange/scary/odd that someone is looking at passwords?

On a similar note, every time I have to reboot a Windows box or have to enter a reason for a shut down/restart I enter "Microsoft sucks" or "F%$#k you Bill Gates" (without the censorship)

I think more people should do this. :-)

Human readable passwds???

[redelm (54142)]

I would be extremely leery of any security system that allowed _anyone_ to read passwds unless for verbal authentication. Otherwise, they should be always be cryptohashes.

Whats not acceptable

[SoulRider (148285)]

is the fact that anyone in the company can see customer passwords in the first place. So much for security.

This did happen to me

[muckdog (607284)]

At one point a had a password with a company that was " sucks" where competitor was the competitors name. The company in question dropped "sucks" off of my password. Pretty sure it was a customer service rep. Probably because she was an uppity bitch.

breach of privacy policy

[DragonTHC (208439)]

a password is a personal piece of information. a CSR's knowledge of your password is a violation of the terms of their privacy policy.

or the simple answer is, have them set it to something simple and change it manually via their web interface later.

If it were me...

[g0bshiTe (596213)]

"The rules seemed to change, and they told me it had to be one word, so I tried 'censorship', but they didn't like that, and then said it had to be no more than six letters long."

At that point I would have chosen, "TOSSER"

Choose your security phrase carefully...

[dissolved (887190)]

When I worked for a helpdesk for a large ISP in the UK we had a chap with the security phrase:
"Who am I talking to?"
with the answer " scum".

Yes, it's that level of mutual respect that will make helpdesk staff want to talk to you...

what isn't acceptable is

[josepha48 (13953)]

that someone else knew what his password was. That means that they track and can read your password. I don't think that would make me feel comfortable. I would hope that passwords were stored encrypted and not decryptable by staff.

The combination is what kills.

[sillypixie (696077)]

This is a case of cumulative disaster, frankly. These guys have done a whole bunch of not-so-smart things that together combine into real stupidity -- they are advocating both password sharing and they are allowing a help desk person to INTERPRET a plaintext password. Not to mention instantiating password polices requiring a single dictionary word with a limit of 6 characters!

This means that punctuation probably doesn't count. Capitalization doesn't count. Spelling probably doesn't count. If an attacker can come up with a reasonably approximate phonetic representation of the password, then chances are, the help desk will assume the caller is the right person. After all -- if there was a requirement for an exact match, then the help desk person could just type in exactly what the user tells them and get a yes/no answer back without ever seeing the password, and the plaintext requirement wouldn't exist.

Once you have the password for account viewing, how much money do you want to bet that a significant proportion of customers use the SAME password for all their other activities with the bank? But don't worry -- that second, possibly identical password is protected with "full security procedures"...

Could be worse...

[Kabuthunk (972557)]

Back when I was doing tech support for Worldnet dialup internet, we could change people's passwords when requested (and we could also just read off what it's currently set to). I got a call once from someone saying they couldn't log in, and wanted me to read off their password. After the usual verifying security, I gave 'em their password... which was at the moment set to... umm... let's just say another way of saying "homosexual lover", since putting the actual password would likely set off the swear filter. Yeah, THAT was an awkward call.

The system logs the tech's login for any changes made to an account, so it was easy to see what happened. Someone, on their last day of work, changed some people's passwords to either racist, homosexual, or other various types of things.

Because of that incident, they stopped us from being able to either read passwords, or even create them to what someone wanted. If someone forgot a password, we could randomly generate a new one. That's it.

How was it noticed?

[deets101 (1290744)]

Now, I'm not about to do something crazy like RTFA, but.....

Beyond the fact that the password was changed, how did the rep see it? Was he going through all the accounts looking at the passwords and see this one?

Re:How did they even know his password to begin wi

[Architect_sasyr (938685)]

Heh. Truly a RTFA moment.

From TFA:

A man who chose "Lloyds is pants" as his telephone banking password said he found it had been changed by a member of staff to "no it's not"

They can't store that clear text if they want to verify it.

Re:How did they even know his password to begin wi

[Psychotria (953670)]

Which is the same in Australia. If I ring telephone banking they ask me for my password, which they can plainly see (I know, because I forgot it once and they told me I was on character out as a gentle "reminder"). It does seem absurd that my slashdot password is probably more secure than my banking "password". Note that the telephone banking password is different to my online banking password, which appears to be stored encyrypted--as it should be (note that I connot verify this as I do not work for a bank, but my anecdotal evidence confirms it).

Re:How did they even know his password to begin wi

[mr_mischief (456295)]

I apologize for the shortness of digital temper, I just quit smoking

I'm sorry to hear that your fingers are so testy. Maybe you could hold a pen between them?

Anywho, I'm thinking this is a voice challenge and response with the live telephone customer service agent. They'd pretty much have to have that in plaintext. Hopefully they also use a long PIN number that's stored as a hashed value.

Re:My Password

[halcyon1234 (834388)]

My password is the middle step in any profit plan. Now I can't remember what it is. I hope my cookies never expire.

Re:My Password

[Fantastic Lad (198284)]

"I hope my cookies never expire."

That should be on a Tee-Shirt.

-FL

Re:My Password

[martinw89 (1229324)]

Damn, that's the password on my luggage!

No wonder it didn't work!

[EmbeddedJanitor (597831)]

Shit.

abscissa here

[by Anonymous Coward]

Who changed my password?

Re:Lloyd's

[jrumney (197329)]

Perhaps it really was Llyods, as in www.lloyds.ru, after all, they did have his password stored as plaintext.

Re:Fail2o8s

[hedwards (940851)]

Nice to see the editors have a chance to post AC style. Carry on. I'm sure this practice with grammar will improve the proofreading for the next article.

Re:least of their problems

[andy.ruddock (821066)]

Telephone banking. Customer rings and gets asked "What's the 3rd letter of you password?". Usually get asked for two randomly selected characters in your password, plus other details, such as random digits from a customer code which is chosen by the bank when telephone banking is setup for the customer.

Re:How did they even know his password to begin wi

[DaveDerrick (1070132)]

Guys, let me clear this up. I have a Lloyds bank account, when you phone their phone banking system, they ask you "Whats your password". May not be secure, but thats how they do it.

Re:Uhm, secure?

[CorporateSuit (1319461)]

90% of the working world has employees that can see customer passwords. The world isn't composed of unemployed slashdotters who never have any reason to access customer/client information.

If I told a Fortune 500 exec that I can't remind him what his password was for an account with my company, he'd think I was retarded. Typically, people with money would rather be reminded of what their password is in the 1 second it would take than have you reset it and send them some gibberish password they'll have to change (or send them somewhere else to reset their password). They have enough at risk to recognize security is more or less an illusion over apathy. Inconvenience, however, is not.

tl;dr: hashing passwords is popular on slashdot, not so much in real life.