Banking and security

Ah! My bad!

Signing in on a new device. That’s the brunt of my qualm (it stemmed from @ravipatel complaining about the process of signing in on a new device). For signing up, sure, I can see how it’s important, and TOTP indeed doesn’t work for that process.

1 Like

I’m sure it’s a whole other can of worms, but I’ve imagined the smartphone itself would wind up filling this role down the line, only sanctioned by Apple/Google as opposed to the government. It’s sort of already making its first step.

I’d personally trust them more with the ever so important privacy element of managing something like that.

To play devil’s advocate though, as neat as things like that sound, they’re all susceptible to the theft issue, and there’s no decent solve for it (yet).

Ah, I see. I go several years between changing phones, so this was not top of my mind. :sweat_smile: Agreed that approving on an existing device would work for this use case. But it seems like such an edge case that I personally wouldn’t want Monzo to spend development time when there’s an existing security procedure. :speak_no_evil:

2 Likes

Continuing the discussion from Banking and security:

Especially when you factor in the macro position that very soon more than half of the population of the world will be out of work (as we automate, and go deeper into things like AI and technological ‘improvements’), and so essentially fewer than 50% of the world’s population will be financially supporting everyone else, all the time.

At some point cutting human business costs becomes a global problem.

2 Likes

I mean video helps with that, it’s harder for people to steal my face saying a specific phrase while saying “let me into my bank” backed up with IR scanning to really reduce factors.

Citation/explanation about how it’s so barebones and how others do it far less barebones/more secure?
I mean TOTP is screwed if your phone is stolen with the PIN, as people can have access to that from your phone; then also people have a habit of using the same PIN on everything such as bank card and phone, and even if it’s different there is a chance it’s saved on the phone.

1 Like

It’s already (partly) here. In Scotland I can access various government and council services using Yoti. I like this system. The company seems trustworthy, personal data is stored on my phone, and it only shares as much as needed for a particular service.

Would be great for it to be more widely adopted.

3 Likes

So I just mean how there’s fewer options to pull from vs other banks.

Monzo only has one of each by my understanding:

  • Your video selfie (something you are)
  • Your card Pin (something you know)
  • Your phone (something you have)

Various other banks have multiples of these, some require the use of all of them, some give you options. You really only need three though, but options are nice.

  • A password (something you know)
  • A second password (something you know)
  • A third password [sometimes called a key] (something you know)
  • a passcode (something you know)
  • your card pin (something you know)
  • security questions (something you know)
  • your phone (something you have)
  • pin sentry (something you have)
  • your voice hash (something you are)
  • your face hash (something you are)
  • your face (something you are)

Now the way a lot of banks put all this together is over the top and obtuse. No reasonable human can remember everything banks expect you to know without writing it down somewhere, which only undermines it. I have a (Face ID protected) note on my phone titled BANK STUFFZ with all this stuff for my many accounts, otherwise I’d lose access to almost all of them.

But they have more things to pull from for you to pass through their security process. Monzo don’t, so it really has to be the video selfie they use. They don’t have anything else to authenticate you by. There’s your card pin, but that’s very weak.

Hopefully that explains what I mean. Wasn’t meant to be a criticism to suggest it’s weaker than other banks. I think Monzo is better, but that there’s room for improvement.

2 Likes

I have all my bank logins and all the various passwords and codes in 1Password so I don’t have to worry about remembering them.

3 Likes

You forgot access to your email, which if it’s Google hosted is better secured, but if it’s on some old ISP it could be trivial.

Really really not great given the slackness for verification; it needs to contend with mic issues and the ability to fake voice on demand.

I mean both of those are weaker than video by quite a bit.

Yeah, that’s hated by so so many, which is why it’s dead with a lot of banks now.

Gawd that would end any use by my folks or a lot of folks if you had all that. To be fair RBS is kinda shite too, I have an online account number + a special pin + password to login to that but on my phone it uses a different password + some terrible face scan.

I would like the ability to set an account password in Monzo, but all of these security measures will have to have a way to reset, and it’s the social side that really causes the weakness.

The magic link Monzo uses is brilliant, but it depends on email security, which is vastly variable; but if you also need the card’s PIN and a harder-to-fake video, that will reduce the risk without being too much to put people off.

