Issue:
Default post install state - The application opens without any authentication. No pin or any other auth is required to open the app to gain full access to the account.
If a person loses their phone, they also lose their finances.
Details to reproduce:
Tap it, app opens revealing full access to account.
What's SCA? And don't you think that a successful authentication should be required by default to open the application?
No other banking app that I have come across will allow anyone to see balances, transactions etc without first authenticating.
Enabling things after install is not a good security policy. The average user is not aware of the threats and trusts that Monzo know what they are doing. I know people who have no lock on their phone and leave it laying around.
Strong customer authorisation. You need to enter your PIN to open the app after installing it
All other banks let you move money once you've logged in, Monzo requires authorisation at that stage.
I don't know anyone who doesn't have a lock on their phone. That would expose your email account which is a lot more dangerous than seeing where you shop
It's not a bug, it's a feature and it's actually a big reason why I and many others use Monzo.
By removing the friction of logging in to your account you're more likely to check your balance and keep on top of your finances.
If you want to actually move money out of the account you'll need either your pin number or biometric authentication. You'll also be occasionally challenged for a pin or biometrics in general use.
If you're concerned then you can turn the app lock on in the settings.
As other users have mentioned, this is neither a bug nor a misconfiguration. It's an intended design / UX choice.
Our app is designed in such a way that you would need to know the PIN to actually take any notable action within the app. However, if the user would like to enable additional security for their own peace of mind, we have the option to enable fingerprint unlock or FaceID.
It's perhaps worth pointing out that in an investigative report, the BBC considered our security to be above all other banks in the UK.
Thank you for your response Simon. May I respectfully suggest that you consider moderating this bug report forum in future as the aggressive and adversarial responses before yours to my attempt to help has left a bitter taste. Word of mouth is a powerful marketing tool and a switch to a competitor is a few taps away and others may be discouraged from seeking help or reporting bugs in future, I know I won't bother.
I am a developer who regularly uses bug trackers and this is a bit of a farce.
I am grateful for your cordial and constructive response however I can assure you that the BBC have nothing to do with concerns, only that when comparing with Bunq and Revolut, Monzo leaks the most personal information and uses the least amount of preventative security.