Barclay's terrible bank-security

Security expert Ben "OpenSSL" Laurie went into a Barclay's bank to transfer a large sum of money ("enough money to fund a small country") and discovered an incredibly lax, brittle security system that focused on meeting compliance requirements instead of keeping deposits safe. I'm in the process of switching from Barclay's to the Co-Op, after years of frustration, insane fees, and terrible service. The Co-Op has its own security issues (they won't let you use random passwords, instead forcing you to use much-more-easily hacked passwords that contain no repeated characters) but they're nowhere near as bad as Barclay's.
When I got there we sat down with a bank employee who asked me for my cash card. He stuck it into a PINsentry and asked me to type my PIN. On that evidence alone, we proceeded to transfer enough money to fund a small country. I find this a little scary. Anyway, when I reviewed the documentation, which I had to sign, it had a little box about ID verification, into which he'd typed "PIN xxxx + SRS" - "xxxx" was (part of?) the code from the PINsentry. I asked him what "SRS" meant and he explained it meant he'd checked my signature. In fact, he hadn't, but he proceeded to do so at that point, commenting that he already knew what my signature looked like, presumably to explain away why he hadn't done the check before...

Anyway, at this point my wife mentioned that we were rather expecting them to check ID and stuff, to which he responded in a way I feel sure was not authorised by the bank: "well, we used to be more secure but now the bank believes that PINs are the highest level of verification". I explained to him why I disagreed with the bank. He didn't argue with me.

Oh yes, the signature check? He wasn't even in the room when I signed. For all he knew I carefully copied it from a crib sheet. So, all that's standing between me and complete emptying of my bank account is my PIN. But hey, the only way anyone other than me could know that is if I told them, isn't it? So it would serve me right, obviously.

"We Used To Be More Secure"


I had a funny experience with Barclays. My phone rang and a woman said "This is XXX from Barclays. Would you mind if I asked you a few security questions to verify your identity?". I replied "Of course I would mind. How do I know if you are who you claim to be? And anyway, you rang me. Your bank is always telling me not to disclose personal information etc." She said "I see your point. Anyway, what I have to tell you doesn't really require security anyway." She then told me that as I was no longer a student they would have to start withholding tax on interest paid. I laughed long and loud. I explained to her that as the bank never paid me more than a few pence in interest anyway, they could withhold all the tax they liked. It still makes me smile.

I work for one of the world's largest banks, and I can tell you that this is not representative of most banks, and the rep was most likely not even following Barclay's own processes to ascertain the identity of a client performing a large, high risk transaction. If Barclay's truly had such a lax policy around verifying client identity, they would have gone out of business decades ago due to client losses from impersonation fraud.

Yes, a bank card and PIN are often used to identify clients, but usually only for smaller transactions (less than $1,000, for example). If the amount is larger, greater identification verification methods would kick in, depending upon the size. Verification of your signature -- signed in the presence of the bank rep -- would be performed, as well as perhaps even collecting other ID from the client, such as passport, driver's licence, birth certificate, etc.

Moving to the Co-op is a good move. Their customer service is second to none, and it has to be given they have hardly any branches. Most business is conducted online or the telephone. I moved to them after a shitty experience with Bank of Scotland, who I used to work for, and haven't regretted it. Their ethical policy is an added bonus.

I also highly doubt that the employee was following procedures. Why else did he write down that he had verified the customer's signature, unless not checking the signature would get his ass kicked in an audit?

The fact that he hadn't verified the signature (and, for god's sake, even seen the customer sign *in front* of him) just shows that the employee was taking the piss, rather than Barclays.

I imagine that Barclays has a list of suitable ways of identifying customers for particular transactions (dependent on the size of transaction too). The employee's comment about PINs being the be-all and end-all implies that the PIN is currently at the top of the list. The larger the transaction, the more likely you should provide more than one item from the list though.

The folly of putting the PIN at the top of the list is that many many people share their PIN with a friend or family member. Expediency trumps security for many people, especially when dealing with people that (rightly or wrongly) they trust.

ID checks wouldn't help much anyway - fake IDs are readily available, as are "legitimate IDs that just aren't yours, but have a similar photograph". Bank clerks are not usually capable of spotting an improper ID.

The only thing that would really impart security here would be for there to be a way to recover from fraudulent bank transfers (currently this is almost impossible, since you have to track down the fraudster and sue them, and hope they haven't spent it yet since you can't recover money they no longer have). If a fraudulent charge is made to your credit card, you have ways to recover it from the banks and stores who allowed it to happen. This is what makes credit cards secure. We need something like this for bank transfers.

This clerk must be some kind of rogue knucklehead. I transfer money from the UK to the US regularly using Barclays, and I've never been able to do it with just a PIN. They usually ask for a passport.

There are people who still have money? Why wasn't I told?!
I thought the New New Economy was B&B (Barter & Begging)!

I for one love the Cooperative Bank, Member-owned, Ethical Banking.

I for one despise the Co-operative Bank. After 30 years personal and nearly 20 years business banking with them I'm off. Their smug "Ethical Banking" policy didn't extend to them meeting their side of an agreement (verbal over the phone, yeah they don't have many branches!) with me. Their admin system is Kafkaesque. I tried to change the name on my business account but was told (and the 8 page form confirmed) that I had to prove I was trading under the new name before they could change the account. A little difficult to trade with a new name if you don't have a bank account in that name, so I tried to change the name on the bank account ...

Bitter? Moi!

Similar to 'winkybb'... My mobile phone company phoned me to check something which I can't recall right now and they too stated that they needed to verify my identity. They asked me to confirm my address with them, to which I responded that I would need to confirm THEIR identity too, so if they could give me my street name while I gave them the house number the conversation could proceed. Thinking about it... I should probably have taken this further (the date of my last bill vs. the $ amount of that bill)...

My credit card company called me on my mobile from a number I did not recognise, asked for identity verification, and then told me my payment was overdue. They then asked me for debit card information to make a payment over the phone. The man got quite upset when I said I would do a bank transfer over the internet myself, and even more upset when I said that I was not certain of his identity. In retrospect he was probably being paid according to how many people made a payment with him over the phone. This kind of policy, while useful in terms of missed payments, makes most customers more likely to trust anyone who rings and says they are from their credit card company; the caller only needs a very small amount of information to sound plausible.

I made a similar transaction with Barclays today; my wife having gone through their call centre hell over the phone, I went into a branch to do it instead (their systems had gone down this morning).
I had to authenticate with the same Chip & PIN device they use for their online banking, but I also had to answer some security questions, so it's possible that Ben's cashier was being lazy.

I had an identical experience to Anonymous with Orange calling me and asking me to identify myself. I pointed out they had called me on my Orange mobile and I needed them to prove who they were. I said that if I gave them partial information and they could complete it then I would talk to them. I ended up hanging up when they claimed they couldn't give me any information due to the Data Protection Act.
