17 July 2018
Ben Smyth

Banking failures

Ben Smyth - University of Birmingham


Barclays compromise financial privacy

01 June 2010

On September 23, 2009 I discovered a vulnerability on Barclays online banking service which permitted a remote adversary to peruse customer bank statements. Barclays were immediately notified, but defended their system design as a balance between privacy and usability. The Financial Services Authority (FSA) and Information Commissioner's Office (ICO) were also informed. Six months later I published a technical report (http://www.bensmyth.com/publications/10barc/) on the attack. Following media coverage from PC Pro and The Times, Barclays finally fixed the vulnerability on May 17, 2010.

Security researchers widely accept the need for responsible disclosure, that is, notifying service providers and regulators prior to publishing details of system vulnerabilities. However, it would appear that Barclays simply used this period to shy away from their responsibilities, sacrificing their customers' right to financial privacy. In addition, regulators failed to react to the problem in a timely manner; in fact, to the best of my knowledge, the regulators still have not reacted.

In this instance it would appear that public disclosure at an earlier date would have directly benefited customer security. Accordingly, the research community should consider how best to handle disclosure in the future.



Comments: (1)

Ben Smyth - University of Birmingham - UK, 02 June 2010, 00:31

The Times published a follow-up article over the weekend.

