Some feedback on the security of the Monzo app with a stolen device.
Many Monzo actions are protected by information that is entered in public on a regular basis, which leaves them open to eavesdropping. Of course this is also true for a card + PIN being taken, but it would be nice to reduce the attack vectors.
Protected actions in the Monzo app should be protected with a unique PIN/passcode that wouldn’t typically be entered in public.
The Monzo web app doesn’t offer a way to remotely log out of the app.
If a stolen device can’t be remotely disabled, it should be possible for us to remotely sign out of an active session; Google and Facebook offer this feature.
Protect the un-freezing of a card: un-freezing the card should require authentication.
If a card is frozen via the emergency web app, it shouldn’t be possible to un-freeze it without some authentication method such as a separate password (as mentioned in 1).
Implementing all three would make me feel much safer about using Monzo as a main account. With the above, I feel quite nervous using the Monzo app with any large sums; all my other banking apps have authentication methods separate from your PIN/device passcode, and their web apps also offer much greater control in locking things down.
For some context, my phone was stolen with the PIN compromised (not known at the time), and I had great difficulty locking down my account without access. I hope these measures, or similar, can be applied by Monzo going forward.
Email access can be revoked remotely, can’t it? Gmail has an option for ‘sign out of all devices’, for example. And Outlook is such a large player in the market I assume they must have a similar feature.
Your first point is already addressed - the app is by-default locked to your account pin - NOT your phone device pin.
As a workaround to your second (and third points), if you borrow a friend’s phone of the same OS family (iOS or Android), or use a tablet, etc., and log into your account, then immediately log out so you’re not logged in on the borrowed device, then this will automatically invalidate the login session on your stolen phone.
Overall, this is the same or better security than any other mobile banking app I’ve used, where all of them need a PIN or biometric to access, just like Monzo, but have even fewer options for locking out a stolen device.
Which banks are you with that offer better options than this? I’ve just checked three high street banks that I have current accounts with, and none of them offer any management of mobile access from the websites.
My point here is that Monzo is only protected by information that is frequently entered in public and has a high chance of being seen by a malicious individual. That does not address the first point, as every other banking app I have used has a separate dedicated password/PIN to unlock the app that would rarely be entered in public.
if you borrow a friend’s phone of the same OS family (iOS or Android), or use a tablet, etc., and log into your account
That does not seem like a viable solution; I should not have to rely on a friend at hand or a stranger to use their device to secure my account.
Which banks are you with that offer better options than this? I’ve just checked three high street banks that I have current accounts with, and none of them offer any management of mobile access from the websites.
The difference here is that banking apps are more secure by default with the dedicated passcode and wouldn’t have such a worry.
Again, the Monzo app is protected by the app PIN, same as other banking apps. This is not the device PIN which you enter regularly, but a dedicated PIN for the app, just like you have on your other banking apps.
Agreed. Something better would be nice, but the fact remains that it is still more than you can do with most other banks, where you don’t even get this option.
Again, your logic is flawed, since the Monzo app is protected in the same way, with a dedicated code, and I still can’t see any other bank that offers the features you feel that Monzo is lacking.
Again, the Monzo app is protected by the app PIN, same as other banking apps. This is not the device PIN which you enter regularly, but a dedicated PIN for the app, just like you have on your other banking apps.
That is not correct; my other banking apps have a dedicated PIN/passcode. The device PIN/card PIN is not used, unlike for Monzo.
This is incorrect. The Monzo app uses device pin as a fallback for biometrics. This is different to other banking apps where you can set a separate app pin.
Certain actions in the Monzo app (like transferring money) are protected by a different PIN (the card PIN). But from a privacy perspective, the Monzo app doesn’t help those who have had their device PIN compromised.
Security is always good for any banking app! I love using Face Recognition for Monzo! Never had any problems with it; if my face fails 🥴 the PIN takes over. My partner uses Halifax, and in her app you have to input the 1st, 4th and 6th characters of your password just to access the app! That would do my head in every time.
The device PIN is something that’s almost never entered in public (or at all) any more; it’s hard to see how it could be compromised unless you told it to someone. As for biometrics… well, if they have your fingers then you’ve got bigger problems.
I’m not even sure I remember my card pin, it’s been so long since I used it…
I’ve heard multiple accounts of phone PINs being compromised, either through force or through observation when Face ID fails, or more frequently Touch ID. Wouldn’t you think it would be more secure if a separate code was used to protect your bank account?
There is separate code protecting your Monzo app, no money can be moved without your card PIN being entered. Unless you’re saying that PIN has been compromised also? In which case, a thief clever enough to capture two PINs isn’t going to be hard pushed to capture a third, are they?
The problem there is when you log in. To successfully log in using a device on the same platform as the lost/stolen phone (and therefore kill the Monzo app instance running on the lost/stolen phone), you need to have access to your email too, for the magic link. In the case of a lost phone this isn’t too bad, as no one has access to your email and you can (hopefully) use a browser on the friend’s phone to access your email for the magic link, then log in and kill the other instance.
But with a stolen phone, if the thief can also access your email on that device, you may be screwed. When you try to log in ‘remotely’, a magic link email will be issued, and the thief may get to the magic link button first on your stolen device and kick you off again.