Email Security

Hi, can someone help me understand a security matter for Monzo.

I have a monzo account and what I’m trying to check is what information a hacker would need in order to access my monzo account and steal money?

E.g. could they do so by simply obtaining access to my emails or would they also need the PIN for my monzo card?

Thanks in advance

The emails can easily be intercepted and read, but they would now also require your card PIN to successfully log in to your Monzo account, in addition to the magic link.

Although I would personally still prefer a more traditional password, I am now satisfied that magic links are secure enough in implementation. Just make your best effort to keep your PIN confidential and abstruse.

1 Like

I’m not sure this matters as I think the magic link in the email only works on the device that requested it. So if someone intercepts your login email, they can’t use it to log in on their phone. They’d have to steal your unlocked phone as well.

2 Likes

It does not matter in Monzo’s case, but I feel it’s worth being aware of in general. The hacker wouldn’t need your phone though, they would just need to know your PIN or be able to guess it within 3 attempts.

I’ve just requested a magic link from my iPad and been able to open it and log in by clicking on it on my iPhone 7. Interestingly, this also logged me out of my iPhone 11 Pro.

1 Like

You could use a two step authenticator, like the one Microsoft has.

Once you sign into your email a notification will be sent to your mobile for it to be approved. Could alleviate some of your concern.

Stops a hacker from accessing your account themselves. Doesn’t stop an email being intercepted on its way to the destination.

This is by design. You can only be logged in to one instance of the Monzo app per platform. The app has always worked this way.

4 Likes

Thanks for clarifying. I wasn’t sure given that Monzo themselves have indicated to people on Twitter in the past that you can use their app on a tablet adjacent to their phone.

Do you happen to know if there is a reasoning behind that design decision?

Depends who by and where the email is intercepted. It’s a very common thing in coffee shops for example, though not so much on your own home network, unless you’re specifically being targeted. Either way, as a best practice, I avoid email if at all possible when it comes to any form of communication I wouldn’t be comfortable conducting publicly on something such as Twitter.

I know Monzo have said you can install the app on a tablet, but I haven’t seen them say it can be used at the same time as a phone, unless the two devices are different platforms (that is, one Mac, one Android).

It is possible to be logged in to an iPad and an Android phone at the same time, say. (Unless they’ve changed this since I last tried it.)

I don’t know the reasoning behind the decision. I would guess it was either a pure design decision to make it quicker to build the app in the first place, a security decision to keep the user safer, or some mixture of the two factors.

1 Like

I’m largely of the opinion that this is a bit of a fib often spun by companies who have an interest in selling you a VPN subscription.

2 Likes

Agreed. Everyone should be using an SSL connection for their email (and I’d be very surprised if there are many people who don’t). With SSL, there’s no way for someone ‘in a coffee shop’ to intercept your email. It has to be someone who knows the path your email will take between mailservers, and there has to be a jump between mailservers that isn’t SSL encrypted (also unlikely), or the attacker needs access to the mailserver.

3 Likes

It’s not, sadly. Anyone can do it with a cheap laptop and some free software, and the ability to follow simple instructions. It happens more commonly than you might think on public WiFi.

I have experience in the industry, but no affiliations with any VPN companies, though I do use my own personal VPN when I’m out of the home.

A few years back I spent a day in Manchester venturing between six different Starbucks stores for some research. In at least two of those stores I was able to identify the presence of packet sniffing software, in addition to my own.

Absolutely agree. Some mail service providers already now do this as standard, but it can vary by service and client. We need a standardised encrypted protocol that everyone uses and deploys as a default. I think we’ll get there at some point, and strides have already been made, but we’re not all the way there just yet.

Yes, some have started to do that in recent years, but not all do, and not all clients support it. I can still, for instance, establish an unencrypted connection to my iCloud email account, which would in turn download the emails to my device in plain text. Perhaps I’m just a little bit too paranoid.

2 Likes

This is why I would really like to have the option to supply a public key, and have my emails encrypted end-to-end. Facebook (of all companies) does offer this, so if the email is intercepted in transit, it is still secure.

1 Like

They need to change to a more conventional but secure method IMO. Standard email and password but with an obligatory 2FA with TOTP. None of this weird email link stuff, which would also be a pain when they give users the option to log in on a browser. I don’t understand what the benefit even is of having a link sent to your email as opposed to a password.

1 Like

Using public WiFi is way more of a privacy issue (operators selling your browsing history etc) than a security issue for most people.

Most sites and services use TLS. For example, an office with a fancy next-gen firewall and no devices with certs installed: the firewall had managed to scan only 1 file in 2 months. My point being there are very few mainstream sites that don’t use TLS; a bored person doing sniffing for lulz in public won’t get much more than where you are visiting.

If your threat model is high then you should use a VPN obviously.

2 Likes

While anyone can set up a false hot spot, I’m not sure you can simply break encrypted traffic. Normally to intercept the traffic you need trusted certs on the device you’re wanting to intercept.

It’s why a lot of company networks install additional certs on devices, it allows them to intercept the SSL traffic and read it.

If you try and intercept traffic without that you normally get a warning or the connection fails.

Most public email uses secure connections both for sending and receiving, in fact port 25 which is normally used to send email without encryption is often blocked on many networks.

1 Like

The cert is to decrypt; you can still packet sniff and see unencrypted traffic without one. You can also see which sites are being visited with deep packet inspection, but you can’t decrypt the actual data.

1 Like