
Published: 11 August 2000 00:25 GMT
EXCLUSIVE: Barclays' online security is under fire again - after a third security lapse in the space of a fortnight exposed further flaws in the banking giant's online offering.
A silicon.com viewer discovered a design fault that allowed her to re-access her account after logging out of the system - without using a password. A leading security analyst described it as "a big design flaw".
Lauren Kennedy found the flaw when she checked her account details online. After logging out she re-accessed her account by simply using the 'back' button on her browser. The system did not prompt her to re-enter her password.
Kennedy, a web project manager with Usecolour.com, said she was extremely angry at the lack of security. "It's a basic requirement and they have been very irresponsible," she told silicon. "I am very angry."
A silicon.com journalist was also able to re-access his account in the same manner.
A spokeswoman for Barclays told silicon.com the bank was aware customers' financial data was retained on their PCs after logging out and that it was company policy to inform all customers in writing. However she said the bank did not consider this design feature to be a security concern.
She said: "Every time someone registers with Barclays online they receive a booklet explaining how to use the site. They are told that when they complete their transaction they should log off and clear the cache. The service is safe."
According to John Hayday, knowledge services director with internet security firm ISS, the fault could lie with a timed session cookie whose valid lifetime is longer than the user's login session.
"You type in your password details to authenticate with the bank that you are who you claim to be. They send a cookie to your PC confirming the details. That cookie has a life span. If you try to re-access the account within the valid timeframe of that cookie you won't need to re-enter your details. Should that be the case there are a lot of security concerns. It's a big design flaw," he said.
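The two failure modes described above can be modelled in a few lines: a session cookie that stays valid on the server after the user has "logged out", so that replaying it (which is all the browser's Back button does) still returns account data, and account pages served without cache-control headers, so that the data sits in the browser cache. The following is an added illustrative example, not Barclays' or ISS's code; the 15-minute lifespan, the cookie name `sid`, the in-memory session store and the two `logout_*` functions are assumptions made for the demonstration.

```python
"""Toy model of a session cookie outliving logout, and of the fix.

Illustrative only: an in-memory session store standing in for a real
banking back end. Not the code of any real site.
"""
import secrets
import time

SESSIONS = {}            # session id -> {"user": str, "expires": float}
SESSION_TTL = 15 * 60    # assumed 15-minute lifespan for the session cookie


def parse_cookie(header):
    """Parse a Cookie request header ("a=1; b=2") into a dict."""
    out = {}
    for part in header.split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            out[k] = v
    return out


def login(user):
    """Authenticate (password check elided) and issue a fresh session id."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "expires": time.time() + SESSION_TTL}
    return sid


def account_page(cookie_header, now=None):
    """Serve the account page if the presented session id is still valid.

    Returns (status, headers, body). The headers tell the browser not to
    store the page, so Back cannot re-show it from cache after logout.
    """
    now = time.time() if now is None else now
    sid = parse_cookie(cookie_header).get("sid")
    sess = SESSIONS.get(sid)
    if sess is None or sess["expires"] < now:
        return 401, {}, "login required"
    headers = {
        "Cache-Control": "no-store, no-cache, must-revalidate",
        "Pragma": "no-cache",
        "Expires": "0",
    }
    return 200, headers, f"balance for {sess['user']}"


def logout_client_only(sid):
    """Weak logout: only asks the browser to drop the cookie.

    The server-side session is untouched, so anyone who still holds the
    cookie value (the same browser, or a captured request) can keep using
    it until SESSION_TTL runs out. This is the design Hayday describes.
    """
    return "Set-Cookie: sid=; Max-Age=0"


def logout_server_side(sid):
    """Proper logout: invalidate the session on the server as well."""
    SESSIONS.pop(sid, None)
    return "Set-Cookie: sid=; Max-Age=0"


if __name__ == "__main__":
    sid = login("alice")
    print("before logout:", account_page(f"sid={sid}")[0])
    logout_client_only(sid)
    print("after client-only logout, cookie replayed:", account_page(f"sid={sid}")[0])
    logout_server_side(sid)
    print("after server-side logout, cookie replayed:", account_page(f"sid={sid}")[0])
```

Replaying the cookie after the weak logout still returns the account page; after the server-side logout it returns 401 even though the cookie value is unchanged. Note that invalidating the session fixes only the "no password asked" problem: the cached copy of an already-rendered page is a separate issue, which is what the `Cache-Control: no-store` header on the account page addresses, and why the bank's advice to clear the cache is a workaround rather than a fix.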
Kennedy called the Data Protection Commissioner today regarding this issue and was told to file a complaint in writing.
She also told silicon.com she is still waiting for an apology from Barclays for last week's security breach and is now considering closing her account.