Community
On September 23, 2009 I discovered a vulnerability on Barclays online banking service which permitted a remote adversary to peruse customer bank statements. Barclays were immediately notified, but defended their system design as a balance between privacy and usability. The Financial Service Authority (FSA) and Information Commisioner's Office (ICO) were also informed. Six months later I published a technical report (http://www.bensmyth.com/publications/10barc/) on the attack. Following media coverage from PC Pro and The Times; Barclays finally fixed the vulnerability on May 17, 2010. Security researchers widely accept the need for responsible disclosure, that is, notifying service providers and regulators prior to publishing details of system vulnerabilities. However, it would appear that Barclays simply used this period to shy away from their responsibilities, sacrificing their customers right to financial privacy. In addition, regulators failed to react to the problem in a timely manner; in fact, to the best of my knowledge, the regulators still have not reacted. In this instance it would appear that public disclosure at an earlier date would have directly benefited customer security. Accordingly the research community should consider how best to handle disclosure in the future.
This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.
Bo Harald Chairman/Founding member, board member at Trust Infra for Real Time Economy Prgrm & MyData,
24 October
Muhammad Qasim Senior Software Developer at PSPC
22 October
Mete Feridun Chair at EMU Centre for Financial Regulation and Risk
John Reese Business Analyst | Platform Growth Expert at Hashcodex
Welcome to Finextra. We use cookies to help us to deliver our services. You may change your preferences at our Cookie Centre.
Please read our Privacy Policy.