1. 14

  2. 12

    oh wow… a website decided to use a single 1.3MB JSON file (that compresses to 187KB on the wire, and is only fetched on first use) rather than spin up an entire web service for a single column lookup. God only knows what the internal processes around adding things to the public-facing aspect of a consumer website are for Barclays, but there’s plenty of likely scenarios where what they’ve done is perfectly fine, avoids complexity and is a reasonable tradeoff.

    Just to drive this nail in further, at no point does the article attempt to flesh out what a sensible web service would be, or what it would entail in development and ongoing operational costs, or even consider who might be asking for this functionality and what tools/teams they might have available to them.

    Blog posts like these demonstrate the complete detachment from “getting something useful done” that afflicts far too many “celeb” developers.

    1. 7

      Yeah, using a single JSON blob for this is totally appropriate. It means you can host the site on S3 or whatever. The author says “why not use a regex” but that’s a really fragile solution that assumes the numbers will follow a definite pattern. It sounds like they botched the client side lookup cleaning though. Oh well. There are plenty of other things to complain about in life.

      I wrote a site that tracks some data, and I realized that in ten years, we only had 4,000 entries which came out to 700KB of JSON (180KB with gzip), so I just ship the whole dataset down to the client. It’s a much better way to do it: no expensive DB queries, the JSON is always warm in the cache, subsequent data filtering on the client side is instant, etc.

      1. 6

        I get phone calls from banks and other financial services people periodically that start by asking me to prove who I am. I always reply by saying you called me, so please prove that you are from Barclays before I say anything else. I was pleasantly surprised by my most recent call from Barclays: They are the first company to call me and actually have a procedure for doing this. The people that are authorised to cold-call me now have access to a thing that can send me a message via the mobile banking app, so they could send me something saying ‘On the phone with {person name}’ to confirm that this person actually was supposed to be talking to me. It’s not completely secure. Anyone who can compromise the app can now impersonate Barclays, but in general someone pretending to be Barclays on the phone can do far less damage than someone who can compromise the app and is more likely to be detected, so it’s probably fine.

        1. 3

          Agree. To me this looks like something that had to be put in place hurriedly to counter a recent spate of cold calls from people pretending to be from Barclays. Knowing a little bit about how fast banks move (for both fiduciary and cultural reasons) this setup looks typical.

        2. 1

          This isn’t such a bad way to share their phone numbers storage-wise. Given they need to be treated as strings the dataset compresses really well with regular gzip. There’s only a 10K difference between the fastest and best flags.

          $ wget https://www.barclays.co.uk/content/dam/json-files/TelephoneNumberChecker_26_03_2021.json
          $ cat TelephoneNumberChecker_26_03_2021.json | python3 -c "
          import json, sys;
          # parse the file and re-serialise it, then measure the gzip -9 output size
          print(json.dumps(json.load(sys.stdin)))
          " | gzip -9 | wc -c

          The only real issue is the volume of numbers they own but even if they only had a few phone numbers scammers might claim they’re calling from a new one. I wonder how long until voice communication with the bank only happens through their online banking app.
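An added example (not code from the thread, the article, or Barclays) covering the two points raised above: normalising user input before the client-side lookup, and measuring how a list of number strings compresses at gzip's fastest versus best level. The phone numbers and the `normalise_uk` helper are constructed for illustration, and the helper goes a bit beyond the thread by handling the +44, 0044 and (0) forms as well as separators.

```python
import gzip
import json
import re

# Constructed sample of the data shape discussed: numbers kept as strings,
# since leading zeros would be lost as integers. Made-up, not Barclays' list.
SAMPLE_NUMBERS = ["03457 345 345", "0800 400 100", "+44 20 7116 7488"]


def normalise_uk(number: str) -> str:
    """Reduce a UK number to national digits only: strip spaces, dashes and
    brackets, drop the '(0)' trunk notation, and map +44 / 0044 / 44 to 0."""
    digits = re.sub(r"\D", "", number.replace("(0)", ""))
    if digits.startswith("0044"):
        digits = "0" + digits[4:]
    elif digits.startswith("44"):
        digits = "0" + digits[2:]
    return digits


def build_lookup(numbers):
    """The set a client-side checker holds after parsing the JSON; normalising
    at load time means the published format need not match what users type."""
    return {normalise_uk(n) for n in numbers}


def is_known_number(lookup, user_input: str) -> bool:
    # A hit only means the number is on the published list; it says nothing
    # about who is on the line, since caller ID is not authenticated.
    return normalise_uk(user_input) in lookup


def gzip_sizes(numbers):
    """Byte counts for the JSON array raw and at gzip levels 1 and 9."""
    raw = json.dumps(numbers, separators=(",", ":")).encode()
    return {
        "raw": len(raw),
        "gzip_1": len(gzip.compress(raw, compresslevel=1)),
        "gzip_9": len(gzip.compress(raw, compresslevel=9)),
    }


# Constructed dataset large enough for the level comparison to mean something:
# 3000 numbers in the 0345 range, spaced the way banks print them.
BIG_DATASET = [f"0345 {i:04d} {i * 3 % 1000:03d}" for i in range(3000)]

if __name__ == "__main__":
    table = build_lookup(SAMPLE_NUMBERS)
    for q in ("+44 (0)345 734 5345", "0345-734-5345", "020 7116 7488", "07700 900123"):
        print(f"{q!r:24} known={is_known_number(table, q)}")
    print(gzip_sizes(BIG_DATASET))
```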