Barclays chat

No emails or anything? I’m just playing devil’s advocate really.

I don’t think anyone is arguing for or against anything. The app comes by default (I think) without the need for an entry pin that you can easily turn on in the settings or use face/finger etc.

I think it feels a bit jarring sometimes how easy it feels to get in, but you can’t take my money without a pin, so I know it’s safe.

2 Likes

I didn’t say it was impossible (unless I missed saying that) but I still don’t want someone, anyone, seeing any of my financial information. It’s just a personal thing to me; like I said I’m surprised we are having to even discuss that some people might think that way.

2 Likes

Nope; my emails wouldn’t have any of my address on. I delete emails as standard and any I save are saved on my computer. Always done it that way.

3 Likes

I was referring to "once that phone is snatched it’s almost impossible to prevent loss or changes on your account until you get home". I guess you did say ‘almost’ but that doesn’t really apply either IMO. It’s actually extremely easy to prevent these things and always has been, just set a secure PIN when you set the PIN which is what you should do anyway.

Fair enough; I probably shouldn’t have worded it quite that way.

Right I do have to go back to work now but I remain steadfast that I like a PIN option to just access any of my banking details :stuck_out_tongue:

5 Likes

I don’t know why people keep overlooking the fact you don’t need the card pin to make changes to existing payees.

That’s certainly something a phone snatcher could change and would be almost impossible to stop. :wink:

The security measures people are asking for when they request things like this aren’t to keep their account safe, or their money safe. It’s to keep their privacy safe. Face ID that falls back to the brute-forceable device passcode doesn’t quite cut it I’m afraid.

You want Face ID for ease of access yes, but you want the fallback to be to an app specific passcode, or even just let people have a password for logging in and Face ID fallback like N26 had. You can still have that option in tandem with magic links just as bulb do, so folks have a choice. It’s been a while since I’ve done any testing on it, but I still doubt the integrity of magic link emails, even though the concept is sound from a security standpoint, the issue is the protocol and the reliance on the integrity of aspects outside of their or the user’s control.

Personally I’d like to see some real 2FA. Monzo may look as if it adopts multi-factor authentication, but that’s an assumption that’s too reliant on the integrity of external factors, to the point that, in reality, Monzo is single-factor at worst, two-step (two-factor at a barely justifiable push) at best.

We have some pretty great, highly usable multi-factor authentication systems available for free on most modern operating systems and in the cloud. Let’s adopt support for those please, banks.

3 Likes

What would the benefit of that be to them, or the risk to me? I don’t see it.

1 Like

Then what?

If you’ve stolen my phone and changed my payee, you’re hoping when I set up on another phone I pay you by mistake? When it tells me that it doesn’t match that would be quite the red flag.

Talk about niche!

The risk is someone amending payee details to send future transfers elsewhere.

You can glean who to target from the transaction feed and identifying contacts you send money to the most.

We know from other threads on here, and reports of fraud elsewhere online that most people ignore warnings here, especially when you factor in the issue that not every bank supports it yet, nor does it actually work properly for a lot of people.

The only proof of concept I have on such an attack is a test I ran on my brother by changing our mother’s details to mine, which was successful.

Maybe, but we know a lot of people ignore them. And the risk is still there, however niche, and so ought to be patched in my view. You need a pin for everything else anyway, where’s the harm in requiring it for saving changes to payee too.

I’m curious would you be dismissing the risk in a similar fashion if the pin wasn’t required for sending to existing payees too?

You’ve stolen my phone and sent money to my friend who will just give it back. Big whoop!

4 Likes

Except it isn’t easily brute-forceable. The sixth incorrect attempt locks the phone for 1 minute. The 7th attempt locks for 5 minutes, 8th for 15, 9th for an hour and the tenth incorrect attempt disables the phone entirely (or nukes all data if you have that setting enabled).

If you use a six-digit passcode that isn’t 000000 or your birth date then it’s quite an effective defence.

3 Likes
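The escalating lockout schedule described in the post above, modelled as a stateful PIN gate. This is an added example, not code from the original post or from any bank or phone vendor; the delays and the wipe on the tenth failure are taken from the post's description, and the clock is passed in explicitly so the behaviour can be stepped through without waiting.

```python
"""Escalating-lockout PIN gate (added example; timings are assumptions
taken from the thread's description of the device passcode schedule)."""
from dataclasses import dataclass
import hmac

# Lockout in seconds imposed after the Nth consecutive failure.
# Failures 1-5: no delay; 6th: 1 min; 7th: 5 min; 8th: 15 min; 9th: 1 h.
LOCKOUT_AFTER_FAILURE = {6: 60, 7: 300, 8: 900, 9: 3600}
WIPE_AT_FAILURE = 10  # tenth wrong attempt disables / wipes the device


@dataclass
class PinGate:
    pin: str                  # secret; a real system stores a hash, not the PIN
    failures: int = 0
    locked_until: float = 0.0
    wiped: bool = False

    def try_pin(self, guess: str, now: float) -> str:
        """Return 'ok', 'wrong', 'locked' or 'wiped' for an attempt at time `now`."""
        if self.wiped:
            return "wiped"
        if now < self.locked_until:
            return "locked"        # attempts during a lockout are not even counted
        if hmac.compare_digest(guess, self.pin):   # constant-time comparison
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= WIPE_AT_FAILURE:
            self.wiped = True
            return "wiped"
        self.locked_until = now + LOCKOUT_AFTER_FAILURE.get(self.failures, 0)
        return "wrong"


def walk_failures(pin: str = "123456", guess: str = "000000") -> list:
    """Step the gate through ten wrong guesses, advancing the clock past each
    lockout, and record (result, lockout imposed) for each attempt."""
    gate = PinGate(pin)       # constructed sample PIN, not a real one
    now = 0.0
    results = []
    for _ in range(WIPE_AT_FAILURE):
        result = gate.try_pin(guess, now)
        results.append((result, gate.locked_until - now))
        now = max(now, gate.locked_until)
    return results
```

The ten failures cost about 80 minutes of enforced waiting before the wipe, which is the point of the post: the schedule, not the passcode length alone, is what limits guessing.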

The pin has to be there for anything that can result in money leaving my account.

If I then send it of my own accord and ignore the warning, it would be interesting to see what Monzo would say about that.

2 Likes

Right, and I have that setting on. Here’s the issue though. The 10 most common passcodes are used on roughly 90% of handsets.

There are also tools and methods out there to circumvent Apple’s mitigation efforts, but we’ll ignore those because most street thugs aren’t going to be able to do that.

1 Like

Any additional PINs present a new problem - how do you reset it securely if you’ve forgotten it? Because that extra PIN is only as safe as its reset mechanism.

The important thing about the card PIN is it can only be reset through the in-app flow, that’s what makes it super secure. You can’t really have that for a PIN that lets you into the app, so I feel like any other PIN is going to end up either less secure, or far more user-unfriendly to reset, or probably both.

1 Like

In reality though, people that treat their security like that are unlikely to set a PIN to open the app, and if they do they are likely to choose the same number as their phone PIN. If users aren’t treating security properly no amount of additional passwords is going to increase their security!

4 Likes

An important point worth bearing in mind. It’s another obstacle only having magic links for logging in present.

But you’re right. Pointless having multi-factor authentication if the method to reset credentials undermines it.

As I say, I think it’s time bank apps embrace proper 2FA in the same way companies like Apple and Twitter do. No need to force it onto everyone, but as an option it would be appreciated.

Looking past all the security theatrics banks deploy, we’re in a world where the process to log in to my ISP control panel is both more secure and easier than it is to log in to my bank and sanction actions.

I’ve always been a fan of the idea of a bank deploying a 3FA stack. Utilise 2 factors to authenticate a first time login on a new device. Once logged in, utilise one of them to unlock, a second to sanction actions, and a third for higher risk stuff.

Monzo are so close to striking what would be that perfect balance for me. It’s lacking in the login and app unlock processes. I don’t think they’re as secure as they could be whilst still retaining the same (or very close to it) ease of use. Especially when every request I’ve seen on this to bring them up to par has been for them to be optional extras, rather than forced on everyone.

2 Likes

Then, honestly, I don’t think you’ve set things up right or your ISP control panel is a little overblown security wise.

To login to your Monzo account you should need:

  1. Access to physical device OR your email account and
  2. Your PIN number

That’s three factor authentication already if it’s set up right. You should have 2FA on your email, and to access your device and open the Monzo app should require a passcode and the device itself. So just step 1) should be subject to two factors of authentication.

Then to transact you need a third layer - the PIN, which should be unique and knowable only to you, isn’t brute-forceable and isn’t resettable.

Three-factor authentication should really be sufficient for even the most security conscious, especially as the final layer is extremely well controlled. Maybe we disagree here but I don’t think adding further layers is necessary or really helps anyone.

If people want more security on their Monzo account, the sensible thing to advise is that they:

Have a secure device
Have a secure email address
Have a secure card PIN
Use Face ID to enter the app (/whatever Android does)

3 Likes

It’s just basic 2FA. Nothing overblown about it. It’s just a lot simpler than the 2FA methods used by banks, who in some cases don’t use 2FA at all, but multi-step authentication (which is less secure than two-factor) with weird limiters which reduce entropy, and in turn weaken the security.

Emphasis mine. Because if it’s not, and for most people it won’t be, it’s two-step at best.

The issue here is the reliance on the integrity of other components which are outside the control of the user and the bank. With respect, you can’t rely on these or consider them as factors of your authentication process. They’re external components. To count them, every single service we sign up for and use would have 3FA as standard too. They’re not. It would be bonkers to assess the security of a service in that way.

The authentication factors of one service ought to be completely segregated from those of another. This is what I meant earlier, when I said at an exaggerated push, one could justify that Monzo has two-factor. In reality, ignoring how secure one’s email account is or how secure their devices are, it really is not at all.

4 Likes

Okay but the solution is to make it so it is! Adding more layers of security because people are ignoring or undermining the layers that are already there feels like the wrong solution.

I think really I will have to disagree that it’s desirable to have three layers of security in the banking app that’s already hidden behind two layers of security. That ultimately makes it five factors of authentication just to make a transfer or something; it’s overkill and the less security conscious will just undermine them the same way they undermine the other layers anyway.

2 Likes

So do I, and I like to have it even though I don’t actually need it.

Face ID’s attention detection feature should also automatically kick in if the phone can tell it isn’t you using it, which would lock the device anyway. There have been bugs with that feature, though, going right back to iOS 11 when the iPhone X was first introduced, so you probably can’t rely on it.

It is also possible to virtually instantly lock and/or wipe your device via iCloud, track it using Find My, and probably even call Monzo to force-logout the app.

All of which you can also add a secondary lock to (although I don’t). WhatsApp has a Face ID option now and has had for a while, Outlook is a widely-used email app which also allows locking with Face ID. The stock Mail app doesn’t, however.

2 Likes

I agree with you on this.

Really it is just the “something you know” (knowledge) factor twice over: email credentials to get to the magic link, plus Monzo PIN.

Ideally it should be two different and completely separate factors, but then you do run into a usability issue.

Starling’s new device login, on the other hand, is truly two-factor as it tests inherence (what you look like through the verification selfie) and knowledge (app password). But then we do hear complaints about that being “too awkward” all the time!

1 Like