£20,000 was stolen from our business bank on Friday

I think these kinds of posts always generate a lot of discussion about various things - security, responsibility, liability, and so on.

I came across this post on LinkedIn today where someone’s phone had been stolen and as a result £20,000 was stolen via Starling.

Starling have replied and confirmed they are assisting by email. But I have to ask, how did someone manage to do this? For transactions of any kind of volume, I have to enter a password to confirm it :thinking:

(Before anyone replies, please keep the conversation constructive)

The problem with any sort of post such as the one linked to is that the originator will usually only post a snippet of what actually occurred. I’m not saying in any way that I disbelieve what the IP has stated, but I suspect they will not have posted the whole scenario. That of course would be understandable, but I know if this sort of thing had happened to me, I wouldn’t be posting publicly about what had happened; the information would be firmly between myself, the bank, possibly Action Fraud and the police, though of course if reporting to Action Fraud, then essentially that is reporting the crime to the police as it is run by CoLP.

It would be interesting to know of course how the fraudster gained access to the Starling banking App. I don’t know about anyone else, but on my iPhone I have enabled face recognition as standard on all of my Apps to access my accounts. How someone bypasses that sort of security I have no idea. I don’t know what security is available on Android as I don’t use Android for anything remotely connected to banking.

They’re claiming whoever stole it did not have access to the passwords so it must have been “cracked” :roll_eyes:

The thing is, they’ve picked on Starling in this case because they haven’t refunded them. But the same thing happened with HSBC; they just did the refund.

So people are picking out that it’s Starling’s security at fault (being able to bypass passwords, not asking for authentication to add a payee, etc.), when HSBC was “exactly the same”.

I have never had an instance with Starling, or any other bank for that matter, where I’ve not been asked for authentication to complete something like this. I pay myself from my Starling business account (as a payee) and every single time I have to enter the password :man_shrugging:

I have to admit that my level of sympathy has reduced to practically zero the more I read the alleged events.

So the IP states that apparently, HSBC reversed the charges. Well did they? Did HSBC just refund without a thorough investigation? Who knows :person_shrugging:

I’ve just updated my iPhone to iOS 18.1. I have stolen device protection turned on. I’ve taken every necessary precaution I can possibly take to prevent an unauthorised person from accessing my device. Heck, I don’t even have a physical SiM in my phone since I changed my phone provider.

I see there are plenty of comments questioning the circumstances of how Starling’s security has been compromised. Having formerly been a Starling customer, I personally never had a single security issue arise whilst I was a customer.

Well as you say whoever stole the phone was supposedly able to bypass the security of HSBC and Starling without any help.

This guy is also very confident he is right, considering he is talking about his friend’s phone.

I have a feeling we will never know what actually happened.

I’ve seen so many of these cases over the years and absolutely none of them make any sense considering the security that is available now.

It’s more likely in this case the password has been autofilled in the Starling app using a password manager which they did for convenience. This was an iPhone so how they got around the phone lock in the first place and then the lock on the Starling app itself I have no idea.

Add a physical security key too; it will be required in case they try logging into your account on a new device or browser, and when changing security settings of your iCloud account.
I have been caught out a few times by this.

Edit:
You can also now lock individual apps with Face ID

Thanks for the pointers however I’m fully aware of all of the security options available with the iPhone. I’ve enabled all of the options including requiring face ID on literally every App on my device.

I also change the password on my Apple account frequently. Maybe I’m just a bit too over the top :laughing:

“UPDATE - Thankfully, Starling Bank have resolved this issue and returned the funds after investigating. On this occasion they have acted swiftly. Thanks for all the support and messages, I appreciate it!”

:person_shrugging:


A positive outcome :relieved:

For anyone wondering how the thieves got access to the bank accounts, the most likely explanation is ‘shoulder surfing’, not an elaborate hacking method.

Thieves are always on the lookout for people entering their iPhone passcodes. If they catch sight of someone entering theirs, that individual becomes the mark.

The next step is to swipe the phone, and then they have full access. If the victim’s banking passcodes are the same as the iPhone lock screen code (all too common) then it’s job done. It’s all they need to access banking, set up a new payee and transfer funds.

Face ID access to apps is irrelevant because iOS reverts to the manual passcode after failed Face ID attempts.

Have a different lock screen code and banking code (preferably an alphanumeric lock screen code and not a 6-digit PIN) and turn on Stolen Device Protection. For added security, use a separate Screen Time passcode to limit access to banking apps. It’s also helpful to keep an older iPhone that is set up as a trusted device on iCloud and kept at home. This will give you a quick way to get onto Find My and lock and erase the stolen device.

If you are wondering how common this is, then ask yourself why Stolen Device Protection was recently added by Apple. Solely to protect your phone when both it and your lock code are acquired.

I do have sympathy for the victim here; social engineering is advancing. Thieves know a phone is useless without a passcode these days and they’ve found a way around it. Nowadays extra precautions are needed to defend against savvy criminals.