Chat verification security


#1

Had a bit of an interesting experience verifying my identity to a customer support team member over the app chat yesterday. It’s a great idea to do a verification process - after all someone could have stolen my phone and might be pretending to be me to steal some valuable information or whatever.

To verify my identity I was asked my 9 digit card token (the person would also need to have stolen my wallet) and my date of birth (again, my wallet has that). May be a little easy there, but I think this is fine - someone who has my wallet and unlocked phone basically owns me.

The problem comes later. Once I supply those details, they stay in that chat forever. The android app offers no way of deleting that information and customer support confirmed as much to me.

Now if someone has my unlocked phone, they no longer need to have my card and date of birth - they can just look into this previous chat. Obviously this completely defeats the point of this security meaure in the future.

I was advised that Monzo has to keep all correspondence on file “due to legal obligations”. Fine, but this shouldn’t be done without respect for security. There must be ways around this that would not break Monzo’s legal obligations. For example, that part of the correspondence may still be kept on Monzo servers, but can be made invisible to the user.

Hope this makes sense.


(Matt) #2

This sounds like the need to add a “Sensitive” section in the message that can be read by monzo but not by the customer.


(Alex Sherwood) #3

Hey Mawe :wave:

I’m really keen to make sure that my personal details are kept secure too so it’s great to see you bringing this up.

Emphasis mine.

Fortunately, I think you’ve pointed out the security feature that’s keeping this information safe here :slightly_smiling_face: it’s your phone’s passcode.


#5

I am pointing out that the way the app is set up defeats their own security measures


(Alex Sherwood) #6

Could you please explain what you mean there?


(Marta) #7

@Mawe iOS has touch id, Android will have some sort of pin/fingerprint layer added too. Wouldn’t this create a barrier for a thief to not be able to access chat data (as well as Monzo app in the first place)?


(Hugh) #8

The point is, the verification details used to confirm your identity are stored in the chat log forever.

So, you can’t assume that when the identity is verified via the chat again, that the person entering those details is who the say they are, given, that they could have just scrolled up the chat!


#9

Easy solution: have the process automated with a pop-up where you enter your information and not through the chat.


#10

Have you seen people’s passwords? Have you seen people’s sense of security? It’s a laugh.

You need to force strong security measures and not rely on upstream to do its job.


(Hugh) #11

You can force strong passwords in Android.

Problem is, if you don’t rely on users being at least vaguely sensible we end up with a 3 stage verification process that takes 5 minutes just to enter the app…


#12

Monzo bank is liable for the stupidity of its customers, so it’s in their best interests to limit how stupid their customers are allowed to be.


(Hugh) #13

Limit yes, but there has to be a trade off between UX and security. Otherwise, we’d be carrying around air gapped devices to do our finances on!

In this case your idea of an in app dialog to verify user details if a COPs requests it, or if they add a new FPS recipient or whatever is probably a good trade-off against verifying identity every time someone opens the app just to check their balance.


#14

I wasn’t proposing a draconian security policy, just one that didn’t shift security to other services.


(Oliver Ford) #15

That was always true, so if that’s good enough there was no point asking for the nine digit token and DoB anyway.


(Hugh) #16

We’re starting to move into the realms of this thread on security in general.

Regarding security specifically for identity checks, I’d support @awn in some kind of in app verification engine that can be triggered by COPs, removing the need for a use to enter details directly into the chat. Could also be used to randomly verify if “suspicious” behavior was detected.


#17

I recently had reason to use the in app chat to request help, and was asked for my date of birth as a security check.

I have realised that if anyone did gain access to my phone/ Monzo app then they could cause even more harm by simply going through my past support conversations and noting down any answers to security checks.

It seems that I can’t delete these comments.

Even better than that, if the representative I was talking to was able to delete the comment as soon as they had read and verified it.

:slight_smile:


#18

I will get shot down for this, but if there was a PIN or password on the app they could not do that :wink:


(Allie) #19

Why is your phone not secure? I wouldn’t dream of using a banking app on a phone that wasn’t encrypted and protected by a secure lock screen. It seems this is a case of needing to secure your phone better.


(Sufi) #20

:wink:


(knows someone who knows Tom quite well) #21

Richard - don’t you have the option to turn on touchID to open app?