Tuesday 25 October 2022

Barclaycard commercial trouble


All I wanted was the statements for the company credit card from June till now. So I went to the web site that I've used before to get them, but it wouldn't let me log in. I tried the two possible usernames, with the correct password, and I got a "703 error" - it couldn't recognise me.

So I called Barclaycard commercial. I got talked through doing what I had already done, and got the 703 error again. So I waited a couple of days.

Meanwhile, I filled in the form on their web site to get help. That got me an answer that talked me through logging in to the online system. It was as if no-one had actually read about the problem I had getting into their system. I tried following their instructions, and again got the 703 error.

So I phoned again (0800 008 008) and spoke to Andrew there. He told me that the 703 error was a known problem that they've had for the last couple of months, and that they were working as fast as they could to fix it. In other words, there was no way I could use their online service to get the statements. So I asked for another way, and he said that this is done by a different department; he'd ask them to send the statements by email.

An email arrived, telling me that "You have received a PGP Universal Secured Message" and that I should "reach out to sender within 48 hours and get your One Time Passphrase (OTP)". So I called 0800 008 008 again, and was told that I'd be phoned with the OTP.

A couple of days later, I hadn't been phoned, so I called 0800 008 008 and said, maybe they called the wrong number, or maybe I was out, and this time I gave them my landline and my mobile to call.

I didn't get a call.

Then I got two emails. One told me the URL where the secure message was and also gave me the passphrase. The other one told me the URL, but not the passphrase. This seems to be a different system?

So I copy-pasted the URL into the browser, told it my email address and the passphrase; it let me in and told me to change the passphrase. I had to try a few times because it hadn't mentioned that I needed at least one capital letter, one lower case, one number and a punctuation mark. And, by the way, the passphrase that they sent me, didn't conform to that.

So, at last, I could access my statements. Which led me to another problem. It looked like this.

Nearly illegible. And it got worse when I scrolled down to the individual payments. So I phoned again to tell them about this, and also to tell them that they shouldn't have told me to wait for a phone call, because on their second attempt, they sent me the passphrase in the same email as the URL to access.

Pretty bad security, by the way, because if that email had been intercepted, the bad guy would have been just as able to access my statements as I did, since he would also know my email address (it was also in that email, of course). The complicated system that they used, was no more secure than if they'd just emailed me the pdf. Because a bad guy intercepting the pdf, could equally have intercepted the email that gave all the details about how to access the pdf.

Banks aren't very good at security. I sent them back an email to tell them so.

Your attempt at security is pathetic.

You sent me an email which, if intercepted, would give the bad guy full   
access to my statement. I have xxxxxed out the important details of that   

How is this more secure than the much simpler procedure of simply emailing
me my statement?

Is there anyone at Barclays who understands security?

And none of this would have been necessary if your problems with the "703
error" on your online system had been fixed.

Please take this as a formal complaint.

So, to print out the statement, I used LibreOffice Draw as a pdf reader, and that gave me a sufficiently legible version.
