Slashdot Mirror
Changing Customers Password Without Consent
risinganger writes "BBC News is reporting that a customer had his password changed without his knowledge. After some less than satisfactory service the customer in question changed his password to 'Llyods is pants.' At some point after that, a member of staff changed the password to 'no it's not.' Requests to change it back to 'Llyods is pants,' 'Barclays is better,' or 'censorship' were met with refusal. Personally I found the original change funny, like the customer did. After all, god forbid a sense of humour rears its ugly head in business. What isn't acceptable is the refusal to change it per the customer's requests after that."
From the article it sounds like a voice code phrase to authenticate yourself over the phone. They staff has to be able to see it to verify it. It isn't a computer password.
Learning HOW to think is more important than learning WHAT to think.
In the UK "pants" is the term used for underwear.
It is also slang for rubbish (that's "crap" for Americans.)
This doesn't speak well for the state of British underwear, but whatever.
Prisencolinensinainciusol. Ol Rait!
My bank has a password to verbally verify over the phone. It's the street I grew up on, so I just say Cottage Rd. But seriously, I have to say my street name every time, and I assume the operator is looking at it to verify. I doubt they're going to type it in an verify the hashes.
Wait, what? When was the last time you typed your password hash into a website? That doesn't mean that your passwords are stored in plain text.
When you change or set your password into a well-programmed website, it hashes the password (hopefully with a one-way algorithm), and stores the hash. When you enter your password in the future, it hashes what you enter with the same algorithm originally used, and compares the hashes, to see if they are the same. If they are, then the password is the same, or you've managed a 1 in eleventy billion chance at picking an entry that has a hash collision with your password.
GP is assuming that the mentioned institution uses this sort of password protection system, and when the operator asks for your password, they type it in and click "Check Password", and wait for the program to say either "Password Correct" or "Password Incorrect". This would mean that the hashes are being compared.
Of course, this is not a given.
It's a voice password. It is the employee on the phone that has to enter and verify the voice password. It is probably not being stored in plain text and it is entirely appropriate, and indeed required, that the administrative interface view the voice password as entered by other employees.
The only concern here is that an employee changed the voice password without authorization. Anytime an employee changes a password there should be records of the interaction. Call logs, voice logs, notes, etc.
Now in this case, the choice of the password might be deemed offensive. However, it seems that there was no clear and consistent policy enforced as to what a voice password could be.
I think you missed my point. There were no call logs, voice logs, notes, that identified an interaction with the customer when the voice password was changed.
The fact they know which employee modified the password means that anytime customer information is changed they log which employee was responsible for it. That's good policy.
So since the voice password was changed, and there are no records of the customer calling in and asking for it, the employee was disciplined.
I thought that was clear from my post.
RTFA, its a phone banking password - as this is done via a operator, they are going to know the password anyway so its displayed to them.
Control is an illusion, order our comforting lie. From chaos, through chaos, into chaos we fly
The headline; "Changing Customers Password Without Consent" needs a possessive apostrophe ("Customer's") and in the text:
"a sense of humour rears it's ugly head" should NOT have an apostrophe.
Slashdot "editors"? Where can I get a job like that you can do blind drunk while playing video games?