Banking and security

And… We’re back!

1 Like

And now we’re really back. :man_facepalming:

4 Likes

I think this kind of proves @Dan5’s point, because as bad as this practice is, I still see it in use by some people :person_facepalming: And that’s after years of warnings, training, and the obvious insecurity of such a practice.

If you’re running a bank with millions of customers, trying to get them all to successfully use (remember and not lose) a hardware key is not a reasonable proposition. The only reason the card reader things ever ‘worked’ to the extent that they did is because it was a self-selecting group that used them. There were millions of people who continued to go to the branch and found online banking too complicated, and the card reader will have been part of it.

You really can’t force people to learn if it’s too big of a leap. That’s why it’s so important to design systems that aren’t overly ambitious in what they expect out of the users. Make the required learning ‘reasonable’ for the target audience and with low/no friction.

3 Likes

I don’t think that was an unfair critique; I had the same understanding as @Revels. Claiming something is ‘security theatre’ sounds like it’s a bad system or at best pointless. Your position seems to have shifted from the beginning of the thread to now.

3 Likes

Absolutely the same, it was a pain in the bum. The battery used to run out or I’d lose it, and then you had to go and find a Barclays ATM or something (which they don’t have abroad, which screwed me over when I lost my PINsentry in Australia).

I guess I’m struggling to see what the ‘theatre’ aspect of Monzo’s approach is, then. The only alternatives presented in this thread so far are:

  • hardware key: non-starter as discussed above
  • photo: but this can be too easily faked, hence the need for video with a custom phrase (i.e. the video adds to the security, so is not ‘theatre’)

I’m not sure where you got the impression that the video was put in place to appeal to the ‘Snapchat generation’. In Monzo’s early days no video was required, even for opening an account. Then for a while – a few years? – the only time you had to provide a video was to open an account. Other times a photo was sufficient for verification if needed. The need for a video instead of photo for certain actions came in later, so I assume this was because they found the photo system was not sufficient for preventing fraud. This feels to me like an evidence-based approach, not a theatrical one.

Maybe they’ve accepted that there will be a higher possibility of fraud for a small percentage of their users but that it’s a reasonable tradeoff to be more inclusive? That doesn’t mean the standard procedure is unnecessarily theatrical. As you’ve not described what this accessibility process is, it’s hard to understand what is at play here.

8 Likes

I suspect that this is the holy grail. Impossible to achieve all three (not that I know anything about security).

1 Like

I would expect exactly that. The thief would need to know beforehand that they can exploit you in this way because you opted out.
The same is true of chip and PIN, I heard: if you have issues you can have a signature bit set on the card, although I don’t know if that is still the case.

2 Likes

Just to point out, it was actually relatively difficult to fake the photo as it needed to be taken through the camera on the app, like not a gallery photo or something, and you had to hold your ID up during the photo.

Still clearly possible, hence the shift. But it’d be interesting to know what the exploit was - I doubt a picture held up against the camera would have had any luck succeeding. It did seem relatively secure, but I trust it ultimately wasn’t, as Monzo has always had the absolute least measures possible to keep the account secure.

2 Likes

Yes, good point. I tried to capture that in the word ‘too’ before ‘easily faked’ above, because, like you, I didn’t think it would be easy to fake. But I imagine there was a significant enough risk, otherwise I don’t know why Monzo would have made the process more onerous for a customer they are trying to acquire (account opening time is a prime point for someone to drop out). Maybe with jailbroken phones it’s possible to insert a pre-composed photo into the pipeline or [something something mumble mumble neural nets/pseudo-AI].

1 Like

Yes good point, some sort of software exploit seems most likely. Especially on Android with so many different camera modules.

How do we all feel about Monzo having optional TOTP 2FA? Or supporting a hardware key? As an optional ‘instead of the video authentication’?

I’d certainly be keen for either, I think.

3 Likes

I guess this is a usability call, but in my experience the majority of people find TOTPs confusing (even when relatively well implemented, as Apple does), certainly a lot more confusing than “take a video saying these words”.

This wouldn’t help with opening an account. And for other times (in my experience), isn’t the video required when you are trying to do something in the Monzo app anyway? In which case, they want something more than just being logged into the app already.

Overall, a TOTP sounds more complicated to me, and something to keep track of. Given Monzo don’t even want people to have to keep track of a password, I can’t see this fitting in smoothly with the experience.

[For what it’s worth, I often feel TOTPs are security theatre. I’ve already chosen a secure, unique password, why do I need the hassle of something else when my password will not be cracked?]

I keep meaning to post this. I was researching passkeys the other week, and found it interesting that they used a banking example:

I think my response was a trained psychological response. It was pretty easy / smooth so my brain went ‘hang on, that can’t be secure’.

I still worry that FIDO is a bit regressive, though - how do you create your very first identity, with what data?

I don’t see the point? The app is only on your phone anyway. If someone has access to your phone, they can surely get the TOTP.

1 Like

I meant that a TOTP wouldn’t help with opening an account, which is when the video is required. Since it’s your first interaction with Monzo they need something to verify you are who you say you are. Anyone can generate a TOTP when given a QR code, so it wouldn’t help with the ‘know your customer’ aspect of opening an account.

If that’s the case, where are you suggesting a TOTP would be used instead of a video? I thought the issue in play was that for certain actions in the app a video is required. Maybe I’m misunderstanding what’s being discussed (wouldn’t be the first time!).

2 Likes

Where do we all stand on government issued digital ID? I think Estonia has a digital identity that can be used to authenticate and open bank accounts, so no need for a video or selfie etc.

It feels like it’s a good technical solution but also one that opens up a whole bunch of other issues…

3 Likes

Ah, I see. I go several years between changing phones, so this was not top of my mind. :sweat_smile: Agreed that approving on an existing device would work for this use case. But it seems like such an edge case that I personally wouldn’t want Monzo to spend development time when there’s an existing security procedure. :speak_no_evil:

2 Likes

Continuing the discussion from Banking and security:

Especially when you factor in the macro position that very soon more than half of the population of the world will be out of work (as we automate, and go deeper into things like AI and technological ‘improvements’), and so essentially fewer than 50% of the world’s population will be financially supporting everyone else, all the time.

At some point cutting human business costs becomes a global problem.

2 Likes