Terence Eden

The 74,000 numbers of Barclays Bank


The UK faces an epidemic of telephone scams. Fraudsters are constantly calling people up pretending to be their bank. But how can you be sure the number displayed on your screen is genuine? You can't. The telecom system is hopelessly insecure and shouldn't be trusted for anything more complicated than dialling the speaking clock.

Barclays bank knows that customers are worried about this. So they've produced a handy website where you can see if a telephone number belongs to Barclays.

Because no one knows how to build a sensible web service any more, the page loads a 1.3MB JSON file containing every number that Barclays has.

barclays.co.uk/content/dam/json-files/TelephoneNumberChecker_26_03_2021.json

Over 74,000 numbers...

[Screenshot: long list of phone numbers in JSON format.]

To be fair, Barclays does use a large number of prefixes for its phone numbers.

[Screenshot: a long list of phone numbers, all with the same prefix.]

But surely this could be handled in a more sensible way, like a regex?

Mind you, the service doesn't even work if you use the +44 prefix.

[Screenshot: error message when the phone number starts with the international prefix.]

Nor if you accidentally include some trailing punctuation.

[Screenshot: error message is displayed when the phone number has a dot at the end.]

Nor if you format it with dashes.

[Screenshot: error message when the phone has dash separators.]

So a regex might be a bit beyond them.
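The three inputs the checker rejects (a +44 prefix, a trailing dot, dash separators) all reduce to the same national number once the input is canonicalised before an exact-match lookup. This is an added example, not Barclays' code and not from the original post; the function names are hypothetical and the two numbers are constructed from Ofcom's reserved-for-drama ranges.

```javascript
// Constructed sample list (Ofcom drama-use ranges), NOT real Barclays numbers.
const KNOWN_NUMBERS = new Set(["02079460123", "08081570456"]);

// Convert user input to UK national format: leading 0, digits only.
// Returns null when the input cannot be read as a UK number.
function normaliseUkNumber(input) {
  if (typeof input !== "string") return null;
  let s = input.trim();

  // Tolerate common formatting characters, but reject anything else
  // (letters, symbols) rather than silently discarding it.
  if (/[^\d\s().+\-]/.test(s)) return null;

  // Detect an international prefix before punctuation is stripped.
  const intl = s.match(/^(\+|00)/);
  if (intl) {
    // "+44 (0)20 ..." : the bracketed trunk zero is not dialled internationally.
    s = s.replace(/\(0\)/g, "");
  }

  let digits = s.replace(/\D/g, "");
  if (intl) {
    if (intl[1] === "00") digits = digits.slice(2);
    if (!digits.startsWith("44")) return null; // not the UK country code
    digits = "0" + digits.slice(2);
  }

  // Loose sanity bound only (an assumption); the list lookup is the real check.
  return /^0\d{7,10}$/.test(digits) ? digits : null;
}

// Exact set membership: a number that is not in the list never matches,
// however close it is to one that is.
function isKnownNumber(input, known = KNOWN_NUMBERS) {
  const n = normaliseUkNumber(input);
  return n !== null && known.has(n);
}

// The three formats from the screenshots, plus two near misses.
for (const sample of ["+44 20 7946 0123", "020 7946 0123.", "020-7946-0123",
                      "020 7946 0124", "+1 202 555 0100"]) {
  console.log(JSON.stringify(sample), "->", isKnownNumber(sample));
}
```

A match still only means the number is safe to call, not that an incoming call showing it is genuine.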

Now, in fairness, the site does say that just because a number appears to come from them doesn't mean it is them.

[Screenshot of the checker's result: "It’s safe to call this number. Top tip: Fraudsters can 'spoof' phone numbers, this means they make it look like they're calling you from one of our numbers. If you receive a call and you're not totally sure it's from us, end the call and ring us back instead. You can use the number on the back of your Barclays debit card or any other number that our checker confirms is safe to call."]

And, looking at the file name of the JSON file, it appears to be recently updated. Which is good, I guess. Although I still think it is weird to give fraudsters a list of every single number in your range.

But, seriously, why not POST the number to a service which can be updated? Wouldn't that make more sense than slowly downloading the ~~nine billion names of god~~ seventy-four thousand numbers of Barclays?

Thanks to The AntiSocialEngineer and Robert Schifreen for pointing this out.


12 thoughts on “The 74,000 numbers of Barclays Bank”

  1. Yeah, but that's not the problem is it? Now that Barclays have published their official numbers, the scammer can download them into their phone system and use them to spoof the caller-id on the scammer's outgoing calls.

    Best just to say, "Thanks for the info", hang up the call. And then contact your bank from your mobile.

    1. Perl’s Regexp::Optimizer produced this which is only 43k

      I’ve probably done something wrong here but if I paste that regexp into a while(){if ($_=~qr/blah/){print}} kind of thing, it seems to allow, e.g., 83300414522 to pass even though it’s not in the original list (and indeed allows 175 swap-prefix-0-for-8 such mistakes.)
