Barclays PIN Sentry Disaster

Barclays PIN Sentry DisasterBarclays Bank have cut off some of their business customers from making payments to new suppliers, by forcing them to use PIN Sentry hardware that they don’t yet have.

The PIN Sentry is Barclays attempt to stop their customers accounts being hacked and having payment sent to fraudulent accounts. Something that would appear to be a good idea … if their current customers had the device in their hands and were able to use it.

Barclays Business customers that try to pay a new supplier using the online payment system will be stopped in their tracks if they don’t have a PIN sentry in their hands, as the online method now insists on its use.

How did this come to be?
We spoke to Barclays who told us that they started sending out the PIN Sentry devices, in August, to customers who ‘had a habit of paying new suppliers.’

Despite their weird turn of phrase, we pointed out to Barclays, that business is about expanding – both your customers and suppliers – hence every business banking customer is likely to be needing this.

Their suggestions for a fix was to request a PIN Sentry – and wait for five days for it to arrive. Not quite the point of online banking isn’t it?

Wouldn’t it have made a lot more sense to write to business customers asking them if they wanted or needed one?

Barclays PIN Sentry DisasterThe PR and reality don’t match
Prior to speaking to the press office, we spoke to the Barclays support centre and heard that they’d been having lots of people contacting them, and had “been talking to people all week about it, since it was introduced.”

This was borne out by finding out that there was a 20 minute queue to speak to the online banking telephone support and the advice that even if we got through they probably wouldn’t be able to help.

Quite rightly, they also commented that they “understood it was extremely inconvenient,” to not be able to pay new suppliers.

Sadly the story from Barclays press office doesn’t tie up with discussion that we’d had with those working at the Barclays call centre.

The over-aggressive PR at Barclays, Elizabeth Holloway, did no good for their cause when she continually insisted that everyone who needed one of the PIN Sentry’s had already received it. We repeated that this clearly wasn’t the case we hadn’t had one as we were left being unable to pay our suppliers

Barclays PIN Sentry DisasterWhen we asked how many people had had similar problems, the supercilious PR told us that SHE didn’t work on telephone support, so SHE had no idea.

The problems don’t end there
Not only do you need to have a PIN Sentry with you when you want to online bank, but you’ll also need a new debit card sent out to you to work with the machine.

Many people are not in receipt of those yet, but some have received them without knowing why to some annoyance.

Truth is stronger than Fiction
Hey Barclays, insisting that something is the case don’t make it so.

If you’re going to force customers to use a device to pay their money to a third party that they choose, the best idea is to distribute the devices that they are being forced to use to them in advance of making them have to use it.

PIN Sentry photo source: Kai Hendry

40 Responses to “Barclays PIN Sentry Disaster”

  1. on 01 Dec 2007 at 3:47 pm froogle man UNITED STATES

    Has anyone seen any customer reseach from Barclays suggesting this pin sentry was a good Idea and what customers wanted – I asked but they fobbed me off saying it was to ‘improve security’.
    I think it is rubbish as it totally limits the flexibility of online banking – before all you needed was to remember your online codes – more than sufficient- now you have to have also your card and pin reader with you – what if you are on holiday and your card or reader gets stolen? I say again, it is total rubbish.
    I am actually fuming that they think this is a good idea.

  2. on 05 Dec 2007 at 10:41 am D.B UNITED KINGDOM

    This PinSentry thing is stupid. The requirements used to verify a login on the old system were fine.

    To introduce a device which is meant to be safer and not inform the average user of this by phone, email or letter is bad.

    I tried to make a payment to a friend but couldn’t, the webpage then said i had to sign up to receive the reader, which i did and then in small print..”takes up to 7 days to arrive.”

    Incidently, i tried the reader of the first time today, and low and behold it didn’t work. :(

  3. on 05 Dec 2007 at 11:25 am Chris Hogan UNITED KINGDOM

    I have got my PIN Sentry, but the 1st time I went to make a new payment it asked me did I want to upgrade to PIN Sentry – since I couldn’t pay without it I said yes – and it requested another card reader & refused to make my payment for the next 72 hours.

