Changing Customers Password Without Consent 435
risinganger writes "BBC News is reporting that a customer had his password changed without his knowledge. After some less than satisfactory service the customer in question changed his password to 'Llyods is pants.' At some point after that, a member of staff changed the password to 'no it's not.' Requests to change it back to 'Llyods is pants,' 'Barclays is better,' or 'censorship' were met with refusal. Personally I found the original change funny, like the customer did. After all, god forbid a sense of humour rears its ugly head in business. What isn't acceptable is the refusal to change it per the customer's requests after that."
Plaintext passwords? (Score:5, Insightful)
Re:Plaintext passwords? (Score:5, Funny)
And I thought I had a shot at getting this in first...
Maybe he should make his new password "Lloyds security is pants"
Re: (Score:3, Informative)
Not only is it being stored in plaintext (or at least not as a one-way hash), but presumably it's also visible in the administrative interface to the site. Does <input type="password" /> not have any meaning in those parts?
Re:Plaintext passwords? (Score:5, Informative)
It's a voice password. It is the employee on the phone that has to enter and verify the voice password. It is probably not being stored in plain text and it is entirely appropriate, and indeed required, that the administrative interface view the voice password as entered by other employees.
The only concern here is that an employee changed the voice password without authorization. Anytime an employee changes a password there should be records of the interaction. Call logs, voice logs, notes, etc.
Now in this case, the choice of the password might be deemed offensive. However, it seems that there was no clear and consistent policy enforced as to what a voice password could be.
Re: (Score:3, Informative)
Anytime an employee changes a password there should be records of the interaction. Call logs, voice logs, notes, etc.
What makes you think there wasn't? It's not as if they can't find the culprit due to a lack of logs; the article says they identified and fired them.
Re:Plaintext passwords? (Score:5, Informative)
I think you missed my point. There were no call logs, voice logs, notes, that identified an interaction with the customer when the voice password was changed.
The fact they know which employee modified the password means that anytime customer information is changed they log which employee was responsible for it. That's good policy.
So since the voice password was changed, and there are no records of the customer calling in and asking for it, the employee was disciplined.
I thought that was clear from my post.
Re:Plaintext passwords? (Score:5, Interesting)
Actually, LTSB verification involves being asked for (three, I think) letters from your password / passphrase. I believe that the operator has no access to the letters involved --- they are prompted to ask for three and eight, type them in, and now know what they are. If you don't know, they don't either: the letters aren't displayed to the operator. Online, you supply a username (which is related to you, not to your account) and password, and are then prompted for three characters from a passphrase as pull-down menu items (presumably to make key-loggers a little less useful). The telephone and online systems use different passphrases.
Now of course this isn't flawless: there are a lot of attacks one can envisage, mostly involving operators always asking for different letters --- ie if they already have three, five and eight, and are prompted to ask for three, five and nine, they ask for four, six and nine, supply three and five from their previous knowledge and now have six letters instead of the four they would otherwise have. By this technique they can get the password in n/3 attempts, less if (as is likely) you don't need all the letters to see what the whole word/phrase is. It's a thin attack given the chances of you arriving at the same operator, or the operator's confederate, that many times, but might be possible as a large conspiracy by a corrupt call centre (LTSB have in recent months re-on-shored all their call centres; make of that what you will). If you fail to authenticate, for whatever reason, you're asked for the same characters next time, so an attacker cannot make repeated attempts hoping to be asked for characters they already have if they don't get a favourable set the first time.
Some things about this story don't ring true, by the way. Firstly, LTSB have not, to my knowledge as a customer, had a limit on the length of pass phrases either for telephone banking or on-line banking as short as is claimed. The on-line `memorable information' (ie password) is six to fifteen characters, spaces not permitted, and I can't believe the voice system is different.
There are some things that could be improved. You can change the greeting between given name, given name plus surname and a few other options, but you can't have a custom greeting. That's a powerful phishing prevention mechanism: if I can customise my bank's website to greet me, after supplying my password but before supplying my selected characters from the passphrase, with a picture I supply (say) then that massively ups the problems a phisher faces. I have my passphrase as six random characters (ie knowledge of five doesn't provide the sixth) so that if I'm ever asked for character seven or greater I know something bad is happening, but it's not ideal. But the rest they do well: initial contact URL is https and won't work as http, ie http://online.lloydstsb.co.uk/ [lloydstsb.co.uk] doesn't answer, so anyone bookmarking it will bookmark the https. Menus don't accept keyboard accelerators. More if I could think of it before my first coffee. I checked it through pretty thoroughly before signing the ts and cs, and I'm reasonably happy.
ian
Re:Plaintext passwords? (Score:4, Insightful)
Actually, LTSB verification involves being asked for (three, I think) letters from your password / passphrase. I believe that the operator has no access to the letters involved --- they are prompted to ask for three and eight, type them in, and now know what they are. If you don't know, they don't either: the letters aren't displayed to the operator.
