Feeds

Password pants-off at Lloyds Bank

Rogue staffer tinkers with login trousers

Security for virtualized datacentres

Updated: Set yourself a rude password at Lloyds TSB, and it is just possible that you might find it changed to something politer. That was the experience of Lloyds customer Steve Jetley, who attempted to set "Lloyds is pants" as his telephone banking password.

According to Mr Jetley, this was then changed by a member of staff to "no it's not". A certain amount of toing and froing followed. Mr Jetley played "Barclays is better". The computer said ‘no’. He was informed that the system would only accept single words.

Mr Jetley then tried “censorship”, but again, the computer said ‘no’. Apparently six characters is the system limit.

In fairness to Lloyds, it has since apologised to Mr Jetley, putting this incident down to the actions of a single rogue member of staff. A statement from the bank added: "It is very disappointing that he felt the need to express his upset with our service in this way. Customers can have any password they choose and it is not our policy to allow staff to change the password without the customer's permission. (El Reg exclaims: ANY password?)

"The member of staff involved no longer works for Lloyds TSB."

While all this japery may bring a smile to our readers’ lips, it does raise some quite serious issues. According to Mr Jetley, the first he knew that his security details had been changed was when he was informed that his code word did not match with the one on the computer.

When we spoke to Lloyds about this matter, it was less than reassuring. The system in question was one specific to Business Customers: as far as they were aware, the worst that could happen was that Mr Jetley would have been unable to confirm the balance on his account. There was no possibility that this password could have been used to plunder his hard-earned dosh.

Nonetheless, the consequences for any individual of not being able to access business banking information when they wish to could be serious.

Lloyds also confirmed that individual staff members were not allowed to change passwords – but was not so sure whether this also meant that they were not “able” to do so.

Initially, it believed the latter to be the case, but this story would suggest otherwise. It then suggested – but could not confirm - that the system involved in this particular story was an old one and had since been changed.

In other conversations with Lloyds, Reg readers report they have been told that Lloyds Telephone and Online Banking is based on state-of-the-art security principles. We seriously question this.

Or to put it another way: if a six-character password, visible to all system users, and with an apparently instant over-write facility represents the best in current security, then Vulture Central is investing in a very large mattress, under which it will be storing all its ill-gotten gains in future.

Updated: Lloyds sent us the following statement: "The keyword system referred to is one of a number of security checks that are used by Lloyds TSB, primarily for certain small business customers. The system is designed for customers who require a limited range of services such as the provision of an account balance. Other services such as payments require additional security checks.

"In response to customer demand for a wider range of services over the phone, we took the decision last year to introduce a new security number system for small business customers. Both systems are secure and easy to use. The security number is not accessible to staff."®

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Oi, London thief. We KNOW what you're doing - our PRECRIME system warned us
Aye, shipmate, it be just like that Minority Report
WRISTJOB LOVE BONANZA: justWatch sex app promises blind date hookups
Mankind shuffles into the future, five fingers at a time
Every billionaire needs a PANZER TANK, right? STOP THERE, Paul Allen
Angry Microsoftie hauls auctioneers to court over stalled Pzkw. IV 'deal'
Apple's Mr Havisham: Tim Cook says dead Steve Jobs' office has remained untouched
'I literally think about him every day' says biz baron's old friend
Cops apologise for leaving EXPLOSIVES in suitcase at airport
'Canine training exercise' SNAFU sees woman take home booming baggage
Flaming drone batteries ground commercial flight before takeoff
Passenger had Something To Declare, instead fiddled while plane burned
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.