Improving Monzo App security when a stolen phone has been compromised

Some feedback on the security of the Monzo app with a stolen device.

  1. Many Monzo actions are protected by information that is entered in public on a regular basis, which leaves them open to eavesdropping. Of course this is also true for a card + PIN being taken, but it would be nice to reduce the attack vectors.

Protected actions in the Monzo app should be protected with a unique pin / passcode that wouldn’t typically be entered in public.

  2. The Monzo web app doesn’t offer a way to remotely log out of the app.

If a stolen device can’t be remotely disabled, it should be possible for us to remotely sign out of an active session; Google and Facebook offer this feature.

  3. Protect the un-freezing of a card: un-freezing the card should require authentication.

If a card is frozen via the emergency web app it shouldn’t be possible to un-freeze it without some authentication method such as a separate password (as mentioned in 1).

Implementing all three would make me feel much safer about using Monzo as a main account. As things stand I feel quite nervous using the Monzo app with any large sums; all my other banking apps have authentication methods separate from your PIN/device passcode, and their web apps also offer much greater control in locking things down.

I feel Monzo has a lot to improve here.

1 Like

For some context, my phone was stolen with the PIN compromised (not known at the time) and I had great difficulty in locking down my account without access. I hope these measures or similar can be applied by Monzo going forward.

If someone has your phone pin and your account pin, then there’s not really a lot you can do. They could get into any app/reset passwords.

Web app revoking app access is a good idea, until they just get another email link, which they have access to and use your pins to log back in.

2 Likes

Email access can be revoked remotely, can’t it? Gmail has an option for ‘sign out of all devices’, for example. And Outlook is such a large player in the market I assume they must have a similar feature.

1 Like

You can also lock your device, so that’s two steps before they can get back in to your account.

Although I’m not sure, if someone has your device PIN, whether they can unlock it to make it look “not lost”.

1 Like

Your first point is already addressed - the app is by-default locked to your account pin - NOT your phone device pin.

As a workaround to your second (and third points), if you borrow a friend’s phone of the same OS family (iOS or Android), or use a tablet, etc., and log into your account, then immediately log out so you’re not logged in on the borrowed device, then this will automatically invalidate the login session on your stolen phone.

Overall, this is the same or better security than any other mobile banking app I’ve used, where all of them need pin or biometric to access, just like Monzo, but have even less option on locking out a stolen device.

Which banks are you with that offer better options than this? I’ve just checked three high street banks that I have current accounts with, and none of them offer any management of mobile access from the websites.

1 Like

My point here is that Monzo is only protected by information that is frequently entered in public and has a high chance of being seen by a malicious individual. That does not address the first point, as every other banking app I have used has a separate dedicated password/PIN to unlock the app that would rarely be entered in public.

if you borrow a friend’s phone of the same OS family (iOS or Android), or use a tablet, etc., and log into your account

That does not seem like a viable solution; I should not have to rely on a friend at hand or a stranger to use their device to secure my account.

Which banks are you with that offer better options than this? I’ve just checked three high street banks that I have current accounts with, and none of them offer any management of mobile access from the websites.

The difference here is that those banking apps are more secure by default, with the dedicated passcode, so I wouldn’t have such a worry.

1 Like

If you use your face/finger then you never enter any pin and nobody can see anything.

2 Likes

Again, the Monzo app is protected by the app PIN, same as other banking apps. This is not the device PIN which you enter regularly, but a dedicated PIN for the app, just like you have on your other banking apps.

Agreed. Something better would be nice, but the fact remains that it is still more than you can do with most other banks, where you don’t even get this option.

Again, your logic is flawed, since the Monzo app is protected in the same way, with a dedicated code, and I still can’t see any other bank that offers the features you feel that Monzo is lacking.

Again, the Monzo app is protected by the app PIN, same as other banking apps. This is not the device PIN which you enter regularly, but a dedicated PIN for the app, just like you have on your other banking apps.

That is not correct; my other banking apps have a dedicated PIN/passcode. The device PIN/card PIN is not used, unlike for Monzo.

Just to clarify - the Monzo App requires your phone passcode if you fail biometrics (and have things switched on etc).

To do anything with your money in the app it requires your Card PIN - if you fail biometrics etc.

If they install the app on another device, and log in as you - they will require an ID check to ensure they’re you.

2 Likes

This is incorrect. The Monzo app uses device pin as a fallback for biometrics. This is different to other banking apps where you can set a separate app pin.

Certain actions in the Monzo app (like transferring money) are protected by a different PIN (the card PIN). But from a privacy perspective, the Monzo app doesn’t help those who have had their device PIN compromised.

2 Likes

Security is always good for any banking app! I love using Face Recognition for Monzo! Never had any problems with it; if my face fails 🥴 the PIN takes over. My partner uses Halifax and in her app you have to input the 1st, 4th and 6th characters of your password just to access the app! That would do my head in every time.

1 Like

Device PIN is something that’s almost never entered in public (or at all) any more; it’s hard to see how it could be compromised unless you told it to someone. As for biometrics… well, if they have your fingers then you’ve got bigger problems.

I’m not even sure I remember my card pin, it’s been so long since I used it…

What if they have my face!? :scream:

I’ve heard multiple accounts of phone PINs being compromised either through force or observation when Face ID fails, or more frequently Touch ID. Wouldn’t you think it should be more secure if a separate code was used to protect your bank account?

1 Like

A third PIN (that people will just make the same) will not happen.

1 Like

There is a separate code protecting your Monzo app: no money can be moved without your card PIN being entered. Unless you’re saying that PIN has been compromised also? In which case, a thief clever enough to capture two PINs isn’t going to be hard pushed to capture a third, are they?

2 Likes

With three pins, which ones are you entering in public?

The problem there is when you log in. To successfully log in using a device on the same platform as the lost/stolen phone (and therefore kill the Monzo app instance running on the lost/stolen phone) you need to have access to your email too, for the magic link. In the case of a lost phone this isn’t too bad, as no one has access to your email and you can use a browser (hopefully) on the friend’s phone to access your email for the magic link email, log in and kill the other instance.

But with a stolen phone, if the thief can also access your email on that device, you may be screwed. When you try to log in ‘remotely’ a magic link email will be issued, and the thief may get to the magic link button first on your stolen device and kick you off again.

1 Like
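To make the session behaviour discussed above concrete (one active app session per OS family, a fresh login on the same family invalidating the old one, login completed via a single-use magic link, and the remote "sign out everywhere" control the thread asks for), here is an added, hypothetical model of a server-side session store. It is example code written for this thread and is not Monzo's code or API; the two-phase `request_login`/`confirm_login` flow, the `SessionStore` class and the platform-family rule are assumptions chosen to mirror the behaviour described in the posts, not a description of how Monzo actually implements it.

```python
"""Illustrative session store: one active session per platform family,
magic-link confirmed logins, and a "sign out everywhere" action.
Hypothetical example for this thread; not Monzo's implementation."""
from __future__ import annotations

import secrets
from dataclasses import dataclass


@dataclass
class Session:
    token: str        # bearer token held by the app instance
    platform: str     # OS family, e.g. "ios" or "android" (assumed labels)
    device_id: str    # constructed identifier for the device
    active: bool = True


@dataclass
class PendingLogin:
    platform: str
    device_id: str
    used: bool = False


class SessionStore:
    """Server-side state for a single account (hypothetical model)."""

    def __init__(self) -> None:
        self._sessions: dict[str, Session] = {}      # session token -> Session
        self._pending: dict[str, PendingLogin] = {}  # magic-link token -> request

    def request_login(self, platform: str, device_id: str) -> str:
        """Phase 1: the app asks to log in; the server e-mails a single-use
        magic link carrying this token. Nothing is granted yet."""
        magic = secrets.token_urlsafe(32)
        self._pending[magic] = PendingLogin(platform, device_id)
        return magic

    def confirm_login(self, magic: str) -> Session | None:
        """Phase 2: whoever opens the magic link completes the login.
        Returns None for an unknown or already-used link."""
        req = self._pending.get(magic)
        if req is None or req.used:
            return None
        req.used = True
        # Mirrors the workaround in the thread: a new login on the same OS
        # family invalidates the session on the lost/stolen phone.
        for s in self._sessions.values():
            if s.active and s.platform == req.platform:
                s.active = False
        session = Session(secrets.token_urlsafe(32), req.platform, req.device_id)
        self._sessions[session.token] = session
        return session

    def is_valid(self, token: str) -> bool:
        s = self._sessions.get(token)
        return s is not None and s.active

    def logout(self, token: str) -> None:
        s = self._sessions.get(token)
        if s is not None:
            s.active = False

    def sign_out_everywhere(self) -> int:
        """The remote control requested in the thread: revoke every active
        session and every unconsumed magic link. Returns the number of
        sessions revoked."""
        revoked = 0
        for s in self._sessions.values():
            if s.active:
                s.active = False
                revoked += 1
        for req in self._pending.values():
            req.used = True
        return revoked

    def active_devices(self) -> list[str]:
        return sorted(s.device_id for s in self._sessions.values() if s.active)


if __name__ == "__main__":
    store = SessionStore()
    stolen = store.confirm_login(store.request_login("ios", "stolen-phone"))
    borrowed = store.confirm_login(store.request_login("ios", "friends-phone"))
    print("stolen phone still logged in:", store.is_valid(stolen.token))
    print("active devices:", store.active_devices())
    print("revoked by sign-out-everywhere:", store.sign_out_everywhere())
```

The model shows both sides of the last post's caveat: confirming the magic link is what revokes the other session, so whichever device opens the link first wins, and a server-side "sign out everywhere" that also burns unconsumed links is the control that does not depend on that race.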