Simple security questions expose details of Barclays' mobile customers

The personal information of millions of people is potentially at risk of exposure on Barclays bank mobile banking site.

The personal information of millions of people is potentially at risk of exposure on Barclays bank mobile banking site.

People who lose their bank card, or have their card details copied, could have their banking transactions exposed to prying eyes, Computer Weekly has discovered.

The problem affects the web link which connects customers to pages designed to be viewed on mobile phones.

The site allows users to view their financial transactions if they answer four basic security questions.

Three of the answers are available on the card itself. These are surname, 16-digit account number and three-digit security code. The other question is the customer's date of birth.

Although no money is at risk, the flaw exposes details of Barclays customers' online banking transactions, including purchases and direct debits.

One Barclays customer who contacted Computer Weekly said he complained to Barclays about the security hole.

He said that he was shocked that Barclays said it was aware of the problem but did not close this security hole. "I spoke to someone at Barclays and they said do not worry 'no-one can make transactions using your account'," he said.

Barclays said the site only offers very limited functionality, "allowing small sums to be transferred between the customer's own Barclays current and savings accounts and a view of recent transactions only."

The bank reassured customers that money cannot be stolen in this way. "You can only view a limited time period of transactions online [and] for the majority of customers this will be around one month," it said.

"We do recognise the possibility that a customer's card and personal details could be used to access 'instant access' illegitimately. However, given the very limited functionality and money transfer restrictions this is highly unlikely, and in many years of offering the service we have seen no evidence to suggest there have been any instances of customer's money being transferred out of their Barclays accounts in this way."

Dai Davis, partner and IT expert at law firm Brooke North, said the three items of information on a card and a date of birth are not private information.

"From a data protect protection point of view, Barclays has not taken appropriate security measures to secure information," he said.

He said criminals could use information disclosed by the flaw to commit fraud. For example, if criminals can see a person's history of spending there is potential that it would be easier for them to call Barclays and change the customer's address.

Read more on Mobile networking