    I’m changing bank…

  4. on 06 Dec 2007 at 10:20 am Simon Perry UNITED KINGDOM

    Lots of people appear to have the same view on this – so it would be interesting to find out how much research Barclays did before going ahead with this.

    Our PIN Sentry has arrived now, so it will be interesting to find out how easy it is to use.

  5. on 06 Dec 2007 at 2:40 pm Shane McCracken UNITED KINGDOM

    I received the PIN Sentry reader a few weeks ago and of course the online banking site rejected my use of it saying my details didn’t match their records. I wonder if this is related to new debit card issue which of course I haven’t received nor been told about.

    Worst of all is that my bank manager is not helping one little bit.

  6. on 06 Dec 2007 at 7:36 pm Shane McCracken UNITED KINGDOM

    I mentioned the building buzz about this story to my bank manager and miraculously he was able to circumvent the call centre and sort the problem within an hour!

    It now works but I certainly feel it is less secure that the previous system. With the number of times you have to enter it when buying things I feel my PIN number is far less secure than my online password.

  7. on 10 Dec 2007 at 12:22 pm Adam UNITED KINGDOM

    I tried to make a simple payment ant the weekend, and the prompt to sign up for the PINSentry system was the first I’d heard of it, talking to a guy I know it seems RBS has had the same system in place for 6 months or so too, anyone know which banks aren’t going to adopt this ridiculous system so I know who to transfer all of my banking to?

  8. on 12 Dec 2007 at 8:50 pm The Reaper

    I waited just over a week for the PIn sentry device to arrive. Once it did I read the set up instructions and logged on to make a payment – well so I thought :-(

    Even though I followed the instructions by the book( literally) it did not recognise the 8 digit number and decided that my details do not match and proceeded to close my online account for security reasons.

    I concede that maybe I should have not attempted the third log in attempt but the system clearly asked me to input the 8 digit number which I did, I can’t realy be held accountable for a flawed system or one with so many glitches.

    So now I can’t log into online banking I have tried calling them at numerous times during the day and this evening. In fact even at 20.40 they are still receiving a large amount of calls and I really can’t be bothered to pay 4p a minute plus a 6p connection charge to wait on the phone for half an hour. I do not see why I should be penalised for another Barclays mess.

    After Christmas I shall move to another bank, maybe HSBC? As I really can’t be bothered with Barclays anymore, they just blithely stumble from one cock up to another.

  9. on 13 Dec 2007 at 11:37 am charlie UNITED KINGDOM

    I am curious how technically the Barclays PIN Sentry 2FA system works exactly.
    I have a theory, which is only that, as follows –

    The PIN Sentry generates a random code from x-million possibilites derived from part of your card number (last 4 digits?) and your PIN.
    Once the code is input into the Barclays webpage the Barclays system runs your card numbers last 4 digits and PIN (which it both knows anyway) against the same algorithm that the PIN Sentry uses to generate codes.
    This produces all the x-million possible codes than your PIN Senrty could produce.
    If the random PIN Sentry code you submitted to the Barclays website matches one of the codes that the Barclays system itself generates, with your information, the resulting code is then checked against an ‘already used’ list of codes (from your previous logins). If there is no match in the ‘already used’ list then authentication to the Barclays website is allowed and you can log in.

    Therefore you cannot use a code twice.
    So if by chance (a very slim chance, probably slimmer than being eaten alive by a Great White Shark in Trafalgar Square) the PIN sentry does throw up the same code twice then you just will not be able to login with that code.

  10. on 17 Dec 2007 at 10:35 am Simon Perry UNITED KINGDOM

    @charlie – could be, but they probably would be more secur than that. Challenge/response system often work on the time of day too, meaning the key is only kept ‘alive’ for a short period, around the time of request. Not sure is that is the case here though.

    @The Reaper – I think lots of people will be doing the same as you and moving on to another Bank – and who can blame them.

    @Adam – Have you seen any good/bad feedback around the RBS system?

    @Shane McCracken – Glad you got sorted in the end, but slightly amazed that your bank manager could circumvent the problem.

  11. on 17 Dec 2007 at 10:48 am Adam UNITED KINGDOM

    Apparently at RBS you don’t need to use it to log into internet banking, just to set up new payments etc, so not as bad as the Barclays one, but they’ve still said it’s intensely irritating.

