Face ID security

I do not have a driving licence anymore due to health issues, as I do not travel much, my passport is in a safe. So unable to use them as id check, but as soon as I enabled Face ID, I can see my PIN number. Anyone can hold my phone facing my face to unlock phone and app, so technically finger and Face ID is not as safe imo

I.e. I have a epilepsy seizure, staring into blank space, some random person picks up my phone, opens the Monzo app, uses my face to unlock phone/app and then makes transactions. I think a secondary check with the Face ID is better. Password/pin? Even if just for logging in. Or at least let us choose if we wish to have an extra check when using Face ID?

If I had epilepsy or suffered from passing out, Id just use pin on Monzo and turn off the face/thumb under settings if I was super worried. The chance has got to be slim some one would take advantage unless you’re in dodgy areas. I don’t know if you inform a bank of a condition that they would be able to help any more in recovering money. I guess a credit card would help more in this instance so if it was nicked and your face/thumb used whilst you weren’t able to do anything about it could be flagged and removed :man_shrugging:


Turn off Face ID if this is a concern for you?


Good to be concerned about security.

The scenario given seems very much theoretical. Certainly an edge case.

If of concern, disable FaceID / TouchID.


First, Face ID requires you to directly look at the sensor to unlock (assuming you enabled this, like you should).

Second, this scenario is incredibly unrealistic. The threat from having your PIN compromised by a bystander watching as you input it on an ATM, or using a rigged ATM, or entering your card details online on a site processing them awfully, is far more likely. The scenario you described is so incredibly unlikely to realistically happen.

It presumes that you’re having a seizure, a guy comes along, gets your phone from your hand, unlocks it by putting it to your face (requiring you to stare into the Face ID camera to unlock), he opens up the Monzo app, gets a Face ID from you again in the same manner, goes straight to PIN, reveals PIN, gets a 3rd Face ID from you again, then memorises your PIN, robs you of your wallet, pinches your Monzo card, and then runs off. All while there’s presumably no bystanders which could help you out or stop an extended and wildly exotic robbery.

Let’s assume this incredible scenario actually happened. How does one deal with this? Quite simply, you report your card as stolen in the app as soon as you regain your composure. The card is immediately terminated and is now useless. His extended effort to rob you didn’t pay off.


I have to agree with @afel and others, this scenario requires a very specific set of circumstances to occur.

The first being that every time you have a seizure, someone is out to get you. My brother has epilepsy with regular seizures and vacancies all the time. Mugging him has been the last thing on anyones mind when this has happened. People being supportive and protective is a more usual response.

If someone did come to rob you whilst a seizure occurs, the chances they actually know you are a Monzo customer and have planned this elaborate heist for every epileptic they meet is far fetched. It would be far easier to simply steal your wallet, card and phone and run without the problem of trying to find out you are a Monzo customer, multiple Face Id attempts and you even actually having a balance worth stealing.

If you don’t believe in the security of Face ID or Touch ID, just disable it.

1 Like

My concern is with someone getting hold of my PIN or cloning my card, which seems to be (I think) much more realistic. So I use mbway, which is a service we have here in Portugal to get a one use code to withdraw cash. I just need to go up to any ATM and insert the generated code, no cards involved. Incidentally generating the withdrawal code is authenticated by touch/face ID

NatWest has it built into their app here.

Anyway aren’t you far more likely to mugged at the ATM than someone bothering to get your pin.

When having a seizure you stare into blank space, usually straight ahead and can be used to unlock phone.

Even when just going bogged eyed, it unlocks.

What are the chances? Considering Monzo is growing in size. All it takes is someone to pick up a phone from someone having a seizure, opens the Monzo, holds it towards the person having the seizure and it unlocks.

No I do not have it enabled, I am just raising it as an issue.

I would say it is then thousand times more likely they would just steal your phone and run off to be honest instead of checking what bank you use, loading the app, making you unlock it, then setting themselves up as a payee, initiating a transaction and then making you authorise it again.

1 Like

To rob you whilst using the card and see your pin, you have to be at an atm using the card. To open the app with Face ID, they can just rob the phone

To open the phone and app with Face ID is not location specific.

If Biff’s sports almanac was protected by FaceID it would have made for a really long Back to the Future 2…

As has already been suggested, “attention” is a feature of FaceID that you have to manually turn off in the accessibility settings. They’d have to have your attention, and therefore willing to have your phone & app unlocked in multiple instances. I can see it being an issue if there are people who know you that are plotting to con you out of your money, but that in itself is an edge-case.

All you need to do is look at the screen, I do not call going crossed eye having attention

What is the point of bringing up potential issues if people are going to just say disable this, disable that etc?

I had only said that someone would be more likely to be waiting for someone to finish using the ATM before mugging them as then they are most likely to have cash on them.

Nothing about them peering over your shoulder or using a camera to see your pin being entered and then stealthily nicking your card which is another possibility.

Far easier just to either mug them or nick the wallet to get the cash that’s been withdrawn.

Nicking the actual phone to then try and bypass the usual pin/face/thumbnail and then start making transfers in app is slim. This is only going to happen if you’re a specific target of interest, and going to nick thumbprints to create a dummy thumb or face imaging to create a realistic mask, or phishing con to get the pin, and not just some guy on the street.

My point was that you actually have to deliberately weaken FaceID in the settings for it to be an issue. Out of the box it’s already pretty secure.

And my point is, all it takes is someone to see you with a Monzo card, have a seizure, or even rob you, hold the phone towards you and that would unlock, even going bogged eyed it unlocks.

The chances? Considering Monzo is growing in size, a lot of people have epilepsy, the chances are higher than you think.

Just because you know what you are doing and how to make your account more secure etc, does not mean everyone does. Especially the elderly.

Disregarding the additional factor of them seeing you with a bank card like Monzo first, the chance that you are incapacitated in the vicinity of someone who would take advantage of you and start trying to use your face or thumb to unlock and then start marking transfers next to your body and hoping that nobody intervenes in this space of time has got to be so so so slim.

Let’s say it did happen, the chance of this being caught on camera and you have the account/sort the transfer was made to it wouldn’t take much investigation.

If people going to mug they will mug, they aren’t waiting for people to have seizures and going :money_mouth_face: “jackpot”. People tend to help people who have gone down, it’s way too much attention to start trying to steal or using their face to own their phone in those situations.

If you are going to be alone in very high risk areas, where muggings are common, and you have a condition that could incapacitate you then only carry a credit card so it’s trival to challenge any transactions, or like don’t carry your phone (or use a simple burner phone without the app you don’t mind giving up) and just the cash you need. It’s the same common sense for everyone tbh. Unless you’re in some seriously dodgy parts of the UK, it would be nice you don’t need to take those precautions here at least.

Don’t believe so. At least here in Portugal while both situations are extremely uncommon, there have been half a dozen cases a year of criminals installing ATM skimmers (usually the same group installing skimmers in about half a dozen different ATMs). Someone mugging you when leaving an ATM happens even less than that. Probably because it’s a violent crime with more serious consequences if caught, the victim can try to fight back and has a smaller payout

That NatWest solution doesn’t seem to fulfill the same purpose as its way limited in the amounts and only works at certain ATMs, not to mention it’s only available from a single bank