Set yourself a rude password at Lloyds TSB, and it is just possible that you might find it changed to something politer. That was the experience of Lloyds customer Steve Jetley, who attempted to set "Lloyds is pants" as his telephone banking password. According to Mr Jetley, this was then changed by a member of staff to "no it's …
The staff can READ your passwords?
Oh man, does Lloyds understand anything about security? Not sure if El Reg is being artistic in its descriptions, but if a bank staffer can see that he put a rude password in, then their security system is on a par with that of the Tax office.
I guess it really doesn't matter any more anyway. The Govt have "lost" my bank details to the Dark Side anyway.
Aliens? Nothing scarier?
New Monitor Please
There's coffee on this one.
Any online system that even allows another human to read or extract a (sensitive) password has to be a joke.
>if a six-character password, visible to all system users, and with an apparently instant over-write facility represents the best in current security, then Vulture Central is investing in a very large mattress, under which it will be storing all its ill-gotten gains in future
Surely you should be more secure than that? You should put the ill-gotten gains _in a teapot_ under the mattress...
Mine's the one with the 1950s Goon Show scripts in the pocket...
Bunch of complete bankers
Fuck me. This just takes the biscuit. They lose our personal information by binning unsanitised servers (RBS) and now it seems that our passwords are stored unencrypted and are accessible for read and write by any tom, dick or harry in the bank.
They are truly a complete bunch of bankers. The incompetence is breathtaking.
I'm not hanging around. My double king sized mattress is already on order.
@Justin - Exactly what I would like to know!
Was this one of those "give us an easy to remember phrase so we can confirm it's you next time" or is this actually on a system through keyboard input?
Surely Lloyds cannot be so simple as to allow support staff to see customer passwords on systems?
"no possibility that this password could have been used to plunder his hard-earned dosh"
Who could imagine such a thing? I'm booking my tickets with Swine Air right now...
So much for the reassurance that the person at customer service can only see characters "x" and "y" when asking for my password.
No doubt said ex-employee has the full login details of anyone he desired.
How did the employee know to change the password...
...unless the password was stored in the clear?
When checking authentication, banks usually just ask for a couple of characters; not the entire thing.
I don't really understand how hiding the password is meant to make the system more secure.
The operator says "what is your password"
You say "grandmothersmaidenname"
and then the operator realises (s)he cannot see "grandmothersmaidenname" on the screen.
Oh dear thinks the operator, I cannot read the password so that means I cannot remember what the punter said.
Lloyds have ALWAYS been crap!
The fact that any staff can see your password shows how shit they are for starts! I recently tried with my wife to get my name ADDED to HER Lloyds account. The computer said no, the woman looked lost, tried again and had to ask me for ALL my details ALL OVER AGAIN, again computer says no. Went out, 10 mins later came back in, tried again, computer says no. She says dunno what's wrong and nor do the technical people. Wow, maybe you lot should go on a college course in basic computing! Especially the technical staff responsible for keeping things running who didn't know what was wrong! They should go get a job at PC World, they'd do just fine!
Add that to other Lloyds experiences, again through a partner shows why I've always said they are shit and they keep proving me right!
This happens everywhere. You ring up, give them your details, and your password pops up in plaintext so the operator can check it to complete DPA requirements. If you can't remember it, they check some other details and set a new one for you. Standard process in pretty much any call centre for any company, not just Lloyds TSB - it's a bit unfair to make it seem as though they're the only ones doing it.
I bet this was one of those insufferable old bastards who refuse to use Internet Banking because "I don't trust it / It's not secure / I saw something bad on TV about it / It'll make my children smell like hammers". You trust some 19-year-old kid in a generic outsourced call centre getting paid £6 an hour, though?!
Paris because even she's not that stupid!
@ Dr Who
It may interest you to know, Doctor, that the collective noun for bankers is a "Wunch".
As this seems to have been telephone banking...
I assume that it was a "give us an easy to remember phrase" job. Most banks seem to have been doing this since realising how trivial it is to find someone's mother's maiden name.
I can in this case see why there would be tight restrictions e.g. would you want to be a call center worker having to hear hundreds of people giving the oh so clever password "your a wanker" every day.
I have the same password on my luggage!
The story says that it was his phone bank password, this has to be visible to staff so that they can verify his ID. And they can change it, a "Computer generated" password is sent out to the customer first and during the first call to LTSB phonebank you are requested to change it, as you are on a phone and do not have a keyboard in front of you, the operator (Call centre advisor/insert gratuitous & facetious monkey describing adjective here) on the other end has to do this.
You don't have to be old to not trust internet banking - I'm 25 and I don't trust it - not that I don't trust the banks' computers, I don't trust any computer of mine that's attached to the Internet.
If you think you're immune from having your computer compromised online, then you're a tool.
RE: Lloyds have ALWAYS been crap!
While I agree with you 100% have you seen Natwest's online banking offering? OMFG is it the worst thing ever. It's as if it was designed by cave dwellers!
As for Barclays is better - I think they hold the top spot so far as online banking goes? (I've had online banking with them since the days of PC Banking and a monthly subscription - meh). I don't think the design has changed since about 2000, that's how good it is.
They can see your password
My Lloyds card was swindled to the tune of several thousand pounds and as a consequence I had to change my password from my mother's maiden name to something else. Now when you ring up they ask for the password with the hint - "it may be your mother's maiden name". The first time this happened after the swindle I had forgotten what the password was and the lady at the other end helpfully reminded me!
"...attempted to set "Lloyds is pants" as his telephone banking password. [...] Mr Jetley then tried “censorship”, but again, the computer said ‘no’. Apparently six characters is the system limit."
I've had telephone banking with Lloyds since before they admitted in public to having such a service. My password has always been more than six characters in length. Perhaps this is a new requirement, but since their database clearly has to cope with *my* old password, I can't really see the point. More likely, it wasn't the computer that said no.
It would be really interesting to know whether such an insecure system meets the legal requirements to protect personal information. (It would also be interesting to know whether I can "unregister" with PhoneBank.)
Missing the Point
I think some of you are missing the point.
"who attempted to set "Lloyds is pants" as his telephone banking password"
"his telephone banking" - notice the Telephone bit
how is the person in the call centre supposed to check it's you without seeing what the password is
you're all saying it should be blanked out, how are they supposed to verify it's you?
you " the password 1234abc"
bank - all they see on the screen is *******
how the hell is that going to work?
and if you use the same telephone banking password as your internet banking password or for any other passwords, I would change it :)
It seems that the customer is always right
Even as they try to dig themselves out of the hole they've created they get deeper.
The trick is to dig UP.
Lloyds is pants!
It's not like Halifax are any better
So he should have set the password to d34223e5f764af635b71b0f1f82137e8
Ahh, Lloyds bank
Somewhere I still have the letter from them stating I was 3p in credit and needed to settle my overdraft immediately as it had just been cancelled and was still around £30 overdrawn.
Oddly, I had paid it off right before it was removed but they issued the letter based on the balance at opening time but listing the balance at closing time.
I bank with the ol' horsey
And I use Phonebank a lot. The staff NEVER ask for your password anymore. You have a 6-digit PIN and during the callsteer, you have to enter your Account Number, Sort Code and 2 digits from the PIN which have been randomly selected by the computer.
No member of staff handles the password, because there isn't one.
For them to have a less secure system for business customers than they do for the average punter seems very odd to me...
Paris... just coz.
just to clarify...
you know this is the over-the-phone memorable word password, not the user's actual online banking password.
Whatever happened to...
...asking for two letters from your password?
That way the staff member never knows the whole password and you don't have to read out the whole password within range of potential eavesdroppers.
I'm having a hard time believing any bank would be this stupid. Even the most noddy web applications I've written don't store passwords unencrypted.
Doesn't surprise me in the least
Lloyds just don't seem to understand technology.
They used to have an on-line credit card facility under the Accucard brand. When they decided to amalgamate it into their core cards business they told the users by sending out a paper mail shot under the Lloyds brand - without making any announcement on the website or by email, even though the card was "on-line only".
They then seemed surprised that most of the users binned the mailshot thinking it was junk mail, got rather ratty when their cards suddenly stopped working, and now won't touch any Lloyds product with a bargepole.
Yes, I was one of those users. My card was cancelled while I was 12000 miles from home. Thanks a bunch Lloyds.
Re: The staff can READ your passwords?
This is not unusual. Telephone banking passwords, much like security phrases used in almost any other situation where they are given over the phone (mother's maiden name for security reasons when calling your ISP, for example?) are simply there as memorable and kinda-sorta secret-ish "passwords", that the operator simply matches up with what you tell them, not secure encrypted passwords - This is why (as in the case of every bank I've ever used, at least) the telephone banking "password" you use is separate to any other passwords/pin codes used with the account.
And while the system evidently lets any user change the phrase (this is presumably industry-wide as well, as I can happily call my bank and get my telephone banking security phrase changed at any time, so the operator on the other end must be able to action it) it would appear it at least logs who makes the changes, otherwise Lloyds would probably have had a hard time finding and firing the staff member who altered it.
Who needs a password?
Surely the password isn't needed by staff as they have their own systems that they use to see all our details.
Plus there's bound to be some backdoor access to these details. Nothing that a few SQL scripts couldn't do.
Lloyds' security is certainly pants if they limit passwords, particularly on business accounts (which often handle very large amounts of money), to six characters.
Anyway, if that's the case, how did he set "Lloyds is pants", or the staffer change it to "no it's not"?
Someone's not being straight with us here, and I suspect it's not Mr. Jetley.
Goon A: "I'd like X pounds, please"
Goon B: "why do you want X pounds?"
Goon A: "for expenses!"
Re: They Lied...
You _can_ unregister with Lloyds PhoneBank - something I did after someone tried to take all my savings, after walking (easily) through all the security checks - just go and do it in your branch
A few points
Firstly, most phone banking I've done before has used the system when you phone up that the call-centre operator asks for your (for example) 3rd and 7th letter of your password. The computer decides which letters they are going to ask for, and only shows them those letters. Given the volume of calls handled, and the lag between successive calls from a single customer, it would be incredibly hard for a member of staff to get to see someone's password. Of course, LTSB don't seem to do this.
Now, I'm going to have to say, I'm not in the least bit surprised. A few years ago, I dropped LTSB like a sack of spuds. Since the merger between Lloyds and TSB their service had gone down the tubes, resulting in me suing them for about £5k, and then switching to HSBC Premier - the best banking decision I've made in a long time. Let me give you a few examples of just how bad LTSB have been. I've had my address revert to an old one in the computer without my intervention, and all my mail go to an address 3 or 4 moves ago. Then when I went to fix it, they spent an age telling me I had to go to my home branch to sort it out (despite having a home branch of convenience in London because I moved around the country so much). The best one they did was shortly after the merger though (late 90s iirc). I phoned my branch manager up to arrange an increased overdraft for that month. He agreed to it, but apparently didn't action it on the main computer. They had just implemented a new collections department where accounts that went over the overdraft limit were transferred. My account went in the red (according to the old limit, but fine according to the new limit that hadn't been actioned), and got transferred to the collections department, who promptly cancelled all my direct debits and started bouncing everything. When I phoned my branch, they accepted the error, but said they couldn't do anything since they had no control over the account whilst it was in collections. When I spoke to the collections department, they refused to accept the error, and wouldn't do anything for me until my account was back in order. I had to wait until the end of the month for pay-day to get my account back in order and transferred back to the branch, and then spent a year getting all my charges refunded (including charges from people who had their Direct Debit refused by my bank).
I would have changed my account almost immediately, except back in those days it was incredibly hard to do, so I vowed that as soon as I got a decent bonus I would switch so LTSB never saw a penny of my money. Of course, switching became easier, and I went through on my promise. Personally, I would never ever recommend anyone uses any service LTSB have to offer. They have no idea of customer service, and are a dreadful organisation. I would prefer to put my money in a rugby ball shoved up my fudge tunnel than ever trust that barrel of snakes again.
I've just terminated my relationship with Lloyds, and things which have happened since then have confirmed nicely that it was definitely the right thing to do!
Having closed all my accounts, they then sent me a new cash card 3 weeks later...
...and then proceeded to start sending me letters about unauthorised overdraft usage on one of my now closed accounts.
The worst bit is that having complained that I hadn't received any advance notification about huge charges debited from my account, which put my account back into overdraft, for which they charged me more money, they pointed out that it was printed on the bottom of my previous bank statement. Yeah right, as if I'm going to see that when I primarily use internet banking which doesn't display upcoming charges anywhere.
Anyhow, after 14 years, screw you guys I'm going elsewhere.
is six letters.
WTF difference does it make if this is the over the phone memorable word password rather than online banking password? They would both allow somebody to steal money from you if they were compromised.
The one which always gets me is when the banks phone you and ask you to prove who you are by answering the DPA verification questions when they could be anyone.
So it must've gone something like....
Lloyds: OK sir, I just need your telephone banking password to allow you to transfer this money.
Customer: Lloyds is pants
Lloyds: I'm sorry sir, that's the wrong password. What you were looking for is "no it's not" but thanks for playing anyway.
If he managed to find out what the password had been changed to, what was the point of asking him it in the first place?
Something doesn't ring true here.
If the limit for passwords is 6 characters and only single words are allowed, how did the story begin with the password set to "Lloyds is pants" and then the change to "no it's not"?
Somebody hasn't got their facts straight somewhere.
Probably Lloyds/TSB. That wouldn't surprise me.
As one of their reluctant business customers, I'd better stay AC in this case.
@Missing the Point
> you " the password 1234abc"
> bank - all they see on the screen is *******
> how they hell is that going to work?
you:" the password 1234abc"
employee types password in; comparison (preferably one-way encryption alg.) is applied; yea or nay is returned - no p/w in the clear on the screen.
Not that I'm defending this as exactly wonderful either, given the number of obvious flaws with it.
Re passwords in plain text
The system they use shows the password to the operator in plain text, it is only for business accounts - apparently. Not sure if I trust them on that though..
Neddie: "Here's a photograph of a 10-bob note"
Grytpype-Thynne: "And here's a recording of 3 shillings change!"
you're all saying it should be blanked out, how are they supposed to verify it's you?
you " the password 1234abc"
bank - all they see on the screen is *******
Ok, let's try shall we?
The bank system could request the operator asks for the 2nd and 4th characters of the password.
Bank: What are the 2nd and 4th characters of your password?
You: 3 and F
Bank: (sounds of typing)
Bank's Computer system allows access
Bank: Thank you Mr Buxton, how can I help you today?
It's not rocket science, just simple security.
par for the course
Trust me, I would rather bank with LTSB than most of the other banks for various reasons - including their core security.
They have been the only bank to provide me with sensible pricing, apologise when they have made mistakes (and refund money) and use a reasonably secure setup for internet banking.
Anonymous because, well, I'd get fired from another bank :-)
Paris because it's all hype and nonsense, just like her
Surely it should be 09-f9-11-02-9d-74-e3-5b-d8-41-56-c5-63-56-88-c0 ?
So glad I don't bank with this bunch of muppets.
Re: Screw Lloyds
They changed the name on my account and everything pertaining to it to Mrs Sarah Gunn, sent me new chequebooks and cards accordingly, and addressed me as such to my face in my local branch. Then when someone cloned my card later on they accused me of stealing it myself.
Oh and they managed to cock up address change and standing order, the festering douchebags.
Mrs Sarah Gunn sounds like a no-messin' Old West madam, though, so it was kind of funny. Kind of.
For those who don't understand trapdoor password mechanisms
Why does the call centre person need to see your password on screen to verify that you gave the right password?
Password is stored encrypted with a one way trapdoor algorithm.
You phone up and say my password is XXX, operator types XXX into the computer, computer encrypts it with same one way trapdoor algo and compares result. If they match, the chances are that the password is the same and computer says "yes".
(Almost) no password should ever need to be stored in the clear (or in a decryptable form.) If it does need to be stored in the clear, redesign the application.
No change then
TSB somehow managed to set my account with a negative overdraft limit (an underdraft limit??) - when my balance dropped below £200 they levied punitive charges on it.
Of course they didn't *tell* me about it for 2 months, by which time it was in a large debit entirely due to their incompetence. Their phone banking was absolutely rubbish and refused to admit their error.
I ended up camping in the local branch and absolutely refusing to move until they sorted it out. It still took them another month to actually stop charging me on the (then closed) account. Total idiots the lot of them.
That's great, but how would you set up a telephone banking password like that in the first place? Maybe make 3 calls to 3 different operators and give them 2 characters at a time?
Reminds me of the Python sketch where they tried to translate the world's funniest joke into German by having one person work on each word at a time. Somebody saw two words and spent several weeks in hospital.
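The two mechanisms argued over in this thread, the type-it-in-and-compare one-way hash from the @Missing the Point reply and the trapdoor post, and the "2nd and 4th characters" check, fit together as below, which also answers the question of how such a word gets set up: it is enrolled once, whole, and stored as one keyed tag per character, so no later call ever needs the whole word on screen. This is an added example written for this page, not a commenter's code and not any bank's implementation; the pepper key, the PBKDF2 round count and the memorable word "x3zFq9" are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 200_000

# Server-side key kept outside the password database (in practice an HSM or KMS).
# The value below is constructed for this example only.
PEPPER = bytes.fromhex("5c" * 32)

def enrol_full(password: str) -> dict:
    """Store salt + one-way hash only (the 'trapdoor' scheme from the thread).
    Nobody, operator included, can read the password back out of this record."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest}

def verify_full(record: dict, attempt: str) -> bool:
    """Operator types what the caller said; the system answers only yes or no."""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, record["hash"])

def _position_tag(pepper: bytes, salt: bytes, index: int, ch: str) -> bytes:
    # Binding the index stops a tag for position 2 being replayed as position 4.
    return hmac.new(pepper, salt + index.to_bytes(2, "big") + ch.encode(), "sha256").digest()

def enrol_partial(password: str, pepper: bytes) -> dict:
    """One keyed tag per character so the operator can ask for, say, the 2nd and
    4th characters and never learns the rest.  A plain hash of one character is
    worthless on its own: each position has only a few dozen candidates, so
    anyone holding the database would recover every character instantly.  The
    pepper, stored elsewhere, is what makes the record useless without it.
    The record still reveals the password length; that is the trade-off."""
    salt = os.urandom(16)
    tags = [_position_tag(pepper, salt, i, ch) for i, ch in enumerate(password)]
    return {"salt": salt, "tags": tags}

def choose_positions(record: dict, count: int = 2) -> list:
    """Let the system, not the operator, pick which 1-based positions to ask for."""
    return sorted(secrets.SystemRandom().sample(range(1, len(record["tags"]) + 1), count))

def verify_partial(record: dict, pepper: bytes, answers: dict) -> bool:
    """answers maps 1-based position -> the single character the caller read out.
    Every requested position is checked before the overall result is returned."""
    ok = True
    for position, ch in answers.items():
        index = position - 1
        if index < 0 or index >= len(record["tags"]) or len(ch) != 1:
            ok = False
            continue
        ok &= hmac.compare_digest(_position_tag(pepper, record["salt"], index, ch),
                                  record["tags"][index])
    return ok

def demo() -> bool:
    """The thread's exchange with the constructed word 'x3zFq9': the 2nd and 4th
    characters are '3' and 'F', as the commenter's caller answered."""
    record = enrol_partial("x3zFq9", PEPPER)
    return verify_partial(record, PEPPER, {2: "3", 4: "F"})

if __name__ == "__main__":
    print("caller verified:", demo())
```

The per-position scheme only holds up if the pepper never sits next to the database and the number of wrong answers per account is rate-limited, since each question narrows one character to a few dozen guesses.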
I actually like LTSB
We have 2 branches in Bedford & I have always found them to be real easy to use, helpful about things to how to reduce charges on loans etc and have never said no to me when I needed temporary increases on my credit card or overdrafts.
I was with Barclays for a while in the early 90's and refuse to step foot in any of their branches ever again so great is my loathing of them. HSBC just made a mess of everything and put a dirty black mark on my credit history (thanks guys) which even these Experian type people are struggling to with (note: not ONCE while I was with HSBC did I ever go over any agreed limits or miss any CC payments and this is when we were setting up the business)
I find the online system simple to use (unique ID/password letters X,Y&Z from secret 2nd password) and the telephone drones quite friendly (X,Y&Z digit from secret number and then X & Y letters from passphrase – and if they are not sure about you they ask about a few random recent transactions – how much did you take from ATM sat night, you spent X on Friday – where was it etc etc) , they can be a bit over protective of my credit card though (Yes I buy lots of Dells on my company credit card - Yes it is authorised just like the last 6 times you stopped my card payments to Dell - do they not look at purchase history??), annoying as that is I would rather they be over protective of my money than not give a toss.
I do think this may be getting blown slightly out of proportion by the media – this observation is only based on my personal experience
So I guess horses for courses - I’m sure we all know someone with a horror story about X bank - still a trifle worrying that some call centre drone can refuse your password as it offends them - I would love to have been a fly on the wall on that meeting when the issue came up.
Paris - cos she would never be dumb enough to let anyone guess her passwords - Doh!!
....but it's true!
Having accounts at Barclays and Lloyds I can confirm that Lloyds is pants and Barclays is better.
Although that's like saying someone stamping hard on your foot is better than someone shooting your foot.
Now, when are Lloyds gonna let me use my debit card in cashpoints they don't own...