Slashdot Mirror
Changing Customers Password Without Consent
risinganger writes "BBC News is reporting that a customer had his password changed without his knowledge. After some less than satisfactory service the customer in question changed his password to 'Llyods is pants.' At some point after that, a member of staff changed the password to 'no it's not.' Requests to change it back to 'Llyods is pants,' 'Barclays is better,' or 'censorship' were met with refusal. Personally I found the original change funny, like the customer did. After all, god forbid a sense of humour rears its ugly head in business. What isn't acceptable is the refusal to change it per the customer's requests after that."
What worries me more is that they are storing the passwords in plaintext.
Does UK law cover "sexual harassment"? Employers in the USA have to worry about defending themselves against claims of sexual harassment, which can be quite broadly construed, even when a customer is the source of the alleged harassment. Anything that someone, somewhere, finds offensive, can be evidence of a "hostile work environment".
Mea navis aericumbens anguillis abundat
From TFA:
A man who chose "Lloyds is pants" as his telephone banking password said he found it had been changed by a member of staff to "no it's not"
They can't store that clear text if they want to verify it.
Me failed English...
FreeBSD over Linux. If my comments seem odd, this may explain...
but that's just me
"Suppose you were an idiot...and suppose you were a member of Congress...but I repeat myself." Mark Twain
I apologize for the shortness of digital temper, I just quit smoking
I'm sorry to hear that your fingers are so testy. Maybe you could hold a pen between them?
Anywho, I'm thinking this is a voice challenge and response with the live telephone customer service agent. They'd pretty much have to have that in plaintext. Hopefully they also use a long PIN number that's stored as a hashed value.
My password is the middle step in any profit plan. Now I can't remember what it is. I hope my cookies never expire.
UTF-8: There and Back Again
Damn, that's the password on my luggage!
In the UK "pants" is the term used for underwear.
It is also slang for rubbish (that's "crap" for Americans.)
This doesn't speak well for the state of British underwear, but whatever.
Prisencolinensinainciusol. Ol Rait!
I read the article and it only reports half the story.
Sure he tells us all about his password and what he is using. But what was his account name?
Modding me -1 troll doesn't make me wrong.
You do if it's a telephone banking password
.
I called in and asked,"Can you give me my password?"
Him "Ok give us your information."
Me: I gave him my information.
Him"You want your password now?"
Me:"Yes please."
Him,"Biteme."
Me:"What?"
Him,"Biteme is your password."
Me,"Oh... Thanks..."
I made a mental note,"Do not make passwords that will embarrass me if I have to call in the phone"
God spoke to me.
Which is the same in Australia. If I ring telephone banking they ask me for my password, which they can plainly see (I know, because I forgot it once and they told me I was on character out as a gentle "reminder"). It does seem absurd that my slashdot password is probably more secure than my banking "password". Note that the telephone banking password is different to my online banking password, which appears to be stored encyrypted--as it should be (note that I connot verify this as I do not work for a bank, but my anecdotal evidence confirms it).
...that neither the submitter nor the editor (samzenpus) are able to spell the word 'Lloyds', despite it appearing a number of times in the original article.
Let's petition CmdrTaco to banish samzenpus to Idle, where his delusions of adequacy will better fit in.
Tubal-Cain smokes the white owl.
See my comment above. In Australia (at least) the banks "telephone banking password" is stored as plain text. I.e. the password is compared to the password, not the encypted-password compared to the encrypted-password. If I ring the bank, the operator can see my telephone banking password (which is obvious because they can hint at what it is, and even tell me if I answer other silly reminder questions).
for people questioning why the bank has your password in plaintext, this is because in the UK they have ALL your info in plain text.
Your complete credit card details including 3 digit security code on the back.
Your complete address, maiden name, old addresses etc etc.
They use all of this info to verify who you are before they tell you anything about your account, so you ring up and say "Can I see my balance", and they ask for random bits of the stored info.
You just have to hope that they aren't dodgy employees as they could quite easily steal it all if they wanted.
Mr. Yorkshire Bank Plc Are Fascist Bastards was able to get a judge to order Yorkshire Bank to issue him a cheque payable to his full name.