In this case, the system seems to have a hole somewhere:
Somehow the operator was able to substitute another password. His choice of new password indicates that he could read the entire old password.
Unless there are some other safeguards in the system that were not mentioned in TFA, I would be seriously concerned about criminal operators abusing my account (hypothetically speaking, I'm not a customer at LTSB).
Re:Plaintext passwords? (Score:5, Funny)
When you think a 'plc.' can be offended you are antropomorphizing abstract legal entities. Don't do that; they really hate it.
Re:Plaintext passwords? (Score:5, Funny)
Lloyds [lloydstsb.com] is a plc [wikipedia.org].
Go search for antropo [quotegarden.com] and see what to offend [merriam-webster.com] means.
Now try to imagine an offended Plc.
And hand in your geek card.
Pants (Score:3, Insightful)
You explained everything but the most important part. Why are pants offensive? I do not find pants to be offensive at all.
Not everyone lives in the UK or Ireland (Score:3, Informative)
Or he lives somewhere other than the United Kingdom or Republic of Ireland, and has never travelled to either of those places.
Plc is somewhat analogous to GmbH or LLC elsewhere.
Re:Plaintext passwords? (Score:5, Insightful)
What, you mean like bank fees?
What, you mean like the legislative requirement that banks give depositors access to their funds?
No, they don't. They doubly don't if it means banking customers' financial services are interrupted.
Does your phone company, who own the systems that your phone calls go through, have the right to let their operators listen in on your conversations and interject with witty remarks every now and then?
Re: (Score:3, Informative)
What, you mean like bank fees?
Most people in the UK do not pay bank fees as we have free banking - they would only pay charges in case of exceptional activity on the account (eg unauthorised overdraft, failed charge etc).
Re:Plaintext passwords? (Score:5, Funny)
Does your phone company, who own the systems that your phone calls go through, have the right to let their operators listen in on your conversations and interject with witty remarks every now and then?
I live in the U.S. and am offended by the implications in your statement. Of course they have the right! How else would they find the terrorists?
once upon a time you were right (Score:3, Interesting)
Source [bizjournals.com]
Re: (Score:3, Funny)
Re:Plaintext passwords? (Score:5, Informative)
From the article it sounds like a voice code phrase to authenticate yourself over the phone. They staff has to be able to see it to verify it. It isn't a computer password.
Re:Plaintext passwords? (Score:5, Funny)
From the article it sounds like a voice code phrase to authenticate yourself over the phone. They staff has to be able to see it to verify it. It isn't a computer password.
"I am the systems administrator. My voice is my password. Verify me."
Re: (Score:3, Funny)
"I am the systems administrator. You shall have no gods before me"
Fixed that for you.
Who, me? BOFHish?
Re: (Score:3, Interesting)
The same thought occurred to me, however would you trust an operator not to make a typo or know e.g. the difference between its and it's; would you even trust their internal system to be safe from an SQL injection?
Re:Plaintext passwords? (Score:5, Funny)
Yes, my voice password is "billy'; drop tables;", type it in muppet!
Re:Plaintext passwords? (Score:4, Funny)
No, No, No. "My voice is my passport verify me" :D
Re: (Score:3, Insightful)
Re: (Score:3, Informative)
Re: (Score:3, Informative)
I don't know about this particular system, but I have dealt with phone systems that ask you for certain letters from your password (e.g. 2nd and 5th, 3rd and 8th, etc). I wouldn't be surprised if this was the same.
Re: (Score:3, Funny)
Yes, the best plan is for the staff to have a system, perhaps built by the staff, where the staff can verify the password but without the staff being aware of it. Staff should definitely ensure that staff cannot collude with staff to actually change the customers password on their own ! Customers aren't staff and it's just not right, whatever the staff get up to with staff, in the staff canteen or where ever else is strictly the business of the staff but when it comes to customers who aren't staff well then
Re:Plaintext passwords? (Score:4, Informative)
My bank has a password to verbally verify over the phone. It's the street I grew up on, so I just say Cottage Rd. But seriously, I have to say my street name every time, and I assume the operator is looking at it to verify. I doubt they're going to type it in an verify the hashes.
