Barclays' online banking system is vulnerable to a remote attack that allows an adversary to view a customer's bank statements and transfer money between that customer's accounts. The vulnerability is the result of poor software engineering practice that neglected security in favour of usability. More precisely, Barclays' authentication mechanism relies on four pieces of customer data: surname, date of birth, sixteen-digit card number and three-digit card security code (the number printed on the reverse of the card). This simplifies the login process for the customer. However, none of these values is a secret: the information is publicly available, and hence an adversary can use it too. Barclays have therefore failed in their duty to protect the financial privacy of their customers. Moreover, the system may leave customers open to fraud and even financial loss.
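The failure described above is a property of the login policy, not of any particular implementation: if every factor the policy demands is something an adversary can obtain, the policy authenticates the adversary. The following is an added example, not Barclays' code and not code from the report. It models the four-factor policy named in the text beside an assumed hardened variant that additionally requires a memorised passphrase, and evaluates both against two assumed adversary profiles (one holding only public records, one who has also seen the card). The customer record, the adversary profiles and the passphrase factor are all constructed for the illustration.

```python
"""Model of a knowledge-based login whose factors are all obtainable by an
adversary, beside a variant that adds a factor the adversary does not hold.

Added example, not Barclays' code and not code from the report. The four
factor names follow the text; the adversary profiles and the extra factor
in the hardened variant are assumptions made for the illustration.
"""
import hmac
from dataclasses import dataclass

# The four factors the text says the login relies on.
WEAK_FACTORS = ("surname", "date_of_birth", "card_number", "card_security_code")

# Assumed hardened variant: the same four plus a memorised secret that never
# appears on the card, in a transaction or in a public record.
STRONG_FACTORS = WEAK_FACTORS + ("passphrase",)


@dataclass(frozen=True)
class Customer:
    """Constructed sample customer; every value is made up."""
    surname: str
    date_of_birth: str
    card_number: str
    card_security_code: str
    passphrase: str

    def record(self) -> dict:
        return dict(vars(self))


@dataclass(frozen=True)
class Adversary:
    """What one assumed adversary has managed to learn about the customer."""
    name: str
    knows: dict


def authenticate(customer: Customer, presented: dict, required: tuple) -> bool:
    """True iff every required factor is presented and matches the record.

    Each factor is compared in constant time; the point of the example is
    not timing but which inputs the adversary can supply at all.
    """
    expected = customer.record()
    for factor in required:
        if factor not in presented:
            return False
        if not hmac.compare_digest(str(presented[factor]).encode(),
                                   str(expected[factor]).encode()):
            return False
    return True


def missing_factors(adversary: Adversary, required: tuple) -> tuple:
    """Factors the adversary still lacks; empty means the login is open to them."""
    return tuple(f for f in required if f not in adversary.knows)


def who_can_log_in(customer: Customer, adversaries: list, required: tuple) -> list:
    """Names of the adversaries whose knowledge satisfies the login policy."""
    return [a.name for a in adversaries
            if authenticate(customer, a.knows, required)]


# Constructed sample data; the card number is a deliberately unrealistic value.
ALICE = Customer(surname="Example", date_of_birth="1980-01-01",
                 card_number="4000000000000002", card_security_code="123",
                 passphrase="correct horse battery staple")

# Assumed adversary profiles. Surname and date of birth are treated as
# obtainable from public records; the card details as visible to anyone who
# has handled the card. Neither profile holds the passphrase.
STRANGER = Adversary("stranger with public records",
                     {"surname": "Example", "date_of_birth": "1980-01-01"})
CARD_HANDLER = Adversary("public records plus a view of the card",
                         {"surname": "Example", "date_of_birth": "1980-01-01",
                          "card_number": "4000000000000002",
                          "card_security_code": "123"})
ADVERSARIES = [STRANGER, CARD_HANDLER]


if __name__ == "__main__":
    for policy_name, policy in (("weak", WEAK_FACTORS), ("strong", STRONG_FACTORS)):
        print(policy_name, "policy: open to", who_can_log_in(ALICE, ADVERSARIES, policy))
        for adv in ADVERSARIES:
            print("   ", adv.name, "still lacks", missing_factors(adv, policy))
```

Under the weak policy the adversary who has seen the card lacks nothing and authenticates as the customer; under the assumed hardened policy both profiles are stopped by the one factor they cannot observe. The `missing_factors` view is the useful artefact here: listing, per adversary profile, which required factors remain unknown is the check to run on any knowledge-based login before calling it authentication.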
This article has been discussed by PC Pro and The Times; The Times have also published a follow-up article.
A video demonstrating this attack is available on YouTube:
@TechReport{2010-attacking-Barclays-online-banking,
author = "Ben Smyth",
title = "{Privacy vs. Usability: A failure of Barclays online banking?}",
year = "2010",
number = "CSR-10-05",
institution = "School of Computer Science",
address = "University of Birmingham",
url = "http://www.bensmyth.com/files/Smyth10-attacking-Barclays.pdf",
}