These discussions above are (in my opinion) why Monzo was built on iOS first. The adoption rate to the latest version of iOS is far quicker and higher than Android. I can see there being a fair few problems once the feature arrives because all handsets are running different versions of the OS and different hardware.
So where [a few of] you could just install a third party security app to solve this, you would rather the Monzo Android Team switch roles to become an Android App Security team.
Just my two cents, of course.
All views my own, not of any employer and/or associate.
Barclays
Lloyds
TSB
Metro Bank
Handelsbanken
Monese
Starling
Fire
bunq
Nordea
NatWest
RBS
Santander
Ulster Bank
Danske
Bank of Scotland
etc
they all have bothered to add a PIN or password to their apps to protect the security of their customers’ personal data; none of them have said we can’t be bothered, go and use another app to make up for our lack in this regard. None of them have said sorry, we can’t do it as it is too hard for us due to the differences in OS versions or hardware makes and models.
It is lamentable that (a) Monzo do not seem to think keeping their customer data confidential is a concern if it is in the app but only when it is on some server, (b) other users should keep attacking and ridiculing those users who are concerned about the privacy of their data, (c) some people think it is more important to do work on sending emojis than securing customer data from prying eyes.
We are not saying we want to force other users to have to keep their data secure with some pin or password, just that we feel it should be part of the app. There is no reason why this could not be a toggle on/off setting in the settings.
I hate to say it but all comments like this do is undermine your credibility.
For the sake of everyone else in this community, could you please stop repeating the same points? This conversation has been had several times now & trying to start it again from the beginning like this just wastes everyone’s time.
Well, if others keep posting here why we don’t need a PIN or password, or keep telling us to use a third party app, I and others will keep responding. If you think this discussion has been fully covered then close the thread.
You should know by now that you don’t have to have the last post in the topic in order to be ‘right’. At the end of the day, it’s the Monzo team who will build this feature & they’ve read your comments in this thread already. They don’t need to see them again & again.
If it’s raised again, I’m sure that other users are perfectly capable of deciding & explaining whether that solution works for them or not.
That’s not my call, hopefully others will come up with new ideas, which will move the discussion forwards & they should be free to share them.
Since nothing is likely to change before current accounts are rolled in, how about we wait until then?
We’ve been told there will be parity between iOS and Android apps… I’m sure many Android customers will vote with their feet if the app doesn’t meet with expectations.
Apologies for the other thread where I suggested you’d inadvertently revealed your personal data. It was meant in good faith and, judging by your responses here, you know what you’re talking about.
It interests me how much personal data those arguing for more security theatre on here reveal in their use of social media (allowing friends of friends to see check-ins, ‘Liking’ Facebook pages etc.), as hackers are masters at using social engineering to get you to reveal your own data. They do not need access to the actual device to compromise your personal security.
I’ve read this huge thread with initial interest then growing despondency. It would be useful to understand at this point @alexs, what your role is - are you a Monzo employee and therefore formally gathering views pursuant to a design decision? If not, your rather high-handed responses in here are disconcerting. If you are, I’d suggest you’re coming across as rather sharp-edged. Just an enquiry…
Don’t worry it’s fine, I know it was in good faith.
The thing is, I’m not arguing for explicitly revealing information, but just saying that if someone looks at my phone it’s already game over. With just 5 minutes of access to someone’s phone you can quietly reset their email password (or again if you’ve got the knowledge, install malware), and from there you can do a lot more damage. Even if you have two factor authentication, guess where the 2FA codes are? For 99% of people it would be that same phone.
So again, my point wasn’t “let’s show how much money you’ve got to the entire world” but more “if they can have access to your phone your bank balance is the last thing they’d want to see”. It’s like having a robber enter your house and you’re worrying about them looking at your phone/electrical bills - if they’re in your house your bills are the last thing you should worry about.
Or in 2 minutes, you could order a replacement card - locking the account and forcing them to wait for the replacement (which on Saturday means Monday). A nice, quick “practical joke”.
I see your point, but you can equally go to their settings app and reset the phone, and make them spend hours reinstalling their apps and potentially losing some data if they don’t have any backups. With Monzo at least a quick in-app chat would cancel the new card order.
Again, it seems like we’re endlessly arguing about giving a kid a button that says “don’t press” and expecting them to not press it, and then blaming the button when it gets pressed. No, the button was designed with the idea that you won’t be giving it to a kid, and the Monzo app is the same - it’s designed to run on a secure terminal only you can access (because of the system-wide passcode).
Maybe we should start a poll and see what everyone thinks rather than arguing?
According to another thread, you cannot cancel a card replacement. Even if you ‘find’ the card, it should be considered compromised. Similar to if I ‘borrowed’ your phone for 5 minutes.
The elements of this thread + my opinion (if people are losing track):
Android lacks 1st party dashboard security
— hopefully fixed at current account release
— workarounds are available, see above
iOS dashboard security is optional
— I’m fine with this, security is forced for transactions, pin requests etc (but I will turn on the theatre personally)
iOS dashboard security is fingerprint only
— not okay with this, fingerprint scanners can fail
I’ve actually had this exact situation and was able to cancel a replacement card and reuse my existing one when I found it. I think the “card compromise” is handled by the card freeze feature and so you can undo it (I definitely managed to undo mine, and a quick in-app chat cancelled the replacement card).
However, if we evaluate the “security” of Monzo’s PIN/Touch ID protection there is another flaw: those features are purely client-side, so uninstalling/reinstalling the app would clear its state and you can just log in again (through the email app on the same phone), so in this case the entire login process needs to be redesigned and store the password on the server. Again, please make it optional - my password manager is already full as-is - but if you’re gonna offer this option then make it actually secure.
I’m guessing that this is exactly the sort of thing that Daniel was referring to when he mentioned that the app’s security has been redesigned for the current accounts. Perhaps not exactly the solution you’ve suggested but obviously they’re aware of those vulnerabilities.
I think the key thing is that we are still in beta at this stage, so there are always going to be changes and developments. I noted my concern after switching from iOS to Android, but as long as it’s implemented at some point I’ll use the workaround of Norton app lock for now; not going to get all irritated about it.
An off-the-shelf tool that can be bought for $75 will completely take over a phone, and all that is needed is to install an APK (easily doable if you’ve got access to a phone for a few minutes); from there you’ve got complete control of the device and will even be able to bypass Monzo’s PIN if it existed (the same applies to all banking apps).
Hopefully now you understand why the in-app PIN is not that important and that all security is provided by the phone’s PIN/password - if that is compromised all bets are off.
What a load of crap. Yes we know if a phone is compromised people can bypass pins, passwords, fingerprint readers, whatever. But what matters is that on normal uncompromised phones there is no security of your personal data. Anyone with access to your phone can view it as Monzo stubbornly resist adding a simple pin or password to their Android app. It is time Monzo and their fans stop spending time coming up with a defense of this lack of data security and actually add it. Nobody in their right mind will open a current account if the app for that has the same gaping hole.
A PIN will do nothing against an attacker who wants to access your Monzo app and has physical access to your phone - they’ll just have to install malware as I explained previously. This is true for all banks, not just Monzo. You seem to be fine with this risk with all the other banks so why not here?
In the meantime I personally enjoy not having to type a meaningless PIN just to see how much I’ve spent today.
It is not about an attacker; it is about friends, family, kids, work colleagues being able to pick up your phone and view balance, spending history, etc.