Changing Customer's Password Without Consent
risinganger writes "BBC News is reporting that a customer had his password changed without his knowledge. After some less than satisfactory service the customer in question changed his password to 'Llyods is pants.' At some point after that, a member of staff changed the password to 'no it's not.' Requests to change it back to 'Llyods is pants,' 'Barclays is better,' or 'censorship' were met with refusal. Personally I found the original change funny, like the customer did. After all, god forbid a sense of humour rears its ugly head in business. What isn't acceptable is the refusal to change it per the customer's requests after that."
And I thought I had a shot at getting this in first...
Maybe he should make his new password "Lloyds security is pants"
My password is the middle step in any profit plan. Now I can't remember what it is. I hope my cookies never expire.
UTF-8: There and Back Again
I read the article and it only reports half the story.
Sure he tells us all about his password and what he is using. But what was his account name?
Modding me -1 troll doesn't make me wrong.
I called in and asked, "Can you give me my password?"
Him: "Ok give us your information."
Me: I gave him my information.
Him: "You want your password now?"
Me: "Yes please."
Him: "Biteme."
Me: "What?"
Him: "Biteme is your password."
Me: "Oh... Thanks..."
I made a mental note: "Do not make passwords that will embarrass me if I have to call in on the phone."
God spoke to me.
That was a bit silly. Now I can just ring the bank and say my name is "Anonymous Coward" and my password is "Cottage Rd". This means I can transfer all of your funds... didn't think of that did ya!
You act like they are storing important information in the DB... like it is a BANK or something.
My Dearly Beloved Lloyds customers.
I encourage you all to change your passwords to Lloyds is pants in protest at this stupid bank's actions.
Thank you sincerely for your cooperation.
Mrs Mariam Abacha, Lagos, Nigeria
Yes, my voice password is "billy'; drop tables;", type it in muppet!
How we know is more important than what we know.
Who changed my password?
Heh, luckily I've never had problems. My password reminders (one which I use for my ISP, who use it to authenticate who I am), is usually something along the lines of...
Who the hell uses password reminders anyway, like come on, isn't there a better way?
So I need to say a line like this every time I talk to them, it often gets a bit of a laugh and provides the call with a little levity.
Let's petition CmdrTaco to banish samzenpus to Idle, where his delusions of adequacy will better fit in.
Let us start tagging idleispants.
Me lost me cookie at the disco.
Perhaps it really was Llyods, as in www.lloyds.ru, after all, they did have his password stored as plaintext.
Until a few months ago, I did some helpdesk work at a web hosting provider. When a customer calls in, we are required to make them verify that they are the account holder by telling us either the last four digits of their credit card or their hosting account password (which they specify when they're signing up for service).
One day, a new customer calls in and says he's having some trouble setting up DNS and would like some advice. He's maybe in his late teens or early twenties. He gives me the account number. I notice that he makes his payments via PayPal. When I see his password, I hit mute on the phone and giggle for a few seconds. After my composure is somewhat regained, I unmute and ask him to verify his account password for security purposes.
You could almost hear him tense up. When he starts stuttering, I was sure he never stopped to consider that he might have someone
"Ummm, uh, it's fuckyou2dickhead."
I helped him through his DNS questions as politely as possible and we got along pretty well. Before hanging up, he asked if there was a way he could change his password online. I said yes, through our monitoring and billing system.
He gave a huge sigh of relief.
That was a bit silly. Now I can just ring the bank and say my name is "Anonymous Coward" and my password is "Cottage Rd". This means I can transfer all of your funds... didn't think of that did ya!
Go ahead and try. My balance is negative, so you'll end up losing money.
"I hope my cookies never expire."
That should be on a Tee-Shirt.
-FL
I prehash all my passwords. That way only the hash of the hash is stored in their db. It's more secure that way.
I still have more fans than freaks. WTF is wrong with you people?
It's called "an off-site backup".
God: An invisible friend for grown-ups.
PIN number
Yes, a Personal Identification Number number. Is that long enough?
Don't get your knickers in a twist.
