App, Security and Privacy (Fingerprint, Pin, or Password)


(Michael Rudloff) #1

I signed up for Monzo due to what I have seen on colleagues’ iOS app. Now I question whether that was wise even during a Beta period.

I don’t understand how any developer for a mobile OS can develop a financial application without ANY security features.

Implementing a simple Pin or Password, Fingerprint Sign on or even JUST the requirement of re-entering the CVV number when depositing - cannot be rocket science.

If it is for your developers, then an app like that should not be released.

You require users to sign up with a debit card, some of which itself don’t have any advanced fraud protection, deposit £100 yet any further deposit can be done without any further security.

If I would accidentally leave my wallet and unlocked phone lying around, someone can instantly load up the card with whatever I got available on my current account and go shopping before I even realise what happened and potentially lose it all as Debit cards don’t have the same fraud protection as credit cards.

Now why ironic ? Because you require a 10-Character password for a community account, where the worst that could happen is someone ‘stealing’ my email address and potential real name.

I am really surprised this got signed off, given the potential fraud nowadays. Yehudi via the App suggested to implement Pin protection of my phone to avoid potential fraud - but this can’t be the answer to it - given that any other financial app I am using implements at least basic security (like re-entering CVV).


#2

But if you lost your wallet and phone they could go shopping with all of your cards anyway (if they are contactless). I’m not sure why they would bother transferring money from one of your debit cards in the wallet to your Monzo card rather than just using your debit cards directly?

I’m not sure why further security is needed for a deposit as that can only result in you gaining money? For a withdrawal and for general privacy pin/fingerprint access could be useful.

People should have their phone locked down though given it is probably the one item that could give someone almost complete access to your life.


#3

If a criminal had your wallet and unlocked phone wouldn’t they just go on a spree with your current account card rather than topping up the monzo card from your current account to go on a spree?

There is no reason why I need loads of passwords to look at my account, that is just the status quo and Monzo are legends for seeing that.

I have legacy accounts with layers and layers of security to view the account online, and someone managed to take a picture of my cards and rinse it out online. By the time I found out they had maxed everything with dozens of transactions. If I had Monzo at the time I would have got a ding and frozen it straight away. You can’t get any more secure than that. If you love unnecessary layers of security I highly recommend First Direct!


(Michael Rudloff) #4

Mmmmm… must have had a brain fart there … Not sure what my brain was on about … of course, the same limits apply for Monzo contactless - you still have the £30 limit and as you guys say - at the end of the day if they got my cards they can go mental anyway …

*slowly walks away backwards*

(Leon) #5

Just on a slightly different aspect of what you were saying. When topping up from my current account to my Monzo card I have to go through Verified by Visa to do so.


(Marc Laurens) #6

Theoretically, maybe if you had your wallet stolen and had the Monzo card and another non contactless card, you could use the non contactless to top up the Monzo and then go spending on the contactless.


(Tom ) #7

Ah you’re still here! Good. Enjoying Monzo?


#8

I have the same thing with SecureCode on my Mastercard debit card top ups


(Leon) #9

Hi ya! How’s things? Well, for one thing the Monzo card is not as bad as it looks on the images shown, so for me that’s a huge plus. It’s still a little too bright for my tastes but it’s growing on me.

As for usage it’s ok. Would I say it’s a game changer? No, or at least not yet. I guess I don’t see Monzo as it’s now really doing anything fresh.

Having up to the minute balance notification alerts and shop location data is fun. Possibly more useful for someone that uses their card more than I do currently. I feel it’s unneeded and would be best utilized when the full fat bank launches. I must add some of the other data like TFL travel and fare data I have not used but would no doubt be really useful to those who use it.

I do value the fact that almost everything can be done via the app, including talking to the Monzo team if need be.

Overall I am happy with it though I do have one eye on the full launch as I think then everything will come together.

