Chat verification security

You don’t “do” your finances on them - they just generate a OTP for you to login with. You still need a device, connected to the internet to be able to login.

1 Like

True but it’s still online and a half step in the right direction security wise. The only problem is losing them or never having them with you when you need them.

I would say that meant they were a step backwards?

1 Like

A step forward for security but a step backwards for usability I guess.

Ah, I see what you're getting at. It's a bit like the phrase "a bad workman blames his tools". If you forget it, it's on you. Of course the banks build in a secondary way to bypass the above just in case it is forgotten.

But you see this is the problem! If there is a secondary way to get around this, presumably that defeats the point of having the device in the first place (for security purposes anyway)?

MFA based on existing solutions (whether that be over text or Google Authenticator) is arguably a better solution. Passwords have always been weak and ultimately the only way to actually solve that issue is to have physical hardware (public/private key USB sticks). I wouldn't say, however, that having bank- and card-specific generators is the best, most economic or environmentally conscious solution.

2 Likes

Yeah, I thought the very same thing as I was typing out the above. Google Authenticator is the same system as the bank token. It's something you have (or don't have), so of course there has to be a way round that. Which goes back to the first point you made. :slight_smile:

1 Like

I use Norton App Locker, which is good, but I shouldn't need to rely on third-party software to make up for the failure to provide it in the app.

The issue is that if Monzo build the security in, it can be depended on to be secure. If left to a third party, then that third-party app could be compromised or contain a backdoor that would then allow access to your banking apps. With Starling and Monese etc. you won't get far if such a third-party lock is bypassed or removed, intentionally or maliciously, but with Monzo you are straight in.

For me it is a matter of principle as to how a financial firm should make efforts to secure personal data. I can install all sorts of third-party stuff to secure my phone and have to enter a password, PIN and draw a pattern, but I should have such an option in my bank's app, not in some untrusted app I pick at random from the Google Play Store.

1 Like

If banks had gone with this logic we would have never got NFC payments imo.

If your phone is protected with a PIN or password, then someone has to bypass that, then get into your 3rd-party app locker (I am assuming that would be password protected as well), then hack into the Monzo app, and then they will find that to transfer any money they need your card PIN :upside_down_face:

I’m referring to your phone’s lock screen, not to a third-party product. Secure the phone itself.

2 Likes

I do. But that is still me taking action to make up for lack of this basic functionality in the Monzo app.

Also, if you are lending your phone to someone and they consequently have the screen unlocked, they can still access, intentionally or unintentionally, your app and see all your financial expenditure history.

2 Likes

It’s hardly ‘taking action’ - if anyone in today’s world doesn’t have their phone secured, I can’t feel the tiniest pity for anything that happens to them. It’s basic security.

Same with loaning your phone - your phone contains basically your entire life, why would you loan it to someone you don’t trust with your life?

7 Likes

This is for me the main point. There are probably lots of people who have family, and may (more or less regularly) share their phone with their spouse or kids. In my case it’s OK for my spouse to see my account (she knows all my passwords anyway), but not for my kid! I have - on a couple of occasions - given my unlocked phone to friends whose battery had died but they needed to do a phone call.

That is quite apart from the fact that (1) my son, wife and friends all know my birthday, (2) those who know my name can easily find it on Google/Bing/etc., and (3) the dates of birth of pretty much all of South Africa are now public (and I have no doubt that you can find most other DOBs online as well), so the DOB is an entirely inappropriate security measure anyway.

There are two reasons why I simply cannot use Monzo for anything other than holiday spend: (1) the complete lack of ability to lock down the app from even the most simple intrusion; (2) the complete lack of ability to do anything from my PC.

2 Likes

But it’s okay for your kid or your friends to see your email that would reset any password they wanted, your Facebook they could use to defame you, or any one of the numerous other aspects of your private life you have on your phone? Really? Phones hold so much about us, if we don’t trust them, we shouldn’t use them.

ONE person has access to my phone. My best friend. They know my passcode and their fingerprint is registered. I trust them with my life and if anything happened to me, they’re the one I’d want to be able to access the massive amounts of my life unlockable with my phone. My (hypothetical) kids, or any other friends? NO WAY!

2 Likes

This is lost on me. What has further investment to do with app security? :thinking:

3 Likes

A couple of services I’ve used allow the chat agent to pop up a separate box for the user to enter verification info into, and the agent just gets a yes or no telling them if it was accepted. This way no one has to worry about details being stored forever. Would this work?

4 Likes

Yeah, this is what I and others suggested. When Monzo moves to its own chat platform it would make sense to bake this in.

Just had an issue: some idiot forgot his PIN, and changed his fingerprints on the phone, meaning the PIN can't be recovered.

Because of this, I had to chat to support in-app. No issue - they’re always really helpful!

I was asked to confirm my DoB as a security question before the PIN could be SMS'd out to me, which seems sensible at first glance, but now my date of birth is accessible within that chat forever: we can't delete old chats!

This kinda strikes me as making the security question completely pointless from the second contact with customer services onwards: the answer is available to an attacker without authentication.

I'm unsure what the best solution for this would be, but if Monzo are relying on correct answers to security questions, bad security is worse than no security questions at all: everyone's lulled into a false sense of security.

Thoughts?

(Edited: I can’t England.)

Another edit: my PIN has just been SMS'd to me based on that chat. Something doesn't feel right here.

4 Likes
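To make the two designs in this thread concrete (the answer typed into the chat and kept in the transcript forever, versus the separate verification box where the agent only gets a yes or no), here is an added example that is not Monzo's code or anything from this thread. The customer record, the DOB value and the `ChatTranscript` helper are all constructed for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Constructed record for a hypothetical customer: the bank stores only a
# salted hash of the security answer (the DOB), never the plaintext.
SALT = os.urandom(16)

def hash_answer(answer: str, salt: bytes = SALT) -> bytes:
    # Normalise whitespace so "1990-01-02" and " 1990-01-02 " compare equal.
    return hashlib.pbkdf2_hmac("sha256", answer.strip().encode(), salt, 100_000)

CUSTOMER = {"dob_hash": hash_answer("1990-01-02")}

@dataclass
class ChatTranscript:
    """What support staff (and anyone who later reads the chat) can see."""
    events: list = field(default_factory=list)

    def say(self, who: str, text: str) -> None:
        self.events.append(f"{who}: {text}")

def verify_in_chat(transcript: ChatTranscript, answer: str) -> bool:
    """Weak flow from the thread: the customer types the answer into the chat,
    so it sits in the transcript for as long as the transcript exists."""
    transcript.say("customer", answer)
    ok = hmac.compare_digest(hash_answer(answer), CUSTOMER["dob_hash"])
    transcript.say("agent", "thanks, verified" if ok else "that doesn't match")
    return ok

def verify_out_of_band(transcript: ChatTranscript, answer: str) -> bool:
    """Hardened flow: the answer goes to a separate verification box/endpoint,
    the agent only learns yes or no, and the transcript records the outcome."""
    ok = hmac.compare_digest(hash_answer(answer), CUSTOMER["dob_hash"])
    transcript.say("system", "identity check " + ("passed" if ok else "failed"))
    return ok

def transcript_leaks(transcript: ChatTranscript, secret: str) -> bool:
    """Does the stored chat contain the security answer in clear?"""
    return any(secret in e for e in transcript.events)

if __name__ == "__main__":
    weak, strong = ChatTranscript(), ChatTranscript()
    verify_in_chat(weak, "1990-01-02")
    verify_out_of_band(strong, "1990-01-02")
    print("in-chat flow leaks DOB:", transcript_leaks(weak, "1990-01-02"))
    print("out-of-band flow leaks DOB:", transcript_leaks(strong, "1990-01-02"))
```

The point is that the second transcript is just as useful to the agent (they know the check passed) but contains nothing an attacker reading old chats could reuse.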

This is an issue and there’s a thread discussing it here.

Elsewhere, Simon confirmed that the current in-app chat will be replaced in the next year or so. One would hope this security issue will be addressed then, if not sooner.

1 Like

Boom. Genius. Your discourse search-foo is superior to mine!

1 Like