I recently had to telephone Barclays to report that I had received a potentially fraudulent text message from an unknown source that appeared to be a legitimate Barclays text message. I explained that the text message stated that I needed to deposit £106.66 (a very precise amount) via Barclays.mobi/app by 2pm the day I received the text in order to avoid an £8.00 fee. The actual text message read as follows:
‘You don’t have enough funds to make your payment from account 12345. To make your payment and avoid £8.00 fees just deposit £106.66 in cash today in branch or transfer by Telephone, Mobile or Online before 2pm http://www.barclays.mobi/app’
Obviously 12345 is a fictional number, but in reality the real last five digits of my savings account were used in the actual text message. So here were my first realisations and questions upon reading the text message:
1. Firstly, it’s my savings account number and it is impossible to carry out a card transaction in store with a savings card or make an online payment via a savings account.
2. Secondly, THIS IS A SCAM!
3. I realised that if indeed it was a scam, how on earth did they get my account details?
4. If my card had been skimmed in one of the Barclays ATMs that I had recently used, how on earth would the culprit have known my mobile phone number?
5. Why would I have to deposit the exact amount of £106.66 by 2pm? Bear in mind that there are no overdraft facilities with a savings account, and that usually with my current account I would simply receive a letter approximately two days later informing me that an £8.00 fee WILL be taken out of my account regardless; there is no negotiating before the £8.00 fee is debited from my account.
6. Why 2pm?
After doing a little bit of online research to investigate whether anyone else had experienced the same message, I discovered there were no posts as yet relating to the same incident. So I went on http://www.barclays.co.uk to get the relevant phone number or email to report the potential fraud. The following is an excerpt from the Barclays website:
‘For any concerns around Barclays fraud alerts sent via text SMS to your mobile, please call 0845 3512288 1 (+44 1604 529410 outside the UK or from a mobile)’.
Now here’s the thing… Having rung Barclays to report the issue, I was asked by the telephone operator to answer some security questions before he could go any further with the telephone call. After giving the ‘long number’ across the middle of my card I was informed that my account was visible on the operator’s screen, but I would have to answer further security questions. So, my response was “before I give you my security details, can you answer my security question? When was the last time I withdrew cash from a machine and how much was it for?” He replied “I’m sorry, I can’t give you that information; you would need to answer the security questions first”. My response was “but the day and time I last withdrew money is hardly a security issue”. “No, I am sorry ma’am; I cannot give you that information until you answer the security questions”. I felt we were going around in circles here. So, after having quizzed him about Barclays’ procedures for taking such calls, I was confident enough to give him the security details he requested… name, date of birth, place of birth and the location of the branch at which I opened the account. Silly girl, I hear you saying… well… that’s exactly what I thought too, but I wanted to test the system and see what Barclays’ next procedure was in the steps of reporting fraud. The response was as follows:
“Well Miss, I can see that no fraudulent activity has taken place on your account and that we indeed have not sent you a text message”. “Great, so how can I report the fraudulent text message; will you be making a note of it?” “No, I am sorry Miss but you need to ring a Freephone number and report it to them, do you have a pen? The number is 0800 389 16 52”.
So out of frustration I thanked him very much for his help and he wished me a great weekend.
Next step, I rang 0800 389 16 52.
“Hello can you give me the ‘long number’ on your card please and answer some security details”
You have probably guessed the outcome of this conversation.
So here’s the thing that popped into my mind as I very calmly slammed the phone down – One-Way SSL.
One-Way and Two-Way SSL
SSL can be configured one-way or two-way:
With one-way SSL, the server is required to present a certificate to the client but the client is not required to present a certificate to the server. To successfully negotiate an SSL connection, the client must authenticate the server but the server will accept any client into the connection. One-way SSL is common on the Internet where customers want to create secure connections before they share personal data. Often, clients will also use SSL to log on so that the server can authenticate them.
With two-way SSL (SSL with client authentication), the server presents a certificate to the client and the client presents a certificate to the server. WebLogic Server can be configured to require clients to submit valid and trusted certificates before completing the SSL connection.
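The two configurations described above, as an added runnable example that is not part of the original post and not WebLogic’s or Barclays’ code: a loopback TLS server in Go’s standard library is run first in one-way mode (it presents its certificate and accepts any client) and then in two-way mode (it additionally demands a client certificate that chains to the CA it trusts). The CA, the server name “bank.example” and the client name “customer” are constructed for the example; all certificates are generated in memory and never written to disk. The untrusted-client case goes slightly beyond the text: it shows that “valid and trusted” means the client certificate must be issued by a CA the server recognises, not merely any certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"time"
)

// identity bundles a certificate, its private key and the tls.Certificate form of both.
type identity struct {
	cert    *x509.Certificate
	key     *ecdsa.PrivateKey
	tlsCert tls.Certificate
}

// issue creates a short-lived P-256 certificate for cn (constructed names only).
// With parent == nil it is a self-signed CA; otherwise it is a leaf signed by parent.
func issue(cn string, isCA bool, parent *identity) *identity {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else { // leaf: usable as server or client, with a SAN matching its name
		tmpl.DNSNames = []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	}
	signerCert, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signerCert, signerKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return &identity{cert, key, tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}}
}

// ClientCredential selects what the client presents during the handshake.
type ClientCredential int

const (
	NoCert        ClientCredential = iota // client offers no certificate
	TrustedCert                           // leaf issued by the CA the server trusts
	UntrustedCert                         // leaf issued by an unrelated CA
)

// Exchange runs a loopback TLS server under the given client-auth policy, connects one
// client with the given credential and completes a 4-byte echo. It returns nil only when
// both sides accepted the connection.
func Exchange(policy tls.ClientAuthType, cred ClientCredential) error {
	ca := issue("Example CA", true, nil)
	pool := x509.NewCertPool()
	pool.AddCert(ca.cert)
	srvConf := &tls.Config{
		Certificates: []tls.Certificate{issue("bank.example", false, ca).tlsCert},
		ClientAuth:   policy, // NoClientCert = one-way, RequireAndVerifyClientCert = two-way
		ClientCAs:    pool,   // client certificates must chain to this CA
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvConf)
	if err != nil { return err }
	defer ln.Close()

	srvErr := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err != nil { srvErr <- err; return }
		defer conn.Close()
		conn.SetDeadline(time.Now().Add(5 * time.Second))
		buf := make([]byte, 4)
		// The first Read performs the handshake; it fails if the client-auth policy is not met.
		if _, err := io.ReadFull(conn, buf); err != nil { srvErr <- fmt.Errorf("server: %w", err); return }
		_, err = conn.Write(buf) // echo back
		srvErr <- err
	}()

	cliConf := &tls.Config{RootCAs: pool, ServerName: "bank.example"} // client always verifies the server
	switch cred {
	case TrustedCert:
		cliConf.Certificates = []tls.Certificate{issue("customer", false, ca).tlsCert}
	case UntrustedCert:
		other := issue("Other CA", true, nil)
		cliConf.Certificates = []tls.Certificate{issue("customer", false, other).tlsCert}
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), cliConf)
	if err != nil { return fmt.Errorf("client: %w", err) }
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(5 * time.Second))
	if _, err := conn.Write([]byte("ping")); err != nil { return fmt.Errorf("client: %w", err) }
	echo := make([]byte, 4)
	if _, err := io.ReadFull(conn, echo); err != nil { return fmt.Errorf("client: %w", err) }
	return <-srvErr
}

// OneWay: the server proves its identity; the client is accepted without one.
func OneWay(cred ClientCredential) error { return Exchange(tls.NoClientCert, cred) }

// TwoWay: SSL with client authentication; the server also demands a trusted client certificate.
func TwoWay(cred ClientCredential) error { return Exchange(tls.RequireAndVerifyClientCert, cred) }

func main() {
	fmt.Println("one-way, no client cert:      ", OneWay(NoCert))
	fmt.Println("two-way, no client cert:      ", TwoWay(NoCert))
	fmt.Println("two-way, untrusted client cert:", TwoWay(UntrustedCert))
	fmt.Println("two-way, trusted client cert:  ", TwoWay(TrustedCert))
}
```

Run with `go run .`; the first and last lines print `<nil>`, the middle two print the rejection errors. Note that with TLS 1.3 the client’s own handshake completes before the server checks the client certificate, so a client only learns it was rejected on its first read; the example therefore judges success on the application-data round trip rather than on the handshake call alone.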
So, final thought: wouldn’t it be in the bank’s best interest to provide a two-way secure protocol in order to gain trust from potential and existing customers? Setting up a system whereby the banking telephone operator also has to answer a set of security questions relating to the customer would remedy the distrust and concern that is inherent in modern-day telephone banking.
P.S. My card obviously wasn’t skimmed – how would my telephone number be known from skimming a card? There was, however, a mass security breach within Barclays Bank and thousands of customer files were stolen. According to an anonymous whistle-blower who passed on information to The Mail on Sunday, customers’ files can be sold for up to £50 per file on the black market. Read more about it here: http://www.dailymail.co.uk.
P.P.S. The other question this article raises is whether there was a security breach on www.barclays.mobi/app the day I received the text message. It was very particular about the fact that I had to deposit a very specific amount of money by 2pm that day.