P.S. When I said I don’t see Monzo doing anything fresh what I meant was I don’t find it useful as is. When it’s a full fat bank that’s when the above data will be invaluable. Then they will be kicking some serious behinds. As ever if you disagree let me know :slight_smile:


(Casey Rain) #10

The ease of use in “freezing” the card is an excellent security measure.

I notice that the iOS app can also utilise TouchID - I hope the Android app will also soon hook into the fingerprint sensors.

As someone who uses both Android and iOS, I’d say that if anything, the fingerprint sensor on my Nexus 6P is even faster than Apple’s sensors.

As long as your phone is secured with a fingerprint sensor, PIN/password/etc I really don’t think there’s anything to worry about. People who steal phones are usually looking to wipe them as soon as possible these days due to location tracking features. Not go poking around in apps and potentially revealing details.


#11

I must say I was slightly surprised there were no security checks when topping up via debit card, although admittedly it makes it more convenient.

I pressed the top up button expecting it to ask for a security code or at least a confirmation dialogue.

The potential for someone to pick up your phone and deposit £1000s in your Monzo acc (e.g. child, hilarious friend) is slightly worrying.
I wouldn’t be overly worried about fraud in this case, more how I would transfer the money back, and what my current account provider will charge in fees!


(Michael Rudloff) #13

Good point actually - I am not sure you can transfer money out of the card back into a bank account ?


( related to Monzo CEO, Investor in Monzo ) #14

go to your ATM at the bank, withdraw it in cash and pay it back into your account ? give your account fees to your “friend” and see how hilarious they find it :wink:


(Michael Rudloff) #15

Depending on the amount, that could take a while, given the daily limits at ATMs. Either way, to fix it, you pay fees, ATM, PayPal, whatever.

Not sure why it is such a bad idea to have at least the option of additional security.

There is the argument of protecting your phone with pin whatever. I don’t need to. Phone is insured, my mobile plan is unlimited and protected against misuse and emails are received in a Sandbox (Samsung Knox) and any other financial app requires fingerprint to open.

Now I got two options with Monzo on Android.

A. Take it
B. Leave it

Either way, I am happy to still use it, but I don’t see why having an option is such a bad idea.


#16

I find that interesting that you don’t bother securing your phone - I take it that you don’t have any sort of passwords auto saved in your browser or anything?

I do agree though that different levels of security should be available to the user should they wish


#17

I personally don’t secure my phone either. I use LastPass to store all my passwords (with a very secure master password), I’m on prepay so no risk of anyone running up a huge bill, and all banking apps have multi-factor authentication (except Monzo).

I think it’s great that I can view Monzo without typing in multiple passwords but I do think a 4 digit pin code on debit card top ups is sensible.


(Michael Rudloff) #18

I am using KeyPass for passwords, which is cross platform and I don’t store anything in the browser either. Even if I do accidentally, I am logged into Chrome and cleaning history works across platforms also.

So if I notice I lost my phone, I can simply wipe my history from any device.

You can also remotely wipe the device using google device manager.

So yea, only insecure bit on my phone now is Monzo


(Rika Raybould) #19

As someone with a huge interest in mobile security, it’s always fascinating the different ways users choose to secure their devices.

Without any kind of device protection on Android though, anybody can grab your device and use it, set up ADB, extract any data they want, run practically any code they want, lock you out of any ADM actions and begin breaking in to accounts using recovery methods including SMS and phone calls using your number.


(Michael Rudloff) #20

Then you should be one who would support additional security on financial applications, rather than saying you need to secure your phone instead.

What you describe makes maybe sense for people who have their whole life on the phone - but as I say - all sensible stuff is in a secure area - Samsung Knox has even been approved by the US Military …

If you are so worried about ADB and ADM actions - then why not worry about someone finding a way to use the Monzo app to redirect money somewhere where it doesn’t belong?


(Michael) #21

I had to take Monzo off my iPad as my daughter could just top my card up without requiring any pins at all :expressionless:

So I now rely on Monzo on Android to top up.

Hopefully a pin to open the app / top up is the next feature on iOS/Android.