Account accessed from another location while still logged in

Hi both, thanks for the responses.

I agree it is concerning that they got the pin, I’m hoping Monzo might have an explanation but I guess that’s unlikely. I have changed the pin everywhere it was in use. I double checked my email account for my pin and it’s definitely not in there.

I have checked haveibeenpwned and also spycloud.com which had more results, but none with the pin.

I’ve had no prior correspondence with Monzo via phone and I’ve only needed to contact them for replacement cards recently.

The account that was compromised was my Microsoft Outlook email account. Looking at the sign-in logs, it only shows me logging in and loads of unsuccessful IMAP syncs from random countries. I checked with friends and they all have very similar unsuccessful IMAP syncs on their accounts happening every few hours.

Somehow connecting via IMAP seems to bypass the need for MFA, as whenever I log in to my Outlook account I receive a code via SMS that I have to enter before logging in, but I have not received any codes that I did not request, yet my email account was definitely accessed.

2 Likes

I have just done some googling on this, and didn’t realise there was an issue with IMAP access being on. I’ve just switched it off for my gmail (didn’t know it was on TBH), as I only access that via the web front end or via the app, so have no need of it, but it’s worrying I didn’t know anything about it bypassing the 2FA/MFA processes. Crazy.

2 Likes

If you’re only using webmail then making sure IMAP and POP3 are switched off should be the first thing anyone checks on their email service, if they haven’t already.

Also worth checking forwarding options and filter rules to make sure no-one’s compromised the account and silently fiddled things that way. (At least with Gmail now you get a warning banner for a week when forwarding is turned on.)

IMAP bypasses MFA because it’s an old protocol, probably. Dates from when webmail wasn’t really a thing and people used email clients installed on their computer instead (Turnpike, Thunderbird, etc). IMAP let the software contact the mail server and download the emails.

3 Likes
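As an added illustration of the two checks raised in this post and in the earlier post about the sign-in logs (this is constructed example code, not anything a poster wrote, and the CSV layout and rule fields are assumptions rather than any provider's real export format), the script below reads a sign-in activity export, separates the constant noise of failed IMAP/POP attempts from the one event that actually matters (a successful legacy-protocol sign-in, which means MFA was not in the path), and audits mailbox rules for external forwarding or mail-hiding actions.

```python
"""Audit a mailbox's sign-in activity and rules for legacy-protocol
(IMAP/POP) sign-ins and for forwarding/filter rules that quietly
divert mail.  All sample data below is constructed; the column names and
rule structure are assumptions, not a real provider's export format."""
import csv
from collections import Counter
from io import StringIO

# Constructed sample export: timestamp, result, protocol, country, ip.
# Mirrors the thread: one browser login from home, a steady drip of failed
# IMAP/POP attempts from random countries, and one successful IMAP sign-in.
SAMPLE_EXPORT = """\
timestamp,result,protocol,country,ip
2020-06-20T08:02:11Z,success,Browser,GB,198.51.100.10
2020-06-20T09:15:40Z,failure,IMAP,BR,203.0.113.5
2020-06-20T11:47:02Z,failure,IMAP,VN,203.0.113.77
2020-06-20T14:03:19Z,failure,IMAP,NG,203.0.113.91
2020-06-20T16:30:00Z,failure,POP3,BR,203.0.113.6
2020-06-21T02:12:45Z,success,IMAP,RU,203.0.113.200
2020-06-21T07:58:03Z,success,Browser,GB,198.51.100.10
"""

# Protocols that authenticate with a bare password (or app password) and so
# never show the interactive MFA prompt the browser login does.
LEGACY_PROTOCOLS = {"IMAP", "POP3", "SMTP AUTH"}


def parse_export(text):
    """Parse the CSV export into a list of dict rows."""
    return list(csv.DictReader(StringIO(text)))


def legacy_summary(events, home_country="GB"):
    """Separate background noise (failed legacy attempts, counted per
    country) from the real signal: successful legacy sign-ins, especially
    from outside the owner's home country."""
    failed_by_country = Counter()
    successful_legacy = []
    for e in events:
        if e["protocol"] not in LEGACY_PROTOCOLS:
            continue
        if e["result"] == "success":
            successful_legacy.append(e)
        else:
            failed_by_country[e["country"]] += 1
    return {
        "failed_by_country": dict(failed_by_country),
        "successful_legacy": successful_legacy,
        # Any success here bypassed MFA; from abroad it is the top finding.
        "critical": [e for e in successful_legacy if e["country"] != home_country],
    }


# Constructed mailbox rules (hypothetical structure).  The second one is the
# classic post-compromise pattern: forward codes externally, then hide them.
SAMPLE_RULES = [
    {"name": "Receipts",
     "conditions": {"from": "receipts@example.com"},
     "actions": {"move_to": "Receipts"}},
    {"name": ".",
     "conditions": {"subject_contains": "verification code"},
     "actions": {"forward_to": "unknown-external@example.net", "delete": True}},
]


def audit_rules(rules, own_domains=("example.com",)):
    """Return (rule name, reasons) for every rule that forwards outside the
    owner's domains, hides matched mail, or has a near-empty name."""
    findings = []
    for r in rules:
        actions = r.get("actions", {})
        reasons = []
        fwd = actions.get("forward_to")
        if fwd and fwd.rsplit("@", 1)[-1].lower() not in own_domains:
            reasons.append(f"forwards to external address {fwd}")
        if actions.get("delete") or actions.get("mark_read"):
            reasons.append("hides matched mail (delete/mark read)")
        if len(r.get("name", "").strip()) <= 1:
            reasons.append("near-empty rule name")
        if reasons:
            findings.append((r.get("name", ""), reasons))
    return findings


if __name__ == "__main__":
    summary = legacy_summary(parse_export(SAMPLE_EXPORT))
    print("failed legacy attempts by country:", summary["failed_by_country"])
    for e in summary["critical"]:
        print("CRITICAL legacy sign-in:", e["timestamp"], e["protocol"], e["country"], e["ip"])
    for name, reasons in audit_rules(SAMPLE_RULES):
        print(f"suspicious rule {name!r}: " + "; ".join(reasons))
```

The split between `failed_by_country` and `critical` is the point: the failed attempts every few hours are the same on everyone's account and are not evidence of compromise, whereas a single successful IMAP or POP sign-in is, because that path never asked for the SMS code. If your provider will not let you disable IMAP, checking for app passwords and for the rules this audit flags is the practical fallback.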

Just like with any password, it’s really good practice to have a different pin for any account that needs one. It sounds like you were using the same 4 digits for multiple accounts and that’s a big security risk.

1 Like

Indeed. I once knew someone who found some unexplained withdrawals on one of their cards but the bank said they were legitimately done with PIN. Turned out that they’d used the same PIN for their Sky box, and their kid knew the Sky PIN…

2 Likes

Hi Nick, thanks for the advice. I had checked for forwarding rules etc. and it doesn’t appear any have been created.

I looked into this and found POP is already disabled but it’s not possible to disable IMAP on my Hotmail/Outlook account. This shouldn’t be an issue though, as the only way to log in via IMAP once MFA is enabled is via an app password. I checked and there aren’t any set up on my account. So if this is the case, it would be impossible for them to access my account via IMAP.

I’m now thinking there could be some kind of malware on my phone that has recorded me typing in my PIN and that would also give them access to my email account. I reset my phone about 10 days ago as I was swapping between devices but I think I will reset again. There are no apps with device admin currently.

I don’t want to give too many personal details away but the pin was only used as my phone pin, in addition to the card, so I guess that also points at the phone.

iOS or Android?

Android, I only have Android devices.

Is it an up to date android?

Also is there a chance that’s it’s someone who could have had access to your physical phone?

It’s a Note10 with the June security patch and no, I’ve been working from home and haven’t gone out for much other than shopping in months.

If my Samsung account had been logged into, I would have received notifications on all of my Samsung devices so I’m pretty sure that’s not been accessed.

Do you have an ex/friend with a grudge that knows your pin?

I honestly don’t think so. I never give either my PIN or email password away, it’s something I’ve never done. My current partner doesn’t even know them.

Where does it tell you this IMAP sync information?

In my sign-in activity it only tells me when I’ve logged in via my browser, which isn’t very often, and the only changes occur when I’ve logged in via a VPN so the IP address is different.

I have my Outlook emails read via my iOS mail app and none of the access attempts are logged.

I see this information by going to https://account.microsoft.com/security/ and clicking on “Sign-in activity”.

My Hotmail account is from 2004 and has been leaked in quite a few breaches, I suspect this may be why it’s being targeted. I use unique passwords so leaked passwords cannot be used to log in to my other accounts.

1 Like

So kinda related: I only ever keep £20 in my main account, the rest I keep in pots and just feed my main account daily by means of IFTTT from one of my pots. I feel this limits my exposure to someone getting rich quick at my expense. Also, most of my pots are savings accounts so there is a 24hr lead time on getting the money into the main account, and I’d be well in the picture before anyone was able to withdraw a large amount of money. I have also hidden the Monzo app from the app drawer so it can only be accessed by means of a screen gesture.
I feel these methods are a good security measure that were maybe never intended to be used in this way.

Good luck and I hope you get sorted.

3 Likes

Hope it gets sorted, and thanks for engaging with the follow-up points, which is a much more relatable experience than some rather dubious fire-and-forget posts of late by others.

5 Likes

Always use a separate email for banking and nothing else.

1 Like

I can finally update this.

After 6 days, I received a full refund for this.

Monzo customer service unfortunately never fails to unimpress.

I was initially told I would have a response in 24 hours. Clearly the staff member didn’t understand what a business day is, as I was told the fraud team only worked on business days, but if this was true I wasn’t going to get a response in 24 hours as I was reporting the issue on Friday evening.

I didn’t get any response during the weekend and then received an entirely pointless message saying the chat had been closed even though the investigation was ongoing. I see absolutely no reason for this message to be sent.

I then received messages from the Fraud team who repeatedly asked me the same questions and asked for a lot of details regarding the case. I don’t mind explaining the situation but with other banks, I have received my money back during the initial call when I have reported a fraudulent payment.

I have been with Monzo ever since the Android app had a waiting list to join, initially the experience was great, it really felt like the future of banking.

After a few issues with customer service and now the fact I can’t even find a way to chat to them unless someone has literally stolen all of my money from my account seems ridiculous and I will be leaving Monzo.

I think the worst experience I had was when I received a notification asking me why I hadn’t clicked a button in the app (yes, really). I opened a chat and asked them why they had started sending me notifications advertising features in the app when I had requested this not to happen. They responded saying “We don’t send advertising notifications at all”. This was literally the definition of an advertisement; it was a notification promoting a feature in the app. This went on until I got a “final response” that showed they hadn’t even understood my complaint, making the team look completely inept.

Funnily enough, I received an email this morning stating they were removing the exact feature they were promoting.

Also the fact that 4 years on, my card STILL isn’t accepted everywhere is a joke frankly, another thing customer support is completely useless at resolving.

It’s been an interesting experience Monzo but I don’t think you’re ready yet and it doesn’t sound like things are going to get better any time soon. Goodbye.

1 Like

:point_up::point_up::point_up::point_up::point_up::point_up:

Absolutely this. I accept that others will experience Monzo differently, but I had so many issues in comparison with other banks that Monzo is, and I suspect will remain, a dead account for me.

So what actually happened?