Well, I am guessing because I don’t know what can be done on all versions of the apps, and how it is linked at the back end. It’s really up to Monzo to look at their own systems and data architecture, and do a risk assessment! But here are some initial thoughts to help with those discussions. Hope it helps.
The question is whether concurrent sessions are allowed or not. Currently the answer to this is both yes and no. So the current situation is perhaps due to one of:
- not thought about (missing security requirement / broken security development lifecycle), or
- thought about, and specified incorrectly (security design flaw), or
- thought about, and has been implemented incorrectly (security bug), or
- thought about, but not implemented yet.
NB Importantly I am only discussing Monzo here - I think it is inappropriate to discuss any other organisation’s apps here.
Various parties can be affected by breaches of confidentiality, integrity and availability. They include Monzo the company, its customers, its employees, its shareholders, its partners, its suppliers, Card companies, the banking sector, and even society. In this case I think the threat is primarily against customers, but there could also be a knock-on reputational loss for Mondo.
So, assume a customer loses their phone or it is stolen from them. They are alert and grab the nearest tablet (or the phone of a friend) to temporarily install the Monzo app, so they can freeze their card. The problem is that with a long session timeout (never?), if the phone and tablet use different OSs, the lost/stolen phone could still continue to be used to:
- View/export one customer’s personal data
- Top up the account from the customer’s debit card (funds/limits permitting)
- Transfer money to a contact (even maybe a newly added one?)
- Undertake chat sessions with support staff.
The latter could be used by a malicious person to try to recover full access to the account and card. I don’t actually really know what happens when you freeze your card, so the above are guesses - but anyway a stolen device might be used before the real customer notices and gets round to freezing their card. [I am assuming that freezing the card on one OS freezes it on the other i.e. it is not device specific, unlike this session management issue]
Thus, a Monzo account holder who uses apps on iOS and Android is at greater risk of account misuse than a user who only ever uses a single OS. Perhaps some customers assume that setting up the app on another device terminates their previous session(s) on other devices. That’s the impression that we have been given previously, and only through some helpful dialogue via the Community Forum did we find out that this wasn’t necessarily the case. And that increases the possibility a lost/stolen phone with an authenticated app remains active.
Also, this highlights another closely-related security vulnerability: there is perhaps no way for the customer to “log out” of the lost/stolen device?
It could also be a security mandate failure e.g. contrary to a compliance requirement. I don’t know whether any systems accessed using this session handling are within Monzo’s current scope for PCI DSS, but if they were, then this would be an issue to be reviewed under “PCIDSS 6.5.10 Broken Authentication and Session Management”, and perhaps also “PCIDSS 6.5.6 All ‘high risk’ vulnerabilities…”. In the latter case, as outsiders we don’t know Monzo’s process for ranking vulnerabilities, and thus whether it is ‘high’ (PCIDSS 6.1).
No idea whether this issue also affects use of the API, but that would be another area to check.
General comments on concurrent sessions
Maybe concurrent sessions are meant to work, and Monzo has other security controls in place to prevent, detect and recover from misuse, but that isn’t how the same-OS version works. If the decision now or later is to allow multiple sessions, consider:
- letting customers decide whether they want to permit multiple concurrent sessions
- optionally bind to selected device fingerprints
- alert all other active instances when the account is set up on another device
- only allow concurrent sessions if optional user security features are enabled (e.g. fingerprint access).
There are lots of risk-mitigating options available!
Lots of possibilities, but as I say, let’s leave it to Monzo to decide.
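As an added illustration (not code from the post above or from Monzo), here is a Python sketch of the account-level session registry those options imply: sessions are tracked per account rather than per OS, concurrent sessions are kept only when the customer has opted in and strong auth is on, otherwise a new login signs the other devices out, every other device is alerted either way, idle sessions expire, and a "sign out everywhere else" action revokes the rest. All names, the flags and the 15-minute idle timeout are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Session:
    session_id: str
    device_id: str
    platform: str        # "ios", "android", "api" ...
    last_seen: datetime
    active: bool = True

@dataclass
class Account:
    allow_concurrent: bool = False   # customer opt-in, off by default (assumed)
    strong_auth: bool = False        # e.g. fingerprint unlock enabled (assumed)
    sessions: dict = field(default_factory=dict)   # session_id -> Session
    alerts: list = field(default_factory=list)     # (device_id, message)

class SessionManager:
    def __init__(self, idle_timeout=timedelta(minutes=15)):
        self.idle_timeout = idle_timeout   # assumed value, not Monzo's
        self.accounts = {}

    def _acct(self, user):
        return self.accounts.setdefault(user, Account())

    def login(self, user, session_id, device_id, platform, now):
        acct = self._acct(user)
        # One registry per account, not per OS: concurrent sessions only if the
        # customer opted in AND strong auth is on, else other devices are signed out.
        concurrent_ok = acct.allow_concurrent and acct.strong_auth
        for s in acct.sessions.values():
            if s.active and s.device_id != device_id:
                s.active = concurrent_ok
                acct.alerts.append((s.device_id, f"new login from {platform}"))
        acct.sessions[session_id] = Session(session_id, device_id, platform, now)

    def is_valid(self, user, session_id, now):
        s = self._acct(user).sessions.get(session_id)
        if s is None or not s.active or now - s.last_seen > self.idle_timeout:
            return False
        s.last_seen = now
        return True

    def revoke_others(self, user, keep_session_id):
        # "Sign out everywhere else", e.g. from the device used to freeze the card.
        victims = [s for s in self._acct(user).sessions.values()
                   if s.active and s.session_id != keep_session_id]
        for s in victims:
            s.active = False
        return len(victims)
```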