Sep 19 2010

A couple of days ago, I posted about the call I received from Barclaycard concerning fraudulent activity on one of my accounts. From that call I concluded that Barclaycard themselves had become a victim of social engineering (which I am now able to confirm, and will be updating that post to explain after finishing this one), allowing the fraudster to set up new online access to my accounts. In that post I also dropped in a comment about the security questions they ask, and would have asked the fraudster, pointing out that they are not actually secure at all. Since then I have called Barclaycard myself, so to illustrate the point that the security questions they ask are anything but secure, here are the three I was asked:

  1. My address.
  2. Some specific detail of a transaction of their choosing from August.
  3. The last three digits of my phone number.

The first and third are quite clearly anything but secure – like most people, I do tend to provide my address and phone number to others. That’s what they’re for, to enable the people in my social circle, and people with whom I do business, to contact me. And the people with whom I do business would, logically, include some companies from whom I purchase things using my credit card – especially if it’s something that needs to be delivered. If one of these companies has had a security lapse, enabling someone to obtain my card details, there’s a good chance they’ll have these other details as well.

The second security question is more specific. If there are (say) ten transactions in that month, there is only a one in ten chance that it will be the transaction from which the fraudster obtained my details (assuming that is how he got them) – but one chance in ten is one chance more than zero chances in ten! Even if it isn’t the source of his data, though, it still lacks any substance as a means of security. My longer term recollection is that when I rang Barclaycard on one occasion a couple of years ago and was asked a similar question, I commented that I wasn’t at home and therefore didn’t have my statements to hand, and I was steered towards the answer they wanted.

It’s also worth noting that having successfully circumvented Barclaycard’s weak security when calling them and, having done so, managed to persuade them to set him up with online access to my accounts, the fraudster now has access to historical statements going back however far Barclaycard makes them available to customers online. For subsequent calls, getting past those security questions is even easier than the first time. And even if Barclaycard henceforth restricted these questions to statements going forward from these events, a crook with that history could make educated guesses unless I change what I tend to buy and where I tend to buy it from.

Well done, Barclaycard!

Now, to sign in online, I have – or rather had, given these events – a “user name or ID number” and a passcode to enter on one screen. Upon successfully entering those details I am then asked for two random characters from my password.

Why is their telephone security not handled in a similar way? When a customer rings them, after keying in their card number, they should be asked for certain digits from a passcode, certain characters from a password – information that would be known only to the customer, rather than information that is known by anyone who knows the customer, and can be easily determined by other people. (If it is Barclaycard initiating the contact, on the other hand, they should obviously not ask for passcode/password details – not even random digits – since this opens the way up for customers to be tricked into revealing this information to third parties pretending to be from the credit card provider).
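The telephone check proposed above, as an added illustration that is not Barclaycard's system or the author's code: the caller is challenged for two randomly chosen positions of a passcode or password, the answer is compared in constant time, the next challenge never repeats the previous positions, and a failure counter stops open-ended guessing. The customer secrets, the `PhoneSession` class and the lock-out threshold are constructed for this example.

```python
import hmac
import secrets

# Constructed sample secrets for one customer. A partial-character check needs
# the secret itself (held encrypted), not a one-way hash of the whole string.
CUSTOMER = {"passcode": "48213", "password": "Marmalade7"}
MAX_FAILURES = 3  # assumed threshold; after this, fall back to an out-of-band check


def make_challenge(secret_len, k=2, avoid=(), rng=None):
    """Pick k distinct 1-based positions, excluding those in `avoid` so the
    same positions are not asked again on the very next attempt."""
    rng = rng or secrets.SystemRandom()
    pool = [p for p in range(1, secret_len + 1) if p not in avoid]
    if k > len(pool):
        raise ValueError("secret too short for a fresh challenge")
    return sorted(rng.sample(pool, k))


def verify(secret, positions, response):
    """Constant-time comparison of the characters at the challenged positions."""
    expected = "".join(secret[p - 1] for p in positions)
    return hmac.compare_digest(expected.encode(), response.encode())


class PhoneSession:
    """One inbound call: issues challenges and checks answers for a customer."""

    def __init__(self, customer, rng=None):
        self.customer = customer
        self.rng = rng
        self.failures = 0
        self.last = {"passcode": (), "password": ()}  # positions currently outstanding

    def challenge(self, field, k=2):
        pos = make_challenge(len(self.customer[field]), k, self.last[field], self.rng)
        self.last[field] = tuple(pos)
        return pos

    def answer(self, field, response):
        if self.failures >= MAX_FAILURES or not self.last[field]:
            return False  # locked out, or no challenge has been issued
        ok = verify(self.customer[field], self.last[field], response)
        if not ok:
            self.failures += 1
        return ok
```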

As things stand, Barclaycard is only presenting the illusion of security to its customers. This has been my impression for some time, and the events of the past few days can only serve as evidence that it is so. It’s time Barclaycard took steps to put this right.

VinceH