Photo of Terence Eden. He has a beard and is smiling.

The 74,000 numbers of Barclays Bank

· 12 comments · 350 words · Viewed ~10,276 times.

The UK faces an epidemic of telephone scams. Fraudsters are constantly calling people up pretending to be their bank. But how can you be sure the number displayed on your screen in genuine? You can't. The telecom system is hopelessly insecure and shouldn't be trusted for anything more complicated than dialling the speaking clock.

Barclays bank knows that customers are worried about this. So they've produced a handy website where you can see if a telephone number belongs to Barclays.

Because no one knows how to build a sensible web service any more, the page loads a 1.3MB JSON file containing every number that Barclays has.

https://www.barclays.co.uk/content/dam/json-files/TelephoneNumberChecker_26_03_2021.json

Over 74,000 numbers...

Long list of phone numbers in JSON format.

To be fair, Barclays does use a large number of prefixes for its phone numbers. A long list of phone numbers, all with the same prefix. But surely this could be handled in a more sensible way, like a regex?

Mind you, the service doesn't even work if you use the +44 prefix

Error message when the phone number starts with the international prefix. Nor if you accidentally include some trailing punctuation Error message is displayed when the phone number has a dot at the end. Nor if you format it with dashes Error message when the phone has dash separators.

So a regex might be a bit beyond them.

Now, in fairness, the site does say that just because a number appears to come from them - doesn't mean it is them. It’s safe to call this number. Top tip Fraudsters can 'spoof' phone numbers, this means they make it look like they're calling you from one of our numbers. If you receive a call and you're not totally sure it's from us, end the call and ring us back instead . You can use the number on the back of your Barclays debit card or any other number that our checker confirms is safe to call.

And, looking at the file name of the JSON file, it appears to be recently updated. Which is good, I guess. Although I still think it is weird to give fraudsters a list of every single number in your range.

But, seriously, why not POST the number to a service which can be updated? Wouldn't that make more sense than slowly downloading the nine billion names of god seventy-four thousand numbers of Barclays?

Thanks to The AntiSocialEngineer and Robert Schifreen for pointing this out.

Share this post on…

12 thoughts on “The 74,000 numbers of Barclays Bank”

  3. said on twitter.com:

    This is an great example of how not to solve a problem in that it doesn't solve the problem and it creates a whole new one that didn't exist before they compiled all their "valid" numbers on a single public document for the criminals to use. Own goal of epic proportions.


    Reply | Reply to original comment on twitter.com

  4. Lee says:

    Yeah, but that's not the problem is it?
    Now that Barclays have published their official numbers, the scammer can download them into their phone system and use them to spoof the caller-id on the scammers outgoing calls.

    Best just to say, "Thanks for the info", hang up the call. And then contact your bank from your mobile.

    Reply

  6. said on twitter.com:

    Never understood why (for customers with internet at least) banks don't just offer a tool on their website to create/verify a challenge-response code pair so you can authenticate someone calling from the bank without needing to exchange any customer data in either direction


    Reply | Reply to original comment on twitter.com

    1. says:

      Perl’s Regexp::Optimizer produced this which is only 43k

      I’ve probably done something wrong here but if I paste that regexp into a while(){if ($_=~qr/blah/){print}} kind of thing, it seems to allow, e.g., 83300414522 to pass even though it’s not in the original list (and indeed allows 175 swap-prefix-0-for-8 such mistakes.)

      Reply

What are your reckons?

All comments are moderated and may not be published immediately. Your email address will not be published.

See allowed HTML elements: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong> <p> <pre> <br> <img src="" alt="" title="" srcset="">