    I’ve already begun the move to First Direct myself, I asked if they were going to be instituting a PINSentry system in the immediate future, and the response was ‘a what now?’ which I know is no guarantee, but I took as a good sign.

    Only problem is First Direct are starting to charge a monthly fee for all of their bank accounts, unless you have other accounts with them (savings, credit card etc) in which case you’re exempt from the monthly fees.

  12. on 19 Dec 2007 at 10:17 am Dave UNITED KINGDOM

    The PIN Sentry system Barclays have introduced is a complete and utter joke, and that is coming from a member of staff. We are holding for 20+ minutes to the Online Banking help desk trying to get the system resolved for our customers but to little or no avail.

    The facts are now that, if you want to make a new 3rd party payment you must use PIN Sentry. Previously you were able to “opt-out” of the system and revert back to the old type of Online Banking. As of the 26/11/07 this is not available as an option. This is even more frustrating for the majority of customers as previously it was only “Premier” customers who could not opt out. Now, no-one can.

    The PIN Sentry system is also highlighting the fact that customers have multiple “CIS” numbers (customer record numbers to the layman) – one CIS number for their current, one for their savings etc under the names of, for example Mr John Smith and Mr John James Smith. The two Mr Smiths are the same person but the PIN Sentry system doesn’t recognise that as so and either won’t let you log on, or it will let you log on and have of your accounts drop off the screen. Once this has been done online it also makes the accounts drop off the software that advisors use in the call centres so they are none the wiser what is going on. To merge these CIS numbers can take up to 2 weeks depending on the complexity of the procedure.

    It seems that the whole system has been rolled out without consultation, without testing, without researching the impact on customers and general disregard to how Barclays customer want to do their banking. It just isn’t practical to carry the card reader around with you at all times when you’ve got your wallet, keys, mobile/PDA and whatever else. Just another Barclays cock-up.

  13. on 20 Dec 2007 at 3:16 am Callum Scott NEW ZEALAND

    I hate Barclays now!

    I was from the UK, i moved to New Zealand for six months and then I am going to Vietnam for six months. I had to pay for the organization arranging my trip and when I went to do it, up came the message saying we have now sent you a pinsentry to your home in the UK.

    Well thanks a lot! Now they say I will need that to login soon as well so I won’t have any access to my money whilst I am away.

    I am leaving Barclays but I don’t know if i can get an account with another UK bank whilst I am not in the country.

    Total ridiculousness.

  14. on 26 Dec 2007 at 11:53 pm EddyJawed UNITED KINGDOM

    It wouldn’t have been so bad if you just get access to your bank account and view your balance without using this decreped thing!
    I don’t understand – if I’m just viewing my balance to check for fraudulent activity especially if I’m abroad – and its password protected the old way – then what the is the security issue in that?

  15. [...] Pin Sentry confirms that we are in good company… this looks like it might be evolving into a bit of PR disaster for [...]

  16. on 31 Dec 2007 at 4:16 am small business UNITED KINGDOM

    I’ve got free banking with barclays for 12 months, if they haven’t sorted out this fiasco by the time the contract ends, I’m switching to another bank. It’s frustatingly inconvenient to log in like this. I misplaced my pin reader the other day and couldn’t even view my balance. It’s a shambles of a system. When are banks going to get a grip?

  17. on 01 Jan 2008 at 9:52 am John

    I hate pin sentry, I say it again, I hate it. Why do I need it just to access my account. I now visit my account less than I should and this cannot continue.

    I have tried to live with it for a month or 2 but am getting more annoyed. My new years resoluiton is to move account, I have spoken to Barclays and they think it is great. What a joke. I suggested they read the net and see the response form ral customers. Its a pain but after 20 years I have no choice to omve account.

  18. on 08 Jan 2008 at 2:26 pm Stephen POLAND

    Have not been inside a Barclays Branch in 10 years, so my first reaction was great, increased security however on reflection there is little added security when compared to the online security already provided by Barclays which uses a combination of keyboard, mouse activity and SSL encryption. Used in conjuction with a good firewall, antivirus & Spam filtering I would doubt if there are any benefits attached to the average consumer.

