I mean video helps with that; it's harder for people to steal my face saying a specific phrase while saying "let me into my bank", backed up with IR scanning to really reduce factors.
Citation/explanation about how it's so barebones and how others do it far less barebones/more securely?
I mean TOTP is screwed if your phone is stolen with PIN, as people can have access to that from your phone; then also people have a habit of using the same PIN on everything such as bank card and phone, and even if it's different there is a chance it's saved on the phone.
It’s already (partly) here. In Scotland I can access various government and council services using Yoti. I like this system. The company seems trustworthy, personal data is stored on my phone, and it only shares as much as needed for a particular service.
You forgot access to your email, which if it's Google hosted is better secured, but if it's on some old ISP it could be trivial.
Really, really not great given the slackness for verification; it needs to contend with mic issues and the ability to fake voice on demand.
I mean both of those are weaker than video by quite a bit.
Yeah, that's hated by so, so many, which is why it's dead with a lot of banks now.
Gawd, that would end any use by my folks or a lot of folks if you had all that. To be fair RBS is kinda shite too; I have an online account number + a special PIN + password to log in to that, but on my phone it uses a different password + some terrible face scan.
I would like the ability to set an account password in Monzo, but all of these security measures will have to have a way to reset, and it's the social side that really causes the weakness.
The magic link Monzo uses is brilliant, but it depends on email security, which is vastly variable; if you also need the card's PIN and a harder-to-fake video, that will reduce the risk without being too much to put people off.
I do think Monzo have traded a lot of the convenience against security sides well. The video is actually something that can and will cause issues when most of those other methods can be leaked.
Depending on what that contains, and my ability to know your PIN when I stole your phone, that would potentially allow a LOT of access, but even then you have to trade off convenience against security. If anything the need for that note shows that the bank has gone too far. I don't expect you to have literally everything verbose, more clues to remind yourself, but the post-it folks will, all those other factors just for a note to get around it all.
I get access to that (even if you have not put all the details in there, I know people that would) and never get challenged by a video; I have full control. The video though stops a lot of damage, especially with large transfers.
The more I think about it, the more I think all banks will use video verification because it's a natural extra enhancement and is difficult to fake; it's also difficult to social engineer against bank staff with the whole "I don't have access to my money and we are about to die from lack of food" stories.
I don't want it to sound like I am tearing you, I know you have video selfie issues, but I really do think it's a very good additional factor that is simple for many to use with few drawbacks and not just marketing.
EDIT: I have Yubikeys using FIDO; it's brilliant to prevent phishing but secured by a PIN, which most will use as 4 digits and it will be the same as their phone/DOB/etc., so it falls down if it's stolen.
Anarchist
Generally in favour for me. With the cost and effectiveness caveats, of course.
It can be if you're starting from scratch, but lately they've simplified things and transferring between phones is just scanning a QR code.
The new challenge which many outside of this forum may not have considered is the growing art of getting people to expose their phone's PIN unlock code. It's especially nasty on Apple phones, as you can lock out every other connected Apple device.
So - obviously without giving anything compromising away - what steps/measures/routines do you use as a customer to protect yourself? What do you do to minimise risk?
I understand that there are pay-offs between security processes and convenience.
Somewhere (in a different thread, I believe) I have read of someone using a separate phone for banking; that is its sole function.
For me personally, that would probably be too inconvenient. I feel that it would be more likely for me to lose a phone, if I had two to constantly worry about.
Just how secure are password managers for example?
I do something like this. On my primary phone I only have a small number of financial apps - Monzo, one credit card app, and PayPal. And I only keep a relatively small amount of money in my Monzo account.
Everything else (savings bank, investment apps and crypto accounts) is on another device that stays at home and only really gets turned on when I want to interact with those apps. Aside from addressing a security concern, I also think it's healthy not to have the temptation of regularly looking at investment accounts.
Depends what I'm doing. There are instances where I am sending PGP messages off TailsOS, but let's not talk about those.
Actually I do way too much. It’s just a trait of mine that I worry about these things and doing more helps me not to worry. I do keep my savings accounts off my phone for example (on my desktop or laptop, not on another phone!).
Obviously I use a password manager (1Password) with a very secure master password. 2FA on most things. A child lock password on my iPhone, lots of other little stuff.
One thing I do that might seem odd, is that I don’t use 2FA on my main email. Instead it has a four random word password committed completely to memory. It isn’t in my password manager either. The reason is, I won’t forget it and if I were to lose my phone I’d still have access to my email, from there I could hopefully reset passwords etc, re-download the Monzo app so I have money, stuff like that.
I also faceID lock pretty much every important app, that’s because there are people in my house I don’t trust tbh, and they could easily pick up my phone as I’m always leaving it everywhere.
Is your email separate from the iCloud account you use with your phone?
The main thing the recent WSJ article made me realise is I’m vulnerable to someone locking me out of my primary email if they discover my phone passcode (because it’s the Google account I use for my Android phone). I think I need to switch to using a different account for my email or a different account for my phone so they are uncoupled.
I’ve had a good read through some of the NCSC materials - interesting stuff. I’ve also done a fair bit of reading user reviews etc., of 1Password and that is a route I will probably take.
But there is one last step for me to take.
It still seems counter-intuitive to put pretty much all of my security in one environment, which by its very nature would identify itself as a prime target for those who would wish to take what is ours.
What gives you peace of mind that 1Password (Bitwarden etc.) is secure enough?
Thanks for the link. I’ll have a look at that shortly.
I was thinking more along the lines of 1Password as an entity being the target of concerted attacks and suffering a data breach and the integrity of the stored data being under threat of being compromised.
Or am I missing something blindingly obvious about how their security and encryption function?
The data is stored on device, with not only your password but also the secret key that even they don’t know. So someone would need to have both of those values.
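Added example, not 1Password's own code and not from the reply above: a simplified model of the two-secret idea it describes, where the provider stores only a salt and a verifier, so even a breach of that data plus a correct password guess fails without the device-held secret key. The iteration count, label strings and demo password are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed illustration of a "two-secret" vault key: BOTH a user-chosen master
# password and a random device-held secret key are needed. Not 1Password's algorithm;
# the iteration count and label strings below are assumptions for the demo.
PBKDF2_ITERATIONS = 100_000


def generate_secret_key() -> bytes:
    """High-entropy secret key created on the device; never uploaded to the provider."""
    return secrets.token_bytes(16)


def derive_vault_key(master_password: str, secret_key: bytes, salt: bytes) -> bytes:
    """Return a 32-byte vault key; a wrong value for either input gives an unrelated key."""
    # Slow, salted password hash: limits offline guessing if salt and verifier leak.
    pw_part = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=32
    )
    # Expand the random secret key with HMAC-SHA256, bound to the same salt.
    sk_part = hmac.new(secret_key, b"vault-key" + salt, hashlib.sha256).digest()
    # XOR-combine: holding only one of the two parts reveals nothing about the key.
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))


def make_verifier(vault_key: bytes) -> bytes:
    """Value the provider can store to check an unlock without holding the vault key."""
    return hmac.new(vault_key, b"unlock-check", hashlib.sha256).digest()


def unlock(master_password: str, secret_key: bytes, salt: bytes, verifier: bytes) -> bool:
    """True only if both the password and the secret key are correct."""
    candidate = derive_vault_key(master_password, secret_key, salt)
    return hmac.compare_digest(make_verifier(candidate), verifier)


def breach_scenario() -> dict:
    """Model a provider breach: attacker has salt + verifier and guesses the password."""
    secret_key = generate_secret_key()
    salt = secrets.token_bytes(16)
    password = "correct horse battery staple"  # constructed demo password
    verifier = make_verifier(derive_vault_key(password, secret_key, salt))
    return {
        # Stolen server data and the right password, but no device secret key:
        "password_only": unlock(password, b"\x00" * 16, salt, verifier),
        # Secret key taken from a device, but the wrong password:
        "secret_key_only": unlock("wrong password", secret_key, salt, verifier),
        # The legitimate owner with both secrets:
        "both": unlock(password, secret_key, salt, verifier),
    }
```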
Thank you both for clarifying things for me - that’s a big help.
For daily IT use, I was one of the self-taught generation and a recurring issue for me has always been that I don’t know what I don’t know and often a helpful clarification/explanation makes all the difference.