--
E_NOSIG
My Dearly Beloved Lloyds customers.
I encourage you all to change your passwords to Lloyds is pants in protest at this stupid bank's actions.
Thank you sincerely for your cooperation.
Mrs Mariam Abacha, Lagos, Nigeria
Who changed my password?
The customer does not own his password. As its purpose is to allow access to the services the company provides it is the property of the company. Of course changing it like that was a stupid and childish thing for an employee to do.
Heh, luckily I've never had problems. My password reminders (one which I use for my ISP, who use it to authenticate who I am), is usually something along the lines of...
Who the hell uses password reminders anyway, like come on, isn't there a better way?
So I need to say a line like this every time I talk to them, it often gets a bit of a laugh and provides the call with a little levity.
"The rules seemed to change, and they told me it had to be one word, so I tried 'censorship', but they didn't like that, and then said it had to be no more than six letters long."
I would have then asked for it to be changed to bollox and then proceeded with increasingly vulgar suggestions. Fanny would be a good choice.
Me lost me cookie at the disco.
He should let them set his password to whatever they please . . . for as long as it takes him to clear his money out of there and into another bank.
"Here's what's happening. You're starting to drive like your Dad..." - Red Green
Perhaps it really was Llyods, as in www.lloyds.ru, after all, they did have his password stored as plaintext.
New pass: "Gagged" It meets the no more than 6 letters condition.
Until a few months ago, I did some helpdesk work at a web hosting provider. When a customer calls in, we are required to make them verify that they are the account holder by telling us either the last four digits of their credit card or their hosting account password (which they specify when they're signing up for service).
One day, a new customer calls in and says he's having some trouble setting up DNS and would like some advice. He's maybe in his late teens or early twenties He gives me the account number. I notice that he makes his payments via PayPal. When I see his password, I hit mute on the phone and giggle for a few seconds. After my composure is somewhat regained, I unmute and ask him to verify his account password for security purposes.
You could almost hear him tense up. When he starts stuttering, I was sure he never stopped to consider that he might have someone
"Ummm, uh, it's fuckyou2dickhead."
I helped him through his DNS questions as politely as possible and we got along pretty well. Before hanging up, he asked if there was a way he could change his password online. I said yes, through our monitoring and billing system.
He gave a huge sigh of relief.
Linden did that to me with my Seconf Life account, after a crack of their server in 2006 IIRC. They told customers to answer a few questions about who their friends were etc to get their passwords back. I had been there only a few days and I didn't know how to spell my friends' names. Thanks to their crappy customer service I never could log back in. Luckily I didn't have a paid account. I was pretty angry at them, and rightly so I believe. It's very inconsiderate to change customer's passwords without their consent. They did it to protect their customers and I understand that, but I guess I was not the only one who was forced to make a new account.
-- Cheers!
Nice to see the editors have a chance to post AC style. Carry on. I'm sure this practice with grammar will improve the proofreading for the next article.
"I hope my cookies never expire."
That should be on a Tee-Shirt.
-FL
They have a total disregard for security by allowing the support staff to read the passwords.
The customer support people there have a horrific culture of ridiculing their customers. Nasty.
Telephone banking. Customer rings and gets asked "What's the 3rd letter of you password?". Usually get asked for two randomly selected characters in your password, plus other details, such as random digits from a customer code which is chosen by the bank when telephone banking is setup for the customer.
God: An invisible friend for grown-ups.
The change would be funny from a small company that you do some business with, but NOT FROM A BANK. Any sign of employee impropriety with sensitive information that your life savings depends on, is downright scary. And losing money might be the best outcome... A couple suspicious transactions is all it would take to raise a red-flag, and automatically trigger a police investigation for possible (drug/weapons/terrorist) money laundering.
I want nothing but monotonous, joyless, boring bastards handling all aspects of my bank account. In fact, computers would fit the bill perfectly.
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
Anyway, what can I say? one typo and one cut and paste (without enough proof-reading) and voilà! one /. submission.
This isn't a "help desk" it's a telephone banking system. You call up the bank. and do your banking over the phone. That means -- yes! -- that the guy you're talking to has unfettered access to your account. That's the inevitable price you pay for convenience if you want to do your banking over the phone.
