Barclays (and others) looking to catch up

I disagree with this. It’s certainly within the user’s control as to how secure the likes of their email is; there are many providers out there to choose from. Those who are more security conscious will already have it locked up to their eyeballs.

I don’t think it’s the bank’s job to protect these types of people. Largely because if they need yet another or more complicated password you can almost guarantee that they will have it saved in their notes app in case they forget it.

For what it’s worth I do think that payee details should be PIN/biometrically protected, but I don’t think the overall app should have more layers.

1 Like

Not every provider gives you the option. It’s unreasonable to expect someone to ditch an email they’ve used their whole lives or change provider in such a case too.

It’s also not always the best idea to have 2FA on your email account. Some people might not want it, yet still wouldn’t want the lack of that on their email to compromise the security of their other more sensitive accounts, which is fine because it doesn’t have to.

It’s absurd to assess the security of your processes on the assumption that everyone is following best security practices everywhere else. Your systems need to be designed on the predication they are not. You shouldn’t be relying on this at all.

To emphasise the absurdity, no bank would trust I’m me on the basis that I’m emailing them from my email, with the headers validating no spoofing of any kind. Even though I have 2FA on. My email provider knows it’s me, my bank does not. Yet that’s the same level of trust Monzo are placing in it when it comes to logging in.

I’m baffled that folks are shutting down ideas of optional extra security because they don’t want it, instead suggesting those security enhancements be applied elsewhere where that user may not otherwise want or need them. It’s actually more arduous for users, and it’s a shift of liability from the service provider onto third parties, and even the user. No thank you.

Of course it is. If the security of authentication for your device is enough to undermine the security of your bank account, then your bank has a big problem in my book.

No one’s asking for that. But even if we were, this is how that looks when you flip the context of liability.

You could apply the same logic to device security too. Whatever security measure you’re imagining Monzo would need to deploy here to counteract poor device security are the exact same ones, and in turn, the exact same issues that would arise from one attempting to keep their device secure enough.

What’s being asked for by folks is the choice to enhance their individual app or account security if they want to. This does a few things. It adds freedom and control over how secure your account is. Multi-factor doesn’t necessarily mean hard to remember passwords. And of course no one has to use it. The freedom widens the scope of entropy, meaning the existence of the choice of greater security alone improves security for everyone without changing anything, when done right.

To reiterate what I’d like to see from Monzo: proper 2FA on logins that doesn’t rely on the integrity of a third party service as a factorthatsnotreallyafactor. Keep the current magic two step setup if you have to, but give me an option to authenticate with something I have as well, like an authenticator app on my phone. The fallback for Face ID being something separate to my device passcode. Honestly, even just changing where you ask for the card PIN would improve things here. Use that as the fallback. The ability to override biometrics removes a factor of authentication, effectively making access single-step (the same something you know used twice). Granted there’s still a second step to action stuff, that doesn’t safeguard against the massive privacy violation of someone gaining read-only access to my account.

3 Likes

I feel like the level of security you want/use and most other peoples are miles apart.

You’re off the scale at one end and really an anomaly.

4 Likes

Normally, probably. But it’s a bank, so then again, probably not.

What do you think fuels the theatrics other banks deploy? Customer feedback.

Given the niche of this community, a sizeable number of folks among us even want something a bit more robust here. I don’t think I’m as anomalous as you think! My approach to security is far more balanced and sits somewhere in between those who don’t follow best practices and those who take it to the extreme.

2 Likes

And I hate it.

For my Nationwide account I have to know my user number, then pick 3 of 6 digits from my PIN and then wait for the “one time code” to be texted to me. Madness!

What makes it feel more secure means all that people do is write these things down instead and hinders logging in.

People not understanding security vs privacy also makes this far more complex.

6 Likes

I assure you, the software engineers that have to design and build these things hate it too. We know it’s theatrics. But marketing says it makes people feel more secure, so that’s that. Everyone gets it.

3 Likes

I think we need to be clear about a few things here.

  • Is Monzo’s security model fundamentally flawed? No.

  • Could it do with a tune up? Yes.

In particular, I think it’s reasonable to address two common concerns: the fact you can change standing orders without validation and the desire for privacy (not security) from some users.

Here’s my prescription:

  • scrub the app (twice) to make especially sure that anything involving potential loss of money is subject to biometrics / card PIN.
  • change the new user flow so that users get the choice up front whether they have to authenticate to get into the app.
  • fix the bug that means that the setting to authenticate to access the app is forgotten on update.
  • some info for users during sign up to let them know the importance of protecting their email account.

I’d go a little towards @N26throwaway’s suggestion and suggest something user friendly (like 2FA from an Authenticator app) would also be helpful.

9 Likes

Evidence please.

I think it’s probably more nuanced than this. My hypothesis is that there’s been some well intentioned but technically illiterate regulation, followed by blunt implementation, followed by users thinking “crikey this is difficult so must be secure”.

I think theatre is still the right word. Because sometimes that’s reassuring when, at the macro level, it’s actually harmful.

4 Likes

Nothing I can actually link to or back up with evidence I’m afraid.

I’m sure regulars on here already know about my past association with Barclays, and that I’m a software engineer, and that this issue is what caused that association to end.

I need to be careful what I say, so all I’ll say is, it hit a point where a more secure approach was shut down and abandoned because it was easier for users than their existing system and would have transitioned away from PINSentry devices. This was a bit before fintechs started popping up too, just before Apple Pay.

I still believe the focus group was deliberately set to make it fail because the response was it wasn’t secure enough… Some higher up at Barclays must really love their PINSentry devices.

Apple Pay caused a similar rift I believe when that landed, but the customer backlash went far enough to invoke change. In what world does a fair and unbiased panel unanimously favour bpay? :crazy_face:

This is all of course, hearsay, so take it with a pinch of salt! :wink:

3 Likes

Actually, question, if my Monzo device is logged into somewhere else do I get an email?

Thanks, “Tom”, that’s very interesting.

More broadly, I think that use of evidence is an interesting one. I’d guess that, in this case, Barclays weren’t actually interested in the customer feedback. But, like places where vested interests run deep, it’s convenient when it reinforces existing biases.

I was about to say we’re in danger of veering off topic, but looking at the title, it actually brings us closer back. Well done us!

2 Likes

I don’t think so, but I’m not totally certain about that. But, that said, you will have had a “log in” magic link email.

Of course, the current device limitations mean that you can only be logged into one device of each OS, so if you’ve been logged out that’s a red flag.

(I’ve been keen for years for Monzo to build a proper multi device security model. I think that alerts on new logins - and 2FA - would probably help with that)

6 Likes

I was going to say, I think maybe one layer I wouldn’t say no to would be the ability to have security alerts sent to a second email address. It’s probably no use sending them to the same address given that would be compromised. I suppose you can do this with some email rules though. Maybe I will! That would be one easy step for the security obsessed.

In terms of Monzo, I see no reason why they should spend time or money developing anything unless they are seeing examples of fraud resulting from their current security level.

2 Likes

I suppose you can do this with some email rules though. Maybe I will! That would be one easy step for the security obsessed.

Okay I take this back, you can’t do this in Gmail. Only in Outlook desktop I think.

In which case maybe a separate ‘your account has just been logged in to’ email would be handy.

Poor security, so not really a great example.

It’s the knowledge factor twice again, just made awkward, plus an attempted possession factor with the SMS code (which doesn’t really count as a proper second factor due to the obvious vulnerability of SIM Swap attacks and SMS being unencrypted, so potentially intercepted easily - the FCA have issued a notice to banks that they don’t consider SMS as secure enough to meet Strong Customer Authentication requirements).

That makes the point that @N26throwaway was already making, which is that often banks are employing onerous security theatre to make logging in more difficult in an attempt to reassure customers that they “must be secure”, when in actual fact the level of security is minimal. The point was it is possible to create solutions which are more secure and more user-friendly, especially if operating a mobile-only bank as you have the advantage of knowing that all your customers have a smartphone capable of running apps.

I agree with you there, but there is a crossover where things that are more secure also, generally, will create the conditions for more privacy by default, most of the time.

I think that suggestion especially is a good one.

This would be a nice option, and not that user-unfriendly, as you could always allow resetting it via selfie verification (similar to how Starling verify new devices).

You can in Gmail!

Rules (in Outlook parlance) are just called Filters.

2 Likes

Hmmm I couldn’t find a way and googling didn’t help! I can forward the actual email with the link but obviously that’s a poor idea!

What I couldn’t find a way to do was send a new email to my other account (which would just be ‘you have been sent a login link’ or something like that). Am I missing something?

1 Like

Oh sorry, I thought you just wanted to forward the link automatically.

I don’t think you can send a completely separate message automatically as Filters don’t have the option (as far as I know); they are more basic than Outlook Rules.

Yeah I thought so :cry:

That’s why a separate email would be handy, I could forward that.

edit: then again I suppose if someone gets into my main email somehow my notifications light up like a Christmas tree so probably just overthinking it

1 Like

Yes, and also even though it’s probably not best practice to forward the magic link, it’s not exactly that insecure as the authentication token can only be used once and (assuming your secondary email is adequately secured like your primary) there is minimal chance of it being intercepted, either before you use it yourself or as part of a fraudulent account login.

1 Like
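To make the single-use point above concrete (and the new-device alert idea raised next), here is an added Python illustration of a magic-link token store that consumes each link once and expires unused ones, plus a first-sight-of-device check. It is not Monzo’s code; the class, function names and ten-minute lifetime are assumptions.

```python
# Constructed illustration (not Monzo's implementation): single-use, expiring
# magic-link tokens plus a first-seen-device alert decision.
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 10 * 60  # assumed lifetime of an emailed login link


class MagicLinkStore:
    """Issues login tokens and lets each one be redeemed at most once."""

    def __init__(self, clock=time.time):
        self._clock = clock
        # SHA-256(token) -> (user_id, expiry). Only the digest is stored,
        # so a leaked store does not contain usable links.
        self._pending = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits of entropy, unguessable
        expires_at = self._clock() + TOKEN_TTL_SECONDS
        self._pending[self._digest(token)] = (user_id, expires_at)
        return token  # this value goes into the emailed link

    def redeem(self, token: str):
        """Return the user id on success, else None. Always consumes the token."""
        entry = self._pending.pop(self._digest(token), None)  # second use: gone
        if entry is None:
            return None
        user_id, expires_at = entry
        if self._clock() > expires_at:
            return None  # a stale link is dead even if it was never used
        return user_id


def login_alert_needed(user_id: str, device_id: str, known_devices: dict) -> bool:
    """True the first time this device logs into the account; records it either way."""
    seen = known_devices.setdefault(user_id, set())
    first_time = device_id not in seen
    seen.add(device_id)
    return first_time
```

Because `redeem` pops the digest before checking anything, a forwarded copy of a link that the owner has already clicked is worthless, which is the single-use property described in the post above.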

True. I do still think these kinds of ‘someone logged into your account on a new device’ type emails are a really easy-to-implement but powerful security feature though.

It’s nice to have the 100% certainty that no one is accessing something they shouldn’t. Even when you are completely confident in the security of something, it’s a nice peace of mind feature.

1 Like