Email Security

Hi, can someone help me understand a security matter for Monzo?

I have a Monzo account, and what I’m trying to check is what information a hacker would need in order to access my Monzo account and steal money.

E.g. could they do so by simply obtaining access to my emails or would they also need the PIN for my monzo card?

Thanks in advance

I’m not sure this matters as I think the magic link in the email only works on the device that requested it. So if someone intercepts your login email, they can’t use it to login on their phone. They’d have to steal your unlocked phone as well.

2 Likes
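The reply above describes a magic link that only works on the device that requested it. The following is an added illustration of how a server can implement that binding (example code, not Monzo’s own implementation, and Monzo’s actual design is not documented on this page). It assumes the app sends a random, per-install `device_id` with the login request and again when the link is opened; the server stores only a hash of the token, makes it single-use, and refuses redemption from any other device.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Hypothetical server-side store of pending login tokens.
# Key: SHA-256 of the raw token; value: (device_id, email, expiry_unix_time).
# Only the hash is stored so a read-only leak of this table yields no usable links.
_PENDING: Dict[str, Tuple[str, str, float]] = {}

TOKEN_TTL_SECONDS = 600  # links expire after 10 minutes (assumed policy)


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def request_magic_link(email: str, device_id: str, now: Optional[float] = None) -> str:
    """Issue a single-use token bound to the requesting device.

    Returns the raw token that would be embedded in the emailed link.
    `device_id` is the app's per-install random identifier (assumption).
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of entropy, unguessable
    _PENDING[_digest(token)] = (device_id, email, now + TOKEN_TTL_SECONDS)
    return token


def redeem_magic_link(token: str, device_id: str, now: Optional[float] = None) -> Optional[str]:
    """Redeem a token from the device presenting it.

    Returns the authenticated email on success, else None.
    The token is consumed on any attempt, so a link that has leaked and been
    tried from another device can no longer be used by anyone.
    """
    now = time.time() if now is None else now
    record = _PENDING.pop(_digest(token), None)  # single use: remove on first attempt
    if record is None:
        return None  # unknown, already used, or forged
    bound_device, email, expiry = record
    if now > expiry:
        return None  # expired
    # Constant-time comparison: the device id is a secret-ish value too.
    if not hmac.compare_digest(bound_device.encode(), device_id.encode()):
        return None  # intercepted link opened on a different device
    return email
```

With this design, an attacker who reads the login email but does not hold the device that requested it gets nothing: redemption from a different `device_id` fails, and the attempt burns the token so the legitimate user simply requests a fresh link. The device identifier itself must be stored on the phone and never included in the email, otherwise the binding is meaningless.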

You could use a two step authenticator, like the one Microsoft has.

Once you sign into your email a notification will be sent to your mobile for it to be approved. Could alleviate some of your concern.

This is by design. You can only be logged in to one instance of the Monzo app per platform. The app has always worked this way.

4 Likes

I know Monzo have said you can install the app on a tablet, but I haven’t seen them say it can be used at the same time as a phone, unless the two devices are different platforms (that is one Mac, one Android).

It is possible to be logged in to an iPad and an Android phone at the same time, say. (Unless they’ve changed this since I last tried it.)

I don’t know the reasoning behind the decision. I would guess it was either a pure design decision to make it quicker to build the app in the first place, a security decision to keep the user safer, or some mixture of the two factors.

1 Like

I’m largely of the opinion that this is a bit of a fib often spun by companies who have an interest in selling you a VPN subscription.

2 Likes

Agreed. Everyone should be using an SSL connection for their email (and I’d be very surprised if there are many people who don’t). With SSL, there’s no way for someone ‘in a coffee shop’ to intercept your email. It has to be someone who knows the path your email will take between mailservers, and there has to be a jump between mailservers that isn’t SSL encrypted (also unlikely), or the attacker needs access to the mailserver.

3 Likes

This is why I would really like to have the option to supply a public key, and have my emails encrypted end-to-end. Facebook (of all companies) does offer this, so if the email is intercepted in transit, it is still secure.

1 Like

They need to change to a more conventional but secure method IMO. Standard email and password but with an obligatory 2FA with TOTP. None of this weird email link stuff, which would also be a pain when they give users the option to log in on a browser. I don’t understand what the benefit even is of having a link sent to your email as opposed to a password.

1 Like

Using public WiFi is way more of a privacy issue (operators selling your browsing history, etc.) than a security issue for most people.

Most sites and services use TLS. For example, an office with a fancy next-gen firewall and no devices with certs installed: the firewall had managed to scan only 1 file in 2 months. My point being, there are very few mainstream sites that don’t use TLS; a bored person sniffing for lulz in public won’t get much more than where you are visiting.

If your threat model is high then you should use a VPN, obviously.

2 Likes

While anyone can set up a false hotspot, I’m not sure you can simply break encrypted traffic. Normally, to intercept the traffic you need trusted certs on the device you’re wanting to intercept.

It’s why a lot of company networks install additional certs on devices; it allows them to intercept the SSL traffic and read it.

If you try and intercept traffic without that you normally get a warning or the connection fails.

Most public email uses secure connections both for sending and receiving; in fact, port 25, which is normally used to send email without encryption, is often blocked on many networks.

1 Like

The cert is to decrypt; you can still packet sniff and see unencrypted traffic without one. You can also see which sites are being visited with deep packet inspection, but you can’t decrypt the actual data.

1 Like
