In App switches and location based security


(Michael Jenkins) #5

If you had a secondary card for travelling, this could make sense.


(Alex Sherwood) #6

In that case you could just freeze the card until you needed to use it.


(Francesco) #7

I am indeed. They have been around for a while and I like to try different products. Ultimately both Monzo and Revolut are wanting to become a new form of bank, so it makes sense to compare the products :slight_smile:

I believe contactless fraud might increase as contactless payments become more and more popular. I personally don’t like contactless payments and prefer to use something like Android Pay or Apple Pay as you need to authorise the transaction