
The 74,000 numbers of Barclays Bank

source link: https://shkspr.mobi/blog/2021/05/the-74000-numbers-of-barclays-bank/
Terence Eden’s Blog

The UK faces an epidemic of telephone scams. Fraudsters are constantly calling people up pretending to be their bank. But how can you be sure the number displayed on your screen is genuine? You can't. The telecom system is hopelessly insecure and shouldn't be trusted for anything more complicated than dialling the speaking clock.

Barclays bank knows that customers are worried about this. So they've produced a handy website where you can see if a telephone number belongs to Barclays.

Because no one knows how to build a sensible web service any more, the page loads a 1.3MB JSON file containing every number that Barclays has.

https://www.barclays.co.uk/content/dam/json-files/TelephoneNumberChecker_26_03_2021.json

Over 74,000 numbers...

Long list of phone numbers in JSON format.

To be fair, Barclays does use a large number of prefixes for its phone numbers.

A long list of phone numbers, all with the same prefix.

But surely this could be handled in a more sensible way, like a regex?

Mind you, the service doesn't even work if you use the +44 prefix.

Error message when the phone number starts with the international prefix.

Nor if you accidentally include some trailing punctuation.

Error message is displayed when the phone number has a dot at the end.

Nor if you format it with dashes.

Error message when the phone has dash separators.

So a regex might be a bit beyond them.
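The three failing inputs above (a +44 prefix, a trailing dot, dash separators) are all fixed by normalising the number before looking it up. The following is an added example, not Barclays' code, and the prefixes in `KNOWN_PREFIXES` are constructed placeholders rather than values from the real JSON file:

```python
import re

# Constructed, hypothetical prefixes standing in for the bank's real ranges.
# Publishing prefixes rather than every full number avoids handing out a
# complete list of the bank's numbers while still answering "is this ours?".
KNOWN_PREFIXES = {"0345734", "0800400", "0207116"}


def normalise_uk_number(raw):
    """Canonicalise a UK number to national format (leading 0, digits only).

    Accepts "+44 ...", "0044 ...", "44..." and "0..." forms, tolerates spaces,
    dashes, dots, brackets and the "(0)" trunk-code convention.  Returns None
    when the input is not a plausible UK number.
    """
    cleaned = raw.replace("(0)", "")          # "+44 (0)345 ..." -> "+44 345 ..."
    cleaned = re.sub(r"[^\d+]", "", cleaned)  # drop separators and punctuation

    if cleaned.startswith("+44"):
        cleaned = "0" + cleaned[3:]
    elif cleaned.startswith("0044"):
        cleaned = "0" + cleaned[4:]
    elif cleaned.startswith("44") and len(cleaned) == 12:
        cleaned = "0" + cleaned[2:]

    # Any remaining '+' means a non-UK country code; reject rather than guess.
    if "+" in cleaned:
        return None
    # UK national numbers are 10 or 11 digits including the leading 0.
    if not re.fullmatch(r"0\d{9,10}", cleaned):
        return None
    return cleaned


def is_known_number(raw, prefixes=KNOWN_PREFIXES):
    """True if the normalised number falls within one of the known prefixes."""
    number = normalise_uk_number(raw)
    if number is None:
        return False
    return any(number.startswith(prefix) for prefix in prefixes)


if __name__ == "__main__":
    for sample in ["+44 345 734 5345.", "0345-734-5345", "0800 400 100",
                   "+44 (0)207 116 7488", "+1 212 555 0100", "12345"]:
        print(f"{sample!r:>24} -> {normalise_uk_number(sample)!r:>16} "
              f"known={is_known_number(sample)}")
```

Note that a positive match only says the number is one the bank uses, exactly as the site's own warning about spoofing states; it says nothing about who is actually calling.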

Now, in fairness, the site does say that just because a number appears to come from them doesn't mean it is them.

It’s safe to call this number. Top tip: Fraudsters can 'spoof' phone numbers. This means they make it look like they're calling you from one of our numbers. If you receive a call and you're not totally sure it's from us, end the call and ring us back instead. You can use the number on the back of your Barclays debit card or any other number that our checker confirms is safe to call.

And, looking at the file name of the JSON file, it appears to be recently updated. Which is good, I guess. Although I still think it is weird to give fraudsters a list of every single number in your range.

But, seriously, why not POST the number to a service which can be updated? Wouldn't that make more sense than slowly downloading the nine billion names of god seventy-four thousand numbers of Barclays?

Thanks to The AntiSocialEngineer and Robert Schifreen for pointing this out.