Re:Plaintext passwords? (Score:5, Funny)
Re:Plaintext passwords? (Score:5, Informative)
When you change or set your password into a well-programmed website, it hashes the password (hopefully with a one-way algorithm), and stores the hash. When you enter your password in the future, it hashes what you enter with the same algorithm originally used, and compares the hashes, to see if they are the same. If they are, then the password is the same, or you've managed a 1 in eleventy billion chance at picking an entry that has a hash collision with your password.
GP is assuming that the mentioned institution uses this sort of password protection system, and when the operator asks for your password, they type it in and click "Check Password", and wait for the program to say either "Password Correct" or "Password Incorrect". This would mean that the hashes are being compared.
Of course, this is not a given.
Re:Plaintext passwords? (Score:5, Funny)
I prehash all my passwords. That way only the hash of the hash is stored in their db. Its more secure that way.
Re:Plaintext passwords? (Score:5, Interesting)
Re:Plaintext passwords? (Score:4, Interesting)
As long as you have access to something that can generate MD5 hashes (any system with OpenSSL or GNUTLS installed, including any *NIX machine, any Mac, and some Windows machines) you can trivially regenerate your password. If you wanted to use the same password for mybank you would use hash of 'mybankpassword' which is '4281a3b1440b23b1106655dfeb849057'. Given either of these, it's very hard to recover the original input. It's a bit easier if you know that the format is {site name}{password}, but you could easily do something different, like interleave the letters, giving the hash of 'pmaysbsawnokrd'.
Re: (Score:3, Interesting)
Imagine your password is 'password.'
I don't have to imagine - after a recent spate of account hijackings to send spam, I ran a check and found 127 users with passwords of "password". This is a case where I reset their passwords without talking to them first as well as imposing some requirements on the passwords. It annoyed the call center, but it's better than getting blacklisted for spamming.
Re:Plaintext passwords? (Score:5, Funny)
Re: (Score:3, Interesting)
My former ISP mailed me my password in a letter (on paper!) in big black letters every time I changed it.
Re:Plaintext passwords? (Score:5, Interesting)
I've had more than one website email me my password if I hadn't logged in after a week or two. Because obviously I wasn't logging in due to having forgotten the same password I use at half the websites on the internet, rather than the site sucking. Suffice to say, I've deleted my accounts at all sites where that's occurred. I wouldn't be at all surprised to see several of them vulnerable to SQL injections and I'm sure all of them did nothing but flip the 'account_active' column bit, but I felt better for a few minutes at least.
Wordpress has a pretty good forgotten password system - it emails you a unique link (something like changepass.php?user=firehed&verify=asdf903jfo2i3jf) and you get your new password form. It's never revealed in plaintext. I hope more sites adopt something along those lines - seeing my password in plaintext anywhere always freaks me out a bit. Then again, I've seen it hashed as md5 and sha1 enough times that I could spot probably my account in a 'SELECT id, pass FROM users' result.
I'm still a bit curious as to how banks haven't yet found a better system for getting you your initial ATM PIN when you get a new card than simply sending it separately from the card. Shouldn't they have some automated dial-in where I punch in the auth code they send me and the last four from my SSN (or MMDD birthday, whatever) as a verification code? If someone is stealing your mail looking for a new card, it wouldn't be difficult for them to also grab that 'discreet' envelope with that starter PIN.
Security is really quite pathetic these days. No wonder we keep hearing about millions of customer records being lost.
Re: (Score:3, Informative)
Neteller [neteller.com] does that as well. If you're not familiar with the company, they're primarily a third party "wallet" service to assist with withdraws and deposits to online gambling sites (poker, sportsbook, etc) Once setup by a user, they have direct connections to bank accounts and credit cards and can charge against those accounts with no further identification than the account password.
Which is sent cleartext via email upon request.
Re:Plaintext passwords? (Score:5, Informative)
Re:Plaintext passwords? (Score:5, Insightful)
Uhm..what?! You don't store passwords in plain text, full stop. One-time passwords, alright. Generate one based on your bank card, and give it to the operator. It can't be used again. But a regular password? No way.