What's purple and commutes? An Abelian grape.
The power of Ego!
This is a multi-billion dollar company. They, along with all the other banks, own Everything. --Correction; they lent the money needed to purchase Everything, and now are owed it all back with interest. God couldn't even pay that bill!
So, poor, poor Lloyds can't handle it when the slaves mutter amongst themselves? Geez! And that's it right there; the same petty fear of Everything (including the most harmless of school-yard slurs), drives their desire to control Everything. Pathetic.
-FL
Your banking auth code isn't necessarily stored as plaintext in the DB. Amazon has my credit card number stored, and I'll be damned if it's in there as 3723-7... I mean, yeah. Anyways, it's in there via a 2-way encryption algorithm - functionally identical to how SSL works, even if the methods involved are completely different.
Now of course I have no way of knowing if they store the phone-in verification codes in some sort of encrypted form, but just because someone at the bank can read it doesn't mean it's STORED as plaintext, it just means it's NOT stored after being put through a one-way hash (md5, sha1, etc). But that's just as true in your bank's DB as on Slashdot's as on that cobbled-together inventory logging system I made a couple years back for a small biz project. If you didn't have a hand in building the system, and said system isn't open-source, you just have to hope and assume that they've done things with a reasonable degree of security. (FWIW I did encrypt the passwords in that thing, even if the rest of the system was clumsy as hell)
How are sites slashdotted when nobody reads TFAs?
PIN number
Yes, a Personal Identification Number number. Is that long enough?
I don't get the person who moderated the parent posting, how on earth was that Trolling? Whom ever moderated is off their rockers.
When I tell people about passwords I always tell them that they need to use a NEW password with each service in case the people at that web site/company look at the password and then use it in identity theft. This makes your privacy more secure. Just don't leave the password information out in the open...
Everybody knows passwords. We're all used to them. But they suck rather miserably for real security. They are a vast improvement over nothing at all, but they just aren't good enough, anymore.
All it takes is one leak of your password, and you're hung. Worse, you don't know that you're hung. You can't let somebody else use your password. Ever. You can't ask a family member to enter it in for you while you're on the road while they look up your bank balance on the way to the airport without disclosing your password.
And lots of people can see your password. Techies. Poorly-paid tech support people in India. System administrators. Clerks, counters, janitors, and people who dig up your stuff out of the pile of computer hardware behind XYZ large firm.
Passwords are a terrible, terrible idea for security, and have left the social environment highly vulnerable to vast compromises.
On the other hand, dual-key cryptography is rather good for security.
It doesn't matter who sees the key exchange. If somebody else gets your public key, it doesn't weaken the strength of your private key. Nobody else can see your private key. You don't need to disclose your private key to anyone to use it.
Personally, I'd like to see a password-key machine. Basically, a weak form of dual-key cryptography (at least as effective as a password) stored in a small doohickey. It has your private key. Rather than type in a password, you are given a set of characters that you need to encrypt with your doohickey. You type the characters into your doohickey, and indicate which private key you want to use. (since it's private, you really only need one)
You enter in the passphrase for your private key. You enter the response back into your website, whatever.
Weaknesses? Not many.
1) You can lose your doohickey. At which point you need to get another one, regenerate a private key, and hand out new public keys to everybody. But even with the doohickey, $RandomBadGuy can't do much without the passphrase. Which is not a "password" in the usual sense because it's only stored there, in the doohickey and cannot be seen by anybody else.
2) You can use your doohickey thru the phone. Your son-in-law is checking your bank balance for you, and you want him to - this time. He sees the challenge, and tells it to you. You enter challenge into doohickey, give him the response, and he types it in. That gives him nothing more than a login that time, because next time, the challenge will be different, and without doohickey, he can't do anything more.
3) Nobody else sees your private key. It's yours. It's private. Websites and such will have your public key, but it won't help them any since they don't have the private key that matches.
Doohickey doesn't have to be much - it could easily fit into a cell phone. Processing a small, 32-bit key isn't difficult, and the challenges don't have to be very long to well exceed the security of your average password. (EG: Wife's middle name, the street you were born on, etc)
I have no problem with your religion until you decide it's reason to deprive others of the truth.
