Changing Customers Password Without Consent
risinganger writes "BBC News is reporting that a customer had his password changed without his knowledge. After some less than satisfactory service the customer in question changed his password to 'Lloyds is pants.' At some point after that, a member of staff changed the password to 'no it's not.' Requests to change it back to 'Lloyds is pants,' 'Barclays is better,' or 'censorship' were met with refusal. Personally I found the original change funny, like the customer did. After all, God forbid a sense of humour rears its ugly head in business. What isn't acceptable is the refusal to change it per the customer's requests after that."
What worries me more is that they are storing the passwords in plaintext.
Does UK law cover "sexual harassment"? Employers in the USA have to worry about defending themselves against claims of sexual harassment, which can be quite broadly construed, even when a customer is the source of the alleged harassment. Anything that someone, somewhere, finds offensive, can be evidence of a "hostile work environment".
My hovercraft is full of eels.
You do if it's a telephone banking password
Which is the same in Australia. If I ring telephone banking they ask me for my password, which they can plainly see (I know, because I forgot it once and they told me I was one character out as a gentle "reminder"). It does seem absurd that my Slashdot password is probably more secure than my banking "password". Note that the telephone banking password is different to my online banking password, which appears to be stored encrypted, as it should be (note that I cannot verify this as I do not work for a bank, but my anecdotal evidence confirms it).
Or back it up into unencrypted ISO images on their hard drive, then sell their laptop on eBay, which seems to be standard practice at UK banks, the Inland Revenue and other organisations which deal with such personal information.
New pass: "Gagged" It meets the no more than 6 letters condition.
The change would be funny from a small company that you do some business with, but NOT FROM A BANK. Any sign of employee impropriety with sensitive information that your life savings depend on is downright scary. And losing money might be the best outcome... A couple of suspicious transactions is all it would take to raise a red flag and automatically trigger a police investigation for possible (drug/weapons/terrorist) money laundering.
I want nothing but monotonous, joyless, boring bastards handling all aspects of my bank account. In fact, computers would fit the bill perfectly.
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
This isn't a "help desk" it's a telephone banking system. You call up the bank. and do your banking over the phone. That means -- yes! -- that the guy you're talking to has unfettered access to your account. That's the inevitable price you pay for convenience if you want to do your banking over the phone.
What's purple and commutes? An Abelian grape.
I don't get the person who moderated the parent posting; how on earth was that Trolling? Whoever moderated is off their rocker.
When I tell people about passwords I always tell them that they need to use a NEW password with each service in case the people at that web site/company look at the password and then use it in identity theft. This makes your privacy more secure. Just don't leave the password information out in the open...
The first question you should ask is how a rep can change a customer password without his permission and knowledge. All you need is one with criminal connections and he'd be able to start messing with accounts for a while. Do this for a month, hit a couple of big ones at the end and disappear.
If I were the customer I'd go after the bank re. diligence failure. I couldn't care less about the pettiness (as an ex-Lloyds customer I agree 100% with the sentiment expressed), but I would raise serious questions about the processes involved, from HR to account management.
If I were the customer I would now insist on choosing a new password (as the entire planet knows the old one) and I think something like "You are all complete morons" would be suitable:
"What is your password, Sir?" :-)
"You are all complete morons"
"That is correct, Sir, thank you"
"funny or not" isn't the right question to ask here.
The right question is: "Why was customer service able to access his plaintext password?" - when every book about security tells you to store passwords hashed. They should never even know what his password actually is.
Assorted stuff I do sometimes: Lemuria.org
Two additional things are not acceptable:
American here. No, that is not anywhere NEAR the average American's grasp of geography. You're giving them far, far too much credit. Most of my countrymen below the age of about 30 have no clue about anything other than the area of the US they live in, and some vague notion of Africa being poor, and Iraq being "over there". They can't even pick out all the states, much less find Iraq on a map. They *might* be able to pick out the continent of Africa, but they'd probably be looking for a single country instead.
Our public school system has turned an entire generation into morons, who think being wrong is ok as long as they feel good about themselves.
Who are you kidding? You just fucked up somebody else's language. It's turtles all the way down.
That seems to me like a very fragile assumption.
Yes, you'd think that most people are smart enough to not do stuff where they could end up in jail, but about 1% of the population of the USA _is_ currently in jail. You'd think that most people are sane enough, but 0.4 to 0.6 of the population are schizophrenic. You'd think that most people are nice enough to their fellow human, but about 1 in 30 qualifies as sociopath, and 1 in 100 as outright complete psychopath.
You don't take those precautions against most of those call centre employees who are honest, sane, smart and nice, like you were. You take them against the schizophrenic dude who'll sell that data because the ghosts threatened to suck his soul through his nose if he doesn't. You take them against the disgruntled sociopathic admin who wants to go out with a bang. (See for example the recent news about the guy who locked a city administration out of their computers.) You take them against the idiot who'll sell an old computer on eBay without first erasing the database files or backups off it. (See the recent story.) You take them against the irresponsible (if well meaning) insurance/investment/etc. salesman, who'll copy the whole damn customer database onto his laptop so he can show a snappy chart to a potential customer. You take them against the idiot rent-a-coder who'll zip your whole database and post it on the web, when asking for help with some trivial formatting problem. (Yes, one dude did exactly that. Twice.) You take them against the irresponsible boss who'll copy that whole damn database onto a USB stick, and give it to some programming contractor so he doesn't have to work on-site. And then said contractor loses the stick. (See the recent leak in the UK.) You take them against the irresponsible "tech savvy" guy, who'll open an insecure tunnel right through your firewall, so he can work from home, and thinks that nobody will guess the port. Etc.
It's not just you call centre guys who can see those plaintext passwords, you know. There's a whole lot of people who might end up seeing that data, some of whom you'd never even think about off the top of your head. E.g., that Eastern European janitor who was emptying the dustbins while you were looking up someone's plaintext password.
Security is about trying to prevent as many of those as you realistically can. Just because you call-centre guys get to hear the password as plaintext is no reason why everyone in IT or with enough clue to run an SQL query should also be able to get to them.
A polar bear is a cartesian bear after a coordinate transform.
You explained everything but the most important part. Why are pants offensive? I do not find pants to be offensive at all.
They don't grade fathers, but if your daughter's a stripper, you fucked up. --Chris Rock
How about: when you tell that guy your password, he types it on the computer, which compares it to a hashed (and salted, please!) value in the database. There we go. It wasn't that hard, was it?
Let's just see how well that will work, shall we?
Operator: Can I get your password, please?
Customer: Sure. Lloyds is pants.
O: Is that Sure, Lloyds is pants, or just Lloyds is pants?
C: Just Lloyds is pants.
O: I am sorry, that is not working. Did you capitalize all of Lloyds, or just the first letter?
C: *I* didn't capitalize anything. My password is Lloyds is pants, just like I said.
O: I am sorry, sir, that password is not working.
C: Did you guys change my password on me again? I swear, every time I talk to you, my password gets changed on me or someone screws up my password. The last time I called I spent a half hour on the phone before I realized that your stupid rep typed in p-a-n-c-e instead of p-a-n-t-s for my password.
O: P-a-n-t-s? There we go. Your password is working now. I am sorry for the inconvenience. Welcome to Lloyds. How can we handle your money for you today?
Great civilizations have lived and died on false theories. Don't mess up mine with a few facts.
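The suggestion a few posts up (the operator types what the caller says and the terminal compares it against a salted hash, so nobody at the bank ever sees or stores the phrase itself) and the spelling-and-capitalisation exchange just above can both be shown in a few lines. The following is an added example, not code from the original thread, from Lloyds or from any bank's telephone banking system; the PBKDF2 parameters and the "Lloyds is pants" sample phrase are constructed for the example. It goes one step beyond the post by normalising case and spacing before hashing, which is a design choice suited to a phrase that is read aloud over a telephone: it makes "LLOYDS is pants" match "Lloyds is pants" while a genuine typo such as "pance" still fails.

```python
import hashlib
import hmac
import os
import unicodedata

# PBKDF2-HMAC-SHA256 work factor and salt size: constructed choices for this example.
ITERATIONS = 600_000
SALT_BYTES = 16


def normalize_phrase(phrase: str) -> str:
    """Canonicalise a spoken pass-phrase before hashing.

    Telephone passwords are read aloud, so capitalisation and spacing are not
    reliably reproduced by the caller or the operator. Folding case and
    collapsing whitespace trades a little entropy for usability; a password
    typed into a web form would normally not be treated this way.
    """
    text = unicodedata.normalize("NFKC", phrase)
    return " ".join(text.casefold().split())


def set_password(phrase: str) -> dict:
    """Return the only thing the bank needs to keep: algorithm, salt and hash.

    The plaintext phrase is never part of the stored record, so a customer
    service rep (or anyone who can run a query against the table) cannot read it.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_phrase(phrase).encode("utf-8"), salt, ITERATIONS
    )
    return {
        "alg": "pbkdf2-sha256",
        "iter": ITERATIONS,
        "salt": salt.hex(),
        "hash": digest.hex(),
    }


def verify_password(record: dict, candidate: str) -> bool:
    """What the operator's terminal does: hash what the caller said and compare.

    hmac.compare_digest keeps the comparison constant-time so a wrong guess
    cannot be distinguished by how quickly it is rejected.
    """
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        normalize_phrase(candidate).encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iter"],
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def contains_plaintext(record: dict, phrase: str) -> bool:
    """Audit helper: does the stored record leak the phrase in any field?"""
    blob = " ".join(str(v) for v in record.values()).casefold()
    return normalize_phrase(phrase) in blob


if __name__ == "__main__":
    rec = set_password("Lloyds is pants")  # constructed sample phrase
    print(rec)
    print(verify_password(rec, "lloyds is pants"))  # True: case and spacing folded
    print(verify_password(rec, "Lloyds is pance"))  # False: a real typo still fails
    print(verify_password(rec, "no it's not"))      # False
    print(contains_plaintext(rec, "Lloyds is pants"))  # False: nothing to read over a shoulder
```

The record returned by `set_password` is what goes into the database; the phrase itself lives only in the caller's head and in the operator's keystrokes for the duration of the call. A rep who wants to "change" a customer's password can only overwrite the record, which is the kind of action an audit log should flag, and cannot look the old one up to mock it.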