Re:Plaintext passwords? (Score:4, Funny)
What are you supposed to do, SHA-1 hash it in your head before reciting the hex digits over the phone to the operator?
Re: (Score:3, Insightful)
How about, have the operator type in the password as it's spoken? You'd have to have spellcheck in place each time it's entered, and maybe remove punctuation to ensure consistency, but there's no reason to display the password to a human operator.
Re:Plaintext passwords? (Score:5, Funny)
Re: (Score:3, Informative)
Re:Plaintext passwords? (Score:5, Insightful)
If the operator ever needs me to prove my identity, I am asked to provide eg the 4th & 5th character, not the whole thing. Sounds like Lloyds needs to update their security procedures!
My bank als asks me for two letters from my password, and my bank is Lloyds!
How do you know for sure that your bank's operator can't see the full password when they're asking you for two letters?
It's still retarded security (Score:5, Interesting)
So basically every single operator they've ever employed, can find or just remember your username _and_ password if they want to. And who's to stop them from calling after hours and pretending to be you?
And you don't see the problem yet?
How about: when you tell that guy your password, he types it on the computer, which compares it to a hashed (and salted, please!) value in the database. There we go. It wasn't that hard, was it?
Of course, now when you talk to an operator, you tell them your password. So now we're back to problem 1, albeit with less people having access to it.
So, better yet, how about making you type it on the phone pad? Then their PBX can extract any such keypresses and send them directly to the computer. There is no need for the human operator to ever hear or read that sequence.
So basically, you can jolly well stop pretending that crap security is anything else. Yes, it may require some 5 minutes of thinking to solve those problems, but they _are_ solvable.
This kind of thinking inside the box (basically, "it's been done so before, so I guess we'll have to do the same"), and throwing your hands up in defeat each time it requires more thought than applying verbatim what you already know, is the real problem with security nowadays. Most people don't even bother trying to think about what could go wrong, and how (if at all) it's preventable.
Re:It's still retarded security (Score:5, Funny)
And who's to stop them from calling after hours and pretending to be you?
Perhaps the fact the call center would be closed after hours?
Re:It's still retarded security (Score:5, Interesting)
I worked for a Staples Call Center for awhile. One night I took an order from some guy. At the end I asked for his credit card number, name on the card, and the billing address. He hesitated on the last question, and stated, "But if I give you all that information, there's nothing to stop you from making an order using my credit card." I had no idea how to respond to this. Yes, you are giving me all the info I need to make a purchase via credit card, because that is what you are doing. So, I really don't see this password thing as a problem. If money disappears from a customer's account, those employees will the the first suspects. They are all probably smart enough to realise this and won't be stealing the information. I, and hundreds of other employees, could have walked out of the Call Center with hundreds of people's credit card info every day.
That's still a rather fragile assumption (Score:4, Insightful)
That seems to me like a very fragile assumption.
Yes, you'd think that most people are smart enough to not do stuff where they could end up in jail, but about 1% of the population of the USA _is_ currently in jail. You'd think that most people are sane enough, but 0.4 to 0.6 of the population are schizophrenic. You'd think that most people are nice enough to their fellow human, but about 1 in 30 qualifies as sociopath, and 1 in 100 as outright complete psychopath.
You don't take those precautions against most of those call centre employees which are honest, sane, smart and nice, like you were. You take them against the schizophrenic dude who'll sell that data because the ghosts threatened to suck his soul through his nose if he doesn't. You take them against the disgruntled sociopathic admin who wants to go out with a bang. (See for example the recent news about the guy who locked a city administration out of their computers.) You take them against the idiot who'll sell an old computer on EBay without first erasing the database files or backups off it. (See the recent story.) You take them against the irresponsible (if well meaning) insurance/investment/etc salesman, who'll copy the whole damn customer database on his laptop so he can show a snappy chart to a potential customer. You take them against the idiot rent-a-coder who'll zip your whole database and post it on the web, when asking for help with some trivial formatting problem. (Yes, one dude did exactly that. Twice.) You take them against the irresponsible boss who'll copy that whole damn database on an USB stick, and give it to some programming contractor so he doesn't have to work on-site. And then said contractor loses the stick. (See the recent leak in the UK.) You take them against the irresponsible "tech savvy" guy, who'll open an insecure tunnel right through your firewall, so he can work from home, and thinks that nobody will guess the port. Etc.
