Had a bit of an interesting experience verifying my identity to a customer support team member over the app chat yesterday. It’s a great idea to do a verification process - after all someone could have stolen my phone and might be pretending to be me to steal some valuable information or whatever.
To verify my identity I was asked my 9 digit card token (the person would also need to have stolen my wallet) and my date of birth (again, my wallet has that). May be a little easy there, but I think this is fine - someone who has my wallet and unlocked phone basically owns me.
The problem comes later. Once I supply those details, they stay in that chat forever. The Android app offers no way of deleting that information, and customer support confirmed as much to me.
Now if someone has my unlocked phone, they no longer need to have my card and date of birth - they can just look into this previous chat. Obviously this completely defeats the point of this security measure in the future.
I was advised that Monzo has to keep all correspondence on file “due to legal obligations”. Fine, but this shouldn’t be done without respect for security. There must be ways around this that would not break Monzo’s legal obligations. For example, that part of the correspondence may still be kept on Monzo servers, but can be made invisible to the user.
Hope this makes sense.