    If the introduction of Pin sentry is a reaction to Barclays concern to customers who respond to a phishing email requesting bank details and password then its appaling that Barclays reacts due to the lack of computer awareness by a minority of customers and introduce something that effectively reduces flexible secure mobile banking. Barclays should have spent the time, energy & resources to educate and inform.

    I am all for change and increased security, however the choice of a device that is 2 times larger and 3 times chunkier than some of its competitors which makes portability an issue and renders the device open to damage as you sling it in the suitcase rather than wallet. So Barclays please if you want increased security spend some more money on a modern credit card style pinsentry or USB card reader.

  19. on 08 Jan 2008 at 2:48 pm Stephen POLAND

    One further comment, the pinsentry is not date or time sensitive, so you can print out in advance several codes and carry this with you to allow flexible mobile banking and leave the pinsentry at home. Barclays encourage customers to reduce their level of security !

  20. on 13 Jan 2008 at 12:08 am Timothy Ross COLOMBIA

    A Barclays customer for over 40 years, as soon as I was told they would cut off my online (and only) access to my funds if my debit card and Pin Sentry does not arrive within 5 days, I started enquiries with other banks about opening accounts and will move just as soon as transfer of direct debits, interest payments, &c. is arranged.
    I have been trying for over six months to get Barclays to send me a debit card application form. 19 e-mails, letters and expensive international phone calls later, despite the repeated promises that “It is on it’s way”, “It will be posted this afternoon”, and “It is being sent out at the same time as this letter”, I have still not received the form. It is no longer possible to bank with Barclays.

  21. on 13 Jan 2008 at 3:03 pm Tez UNITED KINGDOM

    I too have been forced to use one and my overall concern is that eventually the keys will be worn as I type the same pin number over and over again. Should this fall into the wrong hands, eg, I get mugged and the thieves take the pin sentry and the card, they see the worn keys, and keep trying different combinations until the reader says pin correct and off to the shops they go.

    Ultimately if this thing becomes a pain in the backside I will move away from Barclays and find another bank that has a simple log in

  22. on 14 Jan 2008 at 10:59 am Simon Perry UNITED KINGDOM

    @Stephen – Is the PIN really not time sensitive? It would be an amazing oversight not to include that. I’ve just used the PIN sentry a couple of times and it gave a different number each time, so it’s possible that the time of use is part of the code generation.

    Of course it’s quite another matter if the server end doesn’t pay attention to the time the code was generated, thus allowing any code that has been created no matter how long ago.

    Anyone done any experiments of using a code that was generated some time ago, using them much later?

    @Timothy Ross – A sad tale Timothy. It does look like Barclays are losing a considerable number of customers over this.

    @Tez – Good point! That wouldn’t exactly aid security would it!? I suppose Barclays would excuse themselves by trying to shift the issue to the customer (again?) by suggesting that the PIN is changed regularly.

  23. on 14 Jan 2008 at 11:56 am Stephen POLAND

    @Simon, its not time sensitive. For logging on, reviewing balances and transferring or paying bills already setup you can note down a few CODES put them on your mobile/laptop [encrypted of course] for future use[only once]. For NEW payment references you need the pinsentry to enter transaction account, the amount and then the pinsentry algorithem calculates a 8 digit code, at no point is there a reference to time.

  24. on 14 Jan 2008 at 12:01 pm Stephen POLAND

    @simon, yes I generated codes on the 8th Jan and used them today [14th Jan] to check my balances and pay some utility bills already set up some time ago.

  25. on 15 Jan 2008 at 1:04 pm Simon Perry UNITED KINGDOM

    @Stephen – Thanks for the background on that.

  26. on 23 Jan 2008 at 12:46 pm Eddy Jawed UNITED KINGDOM

    Another probably major point of negatiVity to mention on this daft card reader thingy is –

    After using the card reader a few times I’ve realised I have a habit of forgetting and leaving my debit card inside it when I’m at home, instead of placing it back in my wallet.
    Its happened to me a few times now where I’ve realised i have ‘lost’ my debit card only to work out half an hour later that I may have left it slotted into the card reader at home and forgot to replace it back in my wallet.

    BARCLAYS BANK – I HATE YOU!

