Join the Community

22,238

Expert opinions

44,206

Total members

424

New members (last 30 days)

214

New opinions (last 30 days)

28,750

Total comments

Join Sign in

Barclays compromise financial privacy

01 June 2010 Be the first to comment

Retired member

On September 23, 2009 I discovered a vulnerability on Barclays online banking service which permitted a remote adversary to peruse customer bank statements. Barclays were immediately notified, but defended their system design as a balance between privacy and usability. The Financial Service Authority (FSA) and Information Commisioner's Office (ICO) were also informed. Six months later I published a technical report (http://www.bensmyth.com/publications/10barc/) on the attack. Following media coverage from PC Pro and The Times; Barclays finally fixed the vulnerability on May 17, 2010.

Security researchers widely accept the need for responsible disclosure, that is, notifying service providers and regulators prior to publishing details of system vulnerabilities. However, it would appear that Barclays simply used this period to shy away from their responsibilities, sacrificing their customers right to financial privacy. In addition, regulators failed to react to the problem in a timely manner; in fact, to the best of my knowledge, the regulators still have not reacted.

In this instance it would appear that public disclosure at an earlier date would have directly benefited customer security. Accordingly the research community should consider how best to handle disclosure in the future.

External

This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.

5373

Report

Channels

/security

Information Security

The risks from Cyber cime - Hacking - Loss of Data Privacy - Identity Theft and other topical threats - can be greatly reduced by implementation of robust IT Security controls ...

Join group

216 opinions 45 members 04 November 2024