Domain: barclays.co.uk
Stories and comments across the archive that link to barclays.co.uk.
Comments · 22
-
Re:"maximum" penalty
The maximum penalty the UK could probably make happen is they are no longer allowed to operate in the UK in any capacity.
That would be highly damaging to the UK economy - substantial impact across the financial sector, knock-on impacts across retail, and also remove a key competitor within Equifax's own market.
Long before Equifax reached a position where dissolution (or banning) was considered they'd have had their operations brought forcibly under third party control.
a breach like this means they have demonstrated they cannot be trusted with private data
No, it demonstrated that they couldn't be trusted. The FCA can (and will) demand evidence that they can now be trusted, and have a range of sanctions available should that evidence be unavailable or insufficient.
How did they get this private data?
Electoral records, court records, social media activity and (mostly) data provided by financial institutions.
I sure as hell didn't give them permission to have it.
Some of it doesn't need your permission (under current law). Some of it you almost certainly have consented to.
(I know, likely hidden away in the TOS of credit cards I have).
Not necessarily even your credit cards. See Section 10 (page 35) of the T&Cs of one of the UK's largest banks:
https://www.barclays.co.uk/con...
While many people won't read that far, it is to be fair written in easy to understand language and doesn't shy away from the ugly details: They're going to give all your data to Equifax.
-
Re: This isn't why they had a security breach
exactly how do they charge the card then?
The vendor takes the customer's name, postal address and card number, and sends a message to their card processor (bank) saying "I want to charge this customer this amount for this transaction"; the bank sends back a url and the customer is redirected to that page.
The (secure) page (which displays a shared secret known only by you and the bank) asks for your online banking password; the bank processes the payment, and redirects you back to the vendor's thank-you page.
This has nothing to do with chip and pin.
But UK banks also hand out free one-time pad terminals which use your chip and pin card for online identification.
-
Re:How does chip & pin work online?
Online transactions don't use the pin; you indicate you have the physical card by keying in a three-digit number printed on the back of the card; but you also have to give the billing address for the card, which if you've just picked it up in the street you're not going to have. And if you have got it, it doesn't help since anything you buy will be shipped to the cardholder instead of you.
Online transactions for virtual goods are verified by transitioning to a bank https page which asks for selected characters from a password; it then sends a go or no-go status to the merchant. To prevent spoofing, the bank's page might also include an identification phrase - 'the cuckoos are loud tonight' or whatever - which you created when you first registered with the bank.
And to log into your bank account, you can use a small handheld identification thingy which takes your pin number and uses it to create a one-time pad passphrase.
-
Re:Capital Crime
Opening an account requires a bit more than that:
http://www.barclays.co.uk/CurrentAccounts/Identificationdocumentsrequired/P1242557966027
I know as well that Natwest asked for my passport when I wanted to change my contact details.
-
Re:Doesn't two factor mean 2 pieces of info?
I would think the smart card authentication devices like this are quite cheap. The debit card already needs the chip (to authenticate transactions in shops in the UK, and many other countries), and the reader probably doesn't do much.
-
Re:Reminds Me of Something the Sony CEO Said ...
Many banks (at least in the UK) still use a variant of username+password authentication [...] instead of the much safer challenge-response method using an external pin-device (like this) [...]
This for me is the biggest sign that they're perfectly willing to seriously sacrifice security for the sake of saving a couple of pounds per customer on the pin-device.
Got to hope the pin-device isn't made by RSA
-
Re:Reminds Me of Something the Sony CEO Said ...
Many banks (at least in the UK) still use a variant of username+password authentication to access online banking (susceptible to things like keyloggers in the user's machine and phishing, not to mention cryptographical attacks against SSL in old browsers) instead of the much safer challenge-response method using an external pin-device (like this) + banking-card where no kind of password ever gets typed into an unsafe device (a general use, personal PC, used by somebody with little or no IT security training qualifies as an unsafe device).
This for me is the biggest sign that they're perfectly willing to seriously sacrifice security for the sake of saving a couple of pounds per customer on the pin-device.
