Banks Security and Technology
An English bank was once a highly respected establishment, one you could trust and entrust with personal data, common sense and good practices; sadly this is no longer the case.
In the fast-moving technological era we now live in, it amazes me how the mighty have fallen. Whilst reports of data breaches at large, international companies are all too common these days (Sony, Yahoo, Ashley Madison etc.), it’s hard to believe that simple bad practices are not only still in place, but that reports of such practices are ignored.
Yesterday I received an automated phone call, on my landline phone, which went something like this:
Caller: Hi, if you’re <insert name> please press ‘1’, else hang up.
[After pressing ‘1’]
Caller: Please enter your date of birth.
At this point, I hung up.
Shortly after hanging up, the same call was made to my mobile phone... and of course, I wasn’t prepared to take that call either.
If you’re wondering why you should not give personal details to someone who called you, then you really need to think more about identity theft and how to protect yourself.
The bank here is Barclays and I decided to report the issue. Getting in touch with the fraud department is easy: just call the number on the back of the bank’s credit card.
On calling Barclays, I was amazed to hear that the automated call was genuinely from them. They’re trying to be “proactive” by contacting customers that may have used a credit card on a site that may have been breached, though my card had not yet seen any fraudulent activity.
First line support for a fraud department should insist on hiring people with common sense.
After explaining the problem with their method of contacting customers this way, and the fact that it only encourages customers to give out their personal details to anyone who calls, the reply I was given was that they could provide me with the direct number for the fraud department if I suspect a call is fraudulent. I asked if my concerns about the method they’re using with their customers could be passed on, but again, I was informed that I could have their direct phone number; they just weren’t listening!
This isn’t an isolated incident of bad practice from Barclays, as noted by security researcher Scott Helme.
Barclays isn’t the only financial institution implementing poor security practices; let’s look at Virgin Money and what happens when you want to log in to a savings account.
Yes, that’s right: the login asks for individual characters of your password, which means they are clearly storing customers’ passwords directly and not using any form of hashing.
Not only does this prevent users from having strong passwords and pasting them from a password manager, but even with a 32-character password, this site has never requested a character beyond the 8th!
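To make the point concrete, here is an added example (my own illustration, not code from Virgin Money or from this post) contrasting a properly hashed credential with the kind of store a "give us characters 2, 5 and 7" login implies. The salted PBKDF2 store can only answer "is this the whole password?"; a positional check has to read characters back out of the password itself, so the service must be holding it in recoverable form. The truncation function at the end is an assumption: one possible explanation for a site that never asks beyond the 8th character is that it silently keeps only the first eight, in which case any candidate sharing those eight characters is accepted.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000

# Constructed sample credential for the example; not a real account.
SAMPLE_PASSWORD = "correct-horse-battery-staple-32!"  # 32 characters


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Salted PBKDF2-HMAC-SHA256 over the whole password.
    Returns (salt, digest); the password itself is never stored."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_password(candidate, salt, digest, iterations=ITERATIONS):
    """Full-password check against a stored hash, compared in constant time."""
    _, candidate_digest = hash_password(candidate, salt, iterations)
    return hmac.compare_digest(candidate_digest, digest)


def verify_partial_plaintext(stored_password, positions, answers):
    """A 'characters 2, 5 and 7' style check. Note the first argument:
    to read individual characters back out, the service must hold the
    password (or something reversible to it). A hash cannot answer this."""
    expected = "".join(stored_password[p - 1] for p in positions)
    return hmac.compare_digest(expected.encode("utf-8"), answers.encode("utf-8"))


def hash_truncated(password, salt=None, limit=8):
    """Hypothetical store that keeps only the first `limit` characters
    (an assumption about why a site never asks beyond the 8th character)."""
    return hash_password(password[:limit], salt)


def verify_truncated(candidate, salt, digest, limit=8):
    """Matching check for the truncated store: everything after `limit` is ignored."""
    return verify_password(candidate[:limit], salt, digest)


def demo():
    """Run the three checks and return their outcomes for inspection."""
    salt, digest = hash_password(SAMPLE_PASSWORD)
    results = {
        # Correct full password verifies; a one-character change does not.
        "full_correct": verify_password(SAMPLE_PASSWORD, salt, digest),
        "full_wrong_last_char": verify_password(SAMPLE_PASSWORD[:-1] + "?", salt, digest),
        # Positional check works only because the plaintext is available.
        "partial_needs_plaintext": verify_partial_plaintext(SAMPLE_PASSWORD, [1, 2, 32], "co!"),
    }
    # Failure mode: the truncated store accepts a wrong password that shares
    # the first eight characters with the real one.
    tsalt, tdigest = hash_truncated(SAMPLE_PASSWORD)
    results["truncated_accepts_wrong_tail"] = verify_truncated(
        SAMPLE_PASSWORD[:8] + "anything-else", tsalt, tdigest
    )
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The design point is that the login feature dictates the storage: if a site can ask you for the 3rd and 7th characters, it is holding something from which those characters can be recovered, whatever "best practice guidelines" it cites.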
I have reported this to Virgin Money and asked for it to be escalated. Their response was that they don’t see a problem here and are following ‘best practice guidelines’!
So, what can we do? I suggest we all start reporting these issues to our financial institutions and shout out to everyone when they’re not listening. Hopefully things will improve, but sadly I wouldn’t bank on it!