Password pants-off at Lloyds Bank

Set yourself a rude password at Lloyds TSB, and it is just possible that you might find it changed to something politer. That was the experience of Lloyds customer Steve Jetley, who attempted to set "Lloyds is pants" as his telephone banking password. According to Mr Jetley, this was then changed by a member of staff to "no it …

COMMENTS

  1. Justin
    Alien

    The staff can READ your passwords?

    Oh man, does Lloyds understand anything about security? Not sure if El Reg is being artistic in its descriptions, but if a bank staffer can see that he put a rude password in, then their security system is on a par with that of the Tax office.

    I guess it really doesn't matter any more anyway. The Govt have "lost" my bank details to the Dark Side anyway.

    Aliens? Nothing scarier?

  2. Nic Brough
    Coat

    New Monitor Please

    There's coffee on this one.

    Any online system that even allows another human to read or extract a (sensitive) password has to be a joke.

    >if a six-character password, visible to all system users, and with an apparently instant over-write facility represents the best in current security, then Vulture Central is investing in a very large mattress, under which it will be storing all its ill-gotten gains in future

    Surely you should be more secure than that? You should put the ill-gotten gains _in a teapot_ under the mattress...

    Mine's the one with the 1950s Goon Show scripts in the pocket...

  3. Dr Who
    Flame

    Bunch of complete bankers

    Fuck me. This just takes the biscuit. They lose our personal information by binning unsanitised servers (RBS) and now it seems that our passwords are stored unencrypted and are accessible for read and write by any tom, dick or harry in the bank.

    They are truly a complete bunch of bankers. The incompetence is breathtaking.

    I'm not hanging around. My double king sized mattress is already on order.

  4. Anonymous Coward
    Anonymous Coward

    @Justin - Exactly what I would like to know!

    Was this one of those "give us an easy to remember phrase so we can confirm it's you next time" or is this actually on a system through keyboard input?

    Surely Lloyds cannot be so simple as to allow support staff to see customer passwords on systems?

  5. James Pickett
    Stop

    Hmm...

    "no possibility that this password could have been used to plunder his hard-earned dosh"

    Who could imagine such a thing? I'm booking my tickets with Swine Air right now...

  6. andy gibson
    Unhappy

    lies

    So much for the reassurance that the person at customer service can only see characters "x" and "y" when asking for my password.

    No doubt said ex-employee has the full login details of anyone he desired.

  7. The BigYin

    How did the employee know to change the password...

    ...unless the password was stored in the clear?

    When checking authentication, banks usually just ask for a couple of characters; not the entire thing.

  8. Anonymous Coward
    Anonymous Coward

    security?

    I don't really understand how hiding the password is meant to make the system more secure.

    The operator says "what is your password"

    You say "grandmothersmaidenname"

    and then the operator realises (s)he cannot see "grandmothersmaidenname" on the screen.

    Oh dear thinks the operator, I cannot read the password so that means I cannot remember what the punter said.

  9. Simon B
    Flame

    Lloyds have ALWAYS been crap!

    The fact that any staff can see your password shows how shit they are for starts! I recently tried with my wife to get my name ADDED to HER Lloyds account. The computer said no, the woman looked lost, tried again and had to ask me for ALL my details ALL OVER AGAIN, again computer says no. Went out, 10 mins later came back in, tried again, computer says no. She says dunno what's wrong and nor do the technical people. Wow, maybe you lot should go on a college course in basic computing, especially the technical staff responsible for keeping things running who didn't know what was wrong! They should go get a job at PC World, they'd do just fine!

    Add that to other Lloyds experiences, again through a partner, and it shows why I've always said they are shit and they keep proving me right!

  10. doctorflam
    Paris Hilton

    You're surprised?

    This happens everywhere. You ring up, give them your details, and your password pops up in plaintext so the operator can check it to complete DPA requirements. If you can't remember it, they check some other details and set a new one for you. Standard process in pretty much any call centre for any company, not just Lloyds TSB - it's a bit unfair to make it seem as though they're the only ones doing it.

    I bet this was one of those insufferable old bastards who refuse to use Internet Banking because "I don't trust it / It's not secure / I saw something bad on TV about it / It'll make my children smell like hammers". You trust some 19-year-old kid in a generic outsourced call centre getting paid £6 an hour, though?!

    Paris because even she's not that stupid!

  11. Laurie
    Happy

    @ Dr Who

    It may interest you to know, Doctor, that the collective noun for bankers is a "Wunch".

  12. Paul

    As this seems to have been telephone banking...

    I assume that it was a "give us an easy to remember phrase" job. Most banks seem to have been doing this since realising how trivial it is to find someone's mother's maiden name.

    I can in this case see why there would be tight restrictions e.g. would you want to be a call center worker having to hear hundreds of people giving the oh so clever password "your a wanker" every day.

  13. Neil

    Amazing...

    I have the same password on my luggage!

  14. Kiernan Wagstaff
    Stop

    Password

    The story says that it was his phone bank password; this has to be visible to staff so that they can verify his ID. And they can change it: a "computer generated" password is sent out to the customer first and during the first call to LTSB PhoneBank you are requested to change it. As you are on a phone and do not have a keyboard in front of you, the operator (call centre advisor/insert gratuitous & facetious monkey-describing adjective here) on the other end has to do this.

  15. Chris Harden

    Old?

    You don't have to be old to not trust internet banking - I'm 25 and I don't trust it - not that I don't trust the bank's computers, I don't trust any computer of mine that's attached to the Internet.

    If you think you're immune from having your computer compromised online, then you're a tool.

  16. Anonymous Coward
    Paris Hilton

    RE: Lloyds have ALWAYS been crap!

    While I agree with you 100% have you seen Natwest's online banking offering? OMFG is it the worst thing ever. It's as if it was designed by cave dwellers!

    As for "Barclays is better" - I think they hold the top spot so far as online banking goes? (I've had online banking with them since the days of PC Banking and a monthly subscription - meh). I don't think the design has changed since about 2000, that's how good it is.

  17. Jonathan Schofield
    Thumb Up

    They can see your password

    My Lloyds card was swindled to the tune of several thousand pounds and as a consequence I had to change my password from my mother's maiden name to something else. Now when you ring up they ask for the password with the hint - "it may be your mother's maiden name". The first time this happened after the swindle I had forgotten what the password was and the lady at the other end helpfully reminded me!

  18. Ken Hagan Gold badge

    They lied...

    "...attempted to set "Lloyds is pants" as his telephone banking password. [...] Mr Jetley then tried “censorship”, but again, the computer said ‘no’. Apparently six characters is the system limit."

    I've had telephone banking with Lloyds since before they admitted in public to having such a service. My password has always been more than six characters in length. Perhaps this is a new requirement, but since their database clearly has to cope with *my* old password, I can't really see the point. More likely, it wasn't the computer that said no.

    It would be really interesting to know whether such an insecure system meets the legal requirements to protect personal information. (It would also be interesting to know whether I can "unregister" with PhoneBank.)

  19. Anonymous Coward
    Stop

    Missing the Point

    I think some of you are missing the point.

    "who attempted to set "Lloyds is pants" as his telephone banking password"

    "his telephone banking" - notice the Telephone bit

    how is the person in the call centre supposed to check it's you without seeing what the password is

    you're all saying it should be blanked out, how are they supposed to verify it's you ?

    you: "the password 1234abc"

    bank - all they see on the screen is *******

    how the hell is that going to work?

    and if you use the same telephone banking password as your internet banking password or for any other passwords, I would change it :)

  20. Paul Buxton

    It seems that the customer is always right

    Even as they try to dig themselves out of the hole they've created they get deeper.

    The trick is to dig UP.

    Lloyds is pants!

  21. Anonymous Coward
    Anonymous Coward

    It's not like Halifax are any better

    http://www.ciao.co.uk/Halifax__Review_5748464

  22. Steve
    Coat

    Encryption

    So he should have set the password to d34223e5f764af635b71b0f1f82137e8

  23. Anonymous Coward
    Anonymous Coward

    Ahh, Lloyds bank

    Somewhere I still have the letter from them stating I was 3p in credit and needed to settle my overdraft immediately as it had just been cancelled and was still around £30 overdrawn.

    Oddly, I had paid it off right before it was removed but they issued the letter based on the balance at opening time but listing the balance at closing time.

    Bankers.

  24. Wokstation
    Paris Hilton

    I bank with the ol' horsey

    And I use Phonebank a lot. The staff NEVER ask for your password anymore. You have a 6-digit PIN and during the callsteer, you have to enter your Account Number, Sort Code and 2 digits from the PIN which have been randomly selected by the computer.

    No member of staff handles the password, because there isn't one.

    For them to have a less secure system for business customers than they do for the average punter seems very odd to me...

    Paris... just coz.

  25. Paddy Newman
    Happy

    just to clarify...

    You know this is the over-the-phone memorable word password, not the user's actual online banking password.

  26. Anonymous Coward
    Thumb Down

    Whatever happened to...

    ...asking for two letters from your password?

    That way the staff member never knows the whole password and you don't have to read out the whole password within range of potential eavesdroppers.

  27. Michael

    Speechless.

    I'm having a hard time believing any bank would be this stupid. Even the most noddy web applications I've written don't store passwords unencrypted.

  28. Richard Ormson
    Unhappy

    Doesn't surprise me in the least

    Lloyds just don't seem to understand technology.

    They used to have an on-line credit card facility under the Accucard brand. When they decided to amalgamate it into their core cards business they told the users by sending out a paper mail shot under the Lloyds brand - without making any announcement on the website or by email, even though the card was "on-line only".

    They then seemed surprised that most of the users binned the mailshot thinking it was junk mail, got rather ratty when their cards suddenly stopped working, and now won't touch any Lloyds product with a bargepole.

    Yes, I was one of those users. My card was cancelled while I was 12000 miles from home. Thanks a bunch Lloyds.

  29. Anonymous Coward
    Stop

    Re: The staff can READ your passwords?

    This is not unusual. Telephone banking passwords, much like security phrases used in almost any other situation where they are given over the phone (mother's maiden name for security reasons when calling your ISP, for example?), are simply there as memorable and kinda-sorta secret-ish "passwords" that the operator simply matches up with what you tell them, not secure encrypted passwords. This is why (as in the case of every bank I've ever used, at least) the telephone banking "password" you use is separate to any other passwords/PIN codes used with the account.

    And while the system evidently lets any user change the phrase (this is presumably industry-wide as well, as I can happily call my bank and get my telephone banking security phrase changed at any time, so the operator on the other end must be able to action it) it would appear it at least logs who makes the changes, otherwise Lloyds would probably have had a hard time finding and firing the staff member who altered it.

  30. Chris
    Pirate

    Who needs a password?

    Surely the password isn't needed by staff as they have their own systems that they use to see all our details.

    Plus there's bound to be some backdoor access to these details. Nothing that a few SQL scripts couldn't do.

  31. Jon Green
    Alert

    (In)security

    Lloyds' security is certainly pants if they limit passwords, particularly on business accounts (which often handle very large amounts of money), to six characters.

    Anyway, if that's the case, how did he set "Lloyds is pants", or the staffer change it to "no it's not"?

    Someone's not being straight with us here, and I suspect it's not Mr. Jetley.

  32. Frumious Bandersnatch
    Joke

    goons

    Goon A: "I'd like X pounds, please"

    Goon B: "why do you want X pounds?"

    Goon A: "for expenses!"

  33. Matt

    Re: They Lied...

    You _can_ unregister with Lloyds PhoneBank - something I did after someone tried to take all my savings, after walking (easily) through all the security checks - just go and do it in your branch.

  34. Anonymous Coward
    Pirate

    A few points

    Firstly, most phone banking I've done before has used the system when you phone up that the call-centre operator asks for your (for example) 3rd and 7th letter of your password. The computer decides which letters they are going to ask for, and only shows them those letters. Given the volume of calls handled, and the lag between successive calls from a single customer, it would be incredibly hard for a member of staff to get to see someone's password. Of course, LTSB don't seem to do this.

    Now, I'm going to have to say, I'm not in the least bit surprised. A few years ago, I dropped LTSB like a sack of spuds. Since the merger between Lloyd's and TSB their service had gone down the tubes, resulting in me suing them for about £5k, and then switching to HSBC Premier - the best banking decision I've made in a long time. Let me give you a few examples of just how bad LTSB have been. I've had my address revert to an old one in the computer without my intervention, and all my mail go to an address 3 or 4 moves ago. Then when I went to fix it, they spent an age telling me I had to go to my home branch to sort it out (despite having a home branch of convenience in London because I moved around the country so much). The best one they did was shortly after the merger though (late 90s iirc). I phoned my branch manager up to arrange an increased overdraft for that month. He agreed to it, but apparently didn't action it on the main computer. They had just implemented a new collections department where accounts that went over the overdraft limit were transferred. My account went in the red (according to the old limit, but fine according to the new limit that hadn't been actioned), and got transferred to the collections department, who promptly cancelled all my direct debits and started bouncing everything. When I phoned my branch, they accepted the error, but said they couldn't do anything since they had no control over the account whilst it was in collections. When I spoke to the collections department, they refused to accept the error, and wouldn't do anything for me until my account was back in order. I had to wait until the end of the month for pay-day to get my account back in order and transferred back to the branch, and then spent a year getting all my charges refunded (including charges from people who had their Direct Debit refused by my bank).

    I would have changed my account almost immediately, except back in those days it was incredibly hard to do, so I vowed that as soon as I got a decent bonus I would switch so LTSB never saw a penny of my money. Of course, switching became easier, and I went through on my promise. Personally, I would never ever recommend anyone uses any service LTSB have to offer. They have no idea of customer service, and are a dreadful organisation. I would prefer to put my money in a rugby ball shoved up my fudge tunnel than ever trust that barrel of snakes again.

  35. Anonymous Coward
    Flame

    Screw Lloyds

    I've just terminated my relationship with Lloyds, and things which have happened since then have confirmed nicely that it was definitely the right thing to do!

    Having closed all my accounts, they then sent me a new cash card 3 weeks later...

    ...and then proceeded to start sending me letters about unauthorised overdraft usage on one of my now closed accounts.

    The worst bit is that having complained that I hadn't received any advance notification about huge charges debited from my account, which put my account back into overdraft, for which they charged me more money, they pointed out that it was printed on the bottom of my previous bank statement. Yeah right, as if I'm going to see that when I primarily use internet banking which doesn't display upcoming charges anywhere.

    Anyhow, after 14 years, screw you guys I'm going elsewhere.

    Muppets.

  36. steogede
    Thumb Down

    wankrs

    is six letters.

    @paddy newman

    WTF difference does it make if this is the over the phone memorable word password rather than online banking password? They would both allow somebody to steal money from you if they were compromised.

    The one which always gets me is when the banks phone you and ask you to prove who you are by answering the DPA verification questions when they could be anyone.

  37. DarkWhite
    Happy

    So it must've gone something like....

    Lloyds: OK sir, I just need your telephone banking password to allow you to transfer this money.

    Customer: Lloyds is pants

    Lloyds: I'm sorry sir, that's the wrong password. What you were looking for is "no it's not", but thanks for playing anyway.

    If he managed to find out what the password had been changed to, what was the point of asking him it in the first place?

  38. Anonymous Coward
    Dead Vulture

    Something doesn't ring true here.

    If the limit for passwords is 6 characters and only single words are allowed, how did the story begin with the password set to "Lloyds is pants" and then the change to "no it's not"?

    Somebody hasn't got their facts straight somewhere.

    Probably Lloyds/TSB. That wouldn't surprise me.

    As one of their reluctant business customers, I'd better stay AC in this case.

  39. Anonymous Coward
    Anonymous Coward

    @Missing the Point

    > you: "the password 1234abc"
    > bank - all they see on the screen is *******
    > how the hell is that going to work?

    you: "the password 1234abc"

    employee types password in; comparison (preferably one-way encryption alg.) is applied; yea or nay is returned - no p/w in the clear on the screen.

    Not that I'm defending this as exactly wonderful either, given the number of obvious flaws with it.

  40. DMG
    Thumb Down

    Re passwords in plain text

    The system they use shows the password to the operator in plain text, it is only for business accounts - apparently. Not sure if I trust them on that though..

    http://news.bbc.co.uk/1/hi/england/shropshire/7585098.stm

  41. Craig McLean
    Happy

    Goons, v.2

    Neddie: "Here's a photograph of a 10-bob note"

    Grytpype-Thynne: "And here's a recording of 3 shillings change!"

  42. Paul Buxton

    @AC

    "you're all saying it should be blanked out, how are they supposed to verify it's you ?

    you: "the password 1234abc"

    bank - all they see on the screen is *******"

    -----------------------

    Ok, let's try shall we?

    The bank system could request the operator asks for the 2nd and 4th characters of the password.

    Bank: What are the 2nd and 4th characters of your password?

    You: 3 and F

    Bank: (sounds of typing)

    Bank's Computer system allows access

    Bank: Thank you Mr Buxton, how can I help you today?

    -----------------------

    It's not rocket science, just simple security.

  43. Anonymous Coward
    Paris Hilton

    par for the course

    Trust me, I would rather bank with LTSB than most of the other banks for various reasons - including their core security.

    They have been the only bank to provide me with sensible pricing, apologise when they have made mistakes (and refund money) and use a reasonably secure setup for internet banking.

    Anonymous because, well, I'd get fired from another bank :-)

    Paris because it's all hype and nonsense, just like her

  44. Nic Brough
    Happy

    @Encryption

    Surely it should be 09-f9-11-02-9d-74-e3-5b-d8-41-56-c5-63-56-88-c0 ?

    So glad I don't bank with this bunch of muppets.

  45. Sarah Bee (Written by Reg staff)

    Re: Screw Lloyds

    They changed the name on my account and everything pertaining to it to Mrs Sarah Gunn, sent me new chequebooks and cards accordingly, and addressed me as such to my face in my local branch. Then when someone cloned my card later on they accused me of stealing it myself.

    Oh and they managed to cock up address change and standing order, the festering douchebags.

    Mrs Sarah Gunn sounds like a no-messin' Old West madam, though, so it was kind of funny. Kind of.

  46. Anonymous Coward
    Anonymous Coward

    For those who don't understand trapdoor password mechanisms

    Why does the call centre person need to see your password on screen to verify that you gave the right password?

    Password is stored encrypted with a one way trapdoor algorithm.

    You phone up and say my password is XXX, operator types XXX into the computer, computer encrypts it with same one way trapdoor algo and compares result. If they match, the chances are that the password is the same and computer says "yes".

    (Almost) no password should ever need to be stored in the clear (or in a decryptable form.) If it does need to be stored in the clear, redesign the application.
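    Posts 42 and 46 describe two ways the computer, rather than the operator, can decide whether a caller's password is right: compare the whole word against a one-way hash, or ask for two positions so the operator never hears the whole thing (which also answers post 58's objection). As an added example that is not from the thread or from any bank's system, here is a Python model of both; the class names, the PBKDF2 work factor and the per-character storage scheme are assumptions.

```python
"""Model of the two telephone-banking checks argued over in this thread.

Added example, not a bank's code. StoredPassword is the 'type it in, get
yes/no' design (post 46); PositionalPassword is the 'characters 2 and 4'
design (post 42). Passwords used below are constructed sample values.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

ITERATIONS = 100_000  # PBKDF2 work factor; assumed, tune for your hardware


def _kdf(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)


@dataclass
class StoredPassword:
    """Whole-password record: one salt, one derived key. The clear text is
    never stored and the screen only ever shows the yes/no result, but the
    operator still hears the entire word when the caller reads it out."""
    salt: bytes
    derived: bytes

    @classmethod
    def enrol(cls, password: str) -> "StoredPassword":
        salt = secrets.token_bytes(16)
        return cls(salt, _kdf(password, salt))

    def verify(self, attempt: str) -> bool:
        # Operator types what the caller says; constant-time compare.
        return hmac.compare_digest(self.derived, _kdf(attempt, self.salt))


@dataclass
class PositionalPassword:
    """Positional record: each character is derived with its own salt so the
    system can check 'characters 2 and 4' without holding the whole word.
    Trade-off: a single character has a tiny input space, so this protects
    against the operator and eavesdroppers, not against a stolen database;
    treat the records as secrets (encrypt at rest, HSM) like a PIN offset."""
    salts: list
    derived: list

    @classmethod
    def enrol(cls, password: str) -> "PositionalPassword":
        salts = [secrets.token_bytes(16) for _ in password]
        derived = [_kdf(ch, s) for ch, s in zip(password, salts)]
        return cls(salts, derived)

    def challenge(self, k: int = 2) -> list:
        """Pick k distinct 1-based positions for the operator to ask for."""
        positions = list(range(1, len(self.salts) + 1))
        chosen = [positions.pop(secrets.randbelow(len(positions)))
                  for _ in range(k)]
        return sorted(chosen)

    def verify(self, challenge: list, answers: str) -> bool:
        """challenge: positions that were asked; answers: the characters the
        caller read out, in the same order. Checks every position before
        answering so a wrong first character leaks nothing about the rest."""
        if not challenge or len(answers) != len(challenge):
            return False
        ok = True
        for pos, ch in zip(challenge, answers):
            if not 1 <= pos <= len(self.salts):
                return False
            ok &= hmac.compare_digest(self.derived[pos - 1],
                                      _kdf(ch, self.salts[pos - 1]))
        return ok


if __name__ == "__main__":
    full = StoredPassword.enrol("Lloyds is pants")   # constructed sample
    print("whole-word check:", full.verify("Lloyds is pants"),
          full.verify("no it's not"))
    part = PositionalPassword.enrol("Lloyds")        # constructed sample
    asked = part.challenge()
    print("operator asks for positions", asked)
```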

  47. Tony Hoyle

    No change then

    TSB somehow managed to set my account with a negative overdraft limit (an underdraft limit??) - when my balance dropped below £200 they levied punitive charges on it.

    Of course they didn't *tell* me about it for 2 months, by which time it was in a large debit entirely due to their incompetence. Their phone banking was absolutely rubbish and refused to admit their error.

    I ended up camping in the local branch and absolutely refusing to move until they sorted it out. It still took them another month to actually stop charging me on the (then closed) account. Total idiots the lot of them.

  48. Carl

    @Paul Buxton

    That's great, but how would you set up a telephone banking password like that in the first place? Maybe make 3 calls to 3 different operators and give them 2 characters at a time?

    Reminds me of the Python sketch where they tried to translate the world's funniest joke into German by having one person work on each word at a time. Somebody saw two words and spent several weeks in hospital.

  49. Anonymous Coward
    Paris Hilton

    I actually like LTSB

    We have 2 branches in Bedford & I have always found them to be real easy to use, helpful about things like how to reduce charges on loans etc and have never said no to me when I needed temporary increases on my credit card or overdrafts.

    I was with Barclays for a while in the early 90's and refuse to step foot in any of their branches ever again, so great is my loathing of them. HSBC just made a mess of everything and put a dirty black mark on my credit history (thanks guys) which even these Experian type people are struggling with (note: not ONCE while I was with HSBC did I ever go over any agreed limits or miss any CC payments and this is when we were setting up the business)

    I find the online system simple to use (unique ID/password, letters X, Y & Z from secret 2nd password) and the telephone drones quite friendly (X, Y & Z digit from secret number and then X & Y letters from passphrase - and if they are not sure about you they ask about a few random recent transactions - how much did you take from ATM Sat night, you spent X on Friday - where was it etc etc). They can be a bit over protective of my credit card though (yes I buy lots of Dells on my company credit card - yes it is authorised just like the last 6 times you stopped my card payments to Dell - do they not look at purchase history??). Annoying as that is, I would rather they be over protective of my money than not give a toss.

    I do think this may be getting blown slightly out of proportion by the media – this observation is only based on my personal experience

    So I guess horses for courses - I’m sure we all know someone with a horror story about X bank - still a trifle worrying that some call centre drone can refuse your password as it offends them - I would love to have been a fly on the wall on that meeting when the issue came up.

    Paris - cos she would never be dumb enough to let anyone guess her passwords - Doh!!

  50. Anonymous Coward
    Anonymous Coward

    ....but it's true!

    Having accounts at Barclays and Lloyds I can confirm that Lloyds is pants and Barclays is better.

    Although that's like saying someone stamping hard on your foot is better than someone shooting your foot.

    Now, when are Lloyds gonna let me use my debit card in cashpoints they don't own...

  51. Dick

    Can system folks see your password?

    Years ago I caught an employee using a co-workers password. She confessed that her own pw had expired while she was on vacation and she was too embarrassed to call the help desk for a reset because it was set to "fuckujoe" - Joe was the guy who worked the help desk.

  52. ShaggyDoggy

    @ steogede (DPA)

    Try MBNA for size ....

    Caller: this is MBNA here what's the first line of your address

    Me: (gives first line)

    Caller: what's your password

    Me: you're kidding me aren't you

    ........ etc etc etc as far as I know they still do that

  53. Paul Buxton

    @Carl

    "That's great, but how would you set up a telephone banking password like that in the first place? Maybe make 3 calls to 3 different operators and give them 2 characters at a time?"

    An automated telephone system maybe?

    Am I just smarter than you?

  54. Bill Gould
    Gates Halo

    Ah, keyword

    While I would still expect that to be encrypted, I would also expect that certain staff would be able to see it while checking your account. How else would they verify you are who you say you are over the phone? A common keyword is "Your mother's maiden name".

    It would explain how they were able to track down the single offending employee quickly. There would be logs about who accessed the user's account for keyword verification or changes.

  55. Adrian Jackson

    Goonage: In a teapot under a mattress?

    That'll never do. Here, let me hide the mattress inside this life-size cardboard replica of Nelson's column.

  56. Anonymous Coward
    Happy

    OMG Security!

    Man, what's with security these days?

    I mean, I'm an analyst/programmer, and just last week I had to advise a client that the information they were planning to store on a system needed to be encrypted. Fine, no problems there, they took my recommendation and let me do it right.

    Doing it in this case was a one-way encryption, and looking up the data needed the right source data, which would be encrypted and compared to the table before the rest of that record's information would be presented in the clear. Even the lookup was on encrypted data so there was no way to get to anything unencrypted.

    The data? Vehicle VIN numbers, with matching keycodes and stereo codes. Not exactly a high security requirement, but it needed security nonetheless, might as well do it right.

    Thing is, if I'm going to a level of security way above the banks for much less important data, am I being paranoid or are they being lax??

  57. Fred Bauer
    Joke

    Bureaucracy

    From some of the stories above, it seems like the folks at Lloyd's have been taking their management practices from that classic Infocom game.

  58. DavCrav
    Stop

    Am I missing something?

    To people above who suggest having to type in the details and the computer returns yes/no (and not to those who say that they should ask for two letters), if it's the correct password, doesn't the call centre person still have your password anyway?

  59. This post has been deleted by its author

  60. Anomalous Cowherd Silver badge

    2 digits from a 6 digit pin?

    "And I use Phonebank a lot. The staff NEVER ask for your password anymore. You have a 6-digit PIN and during the callsteer, you have to enter your Account Number, Sort Code and 2 digits from the PIN which have been randomly selected by the computer."

    I've got £10 that says digit 1 is 0, 1 or 2 and digit 3 is 0. Given that they normally give you three tries I just need to keep calling back until I'm asked for those two digits, then I have a better than even chance of getting access for most accounts.

    Any system that relies on 2 digits from a 6 digit numeric pin is inherently insecure. Require 7 digits and people won't automatically use a date.
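    The post above argues that a 6-digit PIN is usually a date, which is what makes a two-digit challenge guessable. As an added example that is not from the thread or from any bank, here is a Python enrolment check that refuses date-shaped and sequential PINs as a mitigation alongside (or instead of) a longer PIN; check_pin and the 1969 to 2068 two-digit-year window are assumptions.

```python
"""PIN-enrolment policy for a numeric telephone-banking PIN.

Added example, not a bank's code. Rejects PINs that are 'obviously a
date' in any of the usual orderings, plus runs and repeats.
Assumption: two-digit years are taken from 1969 to 2068 (Python's %y
convention), which also fixes which years count as leap years.
"""
from datetime import date, timedelta

MIN_LEN = 6
YEAR_START, YEAR_END = 1969, 2068


def _date_like_pins() -> frozenset:
    """Every DDMMYY, MMDDYY and YYMMDD rendering of each day in the span,
    built by walking the calendar so 29 February only appears in leap years."""
    pins = set()
    day = date(YEAR_START, 1, 1)
    end = date(YEAR_END, 12, 31)
    while day <= end:
        pins.add(day.strftime("%d%m%y"))
        pins.add(day.strftime("%m%d%y"))
        pins.add(day.strftime("%y%m%d"))
        day += timedelta(days=1)
    return frozenset(pins)


DATE_LIKE_PINS = _date_like_pins()


def _is_run(pin: str) -> bool:
    """True for 123456, 654321 and the like (every step +1 or every step -1)."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps == {1} or steps == {-1}


def check_pin(pin: str, min_len: int = MIN_LEN) -> tuple:
    """Return (accepted, reason); reason is '' when the PIN is accepted."""
    if not pin.isdigit():
        return False, "digits only"
    if len(pin) < min_len:
        return False, f"at least {min_len} digits"
    if len(set(pin)) == 1:
        return False, "all digits identical"
    if _is_run(pin):
        return False, "consecutive digits"
    # The date rule only applies to the 6-digit shape the post discusses.
    if len(pin) == 6 and pin in DATE_LIKE_PINS:
        return False, "looks like a date"
    return True, ""


def date_like_fraction() -> float:
    """Share of the 10**6 six-digit PIN space that the date rule removes."""
    return len(DATE_LIKE_PINS) / 10 ** 6


if __name__ == "__main__":
    for sample in ("290200", "123456", "310200", "12345"):   # constructed
        print(sample, check_pin(sample))
    print(f"date rule removes {date_like_fraction():.1%} of 6-digit PINs")
```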

  61. Wokstation

    @"Lloyds is pants and Barclays is better." AC

    Yeah, Barclays is "better", eh?

    Barclays, the ones who let someone withdraw £500 from my account with nothing but my name, sort code and account number. They had no ID. They didn't even attempt to sign my name - they block-printed it. Yet still, Barclays let them take it out.

    I only noticed because I spotted, later that day, that my account was £500 shy and queried it. As soon as they compared the withdrawal slip to my on-record signature, they could see it was different (I sign like a spider covered in ink having a fit on the page).

    Though the guy was as thick as them - he tried it again the next day... and promptly got arrested.

  62. Sonny Jim

    I used to work in an LTSB call centre

    Very recently I took on a job working the front line support for the branch/counter staff (not customers). One of the things I noticed was the complete lack of security when it came to passwords. The 'script' we had (flowchart, basically) for password resets went like this:

    1. Check date of birth spreadsheet, if not listed (hardly any were), goto 2

    2. Check memorable information (2nd character of blah etc), if not listed (again, about 80% did not have this setup) goto 3

    3. If the caller is based in India, reset password

    I'm not making this up, I even questioned this, to which my superiors replied "It's always been like that". So if you want to get a password reset just put on an Indian accent.

    Because we had to use two separate boxes (one for call handling/office work the other was on the bank network) we could not copy and paste, henceforth all the desks were littered with bits of paper with usernames, account numbers, you name it. There was no 'clearing your desk' policy or if there was, it wasn't very heavily enforced

    I was forced to work continuously for over 2 hours without a break whilst using a VDU, which I assumed was illegal in the UK, but apparently not. I met some people there who had been working as temps for over a year! When I started my boss introduced me to the people I would be working with and said:

    "We've got some really good guys on your pod, really experienced, so just ask them if you get stuck. This guy has been here for nearly 6 months"

    I had to fake a sneeze to stop me going WTF? Basically, anyone with an ounce of talent is going to get the hell out of these sorts of places as soon as, so you are left with all the fuckwits.

    Here's a quick example of how much idiocy occurred at this place. Most counters have MICR (magnetic ink) readers for cheques etc. They ALSO have hearing aid induction loops. A hearing aid induction loop is one big magnet; can you see where this is leading? They upgraded all the MICR readers and then suddenly found out (due to the sheer number of calls) that the hearing aid loops were causing interference, and their solution? Not, as you may all think, TEST THINGS IN A LIVE SETTING before installing them into over 300 different sites, but to simply tell the staff to turn off the loop until they see someone with a hearing aid walk in (and hope they didn't have lots of cheques).

    The general atmosphere was rotten, in the short time I was there I was quite legendary as I was one of the few people who was actually trying to help out the customer. It was a 'blame' culture, where problems would just bounce around different departments saying "It's X depts fault, contact them" or "You've missed out a tiny insignificant detail on the problem report" and it gets rejected.

    I've got a much better job now, but it's changed the way I treat people when I inevitably have to ring a call centre. Once the English training gets up to full speed in India I doubt there will be a call centre left in the UK.

    p.s. They want me to fill out a 'leavers' interview before I can get my holiday pay, is this legal? I'm tempted just to copy and paste this text.

    p.p.s We did not have access to the 'full' password, but then again we had the power to reset them.

  63. Carl

    @Paul Buxton

    An automated telephone system that definitely isn't "monitored or recorded for training purposes" right?

    Presumably it would have some sort of voice recognition -- "did you say 'banker', that's 'b', 'a', 'n', 'k', 'e', 'r'?"

  64. Anonymous Coward
    Anonymous Coward

    @ Justin

    Of course they can read your passwords ... but only those that actually know how to read

  65. Anonymous Coward
    Flame

    You're all a wunch of bankers

    Funny, I've never seen any of this in my dealings with many banks (Barclays - both personal and commercial, Halifax, Lloyds, and a couple of building societies). In fact, I had to change my telephone banking password the other day with one of them (I normally bank on-line and had forgotten my password). After answering all of the security questions - and there were many - I was passed through to another individual who did not have access to my account details, to whom I passed my new password. In future, when using this password, I will be asked for letters x and y from it - not the full password.

    Assuming (I know, I know) that what I was being told was truthful (and I have no reason to doubt otherwise) then this would appear to be a reasonably secure method.

    Finally, there are so many inconsistencies in the Reg article, I'm surprised that anybody has given it any credence.

  66. JimC
    Coat

    I have little sympathy for both sides...

    On the one hand the amazing stupidity of some of the public, a substantial proportion of whom couldn't reliably tell you what the fifth and seventh characters of their pass phrase are,

    On the other hand the terms and conditions of on-line banking, which seem to boil down to: it's your fault unless you can prove it's not, and don't think we're going to let you see the system logs and things you'd need to prove it's not your fault.

    [gets coat and heads down to the market place]

  67. Paul Buxton

    @Carl

    "An automated telephone system that definitely isn't "monitored or recorded for training purposes" right?"

    Why, having made a secure system, would you then introduce levels of insecurity?

    It definitely would be monitored. How else would you get the key presses logged in a database? No need for any human intervention at any stage of this so it's inherently more secure than ANY system that involves people.

  68. Anonymous Coward
    Thumb Up

    @ Dr Who

    I think you will find there are no Toms or Harrys at the bank, they are all dicks.

  69. Anonymous Coward
    Paris Hilton

    In another bank

    The pass phrase is absolutely any response to anything the customer deems to be a good security question ... resulting in, as I understand it, instances of the bank asking something like: "Do you think you are going out dressed like THAT?" to which the correct response could be (but isn't): "At least I've shaved my armpits".

  70. David Hayes
    Flame

    Hows about a password:

    "; drop table LLoyds.ShareholdersAccounts; //

    No?

  71. Dennis
    Paris Hilton

    Security Versus Cost.....an analysis

    The problem with Banks is that they are there to make a Profit. So when it comes to security they run a cost-benefit analysis. It will cost the Bank £1,000,000 to fix this. My potential exposure to loss is £1,000,000. But factoring in stupid customers who don't notice when they are being ripped off will reduce this figure by a quarter. £750,000. Not changing the system means I won't have to retrain staff, saving me another quarter. Figure down to £500,000. So crooks get away with £500,000. Customers take a hit of £250,000 and the Bank takes a hit of £250,000.

    Saving the Bank £750,000. So next time you hear of a Bank quoting they are losing Billions through fraud you will now know why they don't do more to stop it. Because it would cost them more money to fix the problem.

    And anyway if they do lose too much money they will just ask Gordon Clown for a hand out and he will willingly oblige.

    Paris because I would have to explain this simple premise to her.

    So as you see your security is determined by money.

  72. Krystan Honour
    Pirate

    plain text

    This means that at some point staff can read a user's password; that's a joke. As a developer I am heavily against storing passwords in plain text, it's just asking for someone to steal them and to be honest is security 101, so the real question here is who changed that password and at what stage?

    Surely they should just be storing a hash or such as your password match and not what you actually typed in.

  73. DR

    re everyone who I could be bothered to read.

    "OMG THE BANK CAN SEE OUR PASSWORD"

    ummm... yes, that's how they know that when they ask you for a password on the phone that you give the right password. (actually I think they ask for a series of letters from your password).

    "OMG THEY CAN CHANGE THE PASSWORD",

    ummm... yes, that's how they are able to change/reset the password when you ask.

    nothing really all that surprising here then, with the exception of a guy with extraordinarily high company loyalty that doesn't want customers slagging off his business.

  74. Eddie

    Not just banking

    I don't think anyone is very serious about security, to be honest, maybe banks should know better, but surely ISPs, technical companies who employ seasoned network professionals to design and secure their systems should know about security and the need for it?

    In the mists of time (about 7 years ago) before VirginMedia and Blueyonder, Telewest technicians had all their customers' passwords and details in clear text on screen for each service call - my introduction to this went as follows:

    "Hi, I think I've forgotten my password"

    "What do you think it is"

    ????

    "Pardon?"

    "What do you think is your password"

    "What you mean read it out?"

    "Oh yes, I've got your screen up, and it's here"

    ?????

    "You're kidding"

    "No"

    "That can't be right, I'm not giving you my password"

    "No, you can't - I've already got it and you haven't"

    "blah blah blah"

    "Yes, that's correct - do you need your password for your webspace cos I've got that here too.."

    Basically they had your account screen and it contained your username, password, webspace password, email aliases, the lot, all in plain text. What fun a bored tech could have had with that...

    I made a tad of a complaint about that, and I think it's been changed.

    Since then though, I've made a point of not using my teleyondermedia account for anything other than surfing, and all important material is routed through my work accounts.

  75. Blacklight

    @ Eddie

    They still do. I have been having issues with VM for various reasons (and I joined when they were Telewest), and each time I call I'm asked for my password. Not digits, the entire password.

  76. Mark

    re: re everyone who i could be bothered to read.

    ""OMG THE BANK CAN SEE OUR PASSWORD"

    ummm... yes, that's how they know that when they ask you for a password on the phone that you give the right password. (actually I think they ask for a series of letters from your password)."

    Which could be sorted by them typing in the password into a login that

    a) logs their use of that password

    b) confirms the identity

    and that password can be a one-way cipher.
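    As an added example (not code from any bank, nor from Mark or Krystan), the two designs argued over in this thread: a one-way hash for a full-password check with an audited login (what Mark describes), beside the per-position storage that a "letters x and y" check forces on a system, with a function showing why the latter is barely better than plaintext once the stored record leaks. The iteration count, the allowed alphabet and the record layout are assumptions for the demo.

    ```python
    """Constructed demo: full-password check against a one-way hash (auditable,
    staff never see the secret) versus per-position storage for partial checks."""
    import hashlib
    import hmac
    import os
    import string

    ITERATIONS = 10_000                                    # lowered for the demo
    ALPHABET = string.ascii_letters + string.digits + " "   # hypothetical allowed chars


    def _h(text: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", text.encode(), salt, ITERATIONS)


    def enrol_full(password: str) -> dict:
        """Store only a random salt and a one-way hash of the whole password."""
        salt = os.urandom(16)
        return {"salt": salt, "hash": _h(password, salt)}


    def verify_full(record: dict, attempt: str, operator: str, audit: list) -> bool:
        """A clerk or an IVR submits the attempt; the log records who asked and the
        verdict, never the attempt or the stored value (Mark's points a and b)."""
        ok = hmac.compare_digest(_h(attempt, record["salt"]), record["hash"])
        audit.append({"operator": operator, "ok": ok})
        return ok


    def enrol_positional(password: str) -> dict:
        """To answer 'letters 2 and 5' the system must keep something per position;
        the best it can do without plaintext is one salted hash per character."""
        salt = os.urandom(16)
        return {"salt": salt,
                "chars": [_h(f"{i}:{c}", salt) for i, c in enumerate(password)]}


    def verify_positional(record: dict, answers: dict) -> bool:
        """answers maps 0-based position -> the character the caller read out."""
        return all(i < len(record["chars"])
                   and hmac.compare_digest(_h(f"{i}:{c}", record["salt"]), record["chars"][i])
                   for i, c in answers.items())


    def recover_positional(record: dict) -> str:
        """Why per-character hashes are a thin veil: anyone holding the record needs
        at most len(ALPHABET) guesses per position to rebuild the whole password."""
        out = []
        for i, stored in enumerate(record["chars"]):
            out.append(next(c for c in ALPHABET
                            if hmac.compare_digest(_h(f"{i}:{c}", record["salt"]), stored)))
        return "".join(out)
    ```

    The full-hash design gives the bank an audit trail and nothing for a nosy clerk to read; the positional design keeps the phone script working but leaves the database effectively plaintext to anyone who can copy it.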

  77. Homard
    Paris Hilton

    TSB customer for years

    Been a lloydstsb customer for a long time now. I don't have any gripes, except being charged for my overdraft. Which is my own fault.

    Listening to my colleagues, any bank can be a bunch of wankers and fuck you about.

    Fortunately for me this has not been the case.

    Something is seriously wrong with this article. IIRC with TSB phonebanking you give phonebank ID and 2 digits of passphrase *before* you are logged in, or speak to an advisor. In the event of the latter, you give name/address details, **NOT** password. Phonebank ID is not your account number.

    No-one in their right mind could have such a fucking stupid security system as described. And how was the customer supposed to find the new password?

    Paris cos even she doesn't believe the crap claims of poor security!

  78. Gilbert Wham

    @EDDIE

    Telewest/VM store your password on the first screen that comes up when your details are brought up (the software they use is called ICOMS. Believe me, it's better than its predecessor). Any idiot (and lo, they are legion) can change it.

  79. Anonymous Coward
    Stop

    This doesn't make any sense...

    Passwords aren't generally viewed in the clear. Being able to tell what character was in a given position wouldn't let a clerk see the whole thing.

    I don't know of any system that lets you have spaces in your passwords, though I suppose having a passphrase might allow that. I can't see a passphrase being limited to six characters, though.

    I can't see any passwords being limited to six characters any more. Even for the most trivial uses, you've usually got to enter at least eight characters - and they're increasingly requiring you to enter digits and alpha characters.

    I think this story has gotten garbled in the retelling.

  80. Jeff

    Lloyds- this really is no surprise

    One of my best friends used to be a Lloyds coder. The stories he told of managerial incompetence, misused technology and organisational inertia were astounding - they were on a par with Dilbert scripts.
