Changing Customer's Password Without Consent
risinganger writes "BBC News is reporting that a customer had his password changed without his knowledge. After some less than satisfactory service the customer in question changed his password to 'Lloyds is pants.' At some point after that, a member of staff changed the password to 'no it's not.' Requests to change it back to 'Lloyds is pants,' 'Barclays is better,' or 'censorship' were met with refusal. Personally I found the original change funny, like the customer did. After all, god forbid a sense of humour rears its ugly head in business. What isn't acceptable is the refusal to change it per the customer's requests after that."
From TFA:
A man who chose "Lloyds is pants" as his telephone banking password said he found it had been changed by a member of staff to "no it's not"
They can't store that clear text if they want to verify it.
Me failed English...
FreeBSD over Linux. If my comments seem odd, this may explain...
From the article it sounds like a voice code phrase to authenticate yourself over the phone. The staff has to be able to see it to verify it. It isn't a computer password.
Learning HOW to think is more important than learning WHAT to think.
In the UK "pants" is the term used for underwear.
It is also slang for rubbish (that's "crap" for Americans.)
This doesn't speak well for the state of British underwear, but whatever.
Prisencolinensinainciusol. Ol Rait!
My bank has a password to verbally verify over the phone. It's the street I grew up on, so I just say Cottage Rd. But seriously, I have to say my street name every time, and I assume the operator is looking at it to verify. I doubt they're going to type it in and verify the hashes.
for people questioning why the bank has your password in plaintext, this is because in the UK they have ALL your info in plain text.
Your complete credit card details including 3 digit security code on the back.
Your complete address, maiden name, old addresses etc etc.
They use all of this info to verify who you are before they tell you anything about your account, so you ring up and say "Can I see my balance", and they ask for random bits of the stored info.
You just have to hope that they aren't dodgy employees as they could quite easily steal it all if they wanted.
Not only is it being stored in plaintext (or at least not as a one-way hash), but presumably it's also visible in the administrative interface to the site. Does <input type="password" /> not have any meaning in those parts?
How are sites slashdotted when nobody reads TFAs?
Wait, what? When was the last time you typed your password hash into a website? That doesn't mean that your passwords are stored in plain text.
When you change or set your password into a well-programmed website, it hashes the password (hopefully with a one-way algorithm), and stores the hash. When you enter your password in the future, it hashes what you enter with the same algorithm originally used, and compares the hashes, to see if they are the same. If they are, then the password is the same, or you've managed a 1 in eleventy billion chance at picking an entry that has a hash collision with your password.
GP is assuming that the mentioned institution uses this sort of password protection system, and when the operator asks for your password, they type it in and click "Check Password", and wait for the program to say either "Password Correct" or "Password Incorrect". This would mean that the hashes are being compared.
Of course, this is not a given.
Linden did that to me with my Second Life account, after a crack of their server in 2006 IIRC. They told customers to answer a few questions about who their friends were etc to get their passwords back. I had been there only a few days and I didn't know how to spell my friends' names. Thanks to their crappy customer service I never could log back in. Luckily I didn't have a paid account. I was pretty angry at them, and rightly so I believe. It's very inconsiderate to change customers' passwords without their consent. They did it to protect their customers and I understand that, but I guess I was not the only one who was forced to make a new account.
-- Cheers!
It's a voice password. It is the employee on the phone that has to enter and verify the voice password. It is probably not being stored in plain text and it is entirely appropriate, and indeed required, that the administrative interface view the voice password as entered by other employees.
The only concern here is that an employee changed the voice password without authorization. Anytime an employee changes a password there should be records of the interaction. Call logs, voice logs, notes, etc.
Now in this case, the choice of the password might be deemed offensive. However, it seems that there was no clear and consistent policy enforced as to what a voice password could be.
Telephone banking. Customer rings and gets asked "What's the 3rd letter of your password?". Usually you get asked for two randomly selected characters in your password, plus other details, such as random digits from a customer code which is chosen by the bank when telephone banking is set up for the customer.
God: An invisible friend for grown-ups.
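The two storage models argued over in this thread, put side by side as an added example (this is not code from the thread or from any bank): the web-style salted one-way digest of the whole password described a few comments up, next to a hypothetical per-position scheme that would let an operator check "the 3rd and 8th character" without seeing the passphrase. The function names, the per-position layout and the sample passphrase are my own assumptions; the iteration count is kept low so the last function runs quickly.

```python
"""Added example (not from the thread): whole-password hashing versus a
'give me the 3rd and 8th character' telephone challenge.
All records and the sample passphrase are constructed for illustration."""
import hashlib
import hmac
import os
import secrets
import string
from typing import Optional

ALGO = "sha256"
ITERATIONS = 2_000  # deliberately low so recover_from_partial_record() runs fast;
                    # real PBKDF2 deployments use far higher counts


def make_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Web-style storage: keep only a salted one-way digest of the whole password."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(ALGO, password.encode(), salt, ITERATIONS)
    return {"salt": salt, "digest": digest}


def verify_full(record: dict, attempt: str) -> bool:
    """Re-hash the attempt with the stored salt and compare in constant time."""
    cand = hashlib.pbkdf2_hmac(ALGO, attempt.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(cand, record["digest"])


def make_partial_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Hypothetical per-position storage: one digest per character, bound to its
    index, so an operator can check 'character 3 and 8' without seeing the text."""
    salt = os.urandom(16) if salt is None else salt
    digests = [
        hashlib.pbkdf2_hmac(ALGO, f"{i}:{ch}".encode(), salt, ITERATIONS)
        for i, ch in enumerate(password)
    ]
    return {"salt": salt, "positions": digests}


def choose_positions(length: int, k: int = 2) -> list:
    """Pick k distinct 1-based positions for the challenge, as a call script would."""
    return sorted(secrets.SystemRandom().sample(range(1, length + 1), k))


def verify_partial(record: dict, answers: dict) -> bool:
    """answers maps a 1-based position to the character the caller gave."""
    ok = True
    for pos, ch in answers.items():
        idx = pos - 1
        if idx < 0 or idx >= len(record["positions"]):
            return False
        cand = hashlib.pbkdf2_hmac(ALGO, f"{idx}:{ch}".encode(), record["salt"], ITERATIONS)
        ok &= hmac.compare_digest(cand, record["positions"][idx])
    return ok


def recover_from_partial_record(record: dict, alphabet: str = string.ascii_lowercase + " ") -> str:
    """Why per-position digests are plaintext-equivalent: each position has only
    len(alphabet) candidates, so whoever holds the record gets the passphrase back
    with a handful of guesses per character. The whole-password digest offers no
    such shortcut; that is the trade-off a partial-character challenge forces."""
    recovered = []
    for idx, digest in enumerate(record["positions"]):
        for ch in alphabet:
            cand = hashlib.pbkdf2_hmac(ALGO, f"{idx}:{ch}".encode(), record["salt"], ITERATIONS)
            if hmac.compare_digest(cand, digest):
                recovered.append(ch)
                break
        else:
            recovered.append("?")  # character outside the alphabet tried
    return "".join(recovered)


if __name__ == "__main__":
    phrase = "lloyds is pants"  # constructed sample passphrase
    full = make_record(phrase)
    print(verify_full(full, phrase), verify_full(full, "no it's not"))
    partial = make_partial_record(phrase)
    print(choose_positions(len(phrase)))
    print(verify_partial(partial, {3: "o", 8: "i"}))
    print(recover_from_partial_record(partial))
```

The point of the last function is the design lesson, not a trick: once a system is built to answer "which character is in position 3?", the stored form is recoverable from the store itself, so the protections have to come from access control and change logging around the record rather than from the digest.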
Anytime an employee changes a password there should be records of the interaction. Call logs, voice logs, notes, etc.
What makes you think there wasn't? It's not as if they can't find the culprit due to a lack of logs; the article says they identified and fired them.
What's purple and commutes? An Abelian grape.
I don't know about this particular system, but I have dealt with phone systems that ask you for certain letters from your password (e.g. 2nd and 5th, 3rd and 8th, etc). I wouldn't be surprised if this was the same.
It's official. Most of you are morons.
I think you missed my point. There were no call logs, voice logs, notes, that identified an interaction with the customer when the voice password was changed.
The fact they know which employee modified the password means that anytime customer information is changed they log which employee was responsible for it. That's good policy.
So since the voice password was changed, and there are no records of the customer calling in and asking for it, the employee was disciplined.
I thought that was clear from my post.
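The control the two comments above describe (every credential change should sit next to a logged customer interaction, and a change with none behind it is what gets an employee disciplined) as an added example; it is not code from the thread or from any bank, and the record layouts, field names, time window and the sample log entries are all constructed for illustration.

```python
"""Added example (not from the thread): reconcile credential-change records
with customer-interaction records so that a password changed with no call
behind it stands out. All log entries are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class CredentialChange:
    customer: str   # customer reference
    employee: str   # staff id recorded by the system that applied the change
    at: datetime


@dataclass(frozen=True)
class Interaction:
    customer: str
    employee: str
    at: datetime    # when the call or branch visit started
    channel: str
    note: str


def unexplained_changes(changes, interactions, window=timedelta(minutes=30)):
    """Return (change, reason) pairs for every change not backed by a logged
    interaction with the same customer that started at most `window` before it.
    A change backed only by another employee's interaction is reported too."""
    flagged = []
    for c in changes:
        same_customer = [
            i for i in interactions
            if i.customer == c.customer and timedelta(0) <= c.at - i.at <= window
        ]
        if not same_customer:
            flagged.append((c, "no customer interaction within window"))
        elif not any(i.employee == c.employee for i in same_customer):
            flagged.append((c, "interaction logged under a different employee"))
    return flagged


# constructed sample logs (dates and ids are made up)
T0 = datetime(2008, 7, 18, 10, 0)
CHANGES = [
    CredentialChange("C-1001", "E-17", T0 + timedelta(minutes=12)),  # customer rang and asked
    CredentialChange("C-2002", "E-42", T0 + timedelta(hours=3)),     # no call on record
    CredentialChange("C-3003", "E-42", T0 + timedelta(minutes=40)),  # call handled by E-17
]
INTERACTIONS = [
    Interaction("C-1001", "E-17", T0, "phone", "customer requested new voice password"),
    Interaction("C-3003", "E-17", T0 + timedelta(minutes=30), "phone", "balance enquiry"),
]


def sample_findings():
    return unexplained_changes(CHANGES, INTERACTIONS)


if __name__ == "__main__":
    for change, reason in sample_findings():
        print(f"{change.at:%Y-%m-%d %H:%M} {change.customer} by {change.employee}: {reason}")
```

Run over the constructed logs it reports the two changes that should be reviewed, and ignores the one that has a matching call. The employee id on the change record is what makes the second reason possible; it is the same piece of data the comment above credits the bank with keeping.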
Neteller does that as well. If you're not familiar with the company, they're primarily a third party "wallet" service to assist with withdrawals and deposits to online gambling sites (poker, sportsbook, etc). Once set up by a user, they have direct connections to bank accounts and credit cards and can charge against those accounts with no further identification than the account password.
Which is sent cleartext via email upon request.
Any sufficiently advanced technology is indistinguishable from a rigged demo.
RTFA, it's a phone banking password - as this is done via an operator, they are going to know the password anyway so it's displayed to them.
Control is an illusion, order our comforting lie. From chaos, through chaos, into chaos we fly
What, you mean like bank fees?
Most people in the UK do not pay bank fees as we have free banking - they would only pay charges in case of exceptional activity on the account (eg unauthorised overdraft, failed charge etc).
The headline; "Changing Customers Password Without Consent" needs a possessive apostrophe ("Customer's") and in the text:
"a sense of humour rears it's ugly head" should NOT have an apostrophe.
Slashdot "editors"? Where can I get a job like that you can do blind drunk while playing video games?
My bank's phone service makes me type in my passcode via the keypad. If the operator ever needs me to prove my identity, I am asked to provide eg the 4th & 5th character, not the whole thing. Sounds like Lloyds needs to update their security procedures! Passwords should never be exposed in any way (in full at least), that has to be the bottom line.
http://xkcd.com/327/ - One of my favourites
Or he lives somewhere other than the United Kingdom or Republic of Ireland, and has never travelled to either of those places.
Plc is somewhat analogous to GmbH or LLC elsewhere.
The Future of Human Evolution: Autonomy
RTFA. VOICE password. The person answering the phone for the bank needs to be able to see it to verify the caller is indeed the account holder.