App, Security and Privacy (Fingerprint, Pin, or Password)

I’ve just made the leap from an iPhone 7 to an S8+ after many years with iOS and much annoyance and it’s my first experience of the android ecosystem.

I’ve briefly read through this thread and I too am a little perturbed that the app doesn’t ask me for a PIN or fingerprint to open the app after using Touch ID on iOS.

Please at least give us the option; I don’t want people to just be able to open the app and see my spending habits if they have my phone.

2 Likes

Exactly, that is what you are doing, making up for a lack of security of your personal data. Your funds may be secure but there is a failing on the part of Monzo to protect your personal data in their app.

2 Likes

OpenYOLO and its pairing partners (Dashlane, LastPass etc) might be something to look at?

If someone has access to your phone, Monzo should be the last of your worries.

Even if Monzo had a PIN/password nothing prevents them from leaving malware on your phone so next time you type the PIN they will still get it (and with malware they can do much worse than stealing money from your Monzo).

Your real security is in the phone’s actual passcode/passwords (which also serves as an encryption key to encrypt storage at rest - so they can’t just take the memory chips out and put them in a computer) - if an attacker bypasses that you’ve already lost and should consider all data on that phone compromised.

3 Likes

Different security performs different jobs at different layers. Monzo without security is like leaving my bank statements on the coffee table when people come in for a drink.

1 Like

Exactly, it’s a privacy feature :slight_smile:

Andre’s post was focused on security.

The ICO describe it as the “security” of personal data…not “privacy” of data.

2 Likes

I’m pretty sure this is out of scope of the ICO as the data is safe from random attackers on the internet. The data is safe and secure as only you and your device can access it (just like with other bank apps).

1 Like

There is an obligation on companies not just to keep personal data secure on servers but in apps too. Failing to provide such security of personal data and making a user dependent on a third-party app to secure their data arguably does not meet their obligations.

However, Principle 7 of the Data Protection Act 1998 is not prescriptive in nature, so there is an onus on Monzo to prove they are following the spirit and intent of the DPA rather than just the wording of this principle.

Formal correspondence has been sent to Monzo on 11th July 2017 pointing out the current requirements and seeking their comments. The ICO will be reviewing the reply sent as part of open case number ENQ0689063 to see if there is sufficient evidence that they are meeting the requirements.

3 Likes

My point was, Monzo is not more nor less secure than any other bank app against an attacker having physical access to the device - in both cases all it takes is leaving some malware on the device or dumping its storage (which includes the authentication tokens it uses to talk to the app’s servers) to get access to that same data.

It’s not always about security though, for me it’s privacy. In a household full of children, if I give them my phone to play a quick game (some of them have worked out my security code now), I don’t want them to have easy access to my account balances.

2 Likes

In this case, would you like them to accidentally click on some malicious ad and install this new free “game”? And then someone else will be able to have access to your account balances.

I’ve educated them to not click random links/install random games. Security I’m not concerned about, it’s privacy that’s key to me.

1 Like

In this specific case an app locking solution would work (some people here mentioned third-party solutions). Also I thought Android had multi-user support by now, maybe you can use that?

1 Like
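The “app locking” idea discussed above, written out as an added Android example (not Monzo’s code and not from anyone in this thread). It assumes the `androidx.biometric` library is on the classpath and uses a hypothetical `BalanceActivity`. The point it illustrates is the one made earlier in the thread: the in-app prompt is a privacy layer on top of the device lock, so it accepts either a strong biometric or the device PIN/password, re-locks when the screen is no longer visible, and shows nothing until the unlock succeeds. It does not defend against malware already running on the device.

```kotlin
// Added example: an "unlock to view" gate for one screen using androidx.biometric.
// Assumes androidx.biometric:biometric on the classpath and an AppCompatActivity host.
// The activity name, strings and balance value are constructed for illustration.
import android.os.Bundle
import android.widget.TextView
import androidx.appcompat.app.AppCompatActivity
import androidx.biometric.BiometricManager
import androidx.biometric.BiometricManager.Authenticators.BIOMETRIC_STRONG
import androidx.biometric.BiometricManager.Authenticators.DEVICE_CREDENTIAL
import androidx.biometric.BiometricPrompt
import androidx.core.content.ContextCompat

class BalanceActivity : AppCompatActivity() {

    // Accept a strong biometric OR the device PIN/pattern/password, so a user with
    // no fingerprint enrolled can still get in. When DEVICE_CREDENTIAL is allowed,
    // the library forbids setNegativeButtonText(), so it is deliberately not set.
    private val allowed = BIOMETRIC_STRONG or DEVICE_CREDENTIAL

    private lateinit var balanceView: TextView
    private var unlocked = false
    private var promptShowing = false

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        balanceView = TextView(this).also { setContentView(it) }
        balanceView.text = "Locked"
    }

    // Re-check whenever the screen comes to the foreground, so handing the phone
    // to someone while the app is in the background does not expose the balance
    // when they switch back. The promptShowing guard avoids re-prompting while a
    // credential screen launched by the library is still in progress.
    override fun onResume() {
        super.onResume()
        if (!unlocked && !promptShowing) requestUnlock()
    }

    // The activity is no longer visible: forget the unlocked state and hide data.
    override fun onStop() {
        super.onStop()
        if (!promptShowing) {
            unlocked = false
            balanceView.text = "Locked"
        }
    }

    private fun requestUnlock() {
        // Only show the prompt if the device has a usable credential; otherwise
        // stay locked rather than silently showing the data.
        when (BiometricManager.from(this).canAuthenticate(allowed)) {
            BiometricManager.BIOMETRIC_SUCCESS -> showPrompt()
            else -> balanceView.text = "No screen lock or biometric available; staying locked"
        }
    }

    private fun showPrompt() {
        val callback = object : BiometricPrompt.AuthenticationCallback() {
            override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
                promptShowing = false
                unlocked = true
                balanceView.text = loadBalance()
            }

            override fun onAuthenticationError(errorCode: Int, errString: CharSequence) {
                // Cancelled, timed out or locked out: keep the data hidden.
                promptShowing = false
                balanceView.text = "Locked ($errString)"
            }

            override fun onAuthenticationFailed() {
                // One bad attempt; the system prompt stays up, nothing to do here.
            }
        }
        val prompt = BiometricPrompt(this, ContextCompat.getMainExecutor(this), callback)
        val info = BiometricPrompt.PromptInfo.Builder()
            .setTitle("Unlock to view balance")
            .setSubtitle("Fingerprint or device PIN")
            .setAllowedAuthenticators(allowed)
            .build()
        promptShowing = true
        prompt.authenticate(info)
    }

    // Constructed placeholder; a real app would fetch this from its backend
    // only after the unlock succeeded, not cache it in the view beforehand.
    private fun loadBalance(): String = "Balance: £123.45 (constructed sample)"
}
```

Two design notes: locking in `onStop` rather than `onPause` keeps the gate from re-triggering when the library shows its own prompt over the activity, and the balance text is only populated inside `onAuthenticationSucceeded`, so a screenshot or task-switcher preview taken while locked shows the placeholder, not the data.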

I could do but when all my other banking apps are pin/password locked it seems a little excessive to be coming up with a solution specifically to get around a shortcoming in Monzo’s app.

In any case, I’m hoping this will be resolved in the updates that come as part of the current account rollout. There’s no point in them making changes now for the pre-paid card.

2 Likes

The Data Protection Act says that: APPROPRIATE TECHNICAL and organisational MEASURES SHALL BE TAKEN against unauthorised or unlawful processing of personal data and AGAINST ACCIDENTAL LOSS or destruction OF, or damage to, PERSONAL DATA. This is the seventh data protection principle.

A pin or password on the Android app would be an appropriate technical measure against accidental loss of personal data.

3 Likes

Well the iOS Monzo app has Touch ID so I’m pretty sure once they launch the current account they’ll have the same features on the Android app.

On the other hand personally I am grateful Monzo did away with all this “security theatre” BS where simply looking at your balance is behind 10 layers of “security” (though all of them will be defeated by malware, making the “security” moot). I remember having to reverse engineer the Nationwide app’s API just so I could make my own lock screen widget to display my balance without typing a PIN, and that was a painful experience I never want to deal with again (they’ve since lost me as a customer in favour of Monzo).

3 Likes

I believe the default should be secure and private with the option to turn it off if you want to.

2 Likes

Should it really be the default? Personally I think your use-case is pretty unique, and most people keep their phones private already (through a lock screen passcode or fingerprint), so I don’t think it makes sense to have it as default. Plus we’d be sinking all the way down to the bottom where the other banking apps we like to mock are.

3 Likes

I think for any app security and privacy should come first. Breaking out of that should be optional.

2 Likes