Slashdot Mirror


Changing Customers Password Without Consent

risinganger writes "BBC News is reporting that a customer had his password changed without his knowledge. After some less than satisfactory service the customer in question changed his password to 'Lloyds is pants.' At some point after that, a member of staff changed the password to 'no it's not.' Requests to change it back to 'Lloyds is pants,' 'Barclays is better,' or 'censorship' were met with refusal. Personally I found the original change funny, like the customer did. After all, god forbid a sense of humour rears its ugly head in business. What isn't acceptable is the refusal to change it per the customer's requests after that."

24 of 435 comments

  1. Plaintext passwords? by MiKM · · Score: 5, Insightful

    What worries me more is that they are storing the passwords in plaintext.

    1. Re:Plaintext passwords? by Al+Dimond · · Score: 5, Funny

      And I thought I had a shot at getting this in first...

      Maybe he should make his new password "Lloyds security is pants"

    2. Re:Plaintext passwords? by Psychotria · · Score: 5, Funny

      That was a bit silly. Now I can just ring the bank and say my name is "Anonymous Coward" and my password is "Cottage Rd". This means I can transfer all of your funds... didn't think of that did ya!

    3. Re:Plaintext passwords? by brianjlowry · · Score: 5, Funny

      You act like they are storing important information in the DB... like it is a BANK or something.

    4. Re:Plaintext passwords? by QuantumG · · Score: 5, Funny

      Yes, my voice password is "billy'; drop tables;", type it in muppet!

      --
      How we know is more important than what we know.
    5. Re:Plaintext passwords? by EdIII · · Score: 5, Informative

      It's a voice password. It is the employee on the phone that has to enter and verify the voice password. It is probably not being stored in plain text and it is entirely appropriate, and indeed required, that the administrative interface view the voice password as entered by other employees.

      The only concern here is that an employee changed the voice password without authorization. Anytime an employee changes a password there should be records of the interaction. Call logs, voice logs, notes, etc.

      Now in this case, the choice of the password might be deemed offensive. However, it seems that there was no clear and consistent policy enforced as to what a voice password could be.

    6. Re:Plaintext passwords? by Jedi+Alec · · Score: 5, Funny

      From the article it sounds like a voice code phrase to authenticate yourself over the phone. The staff has to be able to see it to verify it. It isn't a computer password.

      "I am the systems administrator. My voice is my password. Verify me."

      --
      People replying to my sig annoy me. That's why I change it all the time.
    7. Re:Plaintext passwords? by Cassius+Corodes · · Score: 5, Informative

      RTFA, it's a phone banking password - as this is done via an operator, they are going to know the password anyway so it's displayed to them.

      --
      Control is an illusion, order our comforting lie. From chaos, through chaos, into chaos we fly
    8. Re:Plaintext passwords? by MrNaz · · Score: 5, Insightful

      Unless there is money being paid for accessing the systems

      What, you mean like bank fees?

      or there is an existing policy/agreement in place that says the system owners will not mess with passwords

      What, you mean like the legislative requirement that banks give depositors access to their funds?

      The people that own the systems have the right to do what they wish with them.

      No, they don't. They doubly don't if it means banking customers' financial services are interrupted.

      Does your phone company, who own the systems that your phone calls go through, have the right to let their operators listen in on your conversations and interject with witty remarks every now and then?

      --
      I hate printers.
    9. Re:Plaintext passwords? by ei4anb · · Score: 5, Interesting

      That is actually one of the schemes that I use. I have a keyword that I use to generate the password for all websites; I concatenate the keyword and the site's domain name and use a hash of that and allow Firefox to store it. That way I get a different pwd for each site yet I can regenerate it if I need to.
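      The derivation ei4anb describes, as an added example (not the commenter's own code): SHA-256 over the keyword and the normalized domain, cut to a typeable length. It assumes the keyword is long, because the hash is fast: anyone who learns one site's derived password can test keyword guesses offline against it and, on success, regenerate every other site's password.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"strings"
)

// normalizeDomain reduces a URL or host to a bare host so that
// "https://WWW.Example.com/login" and "example.com" derive the same password.
func normalizeDomain(site string) string {
	s := strings.ToLower(strings.TrimSpace(site))
	if i := strings.Index(s, "://"); i >= 0 {
		s = s[i+3:] // drop scheme
	}
	if i := strings.IndexAny(s, "/?#"); i >= 0 {
		s = s[:i] // drop path, query, fragment
	}
	if i := strings.Index(s, ":"); i >= 0 {
		s = s[:i] // drop port
	}
	return strings.TrimPrefix(s, "www.")
}

// DerivePassword is the scheme from the comment: hash the keyword concatenated
// with the site's domain. A NUL separator keeps "ab"+"c.com" and "a"+"bc.com"
// distinct; the digest is base64-encoded and cut to a typeable length.
func DerivePassword(keyword, site string, length int) string {
	sum := sha256.Sum256([]byte(keyword + "\x00" + normalizeDomain(site)))
	pw := base64.RawStdEncoding.EncodeToString(sum[:])
	if length > len(pw) {
		length = len(pw)
	}
	return pw[:length]
}
```

      Changing the keyword rotates every password at once, which is the flip side of being able to regenerate them all.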

    10. Re:Plaintext passwords? by EvilIdler · · Score: 5, Insightful

      Uhm..what?! You don't store passwords in plain text, full stop. One-time passwords, alright. Generate one based on your bank card, and give it to the operator. It can't be used again. But a regular password? No way.

    11. Re:Plaintext passwords? by telchine · · Score: 5, Insightful

      If the operator ever needs me to prove my identity, I am asked to provide eg the 4th & 5th character, not the whole thing. Sounds like Lloyds needs to update their security procedures!

      My bank also asks me for two letters from my password, and my bank is Lloyds!

      How do you know for sure that your bank's operator can't see the full password when they're asking you for two letters?

    12. Re:Plaintext passwords? by Cow+Jones · · Score: 5, Funny

      RTFA, it's a phone banking password

      So, unless I misread TFA, we now know that Mr. Steve Jetley from Shrewsbury has a phone banking account with Lloyds, and is unable to change his password to anything else than "no it's not". Mr Jetley said he was still trying to find a suitable password which met the conditions.

      Excuse me, I have to make a phone call...

      --
      Ah, arrogance and stupidity, all in the same package. How efficient of you. -- Londo Mollari
    13. Re:Plaintext passwords? by Bender0x7D1 · · Score: 5, Funny

      Does your phone company, who own the systems that your phone calls go through, have the right to let their operators listen in on your conversations and interject with witty remarks every now and then?

      I live in the U.S. and am offended by the implications in your statement. Of course they have the right! How else would they find the terrorists?

      --
      Reading code is like reading the dictionary - you have to read half of it before you can go back and understand it.
  2. Clarifying for Americans by RevWaldo · · Score: 5, Informative

    In the UK "pants" is the term used for underwear.
    It is also slang for rubbish (that's "crap" for Americans.)

    This doesn't speak well for the state of British underwear, but whatever.

    1. Re:Clarifying for Americans by ben0207 · · Score: 5, Funny

      Does anyone else find it quaint when yanks try to comment on the English language?

      They always manage something that is nearly completely wrong, but right enough to see where they were going before they were distracted by something to eat or a TV.

      --
      cmd-q.co.uk - some sort of stupid fucking internet bullshit
    2. Re:Clarifying for Americans by fotbr · · Score: 5, Insightful

      American here. No, that is not anywhere NEAR the average American's grasp of geography. You're giving them far, far too much credit. Most of my countrymen below the age of about 30 have no clue about anything other than the area of the US they live in, and some vague notion of Africa being poor, and Iraq being "over there". They can't even pick out all the states, much less find Iraq on a map. They *might* be able to pick out the continent of Africa, but they'd probably be looking for a single country instead.

      Our public school system has turned an entire generation into morons, who think being wrong is ok as long as they feel good about themselves.

  3. Ok, and... by narcberry · · Score: 5, Funny

    I read the article and it only reports half the story.

    Sure he tells us all about his password and what he is using. But what was his account name?

    --
    Modding me -1 troll doesn't make me wrong.
  4. I once had a funny incident with some website. by CrazyJim1 · · Score: 5, Funny

    I called in and asked: "Can you give me my password?"
    Him: "Ok, give us your information."
    Me: I gave him my information.
    Him: "You want your password now?"
    Me: "Yes please."
    Him: "Biteme."
    Me: "What?"
    Him: "Biteme is your password."
    Me: "Oh... Thanks..."

    I made a mental note: "Do not make passwords that will embarrass me if I have to call in on the phone."

  5. Important message to Lloyds customers by Anonymous Coward · · Score: 5, Funny

    My Dearly Beloved Lloyds customers.

    I encourage you all to change your passwords to Lloyds is pants in protest at this stupid bank's actions.

    Thank you sincerely for your cooperation.

    Mrs Mariam Abacha, Lagos, Nigeria

  6. Re:Legal Problems by Ixitar · · Score: 5, Interesting

    I just love the hypersensitivity out there. I was on a project years ago where there were duplicate records on companies. One fellow that I worked with wrote a drag and drop application to eliminate duplicates. The user would drag the "good" record over an icon for the good company record and drag the "bad" record over the icon for the bad company record. The good company icon was a building in white with a halo over it and the bad company icon was a building in red with horns. I told him that someone with no sense of humor is going to tell him to change the icons. Sure enough, he was told to change the icons so as to not potentially offend someone's religious faith.

  7. fun with passwords by Eil · · Score: 5, Funny

    Until a few months ago, I did some helpdesk work at a web hosting provider. When a customer calls in, we are required to make them verify that they are the account holder by telling us either the last four digits of their credit card or their hosting account password (which they specify when they're signing up for service).

    One day, a new customer calls in and says he's having some trouble setting up DNS and would like some advice. He's maybe in his late teens or early twenties. He gives me the account number. I notice that he makes his payments via PayPal. When I see his password, I hit mute on the phone and giggle for a few seconds. After my composure is somewhat regained, I unmute and ask him to verify his account password for security purposes.

    You could almost hear him tense up. When he starts stuttering, I was sure he never stopped to consider that he might have someone

    "Ummm, uh, it's fuckyou2dickhead."

    I helped him through his DNS questions as politely as possible and we got along pretty well. Before hanging up, he asked if there was a way he could change his password online. I said yes, through our monitoring and billing system.

    He gave a huge sigh of relief.

  8. Passwords are awful for security by mcrbids · · Score: 5, Interesting

    Everybody knows passwords. We're all used to them. But they suck rather miserably for real security. They are a vast improvement over nothing at all, but they just aren't good enough, anymore.

    All it takes is one leak of your password, and you're hung. Worse, you don't know that you're hung. You can't let somebody else use your password. Ever. You can't ask a family member to enter it in for you while you're on the road while they look up your bank balance on the way to the airport without disclosing your password.

    And lots of people can see your password. Techies. Poorly-paid tech support people in India. System administrators. Clerks, counters, janitors, and people who dig up your stuff out of the pile of computer hardware behind XYZ large firm.

    Passwords are a terrible, terrible idea for security, and have left the social environment highly vulnerable to vast compromises.

    On the other hand, dual-key cryptography is rather good for security.

    It doesn't matter who sees the key exchange. If somebody else gets your public key, it doesn't weaken the strength of your private key. Nobody else can see your private key. You don't need to disclose your private key to anyone to use it.

    Personally, I'd like to see a password-key machine. Basically, a weak form of dual-key cryptography (at least as effective as a password) stored in a small doohickey. It has your private key. Rather than type in a password, you are given a set of characters that you need to encrypt with your doohickey. You type the characters into your doohickey, and indicate which private key you want to use. (since it's private, you really only need one)

    You enter in the passphrase for your private key. You enter the response back into your website, whatever.

    Weaknesses? Not many.

    1) You can lose your doohickey. At which point you need to get another one, regenerate a private key, and hand out new public keys to everybody. But even with the doohickey, $RandomBadGuy can't do much without the passphrase. Which is not a "password" in the usual sense because it's only stored there, in the doohickey and cannot be seen by anybody else.

    2) You can use your doohickey thru the phone. Your son-in-law is checking your bank balance for you, and you want him to - this time. He sees the challenge, and tells it to you. You enter challenge into doohickey, give him the response, and he types it in. That gives him nothing more than a login that time, because next time, the challenge will be different, and without doohickey, he can't do anything more.

    3) Nobody else sees your private key. It's yours. It's private. Websites and such will have your public key, but it won't help them any since they don't have the private key that matches.

    Doohickey doesn't have to be much - it could easily fit into a cell phone. Processing a small, 32-bit key isn't difficult, and the challenges don't have to be very long to well exceed the security of your average password. (EG: Wife's middle name, the street you were born on, etc)

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.
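    The challenge-response the comment sketches, as an added example (not the commenter's design and not any real product), using Ed25519 as the "dual-key" primitive: the token holds the private key, the site stores only the public key, and a response is valid only for the one challenge it answers. The passphrase unlock of the token is assumed to happen before Respond is called and is omitted.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base32"
	"strings"
)

// enc renders challenges and responses as letters and digits that can be read aloud.
var enc = base32.StdEncoding.WithPadding(base32.NoPadding)

// Token is the "doohickey": it holds the private key and never exports it.
type Token struct{ priv ed25519.PrivateKey }

// NewToken makes a fresh key pair; the site enrols only the public half.
func NewToken() (*Token, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Token{priv: priv}, pub, nil
}

// NewChallenge is the server side: a random single-use nonce, short enough
// to be read out over the phone as in the son-in-law scenario.
func NewChallenge() (string, error) {
	var b [10]byte
	if _, err := rand.Read(b[:]); err != nil {
		return "", err
	}
	return enc.EncodeToString(b[:]), nil
}

// Respond signs the case-folded challenge under a purpose prefix; only the signature leaves the token.
func (t *Token) Respond(challenge string) string {
	msg := []byte("login:" + strings.ToUpper(challenge))
	return enc.EncodeToString(ed25519.Sign(t.priv, msg))
}

// Verify is what the site does with the stored public key and the challenge it
// issued; a response relayed to another challenge, a tampered response, or a different key all fail.
func Verify(pub ed25519.PublicKey, challenge, response string) bool {
	sig, err := enc.DecodeString(strings.ToUpper(response))
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, []byte("login:"+strings.ToUpper(challenge)), sig)
}
```

    A 64-byte Ed25519 signature is 103 base32 characters, too long to dictate comfortably; a deployed token would shorten the response (the comment's "weak form") at a corresponding cost in security.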
  9. Re:It's still retarded security by Anonymous Coward · · Score: 5, Funny

    And who's to stop them from calling after hours and pretending to be you?

    Perhaps the fact the call center would be closed after hours?