Changing Customers Password Without Consent

risinganger writes "BBC News is reporting that a customer had his password changed without his knowledge. After some less than satisfactory service the customer in question changed his password to 'Llyods is pants.' At some point after that, a member of staff changed the password to 'no it's not.' Requests to change it back to 'Llyods is pants,' 'Barclays is better,' or 'censorship' were met with refusal. Personally I found the original change funny, like the customer did. After all, god forbid a sense of humour rears its ugly head in business. What isn't acceptable is the refusal to change it per the customer's requests after that."

Plaintext passwords?

[MiKM]

What worries me more is that they are storing the passwords in plaintext.

Re:Plaintext passwords?

[MrNaz]

Unless there is money being paid for accessing the systems

What, you mean like bank fees?

or there is an existing policy/agreement in place that says the system owners will not mess with passwords

What, you mean like the legislative requirement that banks give depositors access to their funds?

The people that own the systems have the right to do what they wish with them.

No, they don't. They doubly don't if it means banking customers' financial services are interrupted.

Does your phone company, who own the systems that your phone calls go through, have the right to let their operators listen in on your conversations and interject with witty remarks every now and then?

Re:Plaintext passwords?

[EvilIdler]

Uhm..what?! You don't store passwords in plain text, full stop. One-time passwords, alright. Generate one based on your bank card, and give it to the operator. It can't be used again. But a regular password? No way.

Re:Plaintext passwords?

[telchine]

If the operator ever needs me to prove my identity, I am asked to provide eg the 4th & 5th character, not the whole thing. Sounds like Lloyds needs to update their security procedures!

My bank als asks me for two letters from my password, and my bank is Lloyds!

How do you know for sure that your bank's operator can't see the full password when they're asking you for two letters?

Re:plaintext passwords

[jrumney]

You just have to hope that they aren't dodgy employees as they could quite easily steal it all if they wanted.

Or back it up into unencrypted ISO images on their hard drive then sell their laptop on ebay, which seems to be standard practice at UK banks, Inland Revenue and other organizations which deal with such personal information.

No changes for me, thanks.

[evilviper]

Personally I found the original change funny, like the customer did.

The change would be funny from a small company that you do some business with, but NOT FROM A BANK. Any sign of employee impropriety with sensitive information that your life savings depends on, is downright scary. And losing money might be the best outcome... A couple suspicious transactions is all it would take to raise a red-flag, and automatically trigger a police investigation for possible (drug/weapons/terrorist) money laundering.

I want nothing but monotonous, joyless, boring bastards handling all aspects of my bank account. In fact, computers would fit the bill perfectly.

Re:Clarifying for Americans

[fotbr]

American here. No, that is not anywhere NEAR the average American's grasp of geography. You're giving them far, far too much credit. Most of my countrymen below the age of about 30 have no clue about anything other than the area of the US they live in, and some vague notion of Africa being poor, and Iraq being "over there". They can't even pick out all the states, much less find Iraq on a map. They *might* be able to pick out the continent of Africa, but they'd probably be looking for a single country instead.

Our public school system has turned an entire generation into morons, who think being wrong is ok as long as they feel good about themselves.