£20,000 was stolen from our business bank on Friday

I think these kinds of posts always generate a lot of discussion about various things - security, responsibility, liability, and so on.

I came across this post on LinkedIn today where someone’s phone had been stolen and as a result £20,000 was stolen via Starling.

Starling have replied and confirmed they are assisting by email. But I have to ask, how did someone manage to do this? For transactions of any kind of volume, I have to enter a password to confirm it :thinking:

(Before anyone replies, please keep the conversation constructive)

The problem with any sort of post such as the one linked to, the originator will usually only post a snippet of what actually occurred. I’m not saying in any way I disbelieve what the IP has stated, but they will I suspect, not have posted the whole scenario. That of course would be understandable, but I know if this sort of thing had happened to me, I wouldn’t be posting publicly about what had happened, the information would be firmly between myself, the bank, possibly Action Fraud and the police, though of course if reporting to Action Fraud, then essentially that is reporting the crime to the police as it is run by CoLP.

It would be interesting to know of course how the fraudster gained access to the Starling banking App. I don’t know about anyone else, but on my iPhone I have enabled face recognition as standard on all of my Apps to access my accounts. How someone bypasses that sort of security I have no idea. I don’t know what security is available on Android as I don’t use Android for anything remotely connected to banking.

They’re claiming whoever stole it did not have access to the passwords so it must have been “cracked” :roll_eyes:

The thing is, they’ve picked on Starling in this case because they haven’t refunded them. But the same thing happened with HSBC, they just did the refund.

So people are picking out that it’s Starling’s security at fault (being able to bypass passwords, not asking for authentication to add a payee, etc.), when HSBC was “exactly the same”.

I have never had an instance with Starling, or any other bank for that matter, where I’ve not been asked for authentication to complete something like this. I pay myself from my Starling business account (as a payee) and every single time I have to enter the password :man_shrugging:

I have to admit that my level of sympathy has reduced to practically zero the more I read the alleged events.

So the IP states that apparently, HSBC reversed the charges. Well did they? Did HSBC just refund without a thorough investigation? Who knows :person_shrugging:

I’ve just updated my iPhone to iOS 18.1. I have stolen device protection turned on. I’ve taken every necessary precaution I can possibly take to prevent an unauthorised person from accessing my device. Heck, I don’t even have a physical SIM in my phone since I changed my phone provider.

I see there are plenty of comments questioning the circumstances of how Starling’s security has been compromised. Having formerly been a Starling customer, I personally never had a single security issue arise whilst I was a customer.

Well as you say whoever stole the phone was supposedly able to bypass the security of HSBC and Starling without any help.

This guy is also very confident he is right considering he is talking about his friend’s phone.

I have a feeling we will never know what actually happened.

I’ve seen so many of these cases over the years and absolutely none of them make any sense considering the security that is available now.

It’s more likely in this case the password has been autofilled in the Starling app using a password manager which they did for convenience. This was an iPhone so how they got around the phone lock in the first place and then the lock on the Starling app itself I have no idea.

Add a physical security key too, it will be required in case they try logging into your account on a new device or browser, and when changing security settings of your iCloud account.
I have been caught out a few times by this.

Edit:
You can also now lock individual apps with FaceID

Thanks for the pointers however I’m fully aware of all of the security options available with the iPhone. I’ve enabled all of the options including requiring face ID on literally every App on my device.

I also change the password on my Apple account frequently. Maybe I’m just a bit too over the top :laughing:

“UPDATE - Thankfully, Starling Bank have resolved this issue and returned the funds after investigating. On this occasion they have acted swiftly. Thanks for all the support and messages, I appreciate it!”

:person_shrugging:

A positive outcome :relieved: