Third time unlucky: Another online blunder for Barclays

By Sonya Rabbitte, 11 August 2000 00:25

NEWS EXCLUSIVE: Barclays' online security is under fire again - after a third security lapse in the space of a fortnight exposed further flaws in the banking giant's online offering.

A silicon.com viewer discovered a design fault that allowed her to re-access her account after logging out of the system - without using a password. A leading security analyst described it as "a big design flaw".

Lauren Kennedy found the flaw when she checked her account details online. After logging out she re-accessed her account by simply using the 'back' button on her browser. The system did not prompt her to re-enter her password.

Kennedy, a web project manager with Usecolour.com, said she was extremely angry at the lack of security. "It's a basic requirement and they have been very irresponsible," she told silicon. "I am very angry."

A silicon.com journalist was also able to re-access his account in the same manner.

A spokeswoman for Barclays told silicon.com the bank was aware customers' financial data was retained on their PCs after logging out and that it was company policy to inform all customers in writing. However she said the bank did not consider this design feature to be a security concern.

She said: "Every time someone registers with Barclays online they receive a booklet explaining how to use the site. They are told that when they complete their transaction they should log off and clear the cache. The service is safe."

According to John Hayday, knowledge services director with internet security firm ISS, the fault could lie with timed cookies that have an active timeframe that may be longer than the login time.

"You type in your password details to authenticate with the bank that you are who you claim to be. They send a cookie to your PC confirming the details. That cookie has a life span. If you try to re-access the account within the valid timeframe of that cookie you won't need to re-enter your details. Should that be the case there are a lot of security concerns. It's a big design flaw," he said.

Kennedy called the Data Protection Commissioner today regarding this issue and was told to file a complaint in writing. She also told silicon.com she is still waiting for an apology from Barclays for last week's security breach and is now considering closing her account.
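The two explanations given above (a cookie that outlives the logout, and account pages kept in the browser cache) can be modelled in a few lines. This is an added example, not code from Barclays, ISS or silicon.com; the class names, the 900-second lifetime and the user name are assumptions made for illustration.

```python
import secrets

SESSION_TTL = 900  # seconds a session cookie stays valid (constructed value)

class ExpiryOnlySessions:
    """Flawed model: a token is honoured until its timestamp runs out."""
    def __init__(self):
        self.sessions = {}  # token -> (user, expires_at)

    def login(self, user, now):
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (user, now + SESSION_TTL)
        return token

    def logout(self, token):
        pass  # server keeps the token; only the page shown to the user changes

    def account_page(self, token, now):
        user, expires_at = self.sessions.get(token, (None, 0))
        if user is not None and now < expires_at:
            return 200, {}, f"statement for {user}"
        return 401, {}, "please log in"

class RevokingSessions(ExpiryOnlySessions):
    """Hardened model: logout destroys the session, pages are never cached."""
    def logout(self, token):
        self.sessions.pop(token, None)  # token is dead the moment the user logs out

    def account_page(self, token, now):
        status, _, body = super().account_page(token, now)
        # no-store keeps the browser from replaying the page from its cache
        return status, {"Cache-Control": "no-store"}, body

def replay_after_logout(store, delay=60):
    """Log in, log out, then re-request the account page `delay` seconds later."""
    token = store.login("constructed-user", now=0)
    store.logout(token)
    return store.account_page(token, now=delay)

if __name__ == "__main__":
    print("expiry only:", replay_after_logout(ExpiryOnlySessions())[0])
    print("revoking   :", replay_after_logout(RevokingSessions())[0])
```

With the expiry-only model the request made after logout is still served; with server-side revocation it is refused, and the `Cache-Control: no-store` header means the customer does not have to clear the cache by hand.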
