Starling Discussion & Feedback

If it’s using the same technique then it’s a non issue for me.

3 Likes

For reference: Download receipts

2 Likes

I would be interested in how the individual found their own passport if URLs are truly obfuscated in the same way as receipts.

Assume they have traced all network calls from their phone?

I think it was in a support chat.

Support gave them the URL?

I thought I read that it was in a support chat. Might be mixing things up.

That’s the tweet I saw.

Hmm. Wasn’t aware of their support tool. Will see if I can find it

That’s going really badly for them at the moment. They have been given multiple opportunities to fix it and haven’t.

The response by the ‘higher up’ staff member was pathetic, failed to ignore the concern and effectively brushed him off, they’re paying for that in the comments section.

2 Likes

What is there to fix?

2 Likes

From what I can tell it was a token link they sent him via support and the only way someone else could view it was if he was to share the link.

Ben has now posted this to LinkedIn, lengthy discussion in the comments.

I thought we were living in America then (sorry US folk). I can see the headline now…

“Man accuses bank of data breach, after sharing his completely secure, personalised URL on the internet”…

Joking aside, I can understand the potential alarm if you see your data on the internet behind what would appear to be a public facing URL - But boy, someone wanted to make a big deal out of nothing it would appear.

I don’t know enough about the security aspect behind banks “in the cloud” - Someone said it was likely to do with their use of AWS?

Does Monzo have the same security?

3 Likes

How I expect this to work is that they’re using signed URLs where the URL itself is the authentication key.

In this case this is fine - the URL (the secret in this case) is returned by the Starling API only to authenticated users so no unauthorised access is possible.

There is the issue of the URL being leaked but given that it’s not even supposed to be user-facing I’m not sure how it can leak under normal conditions.

7 Likes

If so, then they might want to look a bit deeper, as AWS gives you a lot of control on how the file is accessed.

1 Like

I think this would be relevant here.

4 Likes

So… given my immense understanding of the situation and technology (which amounts to the same understanding I have of Swahili), I take it that you both have the same technology/security here? :sweat_smile:

6 Likes

Pretty much (from the cursory glance I have given the Linkedin post) :sweat_smile: You can read @daniel’s explanation of why/how this is secure above :+1:

4 Likes

If only someone had linked that earlier…

2 Likes

How long is the Starling URL?

help.starlingbank.com/files/surname/forename/dob/filenumber.pdf