It's not just you call centre guys who can see those plaintext passwords, you know. There's a whole lot of people who might end up seeing that data, some of which you'd never even think about off the top of your head. E.g., that eastern european janitor who was emptying the dustbins while you were looking up someone's plaintext password.
Security is about trying to prevent as many of those as you realistically can. Just because you call-centre guys get to hear the password as plaintext, is no reason why everyone in IT or with enough clue to run an SQL query should also be able to get to them.
Re:That's still a rather fragile assumption (Score:5, Interesting)
Fragile assumptions are the building blocks of society.
Re: (Score:3, Insightful)
Last year, there was only one case where one of those transactions was from a stolen credit card number.
That you know of.
There could be literally hundreds of undetected and/or unreported cases.
Re: (Score:3, Interesting)
i've canceled membership in forums and other sites because they sent my PW in plain text. Followed by a nastygram sent to their "Contact Us" or "Help" link. It's inexcusable for PW to ever be in plain text, particularly on the side of the people hosting the service.
Re:It's still retarded security (Score:5, Funny)
Better yet, read your public key to the teller, who then generates some random data, encrypts it with your public key and the bank's private key, then reads out both the cipher text and their public key over the phone to you. You then decrypt the data, and re-encrypt it with their public key plus your private key, and read the cipher text back to them, over the phone.
Of course, you'd want to call them first thing in the morning, so you can finish the transaction before close of business.
For efficiency, you can both keep a copy of each other's public keys after the first transaction, but you'll then need to read the contents of your respective revocation lists to each other, to make sure they're still valid.
Re: (Score:3, Insightful)
How about: when you tell that guy your password, he types it on the computer, which compares it to a hashed (and salted, please!) value in the database. There we go. It wasn't that hard, was it?
Let's just see how well that will work, shall we?
Operator: Can I get your password, please?
Custormer: Sure. Lloyds is pants.
O: Is that Sure, Llyods is pants, or just Lloyds is pants?
C: Just Lloyds is pants.
O: I am sorry, that is not working. Did you capitalize all of Lloyds, or just the first letter?
C: *I* didn't capitalize anything. My password is Lloyds is pants, just like I said.
O: I am sorry, sir, that password is not working.
C: Did you guys change my password on me again? I swear, every time I talk to
Re: (Score:3, Interesting)
even then it should never be in plaintext.
hash it, the operator asks for the pass, types it in, it's checked against the hash and if it matches it's correct.
People reuse passwords too much for this to be safe .
Re:Plaintext passwords? (Score:5, Funny)
RTFA, its a phone banking password
So, unless I misread TFA, we now know that Mr. Steve Jetley from Shrewsbury has a phone banking account with Lloyds, and is unable to change his password to anything else than "no it's not". Mr Jetley said he was still trying to find a suitable password which met the conditions.
Excuse me, I have to make a phone call...
Legal Problems (Score:3, Insightful)
Re:Legal Problems (Score:5, Interesting)
I just love the hypersensitivity out there. I was on a project years ago where there were duplicate records on companies. One fellow that I worked with wrote a drag and drop application to eliminate duplicates. The user would drag the "good" record over an icon for the good company record and drag the "bad" record over the icon for the bad company record. The good company icon was a building in white with a halo over it and the bad company icon was a building in red with horns. I told him that someone with no sense of humor is going to tell him to change the icons. Sure enough, he was told to change the icons so as to not potentially offend someone's religious faith.
Clarifying for Americans (Score:5, Informative)
It is also slang for rubbish (that's "crap" for Americans.)
This doesn't speak well for the state of British underwear, but whatever.
Re: (Score:3, Funny)
Re: (Score:3, Informative)
rubbish.
when abbreviating, a=b*c/4 is "a is b by c over 4", which is perfectly legible.
repeating "by" for two separate meanings would be stupid.
also, "often shorten words to the right" ? can you provide another example? "multiply by" is not a word.
Re:Clarifying for Americans (Score:5, Funny)
Does anyone else find it quaint when yanks try to comment on the English language?
They always manage something that is nearly completely wrong, but right enough to see where they were going before they were distracted by something to eat or a TV.
Re:Clarifying for Americans (Score:5, Funny)
Wow, so basically your world view is that there are people from the UK and there are people from the US and no-one else exists?
I guess that's almost better than the average American's grasp of geography.