I do think Monzo have traded a lot of the convenience against security sides well. The video is actually something that can and will cause issues when most of those other methods can be leaked.

Depending on what that contains and my ability to know your PIN when I stole your phone, that would potentially allow a LOT of access, but even then you have to trade off convenience against security. If anything the need for that note shows that the bank has gone too far. I don’t expect you to have literally everything verbose, more clues to remind yourself, but the post-it folks will, all those other factors just for a note to get around it all.

I get access to that (even if you have not put all the details in there, I know people that would) and never get challenged by a video, I have full control. The video though stops a lot of damage, especially with large transfers.

The more I think about it the more I think all banks will use video verification because it’s a natural extra enhancement and is difficult to fake; it’s also difficult to social engineer against bank staff with the whole “I don’t have access to my money and we are about to die from lack of food” stories.

I don’t want it to sound like I am tearing into you, I know you have video selfie issues, but I really do think it’s a very good additional factor that is simple for many to use with few drawbacks and not just marketing.

EDIT: I have Yubikeys using FIDO, it’s brilliant to prevent phishing but secured by a PIN which most will use as 4 digits, and it will be the same as their phone/DOB/etc, so it falls down if it’s stolen.

3 Likes

Generally in favour for me. With the cost and effectiveness caveats, of course.

2 Likes

HSBC group are by far the worst for this stuff looking at my notes!

Hatch Bank, a digital-first bank that provides infrastructure for fintech companies offering their own brand credit cards

There’s lots of 3rd party companies that you also need to trust, anyone from app analytics to KYC outsourcing.

1 Like

It can be if you’re starting from scratch but lately they’ve simplified things and transferring between phones is just scanning a QR code.

The new challenge which many outside of this forum may not have considered is the growing art of getting people to expose their phone’s PIN unlock code. It’s especially nasty on Apple phones, as you can lock out every other connected Apple device.

3 Likes

I don’t use the account enough to know how much any of it is used post sign up, but the QR code thing sounds like it’s right up my alley.

To scratch @l33t’s itch, here’s a slightly redacted look at the sort of approach I take to storing all this data in notes. A few redactions for the alphanumersymbolic crap that’s forced upon you, because I’ve no algorithm in my brain for that, so I have to keep it in plaintext.

In hindsight, one of the question answers is too obvious and I really ought to change it at some point. It’s too public info.

2 Likes

Is it shitfeet or Disney? :laughing:

2 Likes

That would be poo paw! :joy:

He’s in the pets thread somewhere.

1 Like

So - obviously without giving anything compromising away - what steps/measures/routines, do you use as a customer to protect yourself. What do you do to minimise risk?

I understand that there are pay-offs between security processes and convenience.

Somewhere (in a different thread, I believe) I have read of someone using a separate phone for banking; that is its sole function.

For me personally, that would probably be too inconvenient. I feel that it would be more likely for me to lose a phone, if I had two to constantly worry about.

Just how secure are password managers for example?

1 Like

As long as you’re not using LastPass you’ll be fine…

I use 1Password for example, it has a secret key that makes it secure. Password managers are officially recommended by the NCSC too.

1 Like

Not an awful lot generally. Overkill security is not part of my personal threat model and I see most digital things as fairly disposable.

I have 2FA on my Apple account, and that’s about it.

I’d usually recommend a little more security to other folks though. I’m not much of a practice what you preach sort in this regard, but I don’t value the integrity of my accounts to the same degree I expect others will.

I get the thinking here, and this is probably someone who’s done their threat model and decided this is best for them. A lost secondary phone is better than a stolen only phone.

But I agree. It’s probably too much for most despite a fairly significant security gain from doing it.

Depends on the manager, but typically as secure as the security protecting your manager. If it’s just a single weak password, not very.

I do something like this. On my primary phone I only have a small number of financial apps - Monzo, one credit card app, and PayPal. And I only keep a relatively small amount of money in my Monzo account.

Everything else (savings bank, investment apps and crypto accounts) is on another device that stays at home and only really gets turned on when I want to interact with those apps. Aside from addressing a security concern, I also think it’s healthy not to have the temptation of regularly looking at investment accounts.

2 Likes