-
Re:Authenticator
Because your bank is crap.
I have one of these: Barclays PINsentry Card Reader
-
Re:Not everyone has a bank account
I had an account in my name like this one when I was 11
Thai prawn curry? You must have made a copy-paste mistake.
Yet again I wish KDE wouldn't remember the clipboard contents after I shut down... that was Thursday's meal.
This was the account for children 11-15.
But a lot of parents are technophobes who keep their kids unbanked so that they can control their kids' spending and keep them from buying or using anything that is "not sold in stores".
My parents controlled my spending by not giving me any money. I usually got about £60 for my birthday (adjust for inflation) from various relatives, so I didn't exactly use the bank account very often. (Friends with more-normal parents did though.) My brother secretly opened a second bank account when he was about 15 so he could buy and sell things on eBay without my parents knowing.
Person-to-person transfers [...] by telephone
What kind of fee does your bank charge for that?
It's free (except the cost of the phone call -- 5p/minute or so). Transfers are free to/from any UK account for individuals. I've used it once, and regardless of the claimed security felt uncomfortable about it.
It's reasonably easy to change bank accounts in the UK, so there's a lot of competition between the various banks to gain customers. Someone with a current account is likely to use other services (loans etc), and any bank who started charging for things people expect to get for nothing would have trouble. However, branch opening hours are apparently quite restricted compared to some countries (e.g. usually only 10-13:30 on Saturdays, closed Sundays), and I'm guessing people are paid less interest here.
I've twice been charged by a bank for a service. The first time was when I went overdrawn beyond the agreed limit -- I complained and they reversed the charge (£30) and extended the limit, I was a student and they were hoping I'd keep the account when I got a decent job. The second time I forgot to pay my credit card bill, and had to pay about £2.10 in interest the next month.
-
Re:Not everyone has a bank account
I had an account in my name like this one when I was 11, which comes with a cash card or (with parental consent) a debit card.
I'm not sure if it's a law or a "do this or we'll make a law", but banks here offer "basic" accounts to prisoners, debtors etc. These don't let you spend more than you have. Here's one.
Person-to-person transfers can be done electronically either online, by telephone or (in some countries, not the UK) at an ATM. My bank sent me one of these for free, which was designed to secure online transactions (usual points about 'secret' encryption schemes apply).
-
Re:Oyster cards!
Expect an Oyster card (London transport card) integrated into a mobile phone in the next couple of years (I read that somewhere, I think it was official).
There's also the Barclay's credit card, RFID credit card (no need to enter a PIN for transactions under £10) and Oyster card (all three).
http://www.barclays.co.uk/credit-cards/search/index.htm
-
Re:solution to CC breeches ..
Not quite what you are suggesting since it doesn't connect to the client PC so there's a lot more data entry required of the user, but these devices, widely deployed by UK banks, have a feature where they can sign transaction amounts and destinations. Some banks' terms and conditions hint that their use might be extended to online shopping in the near future, which would be a great improvement over the horribly insecure "click here to change your password using the information that any fraudster already has" verified by visa system.
-
Re:Username/password combo for banks flawed.
Barclays ran trials 2 or 3 years ago where they sent different authentication devices out to small groups of customers. The outcome was that they chose offline card readers, which are now being rolled out at all UK banks as some sort of standard - expect to start seeing them used beyond online banking once all banks have finished deploying them.
-
Re:The first thing that comes to my mind is...
Barclays have been providing a device they call PIN Sentry since early 2007:
http://www.barclays.co.uk/pinsentry/
NatWest introduced their offering summer 2007:
http://www.natwest.com/microsites/general/card-reader-user-guide/index.asp?cmp=reader
I believe you're right about Lloyds not having followed suit just yet.
-
Re:Tall on story, light on details
Okay then - if the PIN really IS sent across a network, how do you explain this? http://www.barclays.co.uk/pinsentry/
-
Re:Scare tactics
How ironic. I just switched from Barclays because they implemented this scheme. Note that Barclays give you everything you need for free.