Re:Clarifying for Americans (Score:5, Insightful)
American here. No, that is not anywhere NEAR the average American's grasp of geography. You're giving them far, far too much credit. Most of my countrymen below the age of about 30 have no clue about anything other than the area of the US they live in, and some vague notion of Africa being poor, and Iraq being "over there". They can't even pick out all the states, much less find Iraq on a map. They *might* be able to pick out the continent of Africa, but they'd probably be looking for a single country instead.
Our public school system has turned an entire generation into morons, who think being wrong is ok as long as they feel good about themselves.
Re: (Score:3, Insightful)
Who are you kidding? You just fucked up somebody else's language. It's turtles all the way down.
Ok, and... (Score:5, Funny)
I read the article and it only reports half the story.
Sure he tells us all about his password and what he is using. But what was his account name?
I once had a funny incident with some website. (Score:5, Funny)
Him "Ok give us your information."
Me: I gave him my information.
Him"You want your password now?"
Me:"Yes please."
Him,"Biteme."
Me:"What?"
Him,"Biteme is your password."
Me,"Oh... Thanks..."
I made a mental note,"Do not make passwords that will embarrass me if I have to call in the phone"
Re: (Score:3, Funny)
Re: (Score:3, Funny)
You want to get rickrolled when you have to call in and have your password changed? I'd much rather be told how nice I look today or that the kind phone attendant would like to do something with me that's considered impolite on a public forum.
Most unfortunately, I haven't found a good way to set conditionals in password reset utilities that will prompt a vastly different response from a female assistant than a male. As such, avoid calling from a speakerphone, or you could end up having a very, very intere
Re: (Score:3, Funny)
Or set it to "wannafuck" and hope the one on the other end sounds like a hot member of the opposite sex.
A bit risky plan though.
I'm more disturbed by the fact... (Score:3, Interesting)
...that neither the submitter nor the editor (samzenpus) are able to spell the word 'Lloyds', despite it appearing a number of times in the original article.
Let's petition CmdrTaco to banish samzenpus to Idle, where his delusions of adequacy will better fit in.
Re:I'm more disturbed by the fact... (Score:5, Funny)
Let's petition CmdrTaco to banish samzenpus to Idle, where his delusions of adequacy will better fit in.
Let us start tagging idleispants.
plaintext passwords (Score:3, Informative)
Your complete credit card details including 3 digit security code on the back.
Your complete address, maiden name, old addresses etc etc.
They use all of this info to verify who you are before they tell you anything about your account, so you ring up and say "Can I see my balance", and they ask for random bits of the stored info.
You just have to hope that they aren't dodgy employees as they could quite easily steal it all if they wanted.
Re:plaintext passwords (Score:5, Insightful)
Or back it up into unencrypted ISO images on their hard drive then sell their laptop on ebay, which seems to be standard practice at UK banks, Inland Revenue and other organizations which deal with such personal information.
Re:plaintext passwords (Score:5, Interesting)
What hacks me off the most is that where I work (defence contractor) we have to have baseline encryption on our entire laptop drives and a second encrypted area for the more sensitive stuff. USB drives have to be encrypted as well, and PDA type (so ipod's phones etc) devices can't connect unless you are in the priviledged few who need to share data with external agencies or with our test systems.
(My personal laptop (the one I'm typing this on) I've got my own encrypted linux filesystem on, only the windows bit isn't encrypted and bar photoediting its not used much)
Why if we have to jump through various hoops or lose our supplier status can't the UK government departments and contractors working directly on their behalf do the same? (And ditto for banks.)
Everyone involved with handling personal data needs to look into data minimization and data protection (integrity, access control, non-repudation, auditing, the whole shooting match), and any company found not doing so should be banned from handling personal data ever again. Government departments are harder to control (after all the MPs won't vote in a law which would neuter the IRS ;) ) - so make the law such that the minister and the civil servant in charge of the affected department face a 1 month jail sentance for every 100 records lost, loss of pension rights, barred from being company directors etc...
Passwords are awful for security (Score:5, Interesting)
Everybody knows passwords. We're all used to them. But they suck rather miserably for real security. They are a vast improvement over nothing at all, but they just aren't good enough, anymore.
All it takes is one leak of your password, and you're hung. Worse, you don't know that you're hung. You can't let somebody else use your password. Ever. You can't ask a family member to enter it in for you while you're on the road while they look up your bank balance on the way to the airport without disclosing your password.
