So many technical misunderstandings I'm struggling to see why I should trust my money with Starling :/


I’ve encountered several issues which make me seriously question the competence of Starling since opening an account for a few short overseas trips.

  1. Password resets are done by SMS. Was any thought given to the security implications of this? It should be obvious there are several trivial potential attacks by making this choice.

  2. It gets better! The SMS includes an https link. However, at no point do you mention that the link should only be opened on the device the Starling app is installed on. Strange not to point this out seeing as the whole point of https URLs is that they can be used on any internet connected device.

  3. There is no meaningful error message. Opening the link brings you to a page that says “Link failed to open in app. Device settings can sometimes redirect. Simply tap below and we’ll redirect you to the app.”

Obviously this is all false. You made no attempt to communicate with the app and try to open with the app. It’s also nothing to do with an issue about redirection. Finally, “tapping” below (on my laptop, I usually click not “tap”) obviously does nothing either. So 0/3 there.

  4. Why use the http protocol when the link on that error page (itself full of errors) includes a starlingbank protocol link?! Why not include this originally to avoid all this palaver and potential for errors?! You literally created a starlingbank protocol then decided not to use it unless you click once through another protocol? You what?!

  5. Opening the link in the SMS must be done through the Starling app. This means that you have to disable all your default app preferences and then re-enable them again. Once more, hard to understand why you’d make things so difficult for the user when you already have gone to the work of creating this custom protocol.

There are many, many solutions for resources meant to be accessed only from one device, and SMS including plain-text hyperlinks certainly isn’t it!

  6. Why not use what many other apps use and ask for permission to read SMS so you can automatically reset the password when an SMS is received? This is the only acceptable time for using SMS rather than the correct protocols? What’s the reason for making this choice and what benefits is it supposed to provide the user?

  7. The app crashes frequently on Android and has a horribly intrusive chat bubble screen overlay by DEFAULT! Yuck. Who asked for that?!

  8. You don’t handle Faster Payment references correctly. I’ve done some tests where they sometimes don’t even match from sender to receiver, which is especially problematic as several organisations use them to automatically track payments, e.g. HMRC.

When I asked which ISO you are trying to implement, nobody could tell me. In fact, strangely, it seems your staff are not trained in acceptable character limits and character sets for Faster Payments, as they appeared utterly clueless.

Right now, I’m deciding whether to just ditch Starling or if they are so incompetent not to risk any fintech companies at all with my money :frowning:
