Original URL: http://www.theregister.co.uk/2008/08/28/lloyds_passwords/

Password pants-off at Lloyds Bank

Rogue staffer tinkers with login trousers

By Jane Fae Ozimek

Posted in Bootnotes, 28th August 2008 12:08 GMT

Updated: Set yourself a rude password at Lloyds TSB, and it is just possible that you might find it changed to something politer. That was the experience of Lloyds customer Steve Jetley, who attempted to set "Lloyds is pants" as his telephone banking password.

According to Mr Jetley, this was then changed by a member of staff to "no it's not". A certain amount of toing and froing followed. Mr Jetley played "Barclays is better". The computer said ‘no’. He was informed that the system would only accept single words.

Mr Jetley then tried “censorship”, but again, the computer said ‘no’. Apparently six characters is the system limit.

In fairness to Lloyds, it has since apologised to Mr Jetley, putting this incident down to the actions of a single rogue member of staff. A statement from the bank added: "It is very disappointing that he felt the need to express his upset with our service in this way. Customers can have any password they choose and it is not our policy to allow staff to change the password without the customer's permission. (El Reg exclaims: ANY password?)

"The member of staff involved no longer works for Lloyds TSB."

While all this japery may bring a smile to our readers’ lips, it does raise some quite serious issues. According to Mr Jetley, the first he knew that his security details had been changed was when he was informed that his code word did not match with the one on the computer.

When we spoke to Lloyds about this matter, it was less than reassuring. The system in question was one specific to Business Customers: as far as they were aware, the worst that could happen was that Mr Jetley would have been unable to confirm the balance on his account. There was no possibility that this password could have been used to plunder his hard-earned dosh.

Nonetheless, the consequences for any individual of not being able to access business banking information when they wish to could be serious.

Lloyds also confirmed that individual staff members were not allowed to change passwords – but was not so sure whether this also meant that they were not “able” to do so.

Initially, it believed the latter to be the case, but this story would suggest otherwise. It then suggested – but could not confirm - that the system involved in this particular story was an old one and had since been changed.

In other conversations with Lloyds, Reg readers report they have been told that Lloyds Telephone and Online Banking is based on state-of-the-art security principles. We seriously question this.

Or to put it another way: if a six-character password, visible to all system users, and with an apparently instant over-write facility represents the best in current security, then Vulture Central is investing in a very large mattress, under which it will be storing all its ill-gotten gains in future.

Updated: Lloyds sent us the following statement: "The keyword system referred to is one of a number of security checks that are used by Lloyds TSB, primarily for certain small business customers. The system is designed for customers who require a limited range of services such as the provision of an account balance. Other services such as payments require additional security checks.

"In response to customer demand for a wider range of services over the phone, we took the decision last year to introduce a new security number system for small business customers. Both systems are secure and easy to use. The security number is not accessible to staff."®