Security expert Ben "OpenSSL" Laurie went into a Barclay's bank to transfer a large sum of money ("enough money to fund a small country") and discovered an incredibly lax, brittle security system that focused on meeting compliance requirements instead of keeping deposits safe. I'm in the process of switching from Barclay's to the Co-Op, after years of frustration, insane fees, and terrible service. The Co-Op has its own security issues (they won't let you use random passwords, instead forcing you to use much-more-easily hacked passwords that contain no repeated characters) but they're nowhere near as bad as Barclay's.
When I got there we sat down with a bank employee who asked me for my cash card. He stuck it into a PINsentry and asked me to type my PIN. On that evidence alone, we proceeded to transfer enough money to fund a small country. I find this a little scary. Anyway, when I reviewed the documentation, which I had to sign, it had a little box about ID verification, into which he'd typed "PIN xxxx + SRS" – "xxxx" was (part of?) the code from the PINsentry. I asked him what "SRS" meant and he explained it meant he'd checked my signature. In fact, he hadn't, but he proceeded to do so at that point, commenting that he already knew what my signature looked like, presumably to explain away why he hadn't done the check before…
Anyway, at this point my wife mentioned that we were rather expecting them to check ID and stuff, to which he responded in a way I feel sure was not authorised by the bank: "well, we used to be more secure but now the bank believes that PINs are the highest level of verification". I explained to him why I disagreed with the bank. He didn't argue with me.
Oh yes, the signature check? He wasn't even in the room when I signed. For all he knew I carefully copied it from a crib sheet. So, all that's standing between me and complete emptying of my bank account is my PIN. But hey, the only way anyone other than me could know that is if I told them, isn't it? So it would serve me right, obviously.