And lots of people can see your password. Techies. Poorly-paid tech support people in India. System administrators. Clerks, counters, janitors, and people who dig up your stuff out of the pile of computer hardware behind XYZ large firm.
Passwords are a terrible, terrible idea for security, and have left the social environment highly vulnerable to vast compromises.
On the other hand, dual-key cryptography is rather good for security.
It doesn't matter who sees the key exchange. If somebody else gets your public key, it doesn't weaken the strength of your private key. Nobody else can see your private key. You don't need to disclose your private key to anyone to use it.
Personally, I'd like to see a password-key machine. Basically, a weak form of dual-key cryptography (at least as effective as a password) stored in a small doohickey. It has your private key. Rather than type in a password, you are given a set of characters that you need to encrypt with your doohickey. You type the characters into your doohickey, and indicate which private key you want to use. (since it's private, you really only need one)
You enter in the passphrase for your private key. You enter the response back into your website, whatever.
Weaknesses? Not many.
1) You can lose your doohickey. At which point you need to get another one, regenerate a private key, and hand out new public keys to everybody. But even with the doohickey, $RandomBadGuy can't do much without the passphrase. Which is not a "password" in the usual sense because it's only stored there, in the doohickey and cannot be seen by anybody else.
2) You can use your doohickey thru the phone. Your son-in-law is checking your bank balance for you, and you want him to - this time. He sees the challenge, and tells it to you. You enter challenge into doohickey, give him the response, and he types it in. That gives him nothing more than a login that time, because next time, the challenge will be different, and without doohickey, he can't do anything more.
3) Nobody else sees your private key. It's yours. It's private. Websites and such will have your public key, but it won't help them any since they don't have the private key that matches.
Doohickey doesn't have to be much - it could easily fit into a cell phone. Processing a small, 32-bit key isn't difficult, and the challenges don't have to be very long to well exceed the security of your average password. (EG: Wife's middle name, the street you were born on, etc)
I know of someone who can help (Score:5, Interesting)
Mr. Yorkshire Bank Plc Are Fascist Bastards was able to get a judge to order Yorkshire Bank to issue him a cheque payable to his full name.
Important message to Lloyds customers (Score:5, Funny)
My Dearly Beloved Lloyds customers.
I encourage you all to change your passwords to Lloyds is pants in protest at this stupid bank's actions.
Thank you sincerely for your cooperation.
Mrs Mariam Abacha, Lagos, Nigeria
Six letters? Bollox. (Score:3, Interesting)
"The rules seemed to change, and they told me it had to be one word, so I tried 'censorship', but they didn't like that, and then said it had to be no more than six letters long."
I would have then asked for it to be changed to bollox and then proceeded with increasingly vulgar suggestions. Fanny would be a good choice.
New password (Score:3, Insightful)
fun with passwords (Score:5, Funny)
Until a few months ago, I did some helpdesk work at a web hosting provider. When a customer calls in, we are required to make them verify that they are the account holder by telling us either the last four digits of their credit card or their hosting account password (which they specify when they're signing up for service).
One day, a new customer calls in and says he's having some trouble setting up DNS and would like some advice. He's maybe in his late teens or early twenties He gives me the account number. I notice that he makes his payments via PayPal. When I see his password, I hit mute on the phone and giggle for a few seconds. After my composure is somewhat regained, I unmute and ask him to verify his account password for security purposes.
You could almost hear him tense up. When he starts stuttering, I was sure he never stopped to consider that he might have someone
"Ummm, uh, it's fuckyou2dickhead."
I helped him through his DNS questions as politely as possible and we got along pretty well. Before hanging up, he asked if there was a way he could change his password online. I said yes, through our monitoring and billing system.
He gave a huge sigh of relief.
SL did that to me (Score:4, Informative)
Linden did that to me with my Seconf Life account, after a crack of their server in 2006 IIRC. They told customers to answer a few questions about who their friends were etc to get their passwords back. I had been there only a few days and I didn't know how to spell my friends' names. Thanks to their crappy customer service I never could log back in. Luckily I didn't have a paid account. I was pretty angry at them, and rightly so I believe. It's very inconsiderate to change customer's passwords without their consent. They did it to protect their customers and I understand that, but I guess I was not the only one who was forced to make a new account.