Changing customers password without consent?
That sounds a bit like this guy: BOFH
"I find your lack of faith disturbing"
Even in the US, I believe "Lloyd" is the usual form of this name. TFA (the BBC) of course spells it correctly, and includes a photo of the bank's logo.
..try "Lloyds ist toten hosen"
They probably won't change that one.
My bank asks me the jth and kth letters of my password and never (and corresponds regularly to tell me so) asks for my complete password. Whilst this suggests they they do have the plain text stored on their system, could one devise a system that encrypted each letter of the password in some way that did not compromise the security of the stored hashes any more than the original hash?
Assuming a "strong" 8 letter password and two letters for verification it means that there is a 1 in 676 chance of a client guessing correctly in a single operator/client session. Not an unreasonable risk given the securiity that could be built into the session to avoid brute strength attacks.
I am having a bit of a think about it and I can think of a couple of techniques, but I am not sure that they are worthwhile. For example;
Just store the all the encrypted pairs (NC2) where N is password length, assuming 8 characters, only 28 combinations. Can these be stored without compromising the crackability of the whole password? I guess it would but by how much is a bit beyond my thumbnail calculating ability. Or;
Can we build a sufficiently strong transposition cypher so that we can compare specific letter positions encrypted without knowledge of the other letters?
My other bank uses SMS messages with one time codes to do verification. That seems to be very effective.
"The first thing to do when you find yourself in a hole is stop digging."
They should have allowed him/her to set this password as this is a password and needs to be kept secret! Now they are not passwords and the whole world knows about them :)
haha!
At TD Canada Trust, the have an excellent web interface, where you can customize many aspects.
For example, when I load my profile, my greeting message is "DON'T SAY PLEASE FUCKHEAD!" (a quote from Blue Velvet), my credit card account is called "Devil's Due", and my line of credit is called "Slush Funds".
War as we knew it was obsolete
Nothing could beat complete denial
- Emily Haines
The first question you should ask is how a rep can change a customer password without his permission and knowledge. All you need is one with criminal connections and he'd be able to start messing with accounts for a while. Do this for a month, hit a couple of big ones at the end and disappear.
If I were the customer I'd go after the bank re. diligence failure. I couldn't care less about the pettiness (as ex Lloyds customer I agree 100% with the sentiment expressed), but I would raise serious questions about the processes involved, from HR to account management.
If I were the customer I would now insist on choosing a new password (as the entire planet knows the old one) and I think something like "You are all complete morons" would be suitable:
"What is yous password, Sir?" :-)
"You are all complete morons"
"That is correct, Sir, thank you"
Insert
"funny or not" isn't the right question to ask here.
The right question is: "Why was customer service able to access his plain text password?" - when every book about security tells you to store passwords hashed. They should never even know what his password actually is.
Assorted stuff I do sometimes: Lemuria.org
Does one have "rights" on a website not owned by a government entity? Even in the U.K.? Is there a TOS to support this, or some statement to the contrary? Yes, this sucks and is unprofessional, at best, but I have a hard time believing that you have any right to anything on a website unless you are specifically granted such rights by some particular means. Need more information, without reading TFA, of course.
This is a hacked account, for which the owner can not be held responsible.
Guys, let me clear this up. I have a Lloyds bank account, when you phone their phone banking system, they ask you "Whats your password". May not be secure, but thats how they do it.
So basically every single operator they've ever employed, can find or just remember your username _and_ password if they want to. And who's to stop them from calling after hours and pretending to be you?
And you don't see the problem yet?
How about: when you tell that guy your password, he types it on the computer, which compares it to a hashed (and salted, please!) value in the database. There we go. It wasn't that hard, was it?
Of course, now when you talk to an operator, you tell them your password. So now we're back to problem 1, albeit with less people having access to it.
So, better yet, how about making you type it on the phone pad? Then their PBX can extract any such keypresses and send them directly to the computer. There is no need for the human operator to ever hear or read that sequence.
So basically, you can jolly well stop pretending that crap security is anything else. Yes, it may require some 5 minutes of thinking to solve those problems, but they _are_ solvable.
