Experts: Barclays online banking vulnerable to snoopers
By Stuart Turton
Posted on 14 Apr 2010 at 11:28
Barclays online banking system could be abused to access a customer's statements, according to a researcher with the University of Birmingham.
In a report called "Privacy vs. Usability: A failure of Barclays online banking?", Ben Smyth attacks Barclays' Instant Access service which requires a surname, date of birth, sixteen-digit card number and three-digit card security code to access an online account.
“These details should be considered public knowledge and therefore known by an adversary,” Smyth said in the report. “Such information is regularly provided to hoteliers during check-in; disclosed to obtain products such as movies and alcohol (which require ‘proof of age’); submitted alongside business expense claims; and even published on the internet, in particular on social-networking sites.”
If the woman is in hiding, then disclosing where transactions are being made could be potentially very harmful to her personal safety
Barclays intended the service to be a more user friendly alternative to its PINsentry login system, which requires customers to enter a code provided by a separate card reader. To compensate for the reduced security measure, Instant Access restricts customers to viewing statements and transferring money between their own Barclays accounts.
However, as Dr Steven J Murdoch, a security researcher with the University of Cambridge, told PC Pro, this information could easily be abused. “As an extreme example, consider a woman who has left an abusive relationship and is hiding from her violent ex-partner,” he said.
“With the initial Barclays CAP implementation, it would be fairly easy to lock out the ex-partner, by taking the card away. However, with the new system discussed in the paper, there is a high likelihood that the ex-partner will know all the information necessary to access the online banking system.
“If the woman is in hiding, then disclosing where transactions are being made could be potentially very harmful to her personal safety. Now, this is an extreme example, but I am sure that there are plenty of other cases where people would be upset if someone could gain access to their online statements,” he concluded.
Instant Access changes
Barclays acknowledged the existence of the threat, but claimed it was highly unlike that it would be exploited. “We do recognise the theoretical idea in the report that a customer's card and personal details could be used to access Instant Access illegitimately, however given the very limited functionality and money transfer restrictions this is highly unlikely,” a spokesperson said.
“We can reassure customers that we have a multi-layered approach to security beyond log-in authentication and we keep all of our systems under constant review to maintain our priority of ensuring the safety of their money and personal details. As part of these standard reviews and our ongoing development of online banking we will be making some changes to Instant Access later this year," the statement concluded.
A Big thank you to all who have now told every crook in the world about it.
By delturner1 on 15 Apr 2010
Couldn't agree more with delturner1
I cannot believe that you have even pointed the criminals IN THE RIGHT DIRECTION
If some of you had any brains you would be dangerous.
You don't see Microsoft telling everyone there is a PARTICULAR problem, just that there is a vulnerability
All you have succeeded in doing by telling one and all is make the situation worse
By hanstrans3 on 15 Apr 2010
PCPro and Dennis Publishing should get their own house in order. Subscriber details can be accessed by entering the password on the mailer address. There are even instructions printed on it to tell you how.
By j325xc on 15 Apr 2010
Any criminal with a Barclay account will already know this information. I think that journalists publishing this kind of information is pressure to government and stupid corporations to look more seriously at their security.
By S_Elwell on 15 Apr 2010
Unfortunately Dennis Publishing do not themselves safeguard the privacy their users and readers.When one reads the small print, all personal information provided to Dennis is liable to be passed on to commercial associates with NO provision to opt out.I have confirmed this recently with senior staff from Dennis UK, whom I gather did not agree with this corporate decision.
Always read the small print
By novice8 on 15 Apr 2010
Bank customers also need to know how secure their bank is.
@delturner1 & hanstrans3
You suggest that this article will tip off criminals as to how to defraud others of their money. However, it works both ways: it informs Barclays customers about the poor state of security regarding their account data.
If I was still a customer of Barclays (and I was years ago), I would shut down my account immediately on reading this article. These are tech journalists doing their job and I for one congratulate them for making this point.
By iclbmc1 on 15 Apr 2010
Need for greater knowledge
It is not jst a simple matter of banks being complacent. Indeed they have their own experts looking after security, and that is where the problem lies. Having got their own they think their own know best and so it takes time for something like this to penetrate and be taken seriously.
The response is typical of their stand, and Barclays is no different to the rest. Because they spend so much time and money on security they cannot believe that they've got anything wrong.
So my advice to all PCPRO journos is to remember that if you are ever looking for a job you could have a head start in a bank's security department.
By Jaguar on 15 Apr 2010
Violates their OWN security
They'd better immediately stop their own practice of asking for an example of a recent transaction or direct debit as security validation on the phone then!
By Yakumo_unr on 15 Apr 2010
If Barclays was not told about the problem first and given a chance to sort it out before publication then this it was wrong.
However, if they were warned and responded with that stupid "What's the problem statement" the there was a duty to current and future customers to warn them.
By nicholbb1 on 16 Apr 2010
I would like to take this opportunity to reassure PC Pro readers that Barclays were notified about this vulnerability in September 2009, as noted in the original report: http://www.bensmyth.com/publications/10barc/. Moreover, PC Pro acted in a highly responsible manner prior to publishing this article.
By storm311 on 27 Apr 2010
As of today Barclays have removed their "Instant Access" service as described in this article. The reporting of PC Pro clearly influenced this progress. Congratulations.
By storm311 on 17 May 2010
- Flickr redesign: is it enough to tempt photographers back?
- Hands on with the new Google Maps
- Nokia Lumia 925 review: first look
- Why I won't subscribe to Creative Cloud
- GoPro camera strapped to a remote-control helicopter: the ultimate boy's toy
- Acer Iconia A1 review: first look
- Acer Aspire P3 review: first look
- Acer Aspire R7 review: first look
- How we produce the PC Pro podcast
- Google Now draining iPhone battery
- Yes, I write down my passwords
- How to deal with a ransomware attack
- How secure is your Wi-Fi network?
- How QR codes caught out the security pros
- Why I do not trust Do Not Track... yet
- The hard disks you can "secure" with a single-digit password
- Why I've started using a password manager
- Time to kill off CAPTCHA
- Are today's young people Generation I (for insecure)?
- Ransomware that's better made than antivirus software