The emails can easily be intercepted and read, but they would now also require your card PIN to successfully log in to your Monzo account, in addition to the magic link.
Although I would personally still prefer a more traditional password, I am now satisfied that magic links are secure enough in implementation. Just make your best effort to keep your PIN confidential and abstruse.
I’m not sure this matters, as I think the magic link in the email only works on the device that requested it. So if someone intercepts your login email, they can’t use it to log in on their phone. They’d have to steal your unlocked phone as well.
It does not matter in Monzo’s case, but I feel it’s worth being aware of in general. The hacker wouldn’t need your phone though; they would just need to know your PIN or be able to guess it within 3 attempts.
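The two posts above describe a magic link that is bound to the requesting device and is then gated by the card PIN with a small number of guesses. As an added illustration (not Monzo’s code and not something posted in this thread), here is a hypothetical server-side sketch of that flow in Python. The store, the 15-minute link lifetime, the PBKDF2 parameters and the single-session rule are all assumptions made for the example; a real deployment would persist this state and rate-limit link requests as well.

```python
import hashlib
import hmac
import secrets
import time

LINK_TTL_SECONDS = 15 * 60   # assumption: an e-mailed link is valid for 15 minutes
MAX_PIN_ATTEMPTS = 3         # the three guesses mentioned in the thread
PBKDF2_ROUNDS = 100_000      # assumption: PIN hashing cost for this example


class MagicLinkService:
    """Hypothetical login service: device-bound single-use links plus a PIN second factor."""

    def __init__(self, pin_by_user, now=time.time):
        # pin_by_user is constructed sample data: user -> plaintext PIN at enrolment time.
        self._pins = {user: self._hash_pin(pin) for user, pin in pin_by_user.items()}
        self._links = {}      # sha256(token) -> (user, bound device id, expiry)
        self._attempts = {}   # user -> consecutive failed PIN attempts
        self._sessions = {}   # user -> device id holding the one active session
        self._now = now       # injectable clock so expiry can be tested offline

    @staticmethod
    def _hash_pin(pin):
        salt = secrets.token_bytes(16)
        return salt, hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)

    def _pin_ok(self, user, pin):
        salt, digest = self._pins[user]
        candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, digest)

    def request_link(self, user, device_id):
        """Mint a random token for this user/device; the plaintext token goes in the e-mail."""
        token = secrets.token_urlsafe(32)
        token_hash = hashlib.sha256(token.encode()).hexdigest()
        self._links[token_hash] = (user, device_id, self._now() + LINK_TTL_SECONDS)
        return token

    def redeem(self, token, device_id, pin):
        """Exchange a link plus PIN for a session. Returns a short status string."""
        token_hash = hashlib.sha256(token.encode()).hexdigest()
        record = self._links.get(token_hash)
        if record is None:
            return "invalid_link"
        user, bound_device, expires_at = record
        if self._now() > expires_at:
            del self._links[token_hash]
            return "expired_link"
        # An intercepted e-mail opened on another device is rejected before the PIN is
        # even checked, so it does not burn one of the PIN attempts either.
        if not hmac.compare_digest(bound_device, device_id):
            return "wrong_device"
        if self._attempts.get(user, 0) >= MAX_PIN_ATTEMPTS:
            return "locked"
        if not self._pin_ok(user, pin):
            self._attempts[user] = self._attempts.get(user, 0) + 1
            if self._attempts[user] >= MAX_PIN_ATTEMPTS:
                del self._links[token_hash]   # lockout also burns the outstanding link
                return "locked"
            return "wrong_pin"
        del self._links[token_hash]           # single use
        self._attempts.pop(user, None)
        self._sessions[user] = device_id      # one session per user: a new login evicts the old device
        return "ok"

    def active_device(self, user):
        return self._sessions.get(user)
```

The device check runs before the PIN check on purpose: someone who only has the e-mail learns nothing about the PIN and cannot spend the victim’s three attempts, while someone with the right device still has to know the PIN, and three wrong guesses invalidate the link rather than leaving it live.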
I’ve just requested a magic link from my iPad and been able to open it and log in by clicking on it on my iPhone 7. Interestingly, this also logged me out of my iPhone 11 Pro.
It depends on who is doing it and where the email is intercepted. It’s a very common thing in coffee shops, for example, though not so much on your own home network, unless you’re specifically being targeted. Either way, as a best practice, I avoid email if at all possible when it comes to any form of communication I wouldn’t be comfortable conducting publicly on something such as Twitter.
I know Monzo have said you can install the app on a tablet, but I haven’t seen them say it can be used at the same time as a phone, unless the two devices are different platforms (that is one Mac, one Android).
It is possible to be logged in to an iPad and an Android phone at the same time, say. (Unless they’ve changed this since I last tried it.)
I don’t know the reasoning behind the decision. I would guess it was either a pure design decision to make it quicker to build the app in the first place, a security decision to keep the user safer, or some mixture of the two factors.
Agreed. Everyone should be using an SSL connection for their email (and I’d be very surprised if there are many people who don’t). With SSL, there’s no way for someone ‘in a coffee shop’ to intercept your email. It has to be someone who knows the path your email will take between mail servers, and there has to be a hop between mail servers that isn’t SSL encrypted (also unlikely), or the attacker needs access to the mail server.
It’s not, sadly. Anyone can do it with a cheap laptop, some free software, and the ability to follow simple instructions. It happens more commonly than you might think on public WiFi.
I have experience in the industry, but no affiliations with any VPN companies, though I do use my own personal VPN when I’m out of the home.
A few years back I spent a day in Manchester venturing between six different Starbucks stores for some research. In at least two of those stores I was able to identify the presence of packet sniffing software, in addition to my own.
Absolutely agree. Some mail service providers already do this as standard, but it can vary by service and client. We need a standardised encrypted protocol that everyone uses and deploys as a default. I think we’ll get there at some point, and strides have already been made, but we’re not all the way there just yet.
Yes, some have started to do that in recent years, but not all do, and not all clients support it. I can still, for instance, establish an unencrypted connection to my iCloud email account, which would in turn download the emails to my device in plain text. Perhaps I’m just a little bit too paranoid.
This is why I would really like to have the option to supply a public key, and have my emails encrypted end-to-end. Facebook (of all companies) does offer this, so if the email is intercepted in transit, it is still secure.
They need to change to a more conventional but secure method IMO. Standard email and password, but with obligatory 2FA using TOTP. None of this weird email link stuff, which would also be a pain when they give users the option to log in on a browser. I don’t understand what the benefit even is of having a link sent to your email as opposed to a password.
Using public WiFi is way more of a privacy issue (operators selling your browsing history etc) than a security issue for most people.
Most sites and services use TLS. For example, an office with a fancy next-gen firewall and no certs installed on any devices: the firewall had managed to scan only one file in two months. My point being, there are very few mainstream sites that don’t use TLS; a bored person doing sniffing for lulz in public won’t get much more than where you are visiting.
If your threat model is high, then you should obviously use a VPN.
The cert is to decrypt; you can still packet sniff and see unencrypted traffic without one. You can also see which sites are being visited with deep packet inspection, but you can’t decrypt the actual data.