85 Comments
- dynamicx, on 08/29/2008, -0/+44: It should really be more prominent in the article that this is a telephone password, not an internet one.
- melonhedd, on 08/29/2008, -2/+29: It's not a website password.
- allenb, on 08/29/2008, -0/+25: Yep, it's a verbal password to help ensure telephone conversations are authorised. The operator at the other end needs to be able to read it.
- Zipko, on 08/29/2008, -9/+26: So they have to have a 6 character, one word password and it's not encrypted to prevent the bank staff from viewing it? Jesus, why are people trying to crack Citibank accounts, just go over to England. They're practically giving money away.
- sliksta, on 08/29/2008, -1/+17: Pricks. Why treat the customer like garbage anyway?
- iamichi, on 11/12/2008, -1/+15: My LloydsTSB phone password had to have a minimum of 6 characters, so that manager just lied. Of note however is that Lloyds have one of the more secure internet banking logons of banks in the UK. It uses drop downs to take 3 characters from your memorable word, after your username and password have been entered, to stop key loggers (you could still work it out however with enough screen grabs of them logging on).
- alexcroox, on 08/29/2008, -1/+12: Yes the above is correct, this is a telephone password not a website one.
- PawFox, on 08/29/2008, -0/+10: This is for PHONE banking not INTERNET banking - Please RTFA.
- zleef, on 08/28/2008, -24/+33: Wow... Talk about an insecure website. The fact that the staff is able to decrypt the password tells you it's not using very good security practices!
- iamichi, on 11/12/2008, -1/+10: This is a telephone password and the representative of Lloyds needs to be able to see it so they can compare what is said back to them by the customer. They ask for 2 letters so others can't hear you saying your full password and then they ask your date of birth, etc. So yes, they need to store the password in plain text, because otherwise the operator can't compare it.
- inactive, on 08/29/2008, -0/+9: "no it's not."
Haha, awesome.
- melonhedd, on 08/29/2008, -2/+9: It's not a website password.
- drlha, on 08/29/2008, -0/+7: As others have stated, this is for phone banking. In the USA all most phone banking people ask for is the last 4 digits of your social security number, so that would be even easier to hack. That and you can pretty much transfer money out of any bank account in the USA if you know the routing number and account number, which can be gleaned from a check, so please, don't be attacking the UK banking system as insecure, the US one is a joke.
- kraftj, on 08/29/2008, -0/+7: They took his pants off?
- mphutchy, on 08/29/2008, -0/+6: This must be correct - I bank with Lloyds and you actually use two passwords to access the online account. When calling telephone banking they ask a number of security questions including a separate password. The telephone agent obviously needs to know what this password is.
- inactive, on 08/29/2008, -0/+6: Called into Citigroup one time to update my address.
After giving my secret answer, I was put on hold - and told that she took it upon herself to see if that was allowed. She said it was too offensive, and that I must choose something else.
Closed my account after being told this. There are plenty of other No Annual Fee/Low APR banks out there.
- iamichi, on 11/12/2008, -1/+6: They can't be hashed. Needs to be plain text so they're able to compare it with what the customer says back to them.
- manitoba98xp, on 08/29/2008, -0/+5: I hate to echo melonhedd, but…it's not a website password. It's for a telephone banking system. (So, while they could hash it and have the person at the other end hash it, it's simplest to do it that way.)
- fluxion, on 08/29/2008, -0/+5: i bet that's not what the employee was saying AFTER they fired him.
- strictnein, on 08/29/2008, -0/+5: That's the combination to my luggage!
- ChayD, on 08/29/2008, -2/+7: You forgot:
***** you
douchebag
- cesclaveria, on 08/29/2008, -0/+4: telephone password...
- iamichi, on 11/12/2008, -0/+4: They ask you for 2 letters from your password when you phone up. So the staff have to be able to see it to compare your answer! This is a phone password, not internet one.
- DeFex, on 08/29/2008, -4/+8: LLOYDS IS PANTS!
- javaroast, on 08/29/2008, -0/+3: 2.) He picked a harmless way to strike back. For god's sake why should the bank give a damn, they still have his business. To their credit Lloyds stated as much, "Customers can have any password they choose and it is not our policy to allow staff to change the password without the customer's permission." He even showed a sense of humor about the response. I think the Lloyds' manager is the only one in this story that needs to grow up.
- ChayD, on 08/29/2008, -0/+3: I think this only applies to Lloyds, other UK banks have started giving out authenticators (Like those SecureID thingies) for their online banking. I bank with Lloyds, but now after hearing this, I think it's time for a change....
- amanoj, on 08/29/2008, -0/+3: I love this response...
"I thought it was actually quite a funny response," Jetley told the BBC. "But what really incensed me was when I was told I could not change it back to 'Lloyds is pants' because they said it was not appropriate. I asked if it was 'pants' they didn't like, and would 'Lloyds is rubbish' do? But they didn't think so."
"Lloyds is rubbish"!!!! Bout peed my pants!!!
- ammundsen, on 08/29/2008, -2/+5: Well technically not. The employee could just enter it themselves, allow the encryption routine to encrypt it and then match the encrypted results with what is on record. They don't have to do it that way.
Of course with phrases containing spaces and what not this would probably be a rather error prone way to handle it. And no amount of security can stop employees who are committed to ripping off their customers.
- Plotinus, on 08/29/2008, -0/+3: um, not really.
they could, like other banks, ask for the 1st, 3rd and Nth letters of your password (system chooses at random - any combination of letters will do) which they type in. No need for the tele-agent to know password at all.
- iamichi, on 11/12/2008, -0/+3: They have been planning to bring those in for ages (http://news.bbc.co.uk/1/business/4340898.stm) and have trialled them. As said previously however, this isn't an online password, it's the one they compare when you phone them.
- waydee, on 08/29/2008, -3/+6: fat yanks
war mongerers
inbred hicks
- fluxion, on 08/29/2008, -0/+3: @ammundsen
yup, especially considering that in the couple cases where i forgot my password, customer service absolutely would not tell me what it was. id have to go to a bank in person to reset it, which is fair (else passwords would be fairly useless)
and from there they simply reset it. so there's absolutely no reason for them to store passwords in plaintext. they need only store a hash, and compare it to the hash of whatever the customer gives as their password.
it is an unnecessary security hazard.
- MicheleFloyd, on 08/29/2008, -1/+3: The British are indeed citizens not subjects. I have a British passport right in front of me and just double-checked.
- ChayD, on 08/29/2008, -0/+2: Ah, okay. Maybe I'll stay with them, then :)
- chicoer2001, on 08/29/2008, -11/+13: Stay away from Lloyds. They can see your password, and change it. God knows what else they do with your account.
- iamichi, on 11/12/2008, -1/+3: How can staff compare what the customer says back to them if it isn't?
- SSUK, on 08/29/2008, -1/+3: If they have the power to see your password, they have the power to alter any part of your account connected to your password anyway.
- Zipko, on 08/29/2008, -0/+2: Yes, even systems that have encrypted passwords like they're supposed to, have tools for administrators to reset the password to whatever they want. So an employee can reset your password and then use that to get into your account. The problem isn't so much with them having access to your account, but it's that they have access to your password. This becomes an issue when people use the same password for multiple accounts.
- MicheleFloyd, on 08/29/2008, -0/+2: James, that link doesn't work. Anyway, you were correcting someone when they were actually right.
Check this out -
"British citizens are not British subjects under the 1981 Act. The only circumstance where a person may be both a British subject and British citizen simultaneously is a case where a British subject connected with Ireland (s. 31 of the 1981 Act) acquires British citizenship by naturalisation or registration. In this case only, British subject status is not lost upon acquiring British citizenship."
To be a British subject today is rare relatively speaking.
http://en.wikipedia.org/wiki/British_subject
- socalftw, on 08/29/2008, -3/+5: Samsonite!
- waydee, on 08/29/2008, -0/+1: It was a spoken security question... I have a Lloyds account and to get to the point where you give an answer to your security question you have to have entered a minimum 6 digit alphanumeric password into an automated system ("enter the third, fourth and sixth letters of your password" type affair).
- Kelmon, on 08/30/2008, -0/+1: That's all rather disturbing. I'm a Lloyds TSB customer and we rely on their internet banking services since we're expats living in Belgium at present (popping into our local branch is somewhat inconvenient). It's rather shocking to learn that Lloyds TSB staff have access to my password and can change it. Based on this we're going to give serious consideration to changing banks.
- ficious, on 08/29/2008, -0/+1: dugg because he is from Shrewsbury, my home town!
- cjvos1, on 08/29/2008, -0/+1: Cause Authoritarian insanity is a rare thing in the US, right?
- ohreilly, on 08/30/2008, -0/+1: "On 1 January 1983, upon the coming into force of the British Nationality Act 1981, every Citizen of the United Kingdom and Colonies became either a British Citizen, British Dependent Territories Citizen or British Overseas Citizen.
The use of the term "British subject" was discontinued for all persons who fell into these categories, or who had a national citizenship of any other part of the Commonwealth. The category of "British subjects" now includes only those people formerly known as "British subjects without citizenship", and no other.
British citizens are not British subjects under the 1981 Act.
The only circumstance where a person may be both a British subject and British citizen simultaneously is a case where a British subject connected with Ireland (s. 31 of the 1981 Act) acquires British citizenship by naturalisation or registration. In this case only, British subject status is not lost upon acquiring British citizenship."
O'RLY?
- inactive, on 09/01/2008, -0/+1: ammundsen - What would be the point - the employee STILL gets to know every password because you tell them it - so why hide it from them in the first place?
- chemicalalt, on 08/29/2008, -7/+8: 1. It wasn't his password that was in question it was his security question.... which obviously bank staff need to see or they can't ask him what it was...
2. he's deliberately antagonising the bank, i'm not surprised they weren't happy... he should grow up... we have a financial ombudsman in place to deal with the kind of issues he was originally complaining about...
3. Lloyds are pants...
- inactive, on 09/01/2008, -0/+1: It's for phone banking NOT internet banking. Read.
- MattB123, on 08/31/2008, -0/+1: iridescence: they could type whatever you tell them into a system that would hash that and compare it to a stored hashed value.
- stoitofardo, on 08/29/2008, -0/+1: True.
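
Several comments above propose that the agent types what the caller says and the system compares it with a stored hash, and one objects that phrases with spaces make this error prone. The sketch below is an added example, not part of the original thread and not any bank's code; it normalises the spoken phrase before hashing so transcription differences do not matter. The function names, the PBKDF2 work factor and the three-attempt lockout are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import unicodedata

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed for this example)
MAX_FAILURES = 3      # lock the phone password after this many misses (assumed)


def normalize_spoken(secret: str) -> str:
    """Keep only what survives being said aloud: no case, spacing or punctuation."""
    text = unicodedata.normalize("NFKC", secret).casefold()
    return "".join(ch for ch in text if ch.isalnum())


def _derive(secret: str, salt: bytes) -> bytes:
    data = normalize_spoken(secret).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", data, salt, ITERATIONS)


def enroll(secret: str) -> dict:
    """Build the stored record: salt, digest and failure count, never the phrase."""
    salt = os.urandom(16)
    return {"salt": salt, "digest": _derive(secret, salt), "failures": 0}


def verify(record: dict, typed_by_agent: str) -> bool:
    """Check what the agent typed; the agent's screen only ever gets this yes/no."""
    if record["failures"] >= MAX_FAILURES:
        return False  # locked until reset through another channel
    candidate = _derive(typed_by_agent, record["salt"])
    ok = hmac.compare_digest(candidate, record["digest"])  # constant-time compare
    record["failures"] = 0 if ok else record["failures"] + 1
    return ok


if __name__ == "__main__":
    rec = enroll("Lloyds is pants")         # phrase from the story, as sample input
    print(verify(rec, "lloyds  IS pants"))  # agent's typing differs in case and spacing
    print(verify(rec, "Lloyds is rubbish"))
```

A whole-phrase digest like this cannot answer a "give me the 1st and 3rd letters" challenge, so that scheme needs a different storage design.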