This kind of thinking inside the box (basically, "it's been done so before, so I guess we'll have to do the same"), and throwing your hands up in defeat each time it requires more thought than applying verbatim what you already know, is the real problem with security nowadays. Most people don't even bother trying to think about what could go wrong, and how (if at all) it's preventable.
A polar bear is a cartesian bear after a coordinate transform.
The customer misremembered his password as "Lloyds is pants". He rang up to make a transaction, but when he gave his (wrong) password, they said "no its not". He asked to change it to "Barclays is bank", but they weren't sure if it was really him, so they refused. Case solved! And no, I didn't read the article.
I'm not entirely sure how it ended up happening the other way, it smells a bit of urban myth to me.
You're quite probably correct - I only have knowledge of how this works from the customer point-of-view.
In these cases using hashes would be pointless, as the entire password would be required giving the operator that information - this method being more "secure".
A method whereby the customer was asked for three, and had to get at least two of them correct may be more secure from the customers standpoint, as the operator wouldn't know which of the three (if any) didn't fit the password. (I could be wrong, I'm no cryptographer or statistician).
God: An invisible friend for grown-ups.
I worked at an ISP helldesk, and all the passwords for user accounts (including their e-mail addresses) were displayed in plaintext for any staff member to see.
I even had a few customers phone me up wondering "uh.. what's to stop staff members from looking at my e-mails?", and I had to tell them "technically... nothing"
That's just the way it is at some places.
My ISP's solution seemed to have been to keep the call volume/staff ratio so high nobody had time to peek about user accounts.
120 characters should be enough for anybody
Hey, it's six letters.
Damn, I must stop posting complete business plans.
America, Home of the Brave.
Or he lives somewhere other than the United Kingdom or Republic of Ireland, and has never travelled to either of those places.
Plc is somewhat analogous to GmbH or LLC elsewhere.
The Future of Human Evolution: Autonomy
.
Two additional things are not acceptable:
So go to Cafepress or Zazzle and put it on one!
So go to Cafepress or Zazzle and put it on one!
I didn't say I wanted it on mine. I'm happy with, "The Angels have the Phone Box." All the rage in the egg forums.
-FL
3. pants This word can have two meanings if you are from the UK. It either means 1. The British word for panties, underpants, etc 2. Rubbish, bad 1. "I bought some new pants and a matching bra." 2. "This film is pants!"
Isn't it strange/scary/odd that someone is looking at passwords?
On a similar note, every time I have to reboot a Windows box or have to enter a reason for a shut down/restart I enter "Microsoft sucks" or "F%$#k you Bill Gates" (without the censorship)
I think more people should do this. :-)
I would be extremely leery of any security system that allowed _anyone_ to read passwds unless for verbal authentication. Otherwise, they should be always be cryptohashes.
is the fact that anyone in the company can see customer passwords in the first place. So much for security.
90% of the working world has employees that can see customer passwords. The world isn't composed of unemployed slashdotters who never have any reason to access customer/client information.
If I told a Fortune 500 exec that I can't remind him what his password was for an account with my company, he'd think I was retarded. Typically, people with money would rather be reminded of what their password is in the 1 second it would take than have you reset it and send them some gibberish password they'll have to change (or send them somewhere else to reset their password). They have enough at risk to recognize security is more or less an illusion over apathy. Inconvenience, however, is not.
tl;dr: hashing passwords is popular on slashdot, not so much in real life.
I am the richest astronaut ever to win the superbowl.
Source
You better watch out, there may be dogs about . .
That seems to me like a very fragile assumption.
Yes, you'd think that most people are smart enough to not do stuff where they could end up in jail, but about 1% of the population of the USA _is_ currently in jail. You'd think that most people are sane enough, but 0.4 to 0.6 of the population are schizophrenic. You'd think that most people are nice enough to their fellow human, but about 1 in 30 qualifies as sociopath, and 1 in 100 as outright complete psychopath.