    Can’t wait until some smart ass hacks into this stupid thing making thier whole expensive new venture completely futile.

  27. on 23 Jan 2008 at 8:12 pm John UNITED KINGDOM

    Have posted before but as Barclays don’t seem interested in getting rid of this piece of rubbish I have set in motion steps to move my account to First Direct. Its basically all I can do. With Pin SEntry I do not check my current account as often as I should and that is not good, changing bank is all I can do.

    Barclays are just so stupid for bringing this in. Some muppet sits in his white ivory tower thinking he is grat but all they have done is alienate thousand’s of customers.

  28. on 24 Jan 2008 at 5:53 pm Martin UNITED KINGDOM

    I wonder how long Pin sentry would last if Barclays got inundated with requests from angry customers for free replacement units for ones that were “accidently” broken, for example that LCD display is quite fragile ;-) Also are they going to provide free replacement batteries for the units? Perhaps customers should start asking Barclays for a spare set ready for when the current ones run out.

  29. on 23 Feb 2008 at 8:13 am J UNITED KINGDOM

    Although we have had this impracticle pin sentry forced on us from Barclays we are now going to have it forced on to us by Nationwide. How many others are going to join this unfortunate bandwagon?

  30. on 05 Mar 2008 at 11:13 pm Pete UNITED KINGDOM

    Had to move to Pin Sentry a couple of weeks back. At no time did I see any instructions about needing a new card to use with it, so I was confused when the PIN number for the new card arrived before the card… (Even more confused, because a few weeks earlier, for un-related reasons, I had asked for, and received, a new card – so 2 new cards in two weeks…)

    Repeatedly tried to use the first new (ie old) card with the PS – got locked out. Phoned for help. – Was told I needed to wait to use the new card. Asked for them to reset the on-line system so I could use it when the new new card arrived. –

    “We need you to use your “phone banking” credentials to establish that you are who you say you are”.

    “But I haven’t used phone banking for 5 years – I can’t remember any of the codes”.

    “We can’t help – phone up to get your phone banking credentials reset so you can then use them to get your on-line access restored…”

    Waited 3 days, got the new card, phone again, got a different Muppet who reset the on-line stuff immediately – and then at least two log-on attempts failed, while Muppet 2 talked me through logging in again (PhD in Quantum Mechanics and 30 years in IT). Eventually got in, but I swear he did something between log-in attempts, as entries were digit-perfect in both the early attempts.

    After 30+ years with them I’m leaving Barclays as soon as.

    Barclays – if you’re reading this – your hubris is breathtaking and you deserve to get royally stuffed over this.

  31. on 07 Mar 2008 at 6:02 pm Toby UNITED KINGDOM

    @Martin – no I’m sure I read there would be a charge for replacing broken machines.
    But if you were to suggest that it never arrived in the post, they might be kind enough to send you another ;)

  32. on 11 Mar 2008 at 12:20 pm Ann-Marie UNITED KINGDOM

    I am absolutely seething and spitting MAD with Barclays!!

    I have been a customer for 15 years, i’m not an old geezer who doesn’t like or understand online banking, i’m 29 & have used online banking ever since it came into being. And yet this piece of plastic crap ‘PINsentry’ is actually prompting me to leave Barclays as a result of the horrendous customer experience i now have.

    I find it unrealistic in the extreme that i should be expected to carry this plastic calculator toy with me wherever i go, in order to online bank or make a transaction. And even when i do have it, it’s such an irritating drawn-out process it makes my blood boil before i’m even into my account! Once in, it feels like to undertake the slightest ‘normal’ banking procedure, I now must repeat this drawn-out log-in process with the plastic crap machine. Aaaaaargghhhh!!!

    I’ve just got off the phone to the customer service numpties for the second time in 2 days, trying to feed back to them that this PINsentry doesn’t work for me as a customer experience. But they absoultely can not function beyond the boundaries of their pre-planned cue cards, and cannot put me thorugh to anyone whose job it may be to have this sort of feedback given to them. Grrrrrrr.

    And yes, you can opt out – but – *hmmm, here’s where they’ve got you by the balls* – yes, you can’t actually make any payments to new people.

