Changing Customers Password Without Consent

risinganger writes "BBC News is reporting that a customer had his password changed without his knowledge. After some less than satisfactory service the customer in question changed his password to 'Llyods is pants.' At some point after that, a member of staff changed the password to 'no it's not.' Requests to change it back to 'Llyods is pants,' 'Barclays is better,' or 'censorship' were met with refusal. Personally I found the original change funny, like the customer did. After all, god forbid a sense of humour rears its ugly head in business. What isn't acceptable is the refusal to change it per the customer's requests after that."

Plaintext passwords?

What worries me more is that they are storing the passwords in plaintext.

Re:Plaintext passwords?

And I thought I had a shot at getting this in first...

Maybe he should make his new password "Lloyds security is pants"

Re:Plaintext passwords?

It's a voice password. It is the employee on the phone that has to enter and verify the voice password. It is probably not being stored in plain text and it is entirely appropriate, and indeed required, that the administrative interface view the voice password as entered by other employees.

The only concern here is that an employee changed the voice password without authorization. Anytime an employee changes a password there should be records of the interaction. Call logs, voice logs, notes, etc.

Now in this case, the choice of the password might be deemed offensive. However, it seems that there was no clear and consistent policy enforced as to what a voice password could be.

Re:Plaintext passwords?

I think you missed my point. There were no call logs, voice logs, notes, that identified an interaction with the customer when the voice password was changed.

The fact they know which employee modified the password means that anytime customer information is changed they log which employee was responsible for it. That's good policy.

So since the voice password was changed, and there are no records of the customer calling in and asking for it, the employee was disciplined.

I thought that was clear from my post.

Re:Plaintext passwords?

From the article it sounds like a voice code phrase to authenticate yourself over the phone. They staff has to be able to see it to verify it. It isn't a computer password.

Re:Plaintext passwords?

From the article it sounds like a voice code phrase to authenticate yourself over the phone. They staff has to be able to see it to verify it. It isn't a computer password.

"I am the systems administrator. My voice is my password. Verify me."

Re:Plaintext passwords?

Yes, my voice password is "billy'; drop tables;", type it in muppet!

Re:Plaintext passwords?

You act like they are storing important information in the DB... like it is a BANK or something.

Re:Plaintext passwords?

That was a bit silly. Now I can just ring the bank and say my name is "Anonymous Coward" and my password is "Cottage Rd". This means I can transfer all of your funds... didn't think of that did ya!

Re:Plaintext passwords?

Wait, what? When was the last time you typed your password hash into a website? That doesn't mean that your passwords are stored in plain text.

When you change or set your password into a well-programmed website, it hashes the password (hopefully with a one-way algorithm), and stores the hash. When you enter your password in the future, it hashes what you enter with the same algorithm originally used, and compares the hashes, to see if they are the same. If they are, then the password is the same, or you've managed a 1 in eleventy billion chance at picking an entry that has a hash collision with your password.

GP is assuming that the mentioned institution uses this sort of password protection system, and when the operator asks for your password, they type it in and click "Check Password", and wait for the program to say either "Password Correct" or "Password Incorrect". This would mean that the hashes are being compared.

Of course, this is not a given.

Re:Plaintext passwords?

I prehash all my passwords. That way only the hash of the hash is stored in their db. Its more secure that way.

Re:Plaintext passwords?

I've had more than one website email me my password if I hadn't logged in after a week or two. Because obviously I wasn't logging in due to having forgotten the same password I use at half the websites on the internet, rather than the site sucking. Suffice to say, I've deleted my accounts at all sites where that's occurred. I wouldn't be at all surprised to see several of them vulnerable to SQL injections and I'm sure all of them did nothing but flip the 'account_active' column bit, but I felt better for a few minutes at least.

Wordpress has a pretty good forgotten password system - it emails you a unique link (something like changepass.php?user=firehed&verify=asdf903jfo2i3jf) and you get your new password form. It's never revealed in plaintext. I hope more sites adopt something along those lines - seeing my password in plaintext anywhere always freaks me out a bit. Then again, I've seen it hashed as md5 and sha1 enough times that I could spot probably my account in a 'SELECT id, pass FROM users' result.

I'm still a bit curious as to how banks haven't yet found a better system for getting you your initial ATM PIN when you get a new card than simply sending it separately from the card. Shouldn't they have some automated dial-in where I punch in the auth code they send me and the last four from my SSN (or MMDD birthday, whatever) as a verification code? If someone is stealing your mail looking for a new card, it wouldn't be difficult for them to also grab that 'discreet' envelope with that starter PIN.

Security is really quite pathetic these days. No wonder we keep hearing about millions of customer records being lost.

Clarifying for Americans

In the UK "pants" is the term used for underwear.
It is also slang for rubbish (that's "crap" for Americans.)

This doesn't speak well for the state of British underwear, but whatever.

Ok, and...

I read the article and it only reports half the story.

Sure he tells us all about his password and what he is using. But what was his account name?

I once had a funny incident with some website.

I called in and asked,"Can you give me my password?"
Him "Ok give us your information."
Me: I gave him my information.
Him"You want your password now?"
Me:"Yes please."
Him,"Biteme."
Me:"What?"
Him,"Biteme is your password."
Me,"Oh... Thanks..."

I made a mental note,"Do not make passwords that will embarrass me if I have to call in the phone"

I know of someone who can help

Mr. Yorkshire Bank Plc Are Fascist Bastards was able to get a judge to order Yorkshire Bank to issue him a cheque payable to his full name.

Important message to Lloyds customers

My Dearly Beloved Lloyds customers.

I encourage you all to change your passwords to Lloyds is pants in protest at this stupid bank's actions.

Thank you sincerely for your cooperation.

Mrs Mariam Abacha, Lagos, Nigeria

fun with passwords

Until a few months ago, I did some helpdesk work at a web hosting provider. When a customer calls in, we are required to make them verify that they are the account holder by telling us either the last four digits of their credit card or their hosting account password (which they specify when they're signing up for service).

One day, a new customer calls in and says he's having some trouble setting up DNS and would like some advice. He's maybe in his late teens or early twenties He gives me the account number. I notice that he makes his payments via PayPal. When I see his password, I hit mute on the phone and giggle for a few seconds. After my composure is somewhat regained, I unmute and ask him to verify his account password for security purposes.

You could almost hear him tense up. When he starts stuttering, I was sure he never stopped to consider that he might have someone

"Ummm, uh, it's fuckyou2dickhead."

I helped him through his DNS questions as politely as possible and we got along pretty well. Before hanging up, he asked if there was a way he could change his password online. I said yes, through our monitoring and billing system.

He gave a huge sigh of relief.

No changes for me, thanks.

Personally I found the original change funny, like the customer did.

The change would be funny from a small company that you do some business with, but NOT FROM A BANK. Any sign of employee impropriety with sensitive information that your life savings depends on, is downright scary. And losing money might be the best outcome... A couple suspicious transactions is all it would take to raise a red-flag, and automatically trigger a police investigation for possible (drug/weapons/terrorist) money laundering.

I want nothing but monotonous, joyless, boring bastards handling all aspects of my bank account. In fact, computers would fit the bill perfectly.

Re:My Password

My password is the middle step in any profit plan. Now I can't remember what it is. I hope my cookies never expire.

Re:My Password

"I hope my cookies never expire."

That should be on a Tee-Shirt.

-FL

Re:Legal Problems

I just love the hypersensitivity out there. I was on a project years ago where there were duplicate records on companies. One fellow that I worked with wrote a drag and drop application to eliminate duplicates. The user would drag the "good" record over an icon for the good company record and drag the "bad" record over the icon for the bad company record. The good company icon was a building in white with a halo over it and the bad company icon was a building in red with horns. I told him that someone with no sense of humor is going to tell him to change the icons. Sure enough, he was told to change the icons so as to not potentially offend someone's religious faith.

Re:plaintext passwords

You just have to hope that they aren't dodgy employees as they could quite easily steal it all if they wanted.

Or back it up into unencrypted ISO images on their hard drive then sell their laptop on ebay, which seems to be standard practice at UK banks, Inland Revenue and other organizations which deal with such personal information.

Passwords are awful for security

Everybody knows passwords. We're all used to them. But they suck rather miserably for real security. They are a vast improvement over nothing at all, but they just aren't good enough, anymore.

All it takes is one leak of your password, and you're hung. Worse, you don't know that you're hung. You can't let somebody else use your password. Ever. You can't ask a family member to enter it in for you while you're on the road while they look up your bank balance on the way to the airport without disclosing your password.

And lots of people can see your password. Techies. Poorly-paid tech support people in India. System administrators. Clerks, counters, janitors, and people who dig up your stuff out of the pile of computer hardware behind XYZ large firm.

Passwords are a terrible, terrible idea for security, and have left the social environment highly vulnerable to vast compromises.

On the other hand, dual-key cryptography is rather good for security.

It doesn't matter who sees the key exchange. If somebody else gets your public key, it doesn't weaken the strength of your private key. Nobody else can see your private key. You don't need to disclose your private key to anyone to use it.

Personally, I'd like to see a password-key machine. Basically, a weak form of dual-key cryptography (at least as effective as a password) stored in a small doohickey. It has your private key. Rather than type in a password, you are given a set of characters that you need to encrypt with your doohickey. You type the characters into your doohickey, and indicate which private key you want to use. (since it's private, you really only need one)

You enter in the passphrase for your private key. You enter the response back into your website, whatever.

Weaknesses? Not many.

1) You can lose your doohickey. At which point you need to get another one, regenerate a private key, and hand out new public keys to everybody. But even with the doohickey, $RandomBadGuy can't do much without the passphrase. Which is not a "password" in the usual sense because it's only stored there, in the doohickey and cannot be seen by anybody else.

2) You can use your doohickey thru the phone. Your son-in-law is checking your bank balance for you, and you want him to - this time. He sees the challenge, and tells it to you. You enter challenge into doohickey, give him the response, and he types it in. That gives him nothing more than a login that time, because next time, the challenge will be different, and without doohickey, he can't do anything more.

3) Nobody else sees your private key. It's yours. It's private. Websites and such will have your public key, but it won't help them any since they don't have the private key that matches.

Doohickey doesn't have to be much - it could easily fit into a cell phone. Processing a small, 32-bit key isn't difficult, and the challenges don't have to be very long to well exceed the security of your average password. (EG: Wife's middle name, the street you were born on, etc)

Re:I'm more disturbed by the fact...

Let's petition CmdrTaco to banish samzenpus to Idle, where his delusions of adequacy will better fit in.

Let us start tagging idleispants.