Wow. I was contemplating a change of job but if it’s that easy I’ll just steal phones and wipe out people’s fortunes.
If my phone is stolen…they can’t get into my ‘real’ bank account without a password that’s not stored in the phone
This (except what makes a bank account “real”…) has been discussed in-depth here:
Don’t kid yourself it’s not easy…gangs roam pubs like Dickensian pickpockets…they pick up phones…take out to a waiting van…where expert hackers are in your phone in minutes…before you’ve even got to the bottom of your drink and realised it’s missing…d’you really think it’s that hard to get into an Android phone if they know what they are doing?
This vision of expert hackers in a van – is that taken from watching Big Momma’s House 2 or something? I find it completely implausible.
The gangs around here just tend to rip the ATMs out of the walls with a stolen JCB in the middle of the night, they don’t seem to bother with nicking phones in my locals in the hope that the owners do in app banking with thousands in their accounts even though it’s easier to just hack the phone in their van later
I’ve filmed it happening.
I was thinking a PIN for the app, which would be stored in the phone, my bad. Re-reading I guess you’re talking more like when we enter online banking ID and password with the likes of Lloyds, Halifax etc.
I’m driving home now but interested to read what @lumisota linked to, will be checking back later.
Cool! Where can we see it?
No idea…it was for Japanese television…Japanese directors don’t make small talk with local crew!! Anyway …we watched a guy plug a phone in and operate it remotely despite it having fingerprint and password protection
The guy was a Japanese speaking Turk if I remember correctly…the whole thing was pretty weird…one of the oddest jobs I’ve done…but nonetheless…unless the whole thing was some kind of weird hoax…it was pretty frightening to watch.
Can you not set your phone to have your linked to your banking app email address on your phone without auto sign in and force yourself to sign in with a memorised password rather than a password stored on your phone that auto fills it when you sign in?
I know it’s a bit old school security but… mind you if the hackers are that good they could perhaps search the phone’s memory, mind you if they were that good they would be going after far bigger fish wouldn’t they???
I wonder if it was an old episode of Spooks.
Well…how about just have a password…like on my ‘normal’ banking app?? Why try to reinvent the wheel.
That’s what I’m suggesting, a password that doesn’t autofill, for an email address you use solely for Monzo - if you aren’t happy with phone thieves having access to your email because your unlocked / hacked phone autofills the email password when logging on to that email address which would then give access to your logged out Monzo account - disable the “remember my password” function, fill it in manually every time you log on, to log in to Monzo and then there is another step the thieves need to get through
- the fault in this plan is you would have to log out of the Monzo app quickly after every transaction to ensure security of the app before the phone was stolen
Security is a mixture of things. Nothing is ever 100%; they are all based on the idea that they will mitigate the risk to near zero. For example most of my important passwords are one time pad created. Security should be looked at as various small things creating a ring of steel.
- Antivirus to prevent RATs etc,
- Strong one time pad passwords for entry points- phones etc,
- Remote access to my phone for wiping data is my last line of defence.
Having one secure method in fact makes a method insecure.
- Instant notifications, the ability to freeze your card and pots make Monzo more secure than most other banks in this case.
Unlocked phone stolen
If a phone thief steals your phone and finds out or hacks your phone password, then yes they’d be able to access and view your Monzo account.
However, to send any money the thief would need to know your PIN (or have your fingerprint if you have fingerprint security turned on in your Monzo app). I think the only thing they’d be able to do with access to your Monzo app is move money in and out of your pots unless they have your PIN too.
In this case, your money is no less secure with Monzo than with other banks - all the thief can do is admire your spending, until you wipe the phone.
Unlocked phone and card stolen
If the thief has your unlocked phone and card, I guess they could move money out of pots and then use your card just like they’d use any stolen non-Monzo bank card with a separate code for the banking app (ie: contactless payments below £30).
In this case, your money has the same security as with a non-Monzo bank, but only if the thief knows about Monzo pots (so they can move all your money into your main account to spend).
Unlocked phone and PIN stolen
If the thief has your unlocked phone and knows your PIN, then they could send money using the Monzo app. They could also use your Apple/Google Pay to go on a spending spree, but this is also true for all other banking apps.
In this case, Monzo would be less secure than a banking app with a separate passcode (since the thief could send money using the Monzo app). However, the use of Apple/Google Pay would be the same for banks with a separate banking app passcode.
Unlocked phone, card and PIN stolen
- Monzo is just as secure as banks with separate banking app passcodes.
- For all the above I’ve assumed that the thief can somehow bypass your fingerprint and the Monzo user, knowing this, has not enabled any fingerprint security:
If the thief can hack past any password or fingerprint sensor, then the additional passcode for the banking app makes no difference.
If the thief can only hack past a phone’s lock screen, then locking the Monzo app with your fingerprint provides the same level of security as an additional passcode.
I find it amazing that some people want their challenger bank to look exactly like all the other banks.
Monzo is doing something different. They’ll be the first to change things if they realise they’ve inadvertently created an app which lets Japanese speaking Turks in vans steal all the money in the bank.
Until then, if you want to put three letters from your password and your first school into an app, go back to HSBC.