Passwords, privacy and pants

How private is your online banking password?

Not private enough for one customer at Lloyds TSB it seems. Steve Jetley chose the password ‘Lloyds is pants’ only to find a bank worker unilaterally changed it to ‘No we are not’.

Perhaps if he’d chosen ‘Ll0yds 1s Pants’, he’d have got away with it. Either way, it’s outrageous. What could be more personal than your password? It’s not the bank workers’ business to know your password, let alone change it. At least they didn’t charge him for the privilege.

I’ve not signed up for on-line banking. Partly because every day I seem to get authentic-looking emails from one phisher or another, inviting me to verify details of my non-existent accounts. It never occurred to me that the threat to account security might come from your own bank staff.

Nor had it occurred to me to use a password to protest. (Several years ago, I did briefly have an email signature which included the phrase ‘Never buy a Moben kitchen’. It’s a long story. Actually the kitchen was fine in the end – but it took a lot of grief to get there.)

But now I can see the attraction. Having a cheeky password adds a certain subversive thrill to the boredom of paying bills and checking balances. Perhaps if we all say ‘Censorship is pants’, the banks will leave well alone.


3 Comments »

  1. Lois said

    “Partly because every day I seem to get authentic-looking emails from one phisher or another, inviting me to verify details of my non-existent accounts.”

    Which you presumably ignore – and which therefore are not going to affect your online banking security if you signed up to online banking.

    I use online banking. Periodically I receive emails e.g. telling me my online statement is available for viewing etc. But I would NEVER access the account via any link in the email just in case it isn’t genuine.

    “It never occurred to me that the threat to account security might come from your own bank staff.”

    Any supposedly secure system using logon ids, passwords etc is going to have some system management personnel with access authority to fix problems with a customer’s password, e.g. to reset it when the customer has forgotten it. What bothers me about this particular episode which you relate is that someone was able to read the password as set up by the customer. The issue as far as I am concerned is that it should have been stored only in encrypted form.

  2. Helen Elsom said

    There’s some confusion in the press story. Your on-line password is encrypted, and nobody else can ever see it. You should never see it in the clear yourself. Lloyds expects you to have two of these, one encrypted as a whole and the other encrypted letter by letter. It’s not a question of somebody being able to see a file who shouldn’t: the bank only stores the encrypted password or letter sequence, and matches these to what you put into the form.

    Your phone password is something that you give or are told on the phone, and it’s this that Steve Jetley must have set to “Lloyds is pants”. It was wrong of the bank staff to change this, but there wasn’t a problem with authorised people seeing it.

    There are some problems with Lloyds’ on-line security, mostly related to the usability of the interface, but it’s really a pretty secure system.

  3. bridgetfox said

    Thanks Helen – that’s good to know!
