Barclays online banking security flaw?

Soldato | Joined: 30 May 2012 | Posts: 2,537 | Location: Bristol
Just opened a savings account with Barclays along with a current account for online banking. I upgraded to PINsentry so that a new code is generated by using my card and entering my PIN into the reader, each time I log on and each time I add a new payee. I'm sure many of you use these card readers for online banking. This all makes it very secure against online security attacks, but after doing a test transfer to one of my other accounts with Nationwide, I realised that the card and PIN number were the only things necessary to both gain access to Barclays online banking, and to set up new payees and complete a bank transfer to them (of course a card reader device is also needed, but they are the same across all the banks; Nationwide card readers function exactly the same as PINsentry readers).

Therefore, as said previously, although it may be secure against online attacks, against physical theft of the card and PIN number it is very weak. For example, if someone managed to catch a glance at your PIN number in a shop, they could steal your card later on and rinse your account of the entire balance in seconds on their phone. Less time than it would take for you to cancel the card, no doubt. Now you should hopefully be able to reclaim that money, but it shows that if anyone happens to see your Barclays PIN number, the balance of any Barclays accounts you hold is now as easy to acquire as cash stuffed in your pockets.

This is a warning to Barclays current account users. I have emailed them to suggest using a passcode in addition to PINsentry, not as an alternative option at log in, similar to my Nationwide account which uses the same card and reader system but also requires a 10 digit membership number. I'd also urge people to email Barclays if you take financial security seriously, as hopefully they might actually change something.
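The thread's argument is really about factor independence: an "extra" identifier that can be read or looked up from something the attacker already holds adds no security. The Python model below is an added illustration, not part of the original thread and not based on any bank's documentation; the derivation rules, path names and item names (such as "otp", "any_reader", "passcode", "memorised_number") are assumptions constructed from the posts above. It computes what a holder of a given set of items can derive, then checks which login paths that closure satisfies.

```python
from typing import Dict, FrozenSet, Set, Tuple

# Derivation rules (constructed from the thread's description, not from any
# bank documentation): holding every item on the left yields the item on the
# right. Item names are assumptions for this model.
RULES: Tuple[Tuple[FrozenSet[str], str], ...] = (
    (frozenset({"card"}), "card_number"),
    (frozenset({"card"}), "sort_code"),
    (frozenset({"card"}), "account_number"),
    (frozenset({"card"}), "surname"),            # embossed on the card
    # The thread says the membership number is looked up from surname plus
    # card details, so it is derivable from the card alone.
    (frozenset({"surname", "card_number"}), "membership_number"),
    # Any bank's reader generates the code once card and PIN are present.
    (frozenset({"card", "pin", "any_reader"}), "otp"),
)

# Alternative login paths, each a set of items the site demands.
PATHS: Dict[str, FrozenSet[str]] = {
    "barclays_card_details":   frozenset({"card_number", "otp"}),
    "barclays_membership":     frozenset({"membership_number", "otp"}),
    # Nationwide-style: a memorised number that is not printed anywhere.
    "memorised_membership":    frozenset({"memorised_number", "otp"}),
    # The OP's proposal: an extra passcode on top of PINsentry.
    "pinsentry_plus_passcode": frozenset({"card_number", "passcode", "otp"}),
}


def closure(held: Set[str]) -> Set[str]:
    """Everything obtainable from `held` by repeatedly applying RULES."""
    result = set(held)
    changed = True
    while changed:
        changed = False
        for needs, gives in RULES:
            if gives not in result and needs <= result:
                result.add(gives)
                changed = True
    return result


def missing_for(path: str, held: Set[str]) -> Set[str]:
    """Items a path still demands that cannot be derived from `held`."""
    return set(PATHS[path]) - closure(held)


def paths_open_to(held: Set[str]) -> Set[str]:
    """Login paths satisfiable with `held` plus everything derivable from it."""
    return {name for name in PATHS if not missing_for(name, held)}


def independent_secrets() -> Dict[str, Set[str]]:
    """Per path, the items NOT derivable from card + PIN + reader: the secrets
    that genuinely protect the account once the card and PIN are gone."""
    base = {"card", "pin", "any_reader"}
    return {name: missing_for(name, base) for name in PATHS}


if __name__ == "__main__":
    scenario = {"card", "pin", "any_reader"}  # stolen card, glimpsed PIN
    print("derivable:", sorted(closure(scenario)))
    for name, extra in independent_secrets().items():
        state = "OPEN" if not extra else "blocked"
        print(f"{name:25s} {state:8s} independent secrets: {sorted(extra)}")
```

Running it shows both Barclays paths open with nothing but the card, PIN and a reader, while the memorised-number and passcode paths each still depend on one secret that cannot be recovered from the card. That is the design check worth applying to any multi-path login: count only the factors that are not derivable from factors already required.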
 
Hmm, my Barclays online banking requires a membership number as well as the PIN - just the membership number is saved and doesn't need to be entered each time - might be a legacy thing though as I've got a very old online account with them.
 
Hmm, my Barclays online banking requires a membership number as well as the PIN - just the membership number is saved and doesn't need to be entered each time - might be a legacy thing though as I've got a very old online account with them.

It has an option of entering a membership number, but there is also the option to enter the sort code and account number, or your card number, both of which can of course be found on the same card. To find out the membership number, you need to enter your surname and one or both of these bits of info (doesn't really matter either way since it can all be found on the card anyway).
 
I think it goes without saying that if you lose both your card and your PIN your account is compromised...

Yes, but you wouldn't know if your PIN number was seen by someone in a shop. As soon as someone has seen your PIN number, the fact that they can move the entire balance to their account in seconds just using a phone is pretty worrying.
 
Regardless, why would someone see your PIN? Every PIN entry terminal I've seen has a very visible sticker telling you to cover the keypad to hide your entry.

PIN number

:mad:
 

Hah also oops I meant the code generated via the PIN number.

But what I was meaning with my post - maybe due to having an older account - the settings with my account by default require the membership details before you can log in via any other method, other than for basic functionality that doesn't include the ability to set up new fund transfers. (I did notice recently a banner at the top on logging in suggesting setting up the account to allow logging in via sort code, etc.)
 
Yes, but you wouldn't know if your PIN number was seen by someone in a shop. As soon as someone has seen your PIN number, the fact that they can move the entire balance to their account in seconds just using a phone is pretty worrying.

Eh? If they want to set themselves up as a payee they would need your card, your PIN and the reader.

If they have access to your card and PIN they can just go to a cash machine and withdraw cash which is untraceable. Why on earth would they try and get access to your online account? They would need your username and password too.
 
Eh? If they want to set themselves up as a payee they would need your card, your PIN and the reader.

If they have access to your card and PIN they can just go to a cash machine and withdraw cash which is untraceable. Why on earth would they try and get access to your online account? They would need your username and password too.

Though there is a maximum cash withdrawal limit at a cash machine, plus CCTV. Also, there is no username and password needed if you use PINsentry, you can optionally use it instead of the generated passcode, but not in addition to. It's just the fact that having a compulsory additional password would be such a simple way to increase physical card theft security massively.
 
Hah also oops I meant the code generated via the PIN number.

But what I was meaning with my post - maybe due to having an older account - the settings with my account by default require the membership details before you can log in via any other method, other than for basic functionality that doesn't include the ability to set up new fund transfers. (I did notice recently a banner at the top on logging in suggesting setting up the account to allow logging in via sort code, etc.)

Hmm maybe, I would prefer the slight inconvenience of having to remember a passcode rather than the ability to get past with card information and PIN number alone.
 
Hmm maybe, I would prefer the slight inconvenience of having to remember a passcode rather than the ability to get past with card information and PIN number alone.

Unfortunately the site is down for maintenance so I can't double check, but I think what you're describing is default behaviour for new accounts maybe - I might be behind on what changes they've made also, as the front end seems to change quite often - i.e. I was just about getting used to the last mobile setup they had for basic access when they changed it for a new system :S
 
If someone knows your PIN and steals your card they don't need to go online to steal your money.
It's the same security pattern as ever: if your 'password', in this case your PIN, is compromised, then there is no security.

Cover your PIN, and hope not to get skimmed at a fake ATM.
 
It's really not dissimilar to having your car keys and car stolen, and worrying that the alarm and immobiliser were sidestepped by the thief having the keys.
The alarm wasn't designed to stop theft of keys.
 
It's really not dissimilar to having your car keys and car stolen, and worrying that the alarm and immobiliser were sidestepped by the thief having the keys.
The alarm wasn't designed to stop theft of keys.

This. The online threat is much higher than the threat of physical theft.
 
I use my phone; the Barclays app is secure. It has a PINsentry on it too, and the 5 digit code for my phone app isn't the same as my PIN, nor is it my DOB lol.

The flaws in PINsentry are no different to any others. If someone learns your PIN and has the dedication to find out account details they can get you. One guy in Sheffield was re-ordering cards for houses that have post boxes at the end of their drives and then collecting the cards...

Bottom line is nothing is 100% safe.
 