You need a user id, password, your card and the PINSentry device to access the site. That's sort of OK when you're at home. It's not great when you leave your card in the reader and don't realize until the next day when you're in the shop. It's not great when you travel and you have a few different accounts set up. Although Mr G overcame that he wouldn't have his card to make payments with!
It's spectacularly bad when you have a Python script screen-scraping their site twice a day and you're running the transactions through your local "suspicious transactions" algorithm. I record the bulk of my future transactions, so it's easy for me to spot erroneous ones - heck, I even have a secure RSS feed for the transactions from my five accounts. There's no way to give my bank this payment information (yet) so their heuristics are running without the data that would really help them. I had a heart-to-heart with my Premier Account Manager at Barclays about this and his hands were tied - they just aren't advanced at all. If they want to keep the data in their closed world then they need to give me the tools in that world to manage my money (and yes, OpenPlan is a step in that direction - great if you only use Barclays I guess).
-
Re:Things will only change if...
I don't think they should give a shit whether or not a web application runs in ANY browser - they should give a shit whether or not their web application is conservative in the feature set it uses, and follows standards. If they do, then it likely will work in Lynx, as my current online bank, Barclays do (no, I don't usually use Lynx, but I tested it a bit earlier because their site is very clean, and I was curious, and it worked flawlessly).
-
UK banks
In the UK I've tried the following banks successfully. Barclays is all server side so will work in anything which can do secure connections. Smile is a java client which is a bit strange. It works fine in Netscape running in KDE, but just displays a blank screen in Netscape under Gnome. If anyone has any ideas about why whether I'm running KDE or Gnome should make a difference I'd really like to know!
-
Credit card authenticity checks.
The problem I've found recently (I'm in the UK too) is that with UK credit/debit cards (I have a Visa/Connect from Barclays Bank), the banks don't seem to let people outside the UK get access to the registered card address - this means that the company you are buying from can't check that your address matches the one on the card which is their primary security. - I had to send a photo of my card and my passport to bidpay to get authenticated there, and some companies just refuse to do business with you!
Oh well - it's worth the hassle - ebay is my life....:-)
--
Lauren Child, lauren@laurenchild.net
-
and the UK???
What about us in the UK, who don't want to convert all our money to dollars and back again? Has anyone found a decent UK online bank yet?
Most of the high-street banks have SOME kind of online-banking, but most of them require windoze software, or some of them have nice java software but it checks you're running windoze before letting you run it! (yes, there are hacks, but I'd rather not give THOSE kind of people my business)...
Egg has a nice interest rate, and has done it The Way It Should Be Done with no java, just plain HTML, CGI, HTTPS... but they only allow you to pay out into your one or two nominated accounts, so you can't use it to pay bills, give money to friends, etc etc, and anyway, their security panics and locks you out if you dare to use the wrong capitalisation in any of the security questions.
marbles isn't a bank after all. anyone tried first-e? any good? what about any of the others?
I'm after something that will take my pay-cheque, and look after it, preferably earning a little interest. Something that will let me pay bills, pay money to friends, or transfer to other accounts. It MUST NOT make a fuss about me using any more secure OS than most of the rest of the planet. It should PREFERABLY not use huge java apps either, but I'd probably put up with java if it met all my other requirements.
Help!
:-)
-
On UK banks
The situation isn't that much different in the UK... most of the banks need windows, or some need the windows quirks to work properly...
However, this has been enough for me to change my main bank. I used to bank with the Royal Bank of Scotland, but solely because of the availability and features of their internet banking under linux, I have changed to Barclays Bank!
Of the others I've approached...
egg.com works, as long as you turn java off, but it's so basic (savings and credit card only) and so SLOW to react (they respond to e-requests sometimes over a week later).
first-e.com and smile are impossible to apply under linux because they run afoul of the "long drop down list and keyboard freezing" bug in netscape... I couldn't even apply for first-e under windows as their forms were all messed up when using large fonts! When I contacted them about it, they gave me step by step instructions to set my monitor to 800x600 with small fonts. Fine, but... I do not think I'd bank with them if I had to change fonts and resolution every time I wanted to do some banking!