No changes for me, thanks. (Score:5, Insightful)
The change would be funny from a small company that you do some business with, but NOT FROM A BANK. Any sign of employee impropriety with sensitive information that your life savings depends on, is downright scary. And losing money might be the best outcome... A couple suspicious transactions is all it would take to raise a red-flag, and automatically trigger a police investigation for possible (drug/weapons/terrorist) money laundering.
I want nothing but monotonous, joyless, boring bastards handling all aspects of my bank account. In fact, computers would fit the bill perfectly.
Next time.. (Score:3, Funny)
..try "Lloyds ist toten hosen"
They probably won't change that one.
Plain text password necessary? (Score:4, Interesting)
My bank asks me the jth and kth letters of my password and never (and corresponds regularly to tell me so) asks for my complete password. Whilst this suggests they they do have the plain text stored on their system, could one devise a system that encrypted each letter of the password in some way that did not compromise the security of the stored hashes any more than the original hash?
Assuming a "strong" 8 letter password and two letters for verification it means that there is a 1 in 676 chance of a client guessing correctly in a single operator/client session. Not an unreasonable risk given the securiity that could be built into the session to avoid brute strength attacks.
I am having a bit of a think about it and I can think of a couple of techniques, but I am not sure that they are worthwhile. For example;
Just store the all the encrypted pairs (NC2) where N is password length, assuming 8 characters, only 28 combinations. Can these be stored without compromising the crackability of the whole password? I guess it would but by how much is a bit beyond my thumbnail calculating ability. Or;
Can we build a sufficiently strong transposition cypher so that we can compare specific letter positions encrypted without knowledge of the other letters?
My other bank uses SMS messages with one time codes to do verification. That seems to be very effective.
Umm - it starts earlier than that.. (Score:4, Insightful)
The first question you should ask is how a rep can change a customer password without his permission and knowledge. All you need is one with criminal connections and he'd be able to start messing with accounts for a while. Do this for a month, hit a couple of big ones at the end and disappear.
If I were the customer I'd go after the bank re. diligence failure. I couldn't care less about the pettiness (as ex Lloyds customer I agree 100% with the sentiment expressed), but I would raise serious questions about the processes involved, from HR to account management.
If I were the customer I would now insist on choosing a new password (as the entire planet knows the old one) and I think something like "You are all complete morons" would be suitable:
"What is yous password, Sir?" :-)
"You are all complete morons"
"That is correct, Sir, thank you"
wrong tree (Score:3, Insightful)
"funny or not" isn't the right question to ask here.
The right question is: "Why was customer service able to access his plain text password?" - when every book about security tells you to store passwords hashed. They should never even know what his password actually is.
Re: (Score:3, Informative)
RTFA. VOICE password. The person answering the phone for the bank needs to be able to see it to verify the caller is indeed the account holder.
Acceptable (Score:3, Insightful)
.
Two additional things are not acceptable:
what isn't acceptable is (Score:3)
Re:How did they even know his password to begin wi (Score:4, Informative)
From TFA:
A man who chose "Lloyds is pants" as his telephone banking password said he found it had been changed by a member of staff to "no it's not"
They can't store that clear text if they want to verify it.
Re: (Score:3, Insightful)
You do if it's a telephone banking password
Re:How did they even know his password to begin wi (Score:4, Insightful)
Re: (Score:3, Interesting)
Your banking auth code isn't necessarily stored as plaintext in the DB. Amazon has my credit card number stored, and I'll be damned if it's in there as 3723-7... I mean, yeah. Anyways, it's in there via a 2-way encryption algorithm - functionally identical to how SSL works, even if the methods involved are completely different.
Now of course I have no way of knowing if they store the phone-in verification codes in some sort of encrypted form, but just because someone at the bank can read it doesn't mean it
Re:My Password (Score:5, Funny)
Re:My Password (Score:5, Funny)
"I hope my cookies never expire."
That should be on a Tee-Shirt.
-FL
abscissa here (Score:3, Funny)
Who changed my password?
Re: (Score:3, Funny)
Re:What the hell? (Score:4, Insightful)
Re:Lloyds, not "'Llyods" (Score:5, Informative)
The headline; "Changing Customers Password Without Consent" needs a possessive apostrophe ("Customer's") and in the text:
"a sense of humour rears it's ugly head" should NOT have an apostrophe.
Slashdot "editors"? Where can I get a job like that you can do blind drunk while playing video games?