How we secure Monzo’s banking platform 🔒

We’re taking a further look at the inner workings of Monzo 🔎

The engineering landscape moves fast, but our Security Infrastructure team moves faster 🚤

Read on to find out how they build security in a fast-paced engineering environment, and how they work with other teams to keep our customers and platform safe👇

We’ve also been able to grab some time from the author @chongyang to answer any questions you might have 😄


@chongyang Thank you for taking the time out to explain your role and how threat modelling is used to secure Monzo. In your view, are there any additional technologies or security processes that could be developed to deal with bad actors who access accounts via data disclosure/social engineering? I appreciate it's not a question easily answered but would appreciate hearing your thoughts.

Hi @FrancoJJameson, thanks for your question.

In terms of defending against social engineering, there is both a human and a technical aspect to it. The human aspect involves security awareness and phishing training, and the technical aspect involves having effective security controls both in our platform and on our staff devices to make data loss difficult.

For example, as mentioned in the blog post, we use hardware token devices extensively at Monzo, as they are more resistant to phishing than many other types of multi-factor devices. Across the various security teams we’ve done a lot of work on these aspects and we are continuing to improve them.