You don't take those precautions against most of those call centre employees which are honest, sane, smart and nice, like you were. You take them against the schizophrenic dude who'll sell that data because the ghosts threatened to suck his soul through his nose if he doesn't. You take them against the disgruntled sociopathic admin who wants to go out with a bang. (See for example the recent news about the guy who locked a city administration out of their computers.) You take them against the idiot who'll sell an old computer on EBay without first erasing the database files or backups off it. (See the recent story.) You take them against the irresponsible (if well meaning) insurance/investment/etc salesman, who'll copy the whole damn customer database on his laptop so he can show a snappy chart to a potential customer. You take them against the idiot rent-a-coder who'll zip your whole database and post it on the web, when asking for help with some trivial formatting problem. (Yes, one dude did exactly that. Twice.) You take them against the irresponsible boss who'll copy that whole damn database on an USB stick, and give it to some programming contractor so he doesn't have to work on-site. And then said contractor loses the stick. (See the recent leak in the UK.) You take them against the irresponsible "tech savvy" guy, who'll open an insecure tunnel right through your firewall, so he can work from home, and thinks that nobody will guess the port. Etc.
It's not just you call centre guys who can see those plaintext passwords, you know. There's a whole lot of people who might end up seeing that data, some of which you'd never even think about off the top of your head. E.g., that eastern european janitor who was emptying the dustbins while you were looking up someone's plaintext password.
Security is about trying to prevent as many of those as you realistically can. Just because you call-centre guys get to hear the password as plaintext, is no reason why everyone in IT or with enough clue to run an SQL query should also be able to get to them.
A polar bear is a cartesian bear after a coordinate transform.
But it is not as brain dead as in the litigious US of A.
In the UK you'll find there is still some degree of banter in most offices and people know when something is meant as a joke or as an offence, in most cases where involuntary offence is caused an apology will suffice.
Unfortunately US corporate is permeating UK corporate culture by means of European Head Offices of USian companies based in London and other parts of Europe.
These companies bring with them all their legal baggage and I am sad to say that UK people are catching up pretty fast.
IANAL but write like a drunk one.
For slashdot I don't care if somebody gets my password.
For my bank I am willing to take a token, card or whatever makes my account as secure as possible.
IANAL but write like a drunk one.
At one point a had a password with a company that was " sucks" where competitor was the competitors name. The company in question dropped "sucks" off of my password. Pretty sure it was a customer service rep. Probably because she was an uppity bitch.
I am invincible!
Um, who modded this troll? "Holding a pen" + "I am invincible" = Slashdot mods are slugheads.
You don't have the "right" to a secure website and a professional interaction with your bank, no.
Your bank doesn't have a "right" to stay in business after driving off customers either.
a password is a personal piece of information. a CSR's knowledge of your password is a violation of the terms of their privacy policy.
or the simple answer is, have them set it to something simple and change it manually via their web interface later.
They're using their grammar skills there.
At that point I would have chosen, "TOSSER"
I am Bennett Haselton! I am Bennett Haselton!
You explained everything but the most important part. Why are pants offensive? I do not find pants to be offensive at all.
They don't grade fathers, but if your daughter's a stripper, you fucked up. --Chris Rock
When I worked for a helpdesk for a large ISP in the UK we had a chap with the security phrase:
"Who am I talking to?"
with the answer " scum".
Yes, it's that level of mutual respect that will make helpdesk staff want to talk to you...
And its amazing that the descriptive language to denote one also defines the other...
I use a limited number of random alphanumeric strings that I forced myself to memorize (it was a time consuming "pain-in-the-butt"(TM)® to set up but its pretty secure. The characters are meaningless and they are unguessable and there is an algorithm for the number-letter pairing.)
MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
the obvious misspellings. It's "Lloyds" not "Llyods".
Banks set traps now with fees to essentially "take back" the interest payments made. It's no longer a case of a bank's interest in loans covering the interest they pay out in savings - now fees make up 40% of that revenue.
This has changed the fundamental relationship between most banks and their customers. For example - if I mess up and accidentally make one too many transactions from my savings account, the fee associated with transaction 10 will not only wipe out the interest generated that month, but the two months prior.
The idea that they "pay us" for our money is cute and they'll defend it, but the hidden fees and the contortions required of customers to avoid such fees betray the true profit centers.
