Password reset feedback


#1

Hi,
So - I’ve forgotten my password. It wasn’t a big issue as I sign in with Touch ID anyway. But today I needed to set up a new payee and for that you need the password again.

I’ve submitted a ‘Please reset my password’ video through the app - anyone know how long those take to process? The new payee is waiting for the bank transfer so if it’s going to take a while, I’ll need to make other arrangements which is basically going to my other bank at lunchtime, taking the cash out from the cash machine from the Starling account, paying it into the other account, and then transferring it from there which is all a bit of a hassle…


So many technical misunderstandings I'm struggling to see why I should trust my money with Starling :/
#2

Ok - ignore this. Managed to remember my password after all…


#3

I’d still like to know the answer. I haven’t forgotten my password, but assumed it would be a pretty near instantaneous reset if I needed to. But this :point_up:t3: suggests that’s not the case.


#4

I’ll probably be the minority in this, but I like that this is a manual process. I’m pleased that if a nefarious person wants to reset my password they will have to go through all this hassle and will fail authentication.

I also like the idea that Starling would have a recording of them as it’s evidence of an attempted fraud.


#5

It took around 2 hours to get the text message with the password reset link. But as I mentioned, I didn’t need it in the end anyway.


#6

Agreed! Love the fact that they would have recordings of fraud as @thom_horne said previously…
Should state on my card, before thinking to take over my account, you will be on
Candid Camera :camera:


#7

Thanks! Good to know.


#8

I’ve encountered several issues which make me seriously question the competence of Starling since opening an account for a few short overseas trips.

  1. Password resets are done by SMS. Was any thought given to the security implications of this? It should be obvious there are several trivial potential attacks by making this choice.

  2. It gets better! The SMS includes an https link. However, at no point do you mention that the link should only be opened on the device the Starling app is installed on. Strange not to point this out seeing as the whole point of https URLs is that they can be used on any internet connected device.

  3. There is no meaningful error message. Opening the link brings you to a page that says “Link failed to open in app. Device settings can sometimes redirect. Simply tap below and we’ll redirect you to the app.”

Obviously this is all false. You made no attempt to communicate with the app and try to open with the app. It’s also nothing to do with an issue about redirection. Finally, “tapping” below (on my laptop, I usually click not “tap”) obviously does nothing either. So 0/3 there.

  4. Why use the http protocol when the link on that error page (itself full of errors) includes a starlingbank protocol link?! Why not include this originally to avoid all this palaver and potential for errors?! You literally created a starlingbank protocol then decided not to use it unless you click once through another protocol? You what?!

  5. Opening the link in the SMS must be done through the Starling app. This means that you have to disable all your default app preferences and then re-enable them again. Once more, hard to understand why you’d make things so difficult for the user when you already have gone to the work of creating this custom protocol.

There are many many solutions for resources meant to be accessed only from one device and SMS including plain-text hyperlinks certainly isn’t it!

  6. Why not use what many other apps use and ask for permission to read SMS so you can automatically reset the password when an SMS is received. This is the only acceptable time for using SMS rather than the correct protocols? What’s the reason for making this choice and what benefits is it supposed to provide the user?

  7. The app crashes frequently on Android and has a horribly intrusive chat bubble screen overlay by DEFAULT! Yuck. Who asked for that?!

  8. You don’t handle Faster Payment references correctly. I’ve done some tests where they sometimes don’t even match from sender to receiver which is especially problematic as several organisations use them to automatically track payments e.g. HMRC.

When I asked which ISO you are trying to implement, nobody could tell me. In fact, strangely, it seems your staff are not trained in acceptable character limits and character sets for Faster Payments as they appeared utterly clueless.

Right now, I’m deciding whether to just ditch Starling or if they are so incompetent not to risk any fintech companies at all with my money :frowning:
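The post above argues that a reset link delivered by SMS is the wrong tool for a resource that is meant to be usable from one device only. The block below is an added example of the alternative it alludes to, written for this page and not taken from Starling or from the poster: a reset token that is stored only as a hash, expires, can be redeemed once, and is bound to a device identifier that the app is assumed to have registered with the bank at enrolment (`device_id`, the `ResetTokenService` class and the `clock` parameter are illustrative names, not anything the thread mentions). Whatever channel carries the token (SMS, push, in-app), redeeming it from a different device, replaying it, or presenting it after expiry is refused.

```python
"""Device-bound, single-use password-reset tokens.

Illustrative design written for this discussion; it is not Starling's
implementation. The device_id is assumed to be an identifier the app
registered with the server when the user first enrolled on that device.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class ResetRecord:
    token_hash: bytes      # only the digest is stored; a DB leak does not leak tokens
    device_id: str         # the device that requested the reset
    expires_at: float      # absolute expiry (seconds since epoch)
    used: bool = False     # flipped on first successful redemption


class ResetTokenService:
    def __init__(self, ttl_seconds: int = 900, clock=time.time):
        self._ttl = ttl_seconds
        self._clock = clock            # injectable for testing expiry offline
        self._records: dict[str, ResetRecord] = {}   # user_id -> pending reset

    @staticmethod
    def _digest(token: str) -> bytes:
        return hashlib.sha256(token.encode("utf-8")).digest()

    def issue(self, user_id: str, device_id: str) -> str:
        """Create a fresh token for user_id, bound to device_id.

        Issuing a new token replaces any earlier pending one, so an older
        token intercepted in transit stops working as soon as the user
        requests another reset.
        """
        token = secrets.token_urlsafe(32)          # 256 bits of randomness
        self._records[user_id] = ResetRecord(
            token_hash=self._digest(token),
            device_id=device_id,
            expires_at=self._clock() + self._ttl,
        )
        return token                               # the only copy of the plaintext

    def redeem(self, user_id: str, token: str, device_id: str) -> tuple[bool, str]:
        """Return (accepted, reason). Accepts at most once, only from the bound device."""
        rec = self._records.get(user_id)
        if rec is None:
            return False, "no pending reset"
        # Constant-time comparisons so a wrong token and a wrong device
        # cannot be told apart by timing.
        if not hmac.compare_digest(rec.token_hash, self._digest(token)):
            return False, "bad token"
        if rec.used:
            return False, "token already used"
        if self._clock() > rec.expires_at:
            return False, "token expired"
        if not hmac.compare_digest(rec.device_id.encode(), device_id.encode()):
            return False, "wrong device"
        rec.used = True                            # consume before any password change
        return True, "ok"


def demo() -> list[tuple[bool, str]]:
    """Walk through the cases the thread complains about; returns each outcome."""
    svc = ResetTokenService(ttl_seconds=900)
    token = svc.issue("alice", "phone-1")
    results = [
        svc.redeem("alice", token, "laptop-7"),    # opened on a laptop: refused
        svc.redeem("alice", token, "phone-1"),     # opened on the enrolled phone: ok
        svc.redeem("alice", token, "phone-1"),     # replay: refused
        svc.redeem("alice", "not-the-token", "phone-1"),
    ]
    return results


if __name__ == "__main__":
    for accepted, reason in demo():
        print(accepted, reason)
```

The order of checks matters: the token is compared before anything else so that an attacker who does not hold a valid token learns nothing about whether a reset is pending or which device it is bound to, and the record is marked used before the caller is told to go ahead with the password change.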


#9

Thanks for your feedback. I understand your concerns and I have passed these on to the team in terms of improving password resets, crashes/chat and Faster Payments.


#10

That’s my point. It’s fundamental misunderstandings. This is not about “improvements”, it’s about doing things in such bemusing ways that I’m concerned they have any coherent clue at all.

Inventing a custom protocol to use an app then ignoring it, using ancient century old technology instead and then having an error message with three errors in it is beyond the realms of sanity.

It’s not just doing things wrong, it’s doing things wrong in the most convoluted and backward of ways. The guys at dailywtf would have a field day…

And it’s just flabbergasting to see that you don’t understand how to implement an ISO nor that security through obscurity about a public ISO makes no sense whatsoever.


#11

Why wouldn’t you open the link on the device that the app is installed on? Presumably the very same device you used to receive the SMS?


#12

Why would I?

And, more to the point, why the hell should I if that’s not my normal workflow? It’s not for anyone to tell me how to work with my data!

After all, SMS APIs and email gateways have been around for decades, not to mention things like IFTTT. SMS apps on phones are all still utterly woeful especially when oldbanks try to make you input confirmation codes and things. For example, with all other banks that do that, I save about 90% of the time by doing all my SMS work through a computer, not a phone.

I personally haven’t used a phone to send/receive/data wrangle SMS for well over 5 years and god help me if I ever have to go back to doing things that infuriating old fashioned way.

More to the point of your question (I hope I’m not being gullible by actually taking you seriously):

The link has clearly been chosen to be and (evidently is) an HTTP link which is explicitly designed to work on any device. Upon seeing the receipt of the SMS as a push notification, it makes more sense to try to open it on a device with a proper web browser at first attempt. And as I’ve mentioned, it’s much much quicker and easier to click a link in an SMS on a computer than fiddle about with a phone.


#13

I guess my approach and workflow is a bit different then!

My thoughts are that if I receive an SMS relating to the auth flow of an app (especially if the platform is pretty much entirely app-based), then I’m going to open it on the device itself so that any redirects or app intents are handled properly, and that my device is open and ready for the next step.

:man_shrugging:


#14

Do you really (in real life) do that with Santander and Halifax and all the other oldbanks?

If they want you to open it in the app, as I explained it’s trivial to use the correct methods of doing that (which they’ve already gone to the trouble of implementing!).

If they want you to click an https URL (that then links to the correct method), that’s just bordering on insane.

It’s not so much the inconvenience of this one case, it’s the fact I’m completely unable to fathom why they’ve gone to all this trouble only to undo all their work in one fell swoop! That’s what concerns me.

Given myriad superior fleshed out alternatives, no auth flow whatsoever should be through SMS in 2018 anyway and DEFINITELY not through clicking links in an SMS. That’s just beyond the pale.


#15

I do whatever is necessary to complete the task. If it involves opening a link sent by SMS that redirects to a page in the app, then so be it. It’s not that big of a deal (to me) :slight_smile:

Hopefully they will get an official response for you as to why they do it which satisfies your curiosity/outrage/confusion over it :slight_smile:


#16

I myself would find it very “out-of-the-ordinary” to click a link in an SMS message. Mainstream banks always encourage customers to not click ANY links in SMS due to “Smishing” which is quite commonplace unfortunately. It’s been bred into customers to be wary of any SMS/email links or any request for information.

I would probably feel more comfortable if the password reset was done via a 2FA method (Such as Google Authenticator, like the starling developer account is) . This would fit nicely and feel more natural with the mobile app. (However I’m certainly not a developer and I’m not sure if this is feasible)
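The post above suggests confirming a reset with an authenticator-app code instead of a link in an SMS. As an added example for this page (not Starling's code and not something the poster wrote), the block below implements the TOTP algorithm those apps use (RFC 6238 over the HOTP construction of RFC 4226) and the two server-side checks a practitioner would want: a small window to tolerate clock drift, and rejection of any code that has already been accepted so that an intercepted code cannot be replayed. The shared secret is passed as raw bytes; the `TotpVerifier` name, the `last_counter` bookkeeping and the one-step window are choices made for this example.

```python
"""Time-based one-time passwords (RFC 6238) with drift window and replay rejection.

Added example written for this discussion; it is not Starling's code.
"""
import hashlib
import hmac
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (
        ((mac[offset] & 0x7F) << 24)
        | (mac[offset + 1] << 16)
        | (mac[offset + 2] << 8)
        | mac[offset + 3]
    ) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, int(at) // step, digits)


class TotpVerifier:
    """Server-side verifier that accepts each time step at most once."""

    def __init__(self, secret: bytes, step: int = 30, window: int = 1, clock=time.time):
        self._secret = secret
        self._step = step
        self._window = window          # accept counters now-window .. now+window
        self._clock = clock            # injectable so the example runs offline
        self.last_counter = -1         # highest counter already redeemed

    def verify(self, code: str) -> bool:
        now_counter = int(self._clock()) // self._step
        for counter in range(now_counter - self._window, now_counter + self._window + 1):
            if counter <= self.last_counter:
                continue               # already used (or older than one we accepted): replay
            expected = hotp(self._secret, counter)
            if hmac.compare_digest(expected.encode(), code.encode()):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    # Constructed demonstration using the RFC 6238 reference secret.
    secret = b"12345678901234567890"
    print(totp(secret, 59))            # "287082" per the RFC test vectors
```

A code is therefore good for roughly one time step either side of "now" and, once accepted, neither it nor any earlier step can be presented again; a second factor of this kind is tied to the secret provisioned on the phone rather than to whichever device happens to open a link.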


#17

Indeed. I would never encourage clicking LINKS in SMS as normal practice, especially standard web protocol ones and with the ease of address spoofing this is VERY bad form. As you say, there are dozens of alternatives that are better for the user and more secure. And indeed, Starling themselves have even made their own superior alternatives. While I don’t want to belabour the point, nobody has mentioned that the error message contains three errors and is singularly un-useful to the user (nor that it seems @StarlingSupport don’t seem concerned about admitting mistakes nor fixing them).

You miss my point somewhat. Oldbanks send SMS confirmation codes for online transactions on a computer which then require you to unlock your phone, navigate to the SMS app, find the message, distinguish the code from the ID, go back to your computer, copy down (without any errors) the frequently-long sequence of numbers and letters (sometimes they even use characters which look similar like l,I,1 and 0,O,O) using your keyboard.

Using SMS always on a PC means it takes about 2 seconds to copy, alt-tab, paste and hit enter with no chance for mistakes.


#18

Maybe a “mobile-only” bank isn’t for you then.


#19

I do everything from my computer. My phone is connected to my computer while at work, so if I get a text I receive it on my computer. That negates the problem of having to go to the phone, open an SMS, then type in that SMS: I just go to the phone program on my computer and copy and paste the code. It takes a few seconds, so no real hardship for me.