Barclays GDPR security

Requested my DPA / GDPR data from Barclays. They put it all together and told me that to access it, I should (quoting here):
1 Search for 'Barclays data control' in a web browser - then browse down the page to 'Access your data request' beneath 'Your choices' Select 'Access my data'
2 When prompted, enter (password etc)
How is that secure? Do a Google, then click on the first link that has some chunk of text in it!
Can’t anyone, including criminals, use SEO to get their site to the top of a Google search?
What am I missing?



Comments

  • Robin9
    Robin9 Posts: 12,641 Forumite
    Part of the Furniture 10,000 Posts Name Dropper
    Item 2 - password etc makes it secure - or am I missing something?
    Never pay on an estimated bill. Always read and understand your bill
  • haddo
    haddo Posts: 6 Forumite
    Third Anniversary Name Dropper First Post
    @Robin: You're going to a site selected by Google / other search engine. If you enter your password, you'll be giving it to whoever comes top of Google's results.
    How do Barclays ensure that they come top of the search? When I tried it, they didn't.
  • Robin9
    Robin9 Posts: 12,641 Forumite
    Part of the Furniture 10,000 Posts Name Dropper
    Have I misunderstood this?
    Having searched Google you have ended up in a Barclays site and are no longer in Google. The Barclays site is secure.
    Never pay on an estimated bill. Always read and understand your bill
  • Chino
    Chino Posts: 2,031 Forumite
    Part of the Furniture 1,000 Posts Name Dropper
    haddo said:
    How do Barclays ensure that they come top of the search? When I tried it, they didn't.
    Try using Bing instead - using the provided search terms the Barclays site came top of the search results for me:
    https://www.barclays.co.uk/important-information/control-your-data/
    Also check the SSL certificate of whatever site you navigate to. For the above link "This site has a valid certificate issued to Barclays PLC [GB], issued by a trusted authority."
  • PRAISETHESUN
    PRAISETHESUN Posts: 4,697 Forumite
    Sixth Anniversary 1,000 Posts Photogenic Name Dropper
    Whichever search engine you use, just verify you are on the Barclays site before you submit your login details. It should contain barclays.co.uk as the final part of the url (as opposed to barclays.scamsite.co.uk, etc). Not hard to check really. But I do agree that Barclays telling someone to just "do a google search" might lead to issues for someone who isn't computer savvy to recognise a fraudulent site.
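The hostname check described in the post above, as an added example that is not part of the original thread: it parses the address the way a browser does and compares the host against the expected domain on a label boundary, next to a naive "contains the text" check. The function names and every sample URL except the Barclays page and the `barclays.scamsite.co.uk` host quoted in the thread are constructed for illustration.

```javascript
// Added example (not from the thread). Sample URLs are constructed.
function hostOf(rawUrl) {
  try {
    const u = new URL(rawUrl); // WHATWG parser, same rules a browser applies
    // Lower-case and drop a single trailing dot ("www.barclays.co.uk.")
    return { protocol: u.protocol, host: u.hostname.toLowerCase().replace(/\.$/, "") };
  } catch {
    return null; // not a parseable absolute URL
  }
}

// True only for https and a host that IS the expected domain or a
// subdomain of it (match must start at a "." label boundary).
function isOnExpectedSite(rawUrl, expectedDomain) {
  const parsed = hostOf(rawUrl);
  if (!parsed || parsed.protocol !== "https:") return false;
  const domain = expectedDomain.toLowerCase();
  return parsed.host === domain || parsed.host.endsWith("." + domain);
}

// What "it has barclays.co.uk in it somewhere" amounts to.
function naiveCheck(rawUrl, expectedDomain) {
  return rawUrl.includes(expectedDomain);
}

const EXPECTED = "barclays.co.uk";
const SAMPLES = [
  "https://www.barclays.co.uk/important-information/control-your-data/",
  "https://barclays.scamsite.co.uk/login",          // brand as a subdomain label
  "https://barclays.co.uk.scamsite.example/",       // expected domain as a prefix
  "https://barclays.co.uk@scamsite.example/",       // expected domain in userinfo
  "https://scamsite.example/?next=barclays.co.uk",  // expected domain in the query
  "https://notbarclays.co.uk/",                     // suffix match without the dot
  "http://www.barclays.co.uk/",                     // right host, no TLS
];

function compare() {
  return SAMPLES.map((url) => ({
    url,
    naive: naiveCheck(url, EXPECTED),
    strict: isOnExpectedSite(url, EXPECTED),
  }));
}

for (const row of compare()) {
  console.log(`${row.strict ? "OK  " : "FAIL"} naive=${row.naive} ${row.url}`);
}
```

Only the first sample passes the strict check; the naive check also accepts four of the look-alikes and the plain-http address.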
  • eskbanker
    eskbanker Posts: 36,396 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    haddo said:
    Requested my DPA / GDPR data from Barclays. They put it all together and told me that to access it, I should (quoting here):
    1 Search for 'Barclays data control' in a web browser - then browse down the page to 'Access your data request' beneath 'Your choices' Select 'Access my data'
    2 When prompted, enter (password etc)
    How is that secure? Do a Google, then click on the first link that has some chunk of text in it!
    Can’t anyone, including criminals, use SEO to get their site to the top of a Google search?
    What am I missing?
    How did they issue the above instructions?  If it was by post, they should have been able to specify an exact URL, but it's standard practice to advise against clicking on links in emails or texts, so if they sent that electronically it would be understandable not to include an actual link.

    Presumably the password was a dedicated code specifically for accessing this data, rather than your usual online banking credentials, etc?  It's always possible for fraudsters to engineer fake sites to compete with genuine ones at the top of search rankings, but increasingly unusual as search engines have improved their algorithms - however, if those directed towards this site are anticipating read-only visibility of data, rather than something requiring their disclosure of anything other than the credentials listed in the instructions, then it's difficult to see how criminals could exploit this with a fake site.

    Does the rest of the message add any context about security?
  • haddo
    haddo Posts: 6 Forumite
    Third Anniversary Name Dropper First Post
    @eskbanker: Those instructions were issued by post. No further security context.

    I absolutely agree that including an exact URL in the letter would be the right way to go. I wasted 15 minutes on DuckDuckGo (my preferred search engine) before switching to Google and getting a non-Barclays website first hit by following Barclays' instructions to the letter. That site wasn't criminal, just a random site fishing for legit business, but I don't see why a criminal site couldn't get top.


  • haddo
    haddo Posts: 6 Forumite
    Third Anniversary Name Dropper First Post
    @praisethesun: That's exactly my point. Non-computer-savvy types can potentially give away their data. How do Barclays know people requesting data are computer-savvy?
  • flo22
    flo22 Posts: 364 Forumite
    Part of the Furniture 100 Posts Name Dropper Combo Breaker
    The Barclays website states 
    We'll send your data to you securely electronically in PDF form, so you can share it with a third party if you need to. Alternatively, we can post it to you.
    The OP must have received the access code to sign in securely and access it.
    Someone who is not computer savvy would request it to be posted to them instead of logging in to receive it.
    30+ years working in banking
  • eskbanker
    eskbanker Posts: 36,396 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    haddo said:
    I wasted 15 minutes on DuckDuckGo (my preferred search engine) before switching to Google and getting a non-Barclays website first hit by following Barclays' instructions to the letter. That site wasn't criminal, just a random site fishing for legit business, but I don't see why a criminal site couldn't get top.
    I wasn't saying that a criminal site couldn't get to the top, but was querying how they could actually exploit that, in the context of anyone armed with one-off credentials for read-only access to a dump of their data.

    As with another poster, I can't reproduce your experience, in that both Google and DuckDuckGo have the correct site at the top of the results for me - if you literally 'wasted 15 minutes' on the latter (more like 15 seconds for me), is it possible that your device and/or the software on it has been breached in some way?