    Barclays are absoutely astounding in their utter disregard for any sort of easy, pleasant customer experience. I feel utterly disenfranchised as a customer and after i’ve vented my spleen here, i’m off to the nearest branch to close my account.

    Yes, i feel that bloody strongly about it.

  33. on 11 Mar 2008 at 4:11 pm John

    Ann-Marie,

    Closed my account and moved to Frist Direct. Only way I could get to hurt Barclays for this piece of cr@p

  34. on 27 Oct 2009 at 11:55 am John RUSSIAN FEDERATION

    Barclays say:

    “However, if you use Barclays Online Banking outside the UK you do so at your own risk as it may constitute an offence in that country. ”

    They don’t tell us which ones. How very helpful!

  35. on 16 Feb 2010 at 6:59 am Clare

    I live overseas and rely heavily on my UK Barclays account. Last night I needed to make an urgent payment on line and was told i could not do it without this pin sentry rubbish. So, obviously I ordered one but it has defeated the entire point of online banking for me.

    Seriously…WHY WHY WHY????? This is the worst and most impractical idea ever and has transformed something which (I assume) was intended to make life easier into a ridiculously inconvenient mission.

  36. on 05 Jun 2010 at 10:27 am traveller45 NETHERLANDS

    I have a similar device from ABN AMBRO in Holland. I don’t have to remember all the silly codes that Barclays insist I have to remember (write) like passcode, membership number nor memorable word. If Barclays works the same way then I am happy yto use it. The only downside about the device is that one has to carry it around with oneself. An inconvenience if one travels a lot, which I do. However ABN AMBRO’s customer service a millenia ahead of Barclays in the UK. CS for Barlcays offshore is pretty good, and unlike the UK version, one can make international SWIFT/ABA/IBAN payments in any currency around the world online. They could have integrated the device into the debit card and used two different PINs : one for device and one for ATM/merchant payments.

  37. on 05 Jun 2010 at 10:28 am traveller123 NETHERLANDS

    I have a similar device from ABN AMBRO in Holland. I don’t have to remember all the silly codes that Barclays insist I have to remember (write) like passcode, membership number nor memorable word. If Barclays works the same way then I am happy yto use it. The only downside about the device is that one has to carry it around with oneself. An inconvenience if one travels a lot, which I do. However ABN AMBRO’s customer service a millenia ahead of Barclays in the UK. CS for Barlcays offshore is pretty good, and unlike the UK version, one can make international SWIFT/ABA/IBAN payments in any currency around the world online. They could have integrated the device into the debit card and used two different PINs : one for device and one for ATM/merchant payments.

  38. on 15 Jun 2010 at 11:51 am Paula UNITED KINGDOM

    This is a ridiculous idea!
    I have my log in details memorised so that I can make payments to whoever I want, whenever I want and to check my accounts wherever I am. Now I have to make sure I have my card with me AND this stupid little machine! Seriously Barclays, you really should have thought this one through properly and actually ASKED your customers if they wanted it first.

  39. on 20 Jun 2010 at 12:04 pm simon watts UNITED KINGDOM

    I tried the Pinsentry Barclays sent me. Followed the instructions and successfully did a transfer after about ten minutes. However the next time I wanted to use I had forgotten the basic rules and it locked me out. I rang them and they told me I had to go to a cash machine to change things. That was it! I am now a customer of HSBC and everything is nice and user friendly. I thought Barclays Pinsentry was dreadful and after 22 years I finally moved banks which proved to be far easier than using the Barclays pinsentry.

  40. on 02 Aug 2010 at 8:57 pm Rich UNITED KINGDOM

    haha – you lot make me laugh. You complain about the inconvenience of protection and yet you will cry and complain more when you are a victim of cyber crime.

    I sleep better at night knowing this security is in place protecting my few assets.

    Keep it in your hand bag or backpack and you’ll always be in a good place. I do. Its about being organised.

    It’s cheaper for Barclays to lose a small element of its customer base and save millions in payouts for cyber crime. And to be honest as some of you leave, several others will be signing up purely for the security functionality of barclays online banking and if you read up on ratings Barclays is at the top of the retail banking sector for security.

    Wise up to security before complacency gets the better of you and the cyber criminals get the better of your cash!