Man's 'pants' password is changed



A man who chose "Lloyds is pants" as his telephone banking password said he found it had been changed by a member of staff to "no it's not".

Steve Jetley, from Shrewsbury, said he chose the password after falling out with Lloyds TSB over insurance that came free with an account.

He said he was then banned from changing it back or to another password of "Barclays is better".

The bank apologised and said the staff member no longer worked there.

Mr Jetley said he first realised his security password had been changed when a call centre staff member told him his code word did not match with the one on the computer.

"I thought it was actually quite a funny response," he said.

"But what really incensed me was when I was told I could not change it back to 'Lloyds is pants' because they said it was not appropriate.

"I asked if it was 'pants' they didn't like, and would 'Lloyds is rubbish' do? But they didn't think so.

"So I tried 'Barclays is better' and that didn't go down too well either.

"The rules seemed to change, and they told me it had to be one word, so I tried 'censorship', but they didn't like that, and then said it had to be no more than six letters long."

'Very disappointing'

Mr Jetley said he was still trying to find a suitable password which met the conditions.

He said his dispute with the bank started over some travel insurance, but that issue had been dealt with by managers independently.

A statement released by the bank said: "We would like to apologise to Mr Jetley.

"It is very disappointing that he felt the need to express his upset with our service in this way. Customers can have any password they choose and it is not our policy to allow staff to change the password without the customer's permission.

"The member of staff involved no longer works for Lloyds TSB."

Lloyds TSB stressed there was no security lapse in this case.

A spokesperson said: "On the majority of transactions advisors cannot read customers' passwords.

"In this case it was a business banking customer using a system where more than one person from a business can check their balance.

"In these cases an advisor can read the full password.

"But if such customers require more complex transactions, then full security procedures apply and advisors cannot read secure information."

Source: BBC NEWS


A spokesperson said: "On the majority of transactions advisors cannot read customers' passwords.

"In this case it was a business banking customer using a system where more than one person from a business can check their balance.

It shouldn't matter what type of system they are using, they shouldn't be looking at the passwords.

The call center agent must be told the password. Regardless of how it is stored in the database, the person must tell the agent the password. No encryption or hashing will help you. Since humans constantly record what they hear, while computers can be instructed not to do so, I tend to trust computers more than humans.

This message board, for example, stores MD5 hashes of passwords rather than the plain-text passwords themselves. For example, if your password is doggydoor, your password is represented like d3ed1d27eed8902ee5c6ea79d694b0b9. (That's not technically true since the forum does other things to obscure the password further, but I won't dive into the details here.) When you log in and give "doggydoor" as your password, the computer will do the MD5-hash process again, resulting in d3ed1d27eed8902ee5c6ea79d694b0b9, which it compares with the hash stored in the database for your user account. The computer sees that they match and lets you in and promptly forgets that your password is doggydoor.

This approach is helpful because it helps prevent those with access to the database from reading people's passwords. It helps prevent, but doesn't prevent entirely, as their ability to figure out the password depends on the complexity of the password in the first place. If you use a single word that can be found in the dictionary, they won't have much trouble figuring out your password. They simply go through the dictionary entries following the MD5-hashing process and continue until they find a matching hash. If your password is complex—combining lowercase letters, uppercase letters, numbers, and symbols, like 6+FxCh%&g—then your password will remain concealed from those with access to the database.

That approach isn't possible with human-to-human authentication though because you must tell the person your password and that person has little to no control over whether they remember the password or not. Steve Jetley learned this the hard way.

Regardless, even though that sort of problem is unavoidable in those cases, the six-letter maximum makes no sense whatsoever. They should never confine a password to a single word you can find in the dictionary and only those with six letters or less. That removes most of the randomness that makes passwords useful. How many words exist in English with six letters or less? Not many, in the grand scheme of things, perhaps a few thousand. Among those few thousand words, which words would a successful business person use? A smaller fraction still. This banking company is practically ensuring that it's possible for outsiders to guess a password. I guess they assume that the fact that they run a bank will scare away most people, thus relying on security through obscurity, but that's just foolish from any perspective.

The spokesperson was right that there was no lapse in security. Unfortunately, he's only right in the sense that there practically weren't any security practices to lapse from.
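The storage scheme discussed in the post above, as an added example that is not part of the original post or the forum's own code: an audit helper shows which unsalted MD5 hashes fall to a wordlist, next to a salted PBKDF2 alternative and the size of the guessing space under a six-letter-word rule. The wordlist, function names, iteration count and the 4096-word figure are assumptions made for the illustration.

```python
import hashlib
import hmac
import math
import os

# Constructed stand-in for a real dictionary file (assumption).
WORDLIST = ["pants", "rubbish", "better", "censor", "doggydoor", "bank"]

def md5_hex(password):
    """Unsalted MD5 as described in the post; fast, so cheap to guess against."""
    return hashlib.md5(password.encode()).hexdigest()

def audit_unsalted(stored_hash, wordlist=WORDLIST):
    """Return the wordlist entry whose MD5 matches stored_hash, else None."""
    for word in wordlist:
        if hmac.compare_digest(md5_hex(word), stored_hash):
            return word
    return None

def hash_password(password, iterations=600_000):
    """Salted PBKDF2-HMAC-SHA256 record: (salt, iterations, derived key).

    The per-user salt makes equal passwords hash differently; the
    iteration count (an assumed value, tune per hardware) slows each guess.
    """
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, key

def verify_password(password, salt, iterations, expected_key):
    """Recompute the key from the supplied password, compare in constant time."""
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(key, expected_key)

def keyspace_bits(candidates):
    """Bits of guessing work if the secret is one of `candidates` equally likely values."""
    return math.log2(candidates)

if __name__ == "__main__":
    print("dictionary word found:", audit_unsalted(md5_hex("doggydoor")))
    print("complex password found:", audit_unsalted(md5_hex("6+FxCh%&g")))
    print("bits, ~4096 short words:", keyspace_bits(4096))
    print("bits, 9 printable ASCII chars:", round(keyspace_bits(94 ** 9), 1))
```
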

It shouldn't matter what type of system they are using, they shouldn't be looking at the passwords.

I guess in the situation that it is a security verification process, and not a physical password you use... then it is allowed

This topic is now closed to further replies.