Banking and security

I think this kind of proves @Dan5’s point, because as bad as this practice is, I still see it in use by some people :person_facepalming: And that’s after years of warnings, training, and the obvious insecurity of such a practice.

If you’re running a bank with millions of customers, trying to get them to all successfully use (remember and not lose) a hardware key is not a reasonable proposition. The only reason the card reader things ever ‘worked’ to the extent that they did is because it was a self-selecting group that used them. There were millions of people who continued to go to the branch and found online banking too complicated, and the card reader will have been part of it.

You really can’t force people to learn if it’s too big of a leap. That’s why it’s so important to design systems that aren’t overly ambitious in what they expect out of the users. Make the required learning ‘reasonable’ for the target audience and with low/no friction.

3 Likes

I don’t think that was an unfair critique; I had the same understanding as @Revels. Claiming something is ‘security theatre’ sounds like it’s a bad system or at best pointless. Your position seems to have shifted from the beginning of the thread to now.

3 Likes

Absolutely the same, it was a pain in the bum. The battery used to run out or I’d lose it, and then you had to go find a Barclays ATM or something (which they don’t have abroad, which screwed me over when I lost my PINsentry in Australia).

But that’s not what security theatre is though, or at least isn’t what I mean by it. They’re still secure systems, just needlessly theatric as a means to imply it’s more secure than it really is. Because it matters more how it feels. Security theatre ≠ insecure nor bad. Neither of which I’ve used to describe it, other than to suggest there are better.

Different stacks for different threat models and all that, but that’s not the impression I get for why Monzo chose the approach they did. Because going by experience, it feels marketing driven to me. Especially taking into account their target demographic and who was social media king at the time.

At the base level, it’s just a form of multi factor authentication. There are many ways of implementing a multi factor stack with less theatre. Monzo even concede a bit of the theatrics for accessibility, so it can’t be that important in the first place. And Chase is much more mild.

Think of it like your bank’s card reader again. It’s secure. But it’s done over the top. And the gain for the OTT implementation is minuscule over something that could just be easier and much simpler for all customers. This is just the modern Snapchat era spin on that.

My position hasn’t shifted at all, I’ve just tried to clarify it. I never described it as bad, I described it as secure. I also described the method as theatre and still stand by that, because in my opinion, it is. I think the nature of the video is a bit pointless yes, so your at best interpretation is the right gist for what I was trying to say.

I guess I’m struggling to see what the ‘theatre’ aspect of Monzo’s approach is, then. The only alternatives presented in this thread so far are:

  • hardware key: non-starter as discussed above
  • photo: but this can be too easily faked, hence the need for video with a custom phrase (i.e. the video adds to the security, so is not ‘theatre’)

I’m not sure where you got the impression that the video was put in place to appeal to the ‘Snapchat generation’. In Monzo’s early days no video was required, even for opening an account. Then for a while – a few years? – the only time you had to provide a video was to open an account. Other times a photo was sufficient for verification if needed. The need for a video instead of photo for certain actions came in later, so I assume this was because they found the photo system was not sufficient for preventing fraud. This feels to me like an evidence-based approach, not a theatrical one.

Maybe they’ve accepted that there will be a higher possibility of fraud for a small percentage of their users but that it’s a reasonable tradeoff to be more inclusive? That doesn’t mean the standard procedure is unnecessarily theatrical. As you’ve not described what this accessibility process is, it’s hard to understand what is at play here.

8 Likes

I suspect that this is the holy grail. Impossible to achieve all three (not that I know anything about security).

1 Like

I would expect exactly that. The thief would need to know beforehand that they can exploit you in this way because you opted out.
The same is true of chip and PIN I heard: if you have issues you can have a signature bit set on the card, although I don’t know if that is still the case.

2 Likes

Just to point out, it was actually relatively difficult to fake the photo as it needed to be taken through the camera on the app, like not a gallery photo or something, and you had to hold your ID up during the photo.

Still clearly possible, hence the shift. But it’d be interesting to know what the exploit was - I doubt a picture held up against the camera would have had any luck of succeeding. It did seem relatively secure, but I trust it ultimately wasn’t, as Monzo has always had the absolute least measures possible to keep the account secure.

2 Likes

Yes, good point. I tried to capture that in the word ‘too’ before ‘easily faked’ above, because like you I didn’t think it would be easy to fake. But I imagine there was a significant enough risk otherwise I don’t know why Monzo would have made the process more onerous for a customer they are trying to acquire (at account opening time, this is a prime point for someone to drop out). Maybe with jailbroken phones it’s possible to insert a pre-composed photo into the pipeline or [something something mumble mumble neural nets/pseudo-AI].

1 Like

TOTP was the first one suggested, and the one I backed as a more convenient method. Don’t need a hardware key.

It’s also pretty well regarded that an already authenticated device is sufficient for authenticating another without needing to go through the whole process again. Just let me approve the login via the Monzo app on the phone I’m already signed into. Use my card PIN as part of the equation and then we have essentially a simple method that’s 3FA (and 4 step), but much easier and quicker than the 2FA we have to go through, and definitely more secure.

Again it has an attack vector in the form of a stolen device. No method is impervious to one, not even video based facial biometrics. There’s always going to be a trade off, and no implementation is secure against everything.

Just the timing of the bank account launch, the demographic they appealed to. I actually think it was Monzo’s founder who referenced building it for the Snapchat generation. Or it might have been WhatsApp. My memory going that far back is a bit fuzzy. But the comparison was made to explain things like the onboarding, the emojis, tone of voice, etc.

You don’t have to speak the phrase. You can have it held up on an iPad screen, or a piece of paper. Or the one time the phrase had changed between my typing it up and going through it, I didn’t need to have it written down at all. They just wanted to see my face. Once it’s whittled down to that point, it’s just the same as what Chase ask of you as standard.

Whilst it might just be a weakening of the security for an accessibility use case, that’s every bit as speculative as my own opinion. Banks don’t normally undermine the integrity of their security for accessibility. We certainly never did at Barclays. We offered other avenues, but they had to hold up to the very same security standards.

Yes good point, some sort of software exploit seems most likely. Especially on Android with so many different camera modules.

How do we all feel about Monzo having optional TOTP 2FA? Or supporting a hardware key? As an optional ‘instead of the video authentication’?

I’d certainly be keen for either, I think.

3 Likes

I guess this a usability call, but in my experience the majority of people find TOTPs confusing (even when relatively well implemented as Apple does), certainly a lot more confusing than, “take a video saying these words”.

This wouldn’t help with opening an account. And for other times (in my experience), isn’t the video required when you are trying to do something in the Monzo app anyway? In which case, they want something more than just being logged into the app already.

Overall, a TOTP sounds more complicated to me, and something to keep track of. Given Monzo don’t even want people to have to keep track of a password, I can’t see this fitting in smoothly with the experience.

[For what it’s worth, I often feel TOTPs are security theatre. I’ve already chosen a secure, unique password, why do I need the hassle of something else when my password will not be cracked?]

I think options are always when it comes to security. Especially if you want to be as inclusive as you can be, so long as they meet the same standards that are required. Even Apple of all companies is starting to improve at this. Don’t have much hope for banks though.

I keep meaning to post this. I was researching passkeys the other week, and found it interesting that they used a banking example:

I think my response was a trained psychological response. It was pretty easy / smooth so my brain went ‘hang on, that can’t be secure’.

I still worry that FIDO is a bit regressive, though - how do you create your very first identity, with what data?

I don’t see the point? The app is only on your phone anyway. If someone has access to your phone they can surely get the TOTP.

1 Like

For what it’s worth, Starling made the same concession for opening my account. Their system wasn’t clearly designed for it mind though, so it was rather frustrating.

I do believe Monzo will do it for opening an account as well. There’s a policy about it somewhere on the website! Will dig it out later.

https://monzo.com/blog/2019/08/28/take-a-video-selfie-to-sign-up-for-monzo

It’s at the bottom. Doesn’t say it there, but if you have problems with the alternatives it’s literally just a selfie equivalent they’ll accept.

Only for large transfer requests AFAIK, and it’s more just because they’re a bit lacking in a proper security stack is my guess. Monzo’s security stack is about as barebones as a bank would be allowed to get away with. Other banks don’t ask for that, though some use Atom’s security approach for it.

I meant that a TOTP wouldn’t help with opening an account, which is when the video is required. Since it’s your first interaction with Monzo they need something to verify you are who you say you are. Anyone can generate a TOTP when given a QR code, so it wouldn’t help with the ‘know your customer’ aspect of opening an account.

If that’s the case, where are you suggesting a TOTP would be used instead of a video? I thought the issue in play was that for certain actions in the app a video is required. Maybe I’m misunderstanding what’s being discussed (wouldn’t be the first time!).

2 Likes
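As an added illustration of the point made in the post above (this is example code written for this page, not Monzo’s or any bank’s implementation), here is a minimal RFC 4226 / RFC 6238 HOTP/TOTP implementation in Python. The 20-byte secret and its base32 form are the published RFC test values, used here as constructed sample input, and the function names are my own. It shows that whoever holds the base32 secret encoded in a provisioning QR code can mint every valid code for that account: a TOTP proves possession of a shared secret, not who the person holding it is, which is why it adds nothing to the ‘know your customer’ step at account opening.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse

# Constructed sample input: the reference secret from RFC 4226 / RFC 6238.
# Any party holding these 20 bytes can generate valid codes; nothing about
# the bytes is tied to a real-world identity.
RFC_TEST_SECRET = b"12345678901234567890"

# Constructed sample input: the otpauth:// URI a provisioning QR code would carry
# for that secret (base32 of the bytes above). Label and issuer are hypothetical.
SAMPLE_OTPAUTH_URI = (
    "otpauth://totp/ExampleBank:alice%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=ExampleBank"
)


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HMAC-based one-time password (RFC 4226).

    HMAC the 8-byte big-endian counter with the shared secret, then apply
    dynamic truncation: the low nibble of the last byte selects a 4-byte
    window, whose top bit is cleared before reducing modulo 10**digits.
    """
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """Time-based one-time password (RFC 6238): HOTP with counter = time // step."""
    return hotp(secret, unix_time // step, digits, algo)


def secret_from_otpauth_uri(uri: str) -> bytes:
    """Recover the shared secret from the otpauth:// URI inside a provisioning QR code.

    This is the whole 'enrolment': scanning the QR code copies the secret.
    No identity evidence is involved, so possession of the URI is possession
    of the ability to authenticate.
    """
    params = parse_qs(urlparse(uri).query)
    b32 = params["secret"][0].upper()
    b32 += "=" * (-len(b32) % 8)  # restore the base32 padding URIs usually omit
    return base64.b32decode(b32)


def verify_totp(secret: bytes, candidate: str, unix_time: int,
                step: int = 30, window: int = 1) -> bool:
    """Server-side check: accept the code for the current step or +/- window steps.

    Uses a constant-time comparison so the check does not leak how many
    leading digits matched. A production verifier would also remember the
    last accepted step so the same code cannot be replayed within the window.
    """
    step_now = unix_time // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, step_now + delta), candidate):
            return True
    return False


if __name__ == "__main__":
    # Anyone with the QR code payload derives the same secret and the same codes.
    derived = secret_from_otpauth_uri(SAMPLE_OTPAUTH_URI)
    print("secret recovered from QR payload:", derived == RFC_TEST_SECRET)
    print("code at t=59 (RFC 6238 vector, 8 digits):", totp(RFC_TEST_SECRET, 59, digits=8))
```

The verifier accepts a one-step clock skew in either direction, which is the usual compromise between tolerating phone clock drift and keeping the window of valid codes small; widen it and an intercepted code stays usable for longer.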

Where do we all stand on government issued digital ID? I think Estonia has a digital identity that can be used to authenticate and open bank accounts, so no need for a video or selfie etc.

It feels like it’s a good technical solution but also one that opens up a whole bunch of other issues…

3 Likes

That would be nice in the UK, but it’s barely rolled out in the U.S. Heck, we don’t even have the emergency message alerts; it’s been in ‘testing’ since last year though.

About Emergency Alerts - GOV.UK (www.gov.uk)

1 Like