The 74,000 numbers of Barclays Bank
The UK faces an epidemic of telephone scams. Fraudsters are constantly calling people up pretending to be their bank. But how can you be sure the number displayed on your screen is genuine? You can't. The telecom system is hopelessly insecure and shouldn't be trusted for anything more complicated than dialling the speaking clock.
Barclays bank knows that customers are worried about this. So they've produced a handy website where you can see if a telephone number belongs to Barclays.
Because no one knows how to build a sensible web service any more, the page loads a 1.3MB JSON file containing every number that Barclays has.
https://www.barclays.co.uk/content/dam/json-files/TelephoneNumberChecker_26_03_2021.json
Over 74,000 numbers...
To be fair, Barclays does use a large number of prefixes for its phone numbers. But surely this could be handled in a more sensible way, like a regex?
Mind you, the service doesn't even work if you use the +44 prefix.
Nor if you accidentally include some trailing punctuation. Nor if you format it with dashes.
So a regex might be a bit beyond them.
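The +44, trailing-punctuation and dashes failures above are all the same bug: the input is compared verbatim. As an added example (not Barclays' code, and the numbers in the allowlist are made up), here is how a lookup should first normalise a UK number to national format and only then do an exact membership test:

```python
# Added example (not Barclays' code): normalise a UK phone number to national
# format before an exact lookup, so +44 prefixes, spaces, dashes, brackets and
# trailing punctuation do not cause a spurious "not one of ours".
import re
from typing import Optional

# Constructed allowlist of numbers in national format (leading 0, digits only).
# These are made-up numbers for the example, not real Barclays numbers.
KNOWN_NUMBERS = {
    "03451234567",
    "02081234567",
}

_FORMATTING = re.compile(r"[\s().\-]")                         # spaces, brackets, dots, dashes
_INTERNATIONAL = re.compile(r"(?:\+44|0044|44)0?(\d{9,10})")   # +44 (0)20 ..., 0044 20 ...
_NATIONAL = re.compile(r"0\d{9,10}")                           # 10 or 11 digits, leading 0


def normalise_uk_number(raw: str) -> Optional[str]:
    """Return the national-format digit string for a UK number, or None.

    Accepts +44 / 0044 / 44 international prefixes (with or without the
    bracketed trunk 0), any mix of spaces, dashes, dots and brackets, and
    trailing punctuation left over from copy-and-paste. Anything that does
    not reduce to a plausible UK national number is rejected, not guessed at.
    """
    s = _FORMATTING.sub("", raw.strip())
    s = s.rstrip(",.;:!?")
    m = _INTERNATIONAL.fullmatch(s)
    if m:
        s = "0" + m.group(1)          # "+44 20 ..." -> "020 ..."
    return s if _NATIONAL.fullmatch(s) else None


def is_known_number(raw: str, known=KNOWN_NUMBERS) -> bool:
    """Exact membership test on the normalised number (no substring matching)."""
    n = normalise_uk_number(raw)
    return n is not None and n in known


if __name__ == "__main__":
    for sample in ["+44 345 123 4567", "0345-123-4567.", "+44 (0)20 8123 4567",
                   "0044 20 8123 4567", "8345 123 4567", "03451234567 "]:
        print(f"{sample!r:24} -> {normalise_uk_number(sample)!s:12} "
              f"known={is_known_number(sample)}")
```

The rejection branch matters as much as the acceptance branch: a checker that silently "fixes" an unparseable string into something that happens to be on the list is worse than one that says it cannot tell.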
Now, in fairness, the site does say that just because a number appears to come from them - doesn't mean it is them.
And, looking at the file name of the JSON file, it appears to be recently updated. Which is good, I guess. Although I still think it is weird to give fraudsters a list of every single number in your range.
But, seriously, why not POST the number to a service which can be updated? Wouldn't that make more sense than slowly downloading the nine billion names of god seventy-four thousand numbers of Barclays?
Thanks to The AntiSocialEngineer and Robert Schifreen for pointing this out.
Ben Hardill said on twitter.com:
ARRGH! I was this close to thanking them for handing out the list of numbers for me to spoof, but when I looked at the site I (stupidly) assumed the look up was on the backend...
Lily said on twitter.com:
My tired brain read the first few words of the intro as "The UK facepalms..." but I guess it was accurate 🤦🏻♀️
Philip Bragg said on twitter.com:
This is a great example of how not to solve a problem in that it doesn't solve the problem and it creates a whole new one that didn't exist before they compiled all their "valid" numbers on a single public document for the criminals to use. Own goal of epic proportions.
Lee says:
Yeah, but that's not the problem is it? Now that Barclays have published their official numbers, the scammer can download them into their phone system and use them to spoof the caller-id on the scammers' outgoing calls.
Best just to say, "Thanks for the info", hang up the call. And then contact your bank from your mobile.
Ollie Treend said on twitter.com:
In fairness, a regex would still be problematic so long as it's on the client side. It could be reverse engineered to create a list of valid Barclays phone numbers.
The only sensible place for this list is behind a server side API endpoint.
🤦
Andrew Coulton said on twitter.com:
Never understood why (for customers with internet at least) banks don't just offer a tool on their website to create/verify a challenge-response code pair so you can authenticate someone calling from the bank without needing to exchange any customer data in either direction
Wes Biggs said on twitter.com:
Sounds like a good use case for a Bloom Filter. Only if there is a potential match via the filter do you need to do a web service lookup. But you don’t reveal the source data, and the size of the filter is much smaller than the data.
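The Bloom filter idea is worth seeing in numbers, so here is an added example (not Wes Biggs's or Barclays' code; the prefix and the member numbers are made up). It shows the size saving the comment refers to, and also the caveat a practitioner should weigh before shipping one client-side: a filter can be queried offline, so anyone who knows the prefix range can enumerate it and get back every member plus a small number of false positives.

```python
# Added example (not Wes Biggs's or Barclays' code): a client-side Bloom filter
# over a constructed number list, with the size calculation, and an offline
# enumeration of one prefix showing that every member is recovered (plus a
# small number of false positives). All numbers and the prefix are made up.
import hashlib
import math
import random


class BloomFilter:
    """Minimal Bloom filter: m bits, k positions per item via double hashing."""

    def __init__(self, n_items: int, fp_rate: float):
        # Standard sizing: m = -n ln(p) / (ln 2)^2 bits, k = (m / n) ln 2 hashes
        self.m = math.ceil(-n_items * math.log(fp_rate) / (math.log(2) ** 2))
        self.k = max(1, round(self.m / n_items * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item: str):
        # Kirsch-Mitzenmacher: k positions from two halves of one SHA-256 digest
        d = hashlib.sha256(item.encode()).digest()
        h1 = int.from_bytes(d[:8], "big")
        h2 = int.from_bytes(d[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item: str) -> None:
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, item: str) -> bool:
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))

    def size_bytes(self) -> int:
        return len(self.bits)


def filter_size_bytes(n_items: int, fp_rate: float) -> int:
    """Bytes needed to hold n_items at the given false-positive rate."""
    return BloomFilter(n_items, fp_rate).size_bytes()


def build_filter(numbers, fp_rate: float = 0.01) -> BloomFilter:
    bf = BloomFilter(len(numbers), fp_rate)
    for n in numbers:
        bf.add(n)
    return bf


def enumerate_prefix(bf: BloomFilter, prefix: str, suffix_digits: int):
    """Offline attack: query every number under a prefix and keep the hits."""
    candidates = (prefix + str(i).zfill(suffix_digits) for i in range(10 ** suffix_digits))
    return [c for c in candidates if c in bf]


# Constructed data: up to 50 made-up numbers under one made-up 7-digit prefix.
PREFIX = "0330041"
_rng = random.Random(1)
MEMBERS = sorted({PREFIX + str(_rng.randrange(10_000)).zfill(4) for _ in range(50)})


def demo() -> dict:
    bf = build_filter(MEMBERS)
    hits = enumerate_prefix(bf, PREFIX, 4)      # 10,000 offline queries
    return {
        "filter_bytes": bf.size_bytes(),
        "members": len(MEMBERS),
        "hits": len(hits),
        "all_members_recovered": set(MEMBERS) <= set(hits),
    }


if __name__ == "__main__":
    print("74,000 numbers at 1% FPR:", filter_size_bytes(74_000, 0.01), "bytes")
    print(demo())
```

At 1% false positives, 74,000 numbers fit in under 90 KB instead of 1.3 MB, which is the saving the comment promises. But the enumeration step is the point: the filter answers "is this number yours?" for any input, offline and unthrottled, so over a known prefix range it hands back the member list with about 1% noise mixed in. That is a smaller leak than the raw JSON, not the absence of one.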
James Stanley says:
The regex is actually much smaller than the JSON. Perl's Regexp::Optimizer produced this which is only 43k: https://gist.github.com/jes/11f51d55240fe0a13589124a2c95ebdf
rjp says:
Perl’s Regexp::Optimizer produced this which is only 43k
I’ve probably done something wrong here but if I paste that regexp into a while(){if ($_=~qr/blah/){print}} kind of thing, it seems to allow, e.g., 83300414522 to pass even though it’s not in the original list (and indeed allows 175 swap-prefix-0-for-8 such mistakes.)
James Stanley says:
Oops! The mistake was I forgot to anchor each number to the start and end of the string.
With that fixed, the result is now surprisingly even shorter, just under 11k: https://gist.github.com/jes/e678e4300d1cfcbcc12b46aaa7e58e30
And it doesn't fall over on your test input.
If you want to play with it, this is the script I've been using: https://gist.github.com/jes/c7b848220bc36d8ae3771cd77f232d0c
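The anchoring slip in the exchange above is common enough to be worth reproducing on a constructed list. This is an added example (not James Stanley's or rjp's script, and not derived from the Barclays file; the three numbers are made up, and rjp's specific 0-for-8 case is not reproduced). It shows the two ways a list-derived regex goes wrong and the fullmatch form that fixes both:

```python
# Added example (not James Stanley's or rjp's script, not the Barclays list):
# a pattern built by joining numbers with "|" needs every alternative anchored.
# No anchors at all admits any string containing a listed number; anchors put
# only at the outer ends ("^a|b|c$") bind to the first and last alternative alone.
import re

# Constructed numbers; not real Barclays numbers.
NUMBERS = ["03300414522", "03300414523", "03451234567"]


def alternation(numbers) -> str:
    """'a|b|c' of escaped literals (a real optimiser would factor shared prefixes)."""
    return "|".join(re.escape(n) for n in numbers)


def is_listed_unanchored(candidate: str, numbers) -> bool:
    """Bug 1: no anchors, so any string *containing* a listed number matches."""
    return re.search(alternation(numbers), candidate) is not None


def is_listed_outer_anchors(candidate: str, numbers) -> bool:
    """Bug 2: '^a|b|c$' anchors only the first and the last alternative."""
    return re.search("^" + alternation(numbers) + "$", candidate) is not None


def is_listed(candidate: str, numbers) -> bool:
    """Correct: group the alternation and require it to cover the whole string."""
    return re.fullmatch("(?:" + alternation(numbers) + ")", candidate) is not None


if __name__ == "__main__":
    for cand in ["03300414522", "0330041452299", "7703451234567", "x03300414523y"]:
        print(f"{cand:15} unanchored={is_listed_unanchored(cand, NUMBERS)!s:5} "
              f"outer={is_listed_outer_anchors(cand, NUMBERS)!s:5} "
              f"correct={is_listed(cand, NUMBERS)}")
```

Whatever optimiser produces the pattern, the check to run afterwards is the one rjp ran: feed it strings that are not in the source list but share digits with members, and confirm none of them pass.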
HackerNewsTop10 said on twitter.com:
The 74,000 numbers of Barclays Bank Link: shkspr.mobi/blog/2021/05/t… Comments: news.ycombinator.com/item?id=283260…
Science and Technology Enthusiast Weekly (Issue 184): How big are the government's storage needs? - Ruan Yifeng's Blog said on www.ruanyifeng.com:
This Article was mentioned on ruanyifeng.com