More information on the security used to protect our data


#1

I would quite like it if there was a bit more information on the security used to protect our data, both in transit, and at rest.

Does the app use the latest TLS? What level of encryption is used to store data at rest?

Secure cloud storage services, such as Tresorit, put this front and centre to help reassure customers their data is secure.

https://tresorit.com/security


#2

Not sure if this is just a plug for Tresorit.

Personally I think it better if banks not too open about their infrastructure and security measures, the less people that know about it the better.

For example, if you mention the hardware or software you use it makes it much easier for hackers to target or exploit vulnerabilities.


#3

It’s not a plug at all. I have nothing to do with them. It’s merely an example. I could point to a whole host of apps / services, be it cloud storage or password managers, that give details of their security.

And I didn’t suggest I want to know about server hardware and software. But I would like to know adequate encryption is being used in both transit and at rest.

If their encryption is up to spec, they have nothing to hide, and nothing to fear about making it public.
In fact, most companies wear the fact they use military grade encryption as a badge of honour. One more way to reassure customers that their data is safe.


#4

I don’t know what security Starling has, but I know that I trust Starling with my data more than I would a legacy bank, with their decades old systems.

Anne made some very interesting comments about this recently to the press. I have included a snippet below (in the context of a review), but please do read the full article, it’s good.

"There seems to be a misconception that traditional banks and financial services are more secure than new fintechs. There is that idea of a grandiose building with large Roman columns, and the image itself is very secure and solid.

Traditional banks are built on core systems that were coded in the 1980s and ’90s, and a huge fear of overhauling these systems has to do with the fear of losing security."


#5

That may or may not be the case. But how are we to know? :wink:

I always tend to sway towards companies/services that are more open about these things. It’s all about building trust.


#6

I agree. It would be nice to have some technical details (within reason). :slight_smile:


#7

I guess the last assurance I’d be looking for would be that which Dave seeks. Hadn’t even considered it, really.

If there were no other avenues of assurance I’d perhaps be more cautious. My money is safe and I’m committed to helping my current account be the best it can be. A journey.


#8

Another reason I trust Starling more than a legacy bank is their size.

Humans are usually the biggest security risk, not computer systems.

If a bank has thousands of staff and hundreds of physical locations, you can be sure there are at least a few staff, right now, trying to make money out of selling data.

Access control within the legacy banks is not as good as you might think. At branch level it’s truly atrocious. Branch staff can lookup accounts with very few details, and go on to access balance and transaction history, without additional security checks.

I know for sure this is the case with one high street bank. I don’t know about others.

The legacy banks rely on audits far too much, and by the time the audit happens, the damage is done. Punishment of the member of staff doesn’t undo the damage.

Any customer account access should require a trigger event such as an active phone call, live chat session or recent message. Without the trigger event, access should not be authorised. Accounts should only be accessible without these triggers for KYC/ML teams.

Basically, human greed worries me, not systems. :slight_smile:
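One way to encode the trigger-event rule from this post as an authorisation check, written as an added example (not Starling's code, and no claim about how any bank implements it). The event types, the KYC/AML role names, the thirty-minute freshness window and the sample events are all assumed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical trigger events taken from the post: an active phone call,
# a live chat session, or a recent customer message.
TRIGGER_EVENTS = {"phone_call", "live_chat", "message"}
# Hypothetical roles permitted to open an account with no trigger (KYC / AML teams).
TRIGGERLESS_ROLES = {"kyc", "aml"}
# Assumed freshness window; the post gives no number.
TRIGGER_WINDOW = timedelta(minutes=30)


@dataclass(frozen=True)
class TriggerEvent:
    account_id: str
    kind: str
    at: datetime


@dataclass(frozen=True)
class StaffUser:
    staff_id: str
    roles: frozenset


def authorise_account_access(staff, account_id, events, now):
    """Return (allowed, reason). Branch staff need a fresh trigger event
    for this exact account; KYC/AML roles are exempt, as the post allows."""
    if staff.roles & TRIGGERLESS_ROLES:
        return True, "role-based access (KYC/AML)"
    fresh = [e for e in events
             if e.account_id == account_id and e.kind in TRIGGER_EVENTS
             and timedelta(0) <= now - e.at <= TRIGGER_WINDOW]
    if not fresh:
        # Deny and record the denial so misuse shows up now, not at audit time.
        return False, f"denied: no trigger event for {account_id} within {TRIGGER_WINDOW}"
    newest = max(fresh, key=lambda e: e.at)
    return True, f"trigger {newest.kind} at {newest.at.isoformat()}"


# Constructed sample data: one fresh call, one stale chat, one account with no contact.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    TriggerEvent("acc-1", "phone_call", NOW - timedelta(minutes=5)),
    TriggerEvent("acc-2", "live_chat", NOW - timedelta(hours=2)),
]


def demo():
    """Run the check for a branch user and a KYC user over the sample events."""
    branch = StaffUser("branch-01", frozenset({"branch"}))
    kyc = StaffUser("kyc-01", frozenset({"kyc"}))
    return {acc: authorise_account_access(branch, acc, SAMPLE_EVENTS, NOW)[0]
            for acc in ("acc-1", "acc-2", "acc-3")} | {
            "kyc:acc-3": authorise_account_access(kyc, "acc-3", SAMPLE_EVENTS, NOW)[0]}
```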


#9

Just to be clear, I’m not saying I don’t trust Starling. Far from it. But I think in not prominently advertising how secure your data is, they’re missing a trick.

I think it’s just a fact that currently, the average person will probably trust an established bricks-and-mortar bank more than a new, app-only one. Anything that can help allay potential fears is a positive in my opinion.

This seems to be the tack that most prominent password managers took. They had to convince people to ditch hard copies of passwords, and instead entrust everything to an invisible cloud. The way to do that was to put data security front and centre.


#10

You make a good point. :slight_smile:

More information might help build trust.


#11

I disagree - security by obscurity never works and often backfires when the obscurity was your only defence and it suddenly fell.

Not to mention any competent attacker would be able to figure it out anyway, so they might as well disclose it. I don’t know of anyone who got cracked because they said they were using the latest TLS.

In regards to advertising, I’m not sure it’s a good idea. People/companies who brag about “military grade” encryption (whatever that means - at one point DES was considered military grade - now obsolete and insecure) or extreme/impossible key sizes are usually the most insecure ones - this bragging would be a huge red flag for me. Security should be there by default - you shouldn’t need to brag about it. Brag about your modern tech stack if you want but no need to brag about something so obvious we’re all expecting it to be there already.


#12

I guess there’s a distinction between bragging and reassuring?

If I have a choice between two cloud storage services, and one openly advertises its encryption, whereas the other doesn’t mention anything, I’d probably go for the known quantity (providing it’s up to spec).

As for expectations regarding security, I read a white paper a few years back on banking app security, and its findings were pretty damning.

90% of tested apps initiated connections without proper SSL encryption.
70% didn’t have alternative authentication solutions.
50% used UIWebView insecurely.
40% didn’t validate the authenticity of digital certifications received from a server.
20% were compiled without using features designed to limit the risk of memory corruption attacks.
Many apps exposed sensitive information through system logs and crash logs.

So I don’t think you can ever just assume something is so obvious, it’s definitely been covered.


#13

The issue is that anyone can advertise encryption without actually using it, and this is why someone bragging about their crypto looks like a red flag to me. Reassuring doesn’t work either - legacy banks “reassure” me by putting padlock icons everywhere and quote “256-bit SSL” (when it should be TLS) and yet my account is protected by a 6-digit passcode and their way of telling phishing from legitimate emails is whether my correct postcode is included (no joking - Nationwide really does this). To the average user, how would Starling’s “reassuring” be different from Nationwide’s reassuring?

Here’s a good read from Bruce Schneier (a respected figure in the security community) about the warning signs of snake oil crypto. Bragging too much about crypto would put you dangerously close to the bad crypto products and that would raise red flags IMO.


#14

I think if a company advertises its crypto, and then doesn’t use it, they’re in line for bankruptcy when they eventually get hacked.

Look at Lastpass. They advertise using 256-bit AES on their password vaults. The other year they got hacked, and potentially had encrypted vaults stolen. If they had lied, and suddenly everyone’s accounts were getting accessed using stolen passwords, they’d be out of business pretty sharpish.

But I appreciate what you’re saying. You can never be 100% sure what’s going on behind the scenes.

I’ll be sure to give that article a read :+1:


#15

Really interesting chat guys. You live and learn eh? :+1:


#16

So in the example of LastPass the weak link ultimately was the user reusing a password for their LastPass, which meant the AES256 was only as good as the password being secret.

That’s why I use DICE words for my password manager and another for my iOS device pass code.