An update on PIN lock


#21

As we’re only talking about 4 digits, even if you salted the hash, it would be pretty easy to generate some rainbow tables to figure out the PIN.


(Chris Rimell) #22

I have regular numbers that I use for things, but my PIN is never contained within them. So I would never want my PIN stored in any form on my device in the way suggested or otherwise.

Device PIN would be my preference but actually I’m happy to remember another number because my device PIN is short and I want a longer PIN for all my banking apps.

Not sure if I’d use emoji but maybe some A/B testing or releasing both versions would help see what is most useful


(James Billingham) #23

A modern computer can calculate millions of hashes a second. Even with very heavy use of PBKDF2 or a slow hashing function, if it’s fast enough that a user can get into the app without being annoyed, it’s too fast to be safe.

If there’s only 10k (4 digits) or 1m (6 digits) combinations, it’ll take a few minutes even in the absolute best case.

If you’re checking the PIN, it has to be done in a way where you can enforce limits, so it cannot happen locally.

On Android though, I guess it might be possible to enter your PIN on the phone, then tap your card to the NFC element and the card can verify it. That would cover the security requirements, and would only be needed when the phone was offline. Might be a worthwhile consideration. But won’t work on iOS of course!


#24

@JordanFish

I am a fan of the emoji lock option. However, I think it should not be laid out in a 0-9 keypad style, as there is too much chance of people using the emoji version of their main PIN, which is not a great idea.


(Trevor Mitchell) #25

Here is my security measure, I have hidden the app from sight and use a screen gesture to open the app, so if anyone were to get my phone they would not instantly be able to figure out that I use monzo…


(Steven Joyce) #26

Can you turn this option off. I really don’t see the point. You have to unlock your phone you also have to use a pin or biometric to action a transaction. Is an other password needed lol ?


#27

where is the option? I don’t see it in my app, but would love to turn it on :closed_lock_with_key:


(Steven Joyce) #28

There already a option for this on IOS. It must mean for Android.


(Paul) #29

Funny you should say that. It was the nickname I gave my ex.


(Rhys Jones) #30

You can’t store the pin on the device as that would be a security issue.


#31

I think it would be good for security to be forced to enter a pin in order to use the app and if you switch to another app to do something your app auto locks and you have to re-enter the pin to get access again. I can currently image that at some point all you need to do is leave your phone unlocked accidentally or its hacked and access to your account is easy.


#32

PIN lock is in progress:

At the moment, you can use Touch ID/Face ID/fingerprint ID to lock the app as you describe (Settings > Require * to unlock app).


#33

I would prefer security over features any time:

We’ve prioritised working on improving the performance of our app (so it’s quicker!), building a new lending product and helping you earn interest on a savings pot instead.

its seems you have strange priority’s!?


#34

they have strange priorities, where they is “Monzo” or “someone who works for Monzo” (I am neither).

(I sort-of agree with you, though those preferring security aren’t leaving their unlocked devices around)


(Noel Edmonds Beard Sculptor ) #35

The average person can’t hack an iPhone and mine is always locked or auto locks after a minute.


((╯°□°)╯︵ ┻━┻) #36

I kind of agree with what you’re saying but all security emphasis cannot be put onto Monzo. They could have it like a vault and it can still be vulnerable due customer habits / configuration.

In the example above you’d configure your phone to lock after x seconds/minutes so this has nothing to do with the Monzo app.

Likewise If it gets hacked this will be because you lost the phone, had a poor password or revealed your details publically. Monzo again cannot be responsible for this.


#37

I would just like to point out that no one can make payments or move money from your account without knowing you PIN or using your fingerprint if you have set one!


#38

I personally love being able to see my finances without a PIN or passcode etc

It makes it so much easier and less cumbersome. I have a PIN on my phone for that!

You can’t access any of my money without my Monzo PIN, so not much fun.


( related to Monzo CEO, Investor in Monzo ) #39

weird - I cant see anything without touch ID :slight_smile: :slight_smile: then I have to touch Id AGAIN !!! to open my Monzo app - very frustrating, then if I want to pay a bill Ive got to touch the bloody thing again :slight_smile: :slight_smile:


#40

It should not matter if the person is security conscious or not, security should be the first in line of priority’s even if the user does not think of these things, its especially important for those users who don’t think about these things.