App, Security and Privacy (Fingerprint, Pin, or Password)


#98

Agree, and this has been mentioned before when discussing accessibility…but perhaps conveniently forgotten


(Chris Lavender) #99

I use my One Plus 3’s built-in app Locker to protect all financial, messaging and sensitive apps. It works better than any 3rd party app.

I’m not sure if app Locker is a standard part of Android Nougat?

I use fingerprint but it can also use a pattern or PIN for those who don’t have a fingerprint reader.


(Ravinder Sembi) #100

For the app, it would be nice to have the option to use the fingerprint reader to unlock the app for added security.


#101

I believe Monzo itself should at least provide the option of specific security on accessing the app, especially to top up or transfer money. The security I apply to other apps and features of my android phone are a separate matter, and Monzo should not rely on them.

So, without any Monzo security I tried to use additional Android app security measures. I had problems using Avast app locking and Monzo (I can’t log on properly because the app gets tangled up with entering the Avast PIN). I decided to try the “protected apps” feature of LineageOS 14.1 on my Android phone. Monzo is now invisible to at least casual users. It’s not perfect, but better than nothing.

I assume that if my phone does get lost or nicked I can ring up the Monzo help desk to get the card suspended - is that true?


(Alex Sherwood) #102

Yes, you can just call the number on the back of the card.


#103

The 0800 won’t always work from abroad, if not then try:


(Jolin) #104

The latter is already the case. I haven’t used the Android app, but I believe when transferring money it is the same as the iOS one, in that it requires your card PIN to be entered. Topping up involves adding funds to your account, not removing them, so it doesn’t require a PIN. This is not to detract from the reasons (discussed :arrow_up:) that people want to be able to protect the Monzo app, but to hopefully give you some reassurance that your money is not at risk even without an app-level PIN.


#105

To me it is not a risk over money but the fact personal private financial information like balance, transactions, address, email, etc are all open to view by anyone using the phone due to the dire lack of any basic security guarding access to the app. I know @alexs will say it is privacy not security but that is petty semantics. It is security of my data, that is my concern. Without a simple PIN or password to protect access to my data the app is not a credible option for a full current account when it is launched. Such functionality should be baked into the app, rather than have to resort to a third party app to make up for this serious omission.


(Alex Sherwood) #106

I’ll just leave this here…

This post.


Edited to make the over-sized screenshot smaller.


#107

I know I use it but I shouldn’t have to.

I am now contacting the data regulators to ask them their opinion on this matter.


(Tom) #108

I don’t really get this… We seem to always go round in circles on this issue.

Monzo have said they are adding fingerprint technology to the Android app https://trello.com/c/SQYxkP6v - likely when the current accounts roll out. Development on the prepaid app is pretty much done I would imagine - why would they invest time and money into development of apps that will be redundant in a matter of months? The prepaid and current account offerings are completely separate products.

You signed up for a Beta program - and as part of that - unfortunately you have to accept that it isn’t a finished product.

I understand you are frustrated but the feature you’re so desperate for is coming.


(Gareth) #109

When you’ve waited 9 months for a feature, what’s 6-9 more…

That’s for fingerprint, not a pin. @hugo is questioning if PIN fallback should be a thing (despite both Apple and Google OS implementations suggesting it should be, and it being in Android Material guidelines that fingerprint should not be the only authentication method used).

Personally, I’m not too fussed. But as it is, if I hand my unlocked phone to someone to show them a picture or video, 3 taps and they see every transaction I’ve made. It shouldn’t be a third party app or changing user in Android as the solution.


(Tom) #110

Agreed

I’m absolutely on the side that it should be, and was actually quite surprised it isn’t in the iOS app currently.


(Alex Sherwood) #111

Clearly the Monzo team agrees as fingerprint protection is on the roadmap so the question is “how urgent is this?” & the team clearly don’t think it’s very urgent - presumably because users have those alternatives in the meantime.


(Gareth) #112

Search is obviously more urgent :slight_smile:


(Jolin) #113

Yes, I don’t understand what the argument is for not providing PIN as a fallback. Is there some sort of security issue? I’m surprised there is a discussion around this. Even if everyone had a fingerprint scanner (they don’t), it often doesn’t work if using your phone in drizzle/wet/sweaty conditions.


(Alex Sherwood) #114

This was discussed a while ago in the developer’s Slack. I won’t post the whole conversation without the context but it’s worth pointing out that -

So it’s probably not worth taking the time to discuss this until the current accounts launch & we know what the security features will be.

Then, since there will be a white paper on this, the experts in this community will have an opportunity to take part in a peer review on Monzo’s approach :wink:

And just in case everyone wants to carry on discussing this now, here’s some food for thought -

so if anyone wants a PIN, I’d be keen to hear their solution for the recovery process too…


#115

What’s the damage someone could do with access to the Monzo app? They can’t wire money out of the account, they can’t get the card number either, so to take your money they’d need the physical card anyway.

To be honest given how much personal data we keep on our phones someone having access to the Monzo app would be the least of my worries.

I think this kind of reaction is the consequence of all the “security theatre” implemented by legacy banks, where you have to go through 10x different authentication systems just to see your balance. People eventually get used to it and immediately discard anything less annoying as insecure without thinking of the actual risks (or lack thereof). I am glad Monzo is cutting that crap and saves me time and frustration.


(Patrick) #116

It’s important to note that this PIN/Password/Fingerprint is an app lock mechanism only; this PIN should ideally be different to your card’s PIN. Since it’s an app-related PIN, I wouldn’t expect it to be there when reinstalling the app, so I don’t think there really needs to be a recovery method. If someone forgets it, then they can just be permanently locked out, requiring them to go through email re-authentication with the magic link again, after which they can then set a PIN as if for the first time on a fresh app.

More than a fallback, I think the reasoning in Android is that fingerprint is never the main method of unlocking the phone; it’s just an extra that simplifies the actual unlocking process. Fingerprint has its own entry in the security settings (at least on my phone, I can provide screenshots if needed) and it is not included in the main lock options, of which you need to choose one before you can even enable fingerprint. You also can’t use fingerprint to unlock the phone on start-up for some reason. This is the kind of fingerprint authentication philosophy I would expect: PIN first and a fingerprint if phone-enabled to bypass this in a faster, handier way.

I personally don’t care for this extra security; my phone is PIN/fingerprint protected and I’m its only user. But I do feel that if Monzo are going to allow users to lock their apps, they should allow a PIN fallback because, while it doesn’t happen regularly, every now and again my fingers don’t work and I have to unlock the phone with the PIN. It would frustrate the life out of me to occasionally find myself locked out of the Monzo app because fingerprint wasn’t being recognised.


(Alex Sherwood) #117

In that case, the PIN wouldn’t be effective protection at all because the phone’s user will also have access to their emails (unless they’ve protected them via a PIN & in which case what’s the recovery process for that one?) so they can just delete the app, remove the PIN protection & then log in via the magic link.