Researchers were able to bypass fingerprint readers, which are used to unlock phones, log in to apps and make payments, using fake fingerprints created by using patterns found across many real prints.
The findings from New York University and Michigan State University call into question the security of the widely-used technology. The researchers were able to create a set of “master prints” that could fool a scanner up to 65 per cent of the time.
In case anyone’s in the mood for guessing how insecure fingerprint protection on the Monzo app is / isn’t (spoiler - it’s being used as a privacy, not a security feature), this has been discussed here -
Everyone is well aware that fingerprint authentication is insecure when compared to passwords. For example, you don’t leave your password on every surface you touch, do you?
Most security experts recommend using fingerprints as usernames instead of passwords, but this advice isn’t normally followed.
As far as I can tell, in the Monzo app, the fingerprint authentication isn’t used to protect anything critical. The PIN is there for that.
Unfortunately I don’t have any special forwarding ability but I’ll flag the post to make sure that someone from the team sees it.
Obviously the team are aware of that functionality already & users who have concerns about it have the option to disable it.
So this isn’t a concern for me personally, although I’m learning from the discussion in this community that I seem to have a relatively high tolerance for risk.
Well, it seems to me that if the fingerprint allows you to view the PIN, and the PIN lets you do all kinds of crazy stuff, then there’s no point for the PIN.
Another way to get the PIN is to send a support request with the user ID (available on the top-up page) and the DOB (not really highly secure information).
And giving users the option to decide which security features they want doesn’t sound like a good idea lol. Makes them lean towards convenience instead of security.
Just to clarify, I’m 99% sure that @billinghamj was talking about the PIN for your Monzo card, not your phone’s passcode.
That’s why you don’t give them options for anything that’s there to protect something that’s actually high risk & as I mentioned, from the posts I’ve seen it looks like users tend to lean towards security not convenience, no matter how low the risk is…