Could not delete the card from Apple Pay?
Yup, you can do that remotely.
I'm not being difficult I'm just trying to understand where all of this has stemmed from.
It seems that they've added their card to a less secure 3rd party service that has no spending caps or anything. It then got compromised but it's Monzo that has poor security?
I'd personally be complaining to Apple Pay for not having any controls. Not wanting Monzo to add a third PIN
iCloud was removed from the phone so this was not possible here. Clearly a horrible situation but left me unable to control my Monzo account due to no control of the phone. Hoping here Monzo can protect against this with the measures.
Additional pin is just one suggestion that would help, remote disablement and not being able to un-freeze the card would all have helped in the above.
This cannot be done without your iCloud password.
So someone had your phone, phone pin, Monzo pin and your iCloud password?
That's fair. So enter the card PIN to freeze or unfreeze the card?
I'd certainly be looking at biometrics after all of this, that's for sure. Nobody is stealing your face or fingerprint to get into your phone or Monzo app unless you're in a James Bond movie.
You can't disable it on the device without a password, I checked before I posted. No option for pin.
iCloud password was unfortunately in my device's keychain, a lesson for the future. No they did not have my card pin, just phone and phone pin.
Not necessarily. I tried to add a card to my Phone via Apple Pay on HSBC after resetting it and HSBC immediately blocked it. The same with Natwest. Monzo are lax here. Also in the past other banks have frozen my card when there have been a few Apple Pay purchases after a period of non use.
Indeed. It's one of the failings of apple/google pay IMHO. The fact it falls back to device PIN if you don't use the Face correctly. I don't think you can turn it off.
I think the problem here is that Monzo doesn't really have any fraud spending checks, or at least they are much more relaxed than a mainstream bank. As above, in the past I've had a large purchase temporarily blocked and a quick call to resolve. With Monzo, essentially if there's Money the thief can spend it.
This has been an interesting thread, and I wanted to put some thoughts to this.
- I don't think Monzo is secure enough currently, but I appreciate the options are given. In that if you so want, you can enable FaceID access to the app. Personally when I had Monzo I never bothered on the basis they'd need my Face to unlock and I never enter the phone pin in Public view.
- Other apps have better security controls. I can for example remove any device from another with HSBC and via mobile banking
- If I do this and the thief needs to re-install, the only way they can do this is via a QR code on a different device already logged in, or via text. That second one is a weak point since if the number is compromised then this is a challenge (HSBC)
What would I like to see:
- Better enforcement of FaceID/BioMetrics for login
- The ability to easily remove any device from Monzo and prevent re-login via magic link (this can easily be compromised)
Anything else is likely too much and out of Monzo's control. Not everything should be on them to fix in terms of security of devices.
If you're using FaceID for phone pin/Monzo auth, then you're never entering the pin for someone to see.
I didn't realise it did that. On a number of other apps, it falls back to a secure code or key. Not something easily got by a thief.
But if the baddie has your card pin, what does this solve?
You need a third pin, and that's for "really secure" things, but as evident on here, people freeze and unfreeze their card all the time, so they'd be seen using their third pin.
If you're really this security conscious then you have to take the extra precautions yourself. No ApplePay, turn off contactless, complex long phone pin which you don't enter in public, don't enter your Monzo pin in public.
Android has extra secure folders I think.
Or you can live your life and get refunded if it happens to you
You could have a fourth PIN to unlock the third PIN.
And that's open when the phone is unlocked? That's so bad. I keep my passwords on Bitwarden, it needs either my fingerprint or the master password to get in, even if the phone is unlocked, as (I believe?) do most other 3rd party password managers.
Equally bad. A password manager should have an independent pin/password to the one that unlocks the phone.
What is "it" for clarity?
That's not really possible when it's all held on your iCloud account.
Keychain basically isn't a very secure way to store passwords, same as storing them in your chrome browser or whatever. Well - it's as secure or insecure as your relevant devices.
Genuine question: would you say iCloud Keychain is more or less secure than something like 1Password?
The Phone, apologies, I thought this was implied.
Part agree. If someone knows your device Pin, and your card Pin then this won't really work. In this instance I think having a separate PIN, while painful, might be the best option for those that are security conscious.
Like most banking apps, the Halifax one also supports biometrics (fingerprint/Face ID) to login.
Your partner just needs to switch it on in the app settings if they have not done so.