2FA - Yubikey for all new payee

Hi Monzo Team,

Muggings seem to be on the rise, at least if you browse Reddit. The amount of posts about knife point robberies forcing people to withdraw/send money seem to be quite high. It doesn’t matter if you have pin or Face ID enabled. There really isn’t much you can do when someone forces you to open up an app and send money.

The Idea: Adding new payee must be authenticated using a Yubikey

I don’t know about you, but I don’t send money to strangers that often. When I do, I know it in advance so I can prepare. As long as you don’t carry the key with you, robberies where they force you to empty your bank account are pretty much reduced to zero.

Many other apps use this technique when logging into a new unknown device. Why isn’t something like this implemented for a banking app? High street banks used to have this card reader which you had to use to add a new payee. This seems to be disappearing from use. I don’t know why, because it seems like a solid security feature.

I’d love to hear your thoughts on this. I may be missing something, but it seems like a no-brainer.

If the reddit posts are to be believed, muggers will sit with you in an Uber to go back to your house to get your card reader/Yubikey.

Most people seem to hate them.

6 Likes

  1. Implementing such a solution is expensive
  2. The additional friction when making transactions would be very unpopular with customers

In addition, card readers issued by most organisations provided limited security - apart from those used by HSBC/First Direct, which use a different technology

I have a Yubikey for work, and I hate it

1 Like

Why is that?

The risk of what you’ve described is so so minute that adding extra steps would just annoy everyone.

One of the features that Monzo promote is being able to pay someone quickly and easily. This is about as far from that as it’s possible to get.

1 Like

The HSBC/FD solution works like you would expect an RSA/authenticator to work - the code changes every 60 seconds or so.

The solution used by other banks (where you put your card in) does not use time as a factor, so it is possible to pre-generate codes if one wished to…

In almost all of the Reddit stories, Monzo and Revolut were used as the last step to offload the victim's money… which would suggest a solution that would not be popular among this forum (uninstalling the apps) or not having your neobank accounts as trusted payees for your other accounts

The above is obviously a joke, and any precaution which actually requires a convenience compromise is rather pointless where there are stories of people being brought back to their own house in an Uber to get the device required to authenticate the payment… at the end of the day, at knifepoint they could just get you to log in on their phone, go to your bank's ATM and transfer money from there with your card and PIN

I’ll take my chances.

Can’t steal nothing from nothing anyway.

5 Likes

Monzo are working on alternative security methods - I’m sure they’ll reveal more in the near future! :+1:

The solution from other banks provides you with a sequence of random numbers to input before it generates a code – so I’d expect the code to be a hash of the code you input + the card details. It’s not possible to pre-generate codes unless you know what the numbers will be.

I think it’s a sliding scale between convenience and security and it’s up to the person to decide where they wish to fall on that scale. That said it shouldn’t be for a bank to cater for every risk appetite, the person needs to decide how to conduct their business in line with their risk appetite.

I personally think the Uber part is unlikely (even if 1 in 5 kidnappings are now not gang-related) but the knifepoint robbery is more so, so one could wish to mitigate against one but not the other.

2 Likes
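As an added illustration (not code from this thread or from any bank) of the challenge-response scheme the post above speculates about: the bank issues a random challenge, the reader computes a keyed hash over that challenge plus the payee details, and the bank recomputes and compares it. The card secret, the 8-digit challenge format and the account values are constructed assumptions.

```python
"""Challenge-response authorisation of a new payee (constructed example).

Binding the payee details into the code means a code computed for one
payee is useless for another, and a single-use challenge means codes
cannot be pre-generated ahead of time.
"""
import hashlib
import hmac
import secrets

# Constructed: per-card secret shared between the bank and the (simulated) card.
# A real scheme would keep this inside the card's chip.
CARD_SECRET = b"constructed-card-secret-not-a-real-key"


def new_challenge() -> str:
    """Bank side: an 8-digit random challenge shown to the user to type in."""
    return f"{secrets.randbelow(10**8):08d}"


def reader_code(card_secret: bytes, challenge: str,
                payee_account: str, amount_pence: int) -> str:
    """Card/reader side: HMAC-SHA256 over challenge + payee details,
    truncated to an 8-digit code the user can read off the device."""
    msg = f"{challenge}|{payee_account}|{amount_pence}".encode()
    digest = hmac.new(card_secret, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"


def bank_verify(card_secret: bytes, challenge: str, payee_account: str,
                amount_pence: int, code: str, used_challenges: set) -> bool:
    """Bank side: reject replayed challenges, recompute the expected code
    for exactly the payee/amount being set up, and compare in constant time."""
    if challenge in used_challenges:
        return False
    expected = reader_code(card_secret, challenge, payee_account, amount_pence)
    ok = hmac.compare_digest(expected, code)
    if ok:
        used_challenges.add(challenge)  # each challenge is single-use
    return ok
```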

Can’t steal what doesn’t exist.

4 Likes

There’s always going to be an extreme situation. The risk of muggers getting caught is way higher if you include travelling to another location, especially the persons house.

I’m not suggesting having it mandatory, but as an option. Just like you get to pick between FaceID and PIN.

Though the chances of it happening are slim, they seem to be increasing. Just because it’s ‘annoying’ doesn’t mean it shouldn’t be in place.

Monzo also added a lot of other features since, like a cash ISA as well as an Investment ISA account. Monzo is no longer a pre-paid card where you don't expect to hold high amounts of money. You're essentially carrying all your wealth with you. What they provide to their users has changed, and with that, security should follow.

An ISA or an investment doesn’t contradict the banks selling points. Your idea does.

Never ever going to happen.

1 Like

And who pays for the Yubikey at £50 a pop to get one with USB-C??

Is that a user cost or a Monzo cost…

To add, we tested these at work and the feedback we got was "what a PITA to use." We binned them for Auth Apps, and a lot cheaper…

2 Likes

Most people who value cybersecurity at work have one

It’s really not a large cost in regards to time or money, it’s a very basic checksum


5 Likes

For a sec, can we define what “Full Monzo” means? I get paid into it, use Flex and use it for a business account

But I wouldn't ever keep 100% of my savings in pots (not that I don't trust them), or use the ISA (better rates elsewhere)… For a second put aside having all your eggs in the Monzo basket, because if you do, you're putting them in having access to your phone/email, and if not, having to deal with the dire support team, and having 0 access to Monzo until you get it solved… if you lose your phone and don't have access to another device logged into your email, you probably have to wait until you get your number back to authenticate the 2FA code to log in to your email if you use it

It doesn’t seem smart to me to lock your entire financial life behind an app, I’m very happy with Monzo for 99% of it but an extra safety net is always necessary imo

1 Like

For most of your posts I have absolutely no idea what you’re trying to say

Why bother with the plethora of apps. 2FA via a different device yes maybe (and I’d consider that to be a good shout) but what if the user doesn’t have one?

Being able to disable Monzo via web would resolve this without the need of a key

At your work or generally? I manage the technology function for our organisation inc service, infrastructure, cybersec, software dev etc and no one has one of these. We use 2FA via an Authenticator app for any access to systems along with Least privileged access.