Schneier on Security
August 29, 2008
A British Bank Bans a Man's Password
Mr Jetley said he first realised his security password had been changed when a call centre staff member told him his code word did not match with the one on the computer.
"I thought it was actually quite a funny response," he said.
"But what really incensed me was when I was told I could not change it back to 'Lloyds is pants' because they said it was not appropriate.
"The rules seemed to change, and they told me it had to be one word, so I tried 'censorship', but they didn't like that, and then said it had to be no more than six letters long."
Lloyd's claims that they fired the employee responsible for this, but what I want to know is how the employee got a copy of the man's password in the first place. Why isn't it stored only in encrypted form on the bank's computers?
How secure can the bank's computer systems be if employees are allowed to look at and change customer passwords at whim?
Posted on August 29, 2008 at 10:44 AM
Besides: if the bank's employees can set a password, what's to stop them from setting it to, say, "drain my bank account", so that they can get, um, 10% off of whatever the bad guys get?
However, good on the bank for allowing passwords with more than four characters... But just barely.
(oh yeah, "First Post!")
The password in question is one used when a customer telephones the bank.
Exactly, this apparently was not 'the password', but a code word for verifying identity in a phone conversation. The customer service rep. needs access to it to make the protocol work (smoothly, that is - there are other ways, but those are more prone to error and thus less customer-friendly).
Of what use is this password? Obviously it was changed on him, and somehow he was able to find out what it was changed to fairly easily. Why have this password in the first place if anyone can just call in and find out what it is?
It's a phone password. You tell it to someone on the other end of the phone to authenticate yourself. So they need to see the original in order to know what the password is that you're supposed to be telling them.
Having them type in what they think you've said (so that they never see the original if you don't know it) might cause problems with homophones and regional accents.
While I agree the ability for an employee to just view and/or change the password at will is absurd, I do not think this is a "banking password".
Instead this seems to be the "security" word or phrase used when speaking to the bank via telephone.
These more times than not seem to be unencrypted so the rep can read it.
Although I assume you could keep an encrypted copy, and have the rep "type" in whatever you say - with the system just informing the rep if it is correct.
I could see the bank's reason for "censoring" the "security" phrase. Think of all of the racial/sexual things you could say, and remember you have to say this when calling - to a live person. However I disagree with the bank's approach to the issue. They should have notified the client, and informed him he would need to change the phrase. Not do it for him.
And just because the client chose to be "smart" and insult the limits, doesn't mean they should deny his request.
However does the length of such a phrase matter?
It isn't like you can call the bank and rattle off 1000 different dictionary words to the rep, until you get the right one. You could make your phrase "tree". As long as it was unique to you. The likelihood of someone guessing the word is slim, and we already ruled out brute-force.
I think this is less of a security issue and more of a customer service issue.
Justin M. Wray
Make my new verification phrase: "You are a twit."
I don't think the article mentions that the bank knew his original password -- only that Lloyds had somehow changed it (possibly a password reset). Then, when he wanted it put back, they refused to set it to the value he desired.
I guess you can't change your own password -- I would have told them to set it to "LoveLloyds" and then change it back myself after getting off the phone.
Changing someone's password/passphrase because it is something that you personally, or the company you work for, doesn't like, no matter what it is used for, is censorship and bad security. If you allow the passphrase in the first place you should validate against it. In this case "Lloyds is Pants" should have simply been truncated to Lloyds if the passphrase could only be 6 characters, right? And Lloyds should have been acceptable. Instead you had changing "rules" seemingly at one employee's whim.
>I do not think this is a "banking password"
You do not think?
I think it's a stupid system, which exposes secrets to more people than it should. Smarter companies switch you over to an automated system that takes a numerical password instead.
The last time I dealt with Lloyds over the phone, they were asking for specific letters from my password - they weren't being shown the password, just asked for (for example) the third, fourth, and seventy-second letters.
At my company we had a user threaten to sue us because his password was inappropriate. The password he created! Turned out other members of his family had access to the computer and may have set it, but it was a sticky situation while our legal team was trying to prove that it was impossible for us to set a user's password.
I recently got in a lot of trouble with our IT department here at work. They recently changed our password policy to require
1) four letters minimum
2) four numbers minimum
3) one uppercase letter, and
4) one symbol !@$%^&*()_
Fine, I'm all in favor of tight security, especially dealing with as much money and personal details as we do. But I happened to get this notice the day that IT notified me that my roaming profile had been erased and there was nothing they could do about it (over a week after I notified them of the problem, so they couldn't even do a restore because, they said, they only keep a few days' worth of profile changes and they had passed the deadline... in other words, "we're busy playing Quake and can't be bothered").
And so, I changed my password to F*ck1234! (where 1234= telephone extension of the IT helpdesk). Made me feel a little better. For a day. Until the next day when the system wouldn't let me log on.
So I called, and the guy put me on hold for 20 minutes. Then he got on speaker (I could hear the echo) and he asked me to repeat my password. Three times. Then he said "okay, it should be working now (giggle)".
I've resigned myself to emailing low level Trojans to random stupid people in the company (the kind that opens any and every attachment, no matter how poorly spelled).
As the others are saying, it's not a password as we would normally think of it, but just something you set up for when you call in to prove that you're you, instead of relying on information in a public database to quiz you with. It's normally something pronounceable so it's easy to verify over the phone. Agreed that it's more of a customer service issue than a security issue.
Dan: At my company we had a user threaten to sue us because his password was inappropriate. The password he created! Turned out other members of his family had access to the computer and may have set it, but it was a sticky situation while our legal team was trying to prove that it was impossible for us to set a user's password.
What possible basis for a suit could he have had? What, was he claiming that he had to go to a therapist because he saw a word he didn't like? Your company took him seriously legally, and not just as a customer service issue?
Maybe your company needs new lawyers and new managers...
I think it can very well be the man's banking password.
A lot of banks in Britain use a rather complicated login process for internet banking.
I have a 4-digit pin code and a password. When I login to my internet banking, I have to provide three randomly chosen digits of my pin code and 3 randomly chosen characters of my password.
In order to verify the correctness, they need to have the password in cleartext.
I do not know what extra measure of security this strange method might give them, I find it very much annoying. A key logger only has to grab repeatedly for my banking login sequence to get all characters of the password.
Schneier> what I want to know is how the employee got a copy of the man's password in the first place. Why isn't it stored only in encrypted form on the bank's computers?
This is moot since, as others have pointed out, it's not a machine-validated password. But to address the general concept in your question, maybe they use digest auth. Dude, like, you wrote a book about this stuff. Why is storing a plaintext password always wrong? There's always exposure somewhere along the line, and there are cases where digest auth is superior to basic. Yes, I know, it's, like, *so* iconoclastic to suggest that passwords don't always have to be encrypted in databases...
How else would I steal your money otherwise?
Seriously, most banks' salting of PW in DB is primitive; almost anyone (with the right access) can get at this info.
I know MANY banks who insist that a password should not contain any other chars than [aA0-zZ9] .. of course spaces are excluded too.
The software that analyzes passwords has never been scrutinized either (I am sure of it) ; and probably has many holes in it to drive a truck thru.
A couple things that could be learned by RTFA:
-The "password" in question is a short phrase to authenticate the phone user. It probably seems more user friendly to the end user, instead of having to remember some random string. Useless, but it's not the password they would use to log in to their account or anything.
-Don't get me wrong, the actual bank passwords are stored in plaintext. The bank employee can see a few of the characters from your password, with the rest masked so they cannot see them. You need to tell them which characters are in the positions they can see, so they can authenticate you. Obviously, this would be impossible with a hashed password.
-They did not just randomly reset the guy's phone passphrase. The guy set it to "Lloyds is pants", and the employee changed it to "no it's not". Aside from the horrible data security practices, I thought the back and forward was minorly funny. But then, it has been a long week.
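An added example, not from the post, any commenter, or Lloyds' actual system, of the design suggested earlier in the thread (keep only a hashed copy and have the rep type in what the caller says, with the system answering only yes or no) and of why the "tell me letters three and four" style of check cannot work on top of it. The length and character policy, the customer ids and the phrases are constructed for the example.

```python
import hashlib
import hmac
import os
import re
from typing import Optional

# Constructed policy for this example: up to six alphanumeric words.
MAX_WORDS = 6
WORD_RE = re.compile(r"^[A-Za-z0-9]+$")
PBKDF2_ROUNDS = 100_000


def normalise(spoken: str) -> str:
    """Fold case and collapse whitespace so that what the rep types from
    hearing 'Lloyds  IS pants' hashes the same as 'lloyds is pants'."""
    return " ".join(spoken.lower().split())


def check_policy(codeword: str) -> Optional[str]:
    """Return a rejection reason, or None if acceptable. The rules are
    applied once, when the phrase is set, never retroactively by a handler."""
    words = normalise(codeword).split()
    if not words:
        return "empty"
    if len(words) > MAX_WORDS:
        return f"more than {MAX_WORDS} words"
    if any(not WORD_RE.match(w) for w in words):
        return "non-alphanumeric characters"
    return None


class CodewordStore:
    """Keeps only a per-customer salt and PBKDF2 digest of the normalised
    phrase, so no employee or database reader can see the phrase itself."""

    def __init__(self) -> None:
        self._records = {}

    def _digest(self, phrase: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", normalise(phrase).encode(), salt, PBKDF2_ROUNDS)

    def set_codeword(self, customer_id: str, codeword: str) -> bool:
        """Reject at set time if the phrase breaks policy; otherwise store hash only."""
        if check_policy(codeword) is not None:
            return False
        salt = os.urandom(16)
        self._records[customer_id] = (salt, self._digest(codeword, salt))
        return True

    def verify(self, customer_id: str, spoken: str) -> bool:
        """The handler types what the caller says; the system returns only yes/no."""
        rec = self._records.get(customer_id)
        if rec is None:
            return False
        salt, digest = rec
        return hmac.compare_digest(self._digest(spoken, salt), digest)
```

Because only the digest is kept, a positional challenge ("which letters are third and fourth?") has nothing to be compared against, which is exactly why banks that use that style of check must hold the phrase in readable form.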
More questions: Why did he ask to change it? The normal protocol should be: send a temporary password via a different channel, then let the client change the password on first login.
@Bruce: "Lloyd's claims that they fired the employee responsible for this"
Source please? The two articles I've read about this quote Lloyd's saying that the employee no longer works for them. That doesn't assert that he/she was fired, especially since call centre staff are often short-termers anyway.
I don't get it, "Lloyd's is pants". What is not appropriate? I am from the US.
"The bank tellers paid 70K after following directions from the phone number on the back of the declined card. Nice trick..."
I heard the same trick used on ATMs.
They put a sticker onto the ATM "In case of problems call customer services on [phone number of a nearby phonebox]", then extended the ATM to keep the card.
When somebody called, they asked a security question "what is your PIN", then told the caller that everything is OK, the card will be mailed back to their home address.
>I don't get it, "Lloyd's is pants". What is not appropriate? I am from the US
Have you thought of having a tshirt made up with that on it? It would be very droll to wear it when out and about in places other than the US.
Also, I often find the internet is your friend when perplexing cultural references arise, for instance.
>I don't get it, "Lloyd's is pants". What is not appropriate? I am from the US
Apart from meaning trousers, it's also a colloquial expression meaning "rubbish", or "not very good", as in "That bank is rubbish".
A few years ago there was an immigration official sacked (I think) here for telling someone seeking asylum in the UK that his application was a "pile of pants" - a load of rubbish.
A further note for non-Britishers: "pants" meaning "rubbish" is not considered a rude or offensive term in itself. It's maybe very slightly more charged than "rubbish", but much more slangy/informal. I'd guess that the same person at Lloyd's would have objected to "Lloyd's is awful" in much the same way.
I have an online voicemail and fax service I use, and they insisted on all-numeric passwords (presumably so the same password would work for touch-tone input and online input). So I set my password, and then tried to use it - no luck. Called, got them to reset the password (which I figured I'd somehow misentered), changed it to a different password. STILL did not work!
Finally I got on the phone with them as I went through the password process. Including telling them the password as I entered it.
"Oh!" said the operator as I typed the first number aloud, "There's your problem!"
"What?" I asked.
"You can't start the password with a 4."
"You can't start the password with a 6. It doesn't work."
"But... but... there are only ten digits! This isn't documented! You must get a lot of calls about this!"
"No, most people start their passwords with 1."
c/6/4 on that second line. Too early for typing.
Password is easy to guess.
(Company name) (is) dictionary attack short words.
An automated system should red flag the first field, perhaps the second as well. Then a human would review password.
Seems reasonable to me, for a bank to do this.
As to the reply, no it's not. Good, shows they probably got their stuff together, and are making a point of it...
I'm with this bank; I've contacted them asking for clarification concerning the actual nature of the password referred to. I've assumed it is some form of telephone banking challenge/response but it's not really an assumption I want to rely on.
"Apart from meaning trousers"...
I feel obliged to point out that in the UK, "pants" does not mean trousers. It means underpants.
Example usage: "If you forget your sports kit, the teacher will make you play in your vest and pants".
I've had this happen to me. I've been asked to supply a question and an answer so I can be identified later. The guy at the bank (or was it a utility company? I can't remember) wouldn't let me use a question that was political in nature. I tried several variations, but he kept saying no.
They would rather use my first girlfriend's name, than what I think of various politicians.
"They would rather use my first girlfriend's name, than what I think of various politicians."
Very sensible, given the current snooping and data mining on phone and data traffic by various secret services. A repeated negative opinion on an important politician might get the bank into trouble.
If there's sense to it, it's because the first girlfriend's name won't ever change, unlike people's political views. But it's a bad idea because it allows one bank to build a corpus of personal information that can be used to compromise other institutions, by a bank employee or an intruder, or, naturally, one's close friends, and in this case, one's first girlfriend. It's both password reuse and use of information others know as an authenticator. Stupid on both counts.
I always provide false answers to these kinds of queries, which I record for future reference. If possible, I make the answers themselves strong passwords.
A great example of this explicitly as a customer service exercise was at a video store I was a member of. You needed a card and a password to take out videos, presumably so if someone stole your card, they couldn't rack up large fines and keep the videos for themselves.
It's just a verbal password, in (probably) the same context as the original in the article - you say it over the counter, the guy behind the counter compares it to what's on screen. But it led to a great exchange that always managed to amuse...
What's your password?
Ok sir, here are your movies.
The card was on the same keyring as my car keys, so if I lost it I would be worried about more than overdue rentals.
Lloyds is indeed 'pants'. Lloyds is one of the only banks which gives out loans to people confirmed as bankrupt.
I know somebody who is over £50,000 in debt to Lloyds, yet the bank just keeps asking him "would you like another loan?".
Lloyds are also very easy to phish!
"Pants" in this usage means crap.
Strange. Most banks give you a password or code and ask you to repeat a few characters from it for authentication. I once rang up my bank and gave them the whole word and they got quite irate because they had to send me off to another system to reset it to something else. Apparently the operators in one place only saw a few characters for verification purposes while another set of operators probably could set the password but had no idea who they were setting it for.
I'm not trying to brag, but my bank is worse. The password used by their online banking system is stored in cleartext and made available to bank employees. I called them with problems a while back, and the helpful employee called up my account details.
"Oh, this must be the problem. Your password is all mangled. It's random letters and numbers," she said to me. I was amazed on several levels.
I don't understand how a bank could be so lacking in password security. I agree that ideally the password should be automatically generated with numbers, lower case and upper case letters and special characters. You can have a passphrase to prove to a phone rep that the account is yours, but the password should be encrypted and not viewable by anyone.