You better watch out, there may be dogs about . .
that someone else knew what his password was. That means that they track and can read your password. I don't think that would make me feel comfortable. I would hope that passwords were stored encrypted and not decryptable by staff.
Only 'flamers' flame!
Does slashdot hate my posts?
This is a case of cumulative disaster, frankly. These guys have done a whole bunch of not-so-smart things that together combine into real stupidity -- they are advocating both password sharing and they are allowing a help desk person to INTERPRET a plaintext password. Not to mention instantiating password polices requiring a single dictionary word with a limit of 6 characters!
This means that punctuation probably doesn't count. Capitalization doesn't count. Spelling probably doesn't count. If an attacker can come up with a reasonably approximate phonetic representation of the password, then chances are, the help desk will assume the caller is the right person. After all -- if there was a requirement for an exact match, then the help desk person could just type in exactly what the user tells them and get a yes/no answer back without ever seeing the password, and the plaintext requirement wouldn't exist.
Once you have the password for account viewing, how much money do you want to bet that a significant proportion of customers use the SAME password for all their other activities with the bank? But don't worry -- that second, possibly identical password is protected with "full security procedures"...
don't mess with those geekgrrls
Back when I was doing tech support for Worldnet dialup internet, we could change people's passwords when requested (and we could also just read off what it's currently set to). I got a call once from someone saying they couldn't log in, and wanted me to read off their password. After the usual verifying security, I gave 'em their password... which was at the moment set to... umm... let's just say another way of saying "homosexual lover", since putting the actual password would likely set off the swear filter. Yeah, THAT was an awkward call.
The system logs the tech's login for any changes made to an account, so it was easy to see what happened. Someone, on their last day of work, changed some people's passwords to either racist, homosexual, or other various types of things.
Because of that incident, they stopped us from being able to either read passwords, or even create them to what someone wanted. If someone forgot a password, we could randomly generate a new one. That's it.
Planet Zebeth - Metroid with a twist
Comment removed based on user account deletion
Now, I'm not about to do something crazy like RTFA, but.....
Beyond the fact that the password was changed, how did the rep see it? Was he going through all the accounts looking at the passwords and see this one?
--
My parents went to Slashdot and all I got was this lousy sig.
"I hope my cookies never expire."
That should be on a Tee-Shirt.
This should be on a Tee-Shirt
Note: It might be, but the original is in Spanish.
One of our competitors trademarked the term "hypothesis". From now on, we will call them "boneheaded ideas".
I assumed you stated a belief in a profitable rage, in which case even if you don't wear it yourself, you should go ahead and do it! (If the original poster doesn't object.)
So basically every single operator they've ever employed, can find or just remember your username _and_ password if they want to. And who's to stop them from calling after hours and pretending to be you?
How is this different from withdrawing cash from the bank in person? All you are doing is verifying your identity to a bank employee who could drain your entire account without a password. Just like the bank clerk does not have to ask you to enter a password before they give you money.
Seems ironic, given that Websters defines "icon" as "a religious image painted on a small wood panel".
For the BOFH types you could do what was done in this story:
http://news.bbc.co.uk/2/hi/asia-pacific/4396831.stm
Just because it CAN be done, doesn't mean it should!
TFA points out that this is telephone banking. Really, read TFAs once in a while and don't rely on summaries approved by editors who cannot spell a word as simple as Lloyds.
Burns: We're building a casino!
McAllister: Arrr. Give me 5 minutes.
Email them to me -- I will look after them for you!
Repton.
They say that only an experienced wizard can do the tengu shuffle.
The comment by Cassius Corodes is undereducated and misleading. There are a myriad of reasons besides whether or not the operator will be in the loop (which should only be guaranteed if the caller provides the correct password anyhow) that I'm sure other responders have already pointed out. Please mod it down.
In fact I'd put pressure on companies providing services to have a higher standard with passwords such as ensuring that they are always stored encrypted, and that their personnel can't read them under any circumstances not even when debugging.
Now that's not always possible with phone in services where they want you to identify yourself to them using a password. Then it's in the clear on the phone and within ear shot. In this case the company should log which of their people saw or hear the password. This is usually possible with customer service records.