Starling Bank 3D Secure
Starling Bank is one of a new breed of mobile ‘challenger’ banks in the UK, with a focus on a new way to manage your money, real-time banking & security.
Yesterday Starling announced that it is "Introducing 3D Secure":
Today, we’ll start a phased rollout of 3D Secure, an authentication tool for online purchases, to our customers. We explain how this will help keep customers' money safe.
3D Secure is a tool for online transactions that requires the account holder to complete an authentication process for some purchases. It forms part of the security of your account.
Starling users have previously suffered with payments failing if they tried to make a payment with a merchant that enforced 3D Secure, as Starling hadn’t previously implemented it.
Yes, 3D Secure may cause more friction when making a payment, but the concept exists to keep our money safe.
The implementation does concern me though:
At Starling, we’ve decided to use ‘one-time passwords’ sent via SMS as the type of authentication for online purchases. This means that a text will be sent to your phone when you are required to authenticate for a specific online purchase. One code will be sent for each purchase meaning that static password can be left behind.
I appreciate the need for more security, and yes, this does provide a further element. However, I really do hope that we are not going to see Starling (and other banks) use this as so-called 'proof' that the account holder was indeed responsible for a transaction. It's well known that SMS is a weak channel for authentication:
If you have your bag stolen with both your card and phone, in many cases the contents of SMS are displayed on the phone screen without unlocking. A thief need only make a payment with a stolen card and enter the code that pops up on the phone that they also have. Likewise, if anyone has access to the linked phone, perhaps left unattended on a desk, again they could simply see the code.
The technology is susceptible to SIM swap attacks, either locally, with someone simply moving the SIM to another phone and receiving the SMS, or remotely, where someone with access to a little information about you can sometimes persuade your carrier to move your number to a new SIM card (not as easy, but certainly not beyond possibility).
As I said before, some form of security is better than none, and users shouldn't be blocked from making payments as they have been, but it's depressing that Starling, like many other banks and services, relies on SMS as a means of authentication.
There is a further issue with SMS whereby if you are using a different SIM card (for example when out of the country), then you won’t get the SMS.
Starling do hint at one saving grace:
Using one-time passwords is the first phase of Starling rolling out 3D Secure. We will be working on a biometric authentication as an alternative to SMS passwords, with this planned to be rolled out later this year.
This can't happen soon enough. It is to be hoped that the SMS option can then be disabled, otherwise the SMS weaknesses above remain, since an attacker need only pick the weaker of the two methods.
Update: Since this article was written, I have written about how Starling Bank have since improved their implementation of 3D Secure.