Well, I am guessing because I don't know what can be done on all versions of the apps, and how it is linked at the back end. It's really up to Monzo to look at their own systems and data architecture, and do a risk assessment! But here are some initial thoughts to help with those discussions. Hope it helps.
The question is whether concurrent sessions are allowed or not. Currently the answer to this is both yes and no. So the current situation is perhaps due to one of:
- not thought about (missing security requirement / broken security development lifecycle), or
- thought about, and specified incorrectly (security design flaw), or
- thought about, and has been implemented incorrectly (security bug), or
- thought about, but not implemented yet.
NB Importantly I am only discussing Monzo here - I think it is inappropriate to discuss any other organisation's apps here.
An attack
Various parties can be affected by breaches of confidentiality, integrity and availability. They include Monzo the company, its customers, its employees, its shareholders, its partners, its suppliers, Card companies, the banking sector, and even society. In this case I think the threat is primarily against customers, but there could also be a knock-on reputational loss for Mondo.
So, assume a customer loses their phone or it is stolen from them. They are alert and grab the nearest tablet (or the phone of a friend) to temporarily install the Monzo app, so they can freeze their card. The problem is that with a long session timeout (never?), if the phone and tablet use different OSs, the lost/stolen phone could still continue to be used to:
- View/export one customer's personal data
- Top up the account from the customer's debit card (funds/limits permitting)
- Transfer money to a contact (even maybe a newly added one?)
- Undertake chat sessions with support staff.
The latter could be used by a malicious person to try to recover full access to the account and card. I don't actually really know what happens when you freeze your card, so the above are guesses - but anyway a stolen device might be used before the real customer notices and gets round to freezing their card. [I am assuming that freezing the card on one OS freezes it on the other, i.e. it is not device specific, unlike this session management issue.]
Thus, a Monzo account holder who uses apps on iOS and Android is at greater risk of account misuse than a user who only ever uses a single OS. Perhaps some customers assume that setting up the app on another device terminates their previous session(s) on other devices. That's the impression that we have been given previously, and only through some helpful dialogue via the Community Forum did we find out that this wasn't necessarily the case. And that increases the possibility that a lost/stolen phone with an authenticated app remains active.
Also, this highlights another closely-related security vulnerability: there is perhaps no way for the customer to 'log out' of the lost/stolen device?
Security mandates
It could also be a security mandate failure, e.g. contrary to a compliance requirement. I don't know whether any systems accessed using this session handling are within Monzo's current scope for PCI DSS, but if they were, then this would be an issue to be reviewed under 'PCI DSS 6.5.10 Broken Authentication and Session Management', and perhaps also 'PCI DSS 6.5.6 All "high risk" vulnerabilities…'. In the latter case, as outsiders we don't know Monzo's process for ranking vulnerabilities, and thus whether it is 'high' (PCI DSS 6.1).
API worry?
No idea whether this issue also affects use of the API, but that would be another area to check.
General comments on concurrent sessions
Maybe concurrent sessions are meant to work, and Monzo has other security controls in place to prevent, detect and recover from misuse, but that isn't how the same-OS version works. If the decision now or later is to allow multiple sessions, consider:
- letting customers decide whether they want to permit multiple concurrent sessions
- optionally bind to selected device fingerprints
- alert all other active instances when the account is set up on another device
- only allow concurrent sessions if optional user security features enabled (e.g. fingerprint access).
There are lots of risk-mitigating options available!
Lots of possibilities, but as I say, let's leave it to Monzo to decide.
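To make the controls discussed in this post concrete (a single cross-OS session registry, alerting other active instances on a new sign-in, a single-session versus concurrent-session policy, device-fingerprint binding, and a 'log out everywhere else' action for the lost-phone scenario), here is an added illustrative example. It is not Monzo's code and says nothing about how the Monzo apps or back end actually work; the session store, the customer id, the fingerprint values and the timestamps are all constructed for the example.

```python
import secrets
import time
from dataclasses import dataclass

# Hypothetical in-memory session registry. A real deployment would keep this in a
# shared store so every OS client's session is visible to the same policy.

@dataclass
class Session:
    token: str
    user_id: str
    device_fingerprint: str
    os_name: str
    created_at: float
    last_seen: float
    revoked: bool = False


class SessionStore:
    def __init__(self, allow_concurrent: bool = False, idle_timeout: float = 900.0,
                 bind_to_fingerprint: bool = True):
        self.allow_concurrent = allow_concurrent      # policy: one session or many
        self.idle_timeout = idle_timeout              # seconds before an idle session dies
        self.bind_to_fingerprint = bind_to_fingerprint
        self._sessions: dict[str, Session] = {}       # token -> Session
        self.notifications: list[tuple[str, str]] = []  # (token alerted, message)

    def _is_live(self, s: Session, now: float) -> bool:
        return not s.revoked and (now - s.last_seen) <= self.idle_timeout

    def active_sessions(self, user_id: str, now: float) -> list[Session]:
        return [s for s in self._sessions.values()
                if s.user_id == user_id and self._is_live(s, now)]

    def login(self, user_id: str, device_fingerprint: str, os_name: str, now: float) -> str:
        # Alert every other active instance, regardless of OS; under the
        # single-session policy, revoke them as well.
        for other in self.active_sessions(user_id, now):
            self.notifications.append((other.token, f"New sign-in on {os_name}"))
            if not self.allow_concurrent:
                other.revoked = True
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(token, user_id, device_fingerprint, os_name, now, now)
        return token

    def validate(self, token: str, device_fingerprint: str, now: float):
        """Return the user id for a live session, or None. A token presented from a
        device whose fingerprint does not match the one it was issued to is revoked."""
        s = self._sessions.get(token)
        if s is None or not self._is_live(s, now):
            return None
        if self.bind_to_fingerprint and s.device_fingerprint != device_fingerprint:
            s.revoked = True
            return None
        s.last_seen = now
        return s.user_id

    def revoke_others(self, user_id: str, keep_token: str) -> int:
        """'Log out everywhere else': what the customer on a borrowed tablet needs."""
        count = 0
        for s in self._sessions.values():
            if s.user_id == user_id and s.token != keep_token and not s.revoked:
                s.revoked = True
                count += 1
        return count


def lost_phone_scenario(allow_concurrent: bool) -> dict:
    """Constructed walk-through: Android phone signed in, then lost; customer signs in
    on an iOS tablet. Returns what the phone's session can still do at each step."""
    store = SessionStore(allow_concurrent=allow_concurrent, idle_timeout=86400.0)
    t0 = 1_700_000_000.0  # fixed clock so the run is deterministic
    phone = store.login("cust-42", "fp-android-phone", "Android", now=t0)
    tablet = store.login("cust-42", "fp-ios-tablet", "iOS", now=t0 + 60)
    result = {
        "phone_notified": any(tok == phone for tok, _ in store.notifications),
        "phone_live_after_tablet_login": store.validate(phone, "fp-android-phone", now=t0 + 120) is not None,
    }
    result["sessions_revoked"] = store.revoke_others("cust-42", keep_token=tablet)
    result["phone_live_after_revoke"] = store.validate(phone, "fp-android-phone", now=t0 + 180) is not None
    result["tablet_live"] = store.validate(tablet, "fp-ios-tablet", now=t0 + 180) is not None
    # The tablet token replayed from an unknown device is refused and burned.
    result["replay_accepted"] = store.validate(tablet, "fp-unknown-device", now=t0 + 200) is not None
    return result


if __name__ == "__main__":
    print("concurrent policy:", lost_phone_scenario(allow_concurrent=True))
    print("single-session policy:", lost_phone_scenario(allow_concurrent=False))
```

Under the concurrent policy the lost phone stays usable after the tablet sign-in until the customer explicitly revokes other sessions, which is the gap the post describes; under the single-session policy the tablet sign-in itself ends the phone's session. In both cases the phone receives an alert, and a token replayed from a device other than the one it was issued to is rejected.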