App, Security and Privacy (Fingerprint, Pin, or Password)

They don’t; by deleting & reinstalling the app, you switch off fingerprint protection, so you shouldn’t ever end up completely locked out :slight_smile:

Some things are harder than you imagine they would be, if you don’t know what it takes to put them together.

1 Like

Sorry this is not a good enough answer. Fingerprint should be rolled out with a backup option as standard.

This is my view.

It would have been a better idea to roll out full security than half security. And with Monzo being a bank this should be a higher priority.

I’m loving Monzo, but whoever makes these choices has their head in the sand. And I’m happy for that person to contact me if they disagree.

3 Likes

Ah ok, we’re talking about different things.

The fingerprint protection is a privacy feature, rather than a security feature. It stops people going into the app to look around, but there are extra steps that users have to complete before they can withdraw money, for security.

The PIN protection is on the way. But in the meantime, Monzo’s liable for any theft that happens because it’s not there. Which suggests there isn’t much theft because if there was, it would be a higher priority. And if you lose money due to the PIN not being there then (as long as you’ve followed the rest of the T’s & C’s), you’ll be reimbursed.

3 Likes

I agree. I suffer from minor eczema and at its worst my fingerprint scanner can’t read my fingerprint. My phone falls back to another method in that case. I can’t imagine a legacy bank would alienate a certain group of people this way and it certainly feels wrong that Monzo are.

4 Likes

Ok, I do genuinely apologise. But what I say stands; just replace security with privacy.

3 Likes

FYI… :eyes:

1 Like

Good news, everybody!

3 Likes

This is just for Privacy IMO, Security is still reliant on PIN and email.

2 Likes

Nope. “Good news, people with Fingerprint enabled devices and without skin conditions!” That’s very far from “everybody”!

It’s very, very sad that Monzo thinks this half-baked workaround is the solution to the request for privacy and security!

1 Like

As far as I can tell, there are two users in this community who can’t use the fingerprint unlock feature.

I think it’s good that they’ve brought this out now so that most users can benefit from it.

They have of course said that they’re considering a solution that works for everyone too and that that decision will be informed by how much usage this feature gets.

2 Likes

How many times will people need to say that none of these client-side restrictions provide any kind of security? If your device is compromised, so will be your fingerprint, PIN, or password, or smartcard/hardware token because you’ll be entering the secret values in that same compromised device.

2 Likes

You don’t :slight_smile: Read up on “Security in Depth”. Just because one aspect doesn’t provide absolute security in itself, doesn’t mean it’s useless…

I’m not sure it’s worth having this discussion in two places at once; you’ll only end up repeating yourselves.

I’d suggest you discuss this in the other topic that I’ve linked to there :point_up:

3 Likes

Gojaba, to answer your question directly, I believe the security situation is actually quite similar regardless of whether we are talking Android or Apple iOS. The security measures are based on a form of 2-Factor Authentication; one is the hardware Android or iOS device and the number associated with the device. This is transacted by using “tokens”, which, if my understanding is correct, are proxies for the actual data, number, etc. they refer to. If there is a vulnerability in this, it is in relation to the fact that the token is capable of being exfiltrated, stolen and manipulated. iOS devices offer a very good level of security and anonymity provided iCloud is turned off. There is a Russian company (rival to the Israeli company) who can analyze an iPhone and compromise its security: they do this by gaining access to the security token and manipulating it (without recourse to Apple).

Email?

I’m sorry, I can’t agree with this! If somebody is using your Monzo account on your phone, email is only a click away.

On the security note, I would quite like 2FA (hardware device - I have one from Square Enix for a game. It’s a keyring where you press a button and it gives you six digits that you use to log in).

You don’t have to be sorry, but I am not sure what you don’t agree with. I just pointed out that the current Android fingerprint lock by Monzo is going to act just as an extra layer of privacy. It is not a security feature at the moment because Monzo login relies on your email, hence the security of your email is going to prevent unauthorised login. Most people keep their phone secure with a PIN, so that is the real security of your email and Monzo app.

3 Likes

That makes complete sense now, I thought you meant email verification would be a good form of security. Read it completely wrong lol :yum:

So the fingerprint feature is great. But a slight problem arises sometimes. I’m a climbing guide by profession, and often find that after climbing or rope work, the fingerprint sensor doesn’t recognise my fingerprint. The same thing happens if I’ve been at the gym lifting, and I assume it happens for others who use their hands a lot.

A fingerprint override option, so that I could input a PIN or similar, would be great, as currently if this happens, I’m unable to use the app.

4 Likes

Ok, this is a controversial topic round here, but if you always leave your phone locked, do you need the additional lock on the app? Just toggle it off in app settings (on iOS, I presume same on Android).
Some of us are happy with just the phone lock, some like both locked.

7 Likes