Marketplace and Third Party Security


#1

I recently received a document notifying me about changes to my legacy bank; one thing mentioned was account aggregation and allowing third party providers to give payment instructions and gain information about my account. (I’ll attach it below as it’s easier than explaining it all.)

I don’t mind this as I like the idea of a marketplace bank but from looking at the wording they are using one thing worries me. I am expected to give these companies my actual username, password and memorable information, i.e. my security details!


I’m wondering how Starling will deal with this, what will be used to authenticate back and forth between apps in the marketplace and if the worst comes to the worst (say a company is hacked) can I remove all rights from the app accessing my Starling account?

I know the marketplace isn’t really out yet so you may not be able to answer this in full, but security really is a top concern for me.


#2

These aggregation utilities have been around a fair old time, of course, and on one or two occasions, I’ve dabbled.

But on each occasion, having first marvelled at seeing all my accounts in one place and seeing it miraculously add the (3) totals, I got the jitters.

Then I review the discussions here around the minutiae of ensuring good account security and think “why on earth did I sign up to that???”

To me it’s counter-intuitive. No more.


#3

I agree, but with open banking and the legacy bank commenting elsewhere about becoming a marketplace too I wouldn’t be surprised if they keep users having to give their password and more out in the future.

I’m mostly asking how Starling will link between apps securely and how plans are if say a company is compromised, also will we be able to revoke rights easily?


#4

Food for thought. Vigilance required.
This forum is surely a good place to keep ourselves informed eh?


#5

I signed up for OnTree while trying to get my banking to show me all I wanted to know in a more modern format and I was a bit worried about the access it wanted (and no API key here… direct username/password stuff) THEN I realised I was being crazy and canceled it all and changed my passwords… On a side note I remembered why my Halifax password wasn’t as secure and large as I normally use… It’s because Halifax has a limit on the complexity of their passwords! Nothing that isn’t alpha-numeric so CLEARLY they are storing ALL their passwords in plain text in their DB’s… :expressionless:

SOOO Glad I can move all my money to someone who at least has BASIC security in place… Or at least the outward appearance! :wink:


#6

Hi Gaz

Yep Ontrees was my avenue as well. :flushed:

Unless I’m mistaken, wasn’t this utility promoted by Martin Lewis some time back?


#7

I don’t remember… I can’t see him suggesting it… He always seemed fairly clever… :wink:


#8

Hi @thom_horne

This is one of the things that you will be able to have complete control over in the Starling Marketplace. We already have a basic version of this in the app now, if you go to “More” then “Apps & Services”, then you are shown a list of all 3rd party integrations that have access to your Starling data. You can click on any of these to see exactly what is being shared and there’s an option for you to revoke this access at any time (I put a screenshot of my MoneyBox integration below so you can see how this looks!).

We have a few things in the works, one of which is to make the list of permissions more granular, so 3rd party apps can access only the specific data they need (right now they’re grouped in levels) to minimise the amount of your data being compromised should anything happen.
We do of course have control from our side, so should anything happen and a Partner is compromised then we are able to revoke their access to all customers’ data!

Going forward, once PSD2 and Open Banking come into play then all Partners will have to be authorised to even ask you to access your bank data. In the meantime our legal and security teams are doing compliance and due diligence checks on anyone who does want to access your data. The authorisation process is via OAuth 2.0 so there will never be any need for you to share your Starling password with anyone; for creating payment instructions on your behalf this is not currently live but we plan to add message signing in for that to add an additional layer of security.

Hope this helps, let me know if there’s any more questions!
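
The access model described in the reply above (scoped tokens instead of shared passwords, revocable by the customer or by the bank), sketched as an added example that is not part of the original post and is not Starling's code or the OAuth 2.0 protocol itself. The `GrantStore` class, the partner names and the scope strings such as `balance:read` are hypothetical.

```python
import hashlib
import secrets


class GrantStore:
    """Bank-side record of which partner may do what for which customer (toy model)."""

    def __init__(self):
        self._grants = {}        # sha256(token) -> (customer, partner, scopes)
        self._suspended = set()  # partners the bank has cut off entirely

    @staticmethod
    def _digest(token):
        # Store only a hash, so a leak of this table does not leak usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def authorise(self, customer, partner, scopes):
        """Customer approves at the bank; the partner receives a token, not a password."""
        if partner in self._suspended:
            raise PermissionError(f"{partner} is suspended")
        token = secrets.token_urlsafe(32)
        self._grants[self._digest(token)] = (customer, partner, frozenset(scopes))
        return token

    def check(self, token, scope):
        """Return the customer the token acts for, or None if the request is refused."""
        grant = self._grants.get(self._digest(token))
        if grant is None:
            return None
        customer, partner, scopes = grant
        if partner in self._suspended or scope not in scopes:
            return None
        return customer

    def list_grants(self, customer):
        """What an 'Apps & Services' style screen would show the customer."""
        return {p: sorted(s) for c, p, s in self._grants.values() if c == customer}

    def revoke(self, customer, partner):
        """Customer-initiated: drop this partner's access to this customer only."""
        self._grants = {k: g for k, g in self._grants.items()
                        if (g[0], g[1]) != (customer, partner)}

    def suspend_partner(self, partner):
        """Bank-initiated: a compromised partner loses access to every customer."""
        self._suspended.add(partner)
        self._grants = {k: g for k, g in self._grants.items() if g[1] != partner}
```

Because the partner only ever holds a token, revoking it or suspending the partner ends access without the customer having to change their bank password.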



#9

Thanks for such a well written and detailed reply.

You’ve answered my question perfectly. :grinning:


#10

Yes indeed. Very comprehensive.

Thank you.


#11

Thank you for the details and much appreciated answer to this subject @Cecilia_Highley