From the article it sounds like a voice code phrase to authenticate yourself over the phone. The staff has to be able to see it to verify it. It isn't a computer password.
"I am the systems administrator. My voice is my password. Verify me."
People replying to my sig annoy me. That's why I change it all the time.
..try "Lloyds ist toten hosen"
They probably won't change that one.
Does anyone else find it quaint when yanks try to comment on the English language?
They always manage something that is nearly completely wrong, but right enough to see where they were going before they were distracted by something to eat or a TV.
cmd-q.co.uk - some sort of stupid fucking internet bullshit
Now in this case, the choice of the password might be deemed offensive
When you think a 'plc.' can be offended you are anthropomorphizing abstract legal entities. Don't do that; they really hate it.
Yes, the best plan is for the staff to have a system, perhaps built by the staff, where the staff can verify the password but without the staff being aware of it. Staff should definitely ensure that staff cannot collude with staff to actually change the customer's password on their own! Customers aren't staff and it's just not right, whatever the staff get up to with staff, in the staff canteen or wherever else is strictly the business of the staff but when it comes to customers who aren't staff well then the staff should have ensured that rules were in place for the staff and being enforced by the staff so the staff couldn't get away with this behaviour with someone who isn't even staff.
Seriously. I love to explain jokes.
Lloyds is a plc.
Go search for anthropo and see what to offend means.
Now try to imagine an offended Plc.
And hand in your geek card.
Wow, so basically your world view is that there are people from the UK and there are people from the US and no-one else exists?
I guess that's almost better than the average American's grasp of geography.
How we know is more important than what we know.
And who's to stop them from calling after hours and pretending to be you?
Perhaps the fact the call center would be closed after hours?
Damnit, now I have to change the combination on my luggage!
No, No, No. "My voice is my passport verify me" :D
4c6c6f79642773206973207374696c6c2070616e7473.
Assume I was drunk when I posted this.
RTFA, it's a phone banking password
So, unless I misread TFA, we now know that Mr. Steve Jetley from Shrewsbury has a phone banking account with Lloyds, and is unable to change his password to anything else than "no it's not". Mr Jetley said he was still trying to find a suitable password which met the conditions.
Excuse me, I have to make a phone call...
Ah, arrogance and stupidity, all in the same package. How efficient of you. -- Londo Mollari
Not really, since 1234 is explicitly banned when creating a PIN number in the first place - so any thief attempting to use 1234 as a PIN number would have to be a complete moron.
You mean, on an ATM machine??
"You're not talking about shagging are you?"
No, he's talking about fucking - please try to keep up.
"As God is my witness, I thought turkeys could fly." A. Carlson
In the UK "pants" is the term used for underwear.
It is also slang for rubbish (that's "crap" for Americans.)
This doesn't speak well for the state of British underwear, but whatever.
I thought it was just their teeth that were brown, yellow and disgusting!
"I am the systems administrator. You shall have no gods before me"
Fixed that for you.
Who, me? BOFHish?
Does your phone company, who own the systems that your phone calls go through, have the right to let their operators listen in on your conversations and interject with witty remarks every now and then?
I live in the U.S. and am offended by the implications in your statement. Of course they have the right! How else would they find the terrorists?
Reading code is like reading the dictionary - you have to read half of it before you can go back and understand it.
Better yet, read your public key to the teller, who then generates some random data, encrypts it with your public key and the bank's private key, then reads out both the cipher text and their public key over the phone to you. You then decrypt the data, and re-encrypt it with their public key plus your private key, and read the cipher text back to them, over the phone.
Of course, you'd want to call them first thing in the morning, so you can finish the transaction before close of business.
For efficiency, you can both keep a copy of each other's public keys after the first transaction, but you'll then need to read the contents of your respective revocation lists to each other, to make sure they're still valid.
http://www.mhall119.com
Now that's a name that ranks right up there with PenIsland and ExpertsExchange.
What are you supposed to do, SHA-1 hash it in your head before reciting the hex digits over the phone to the operator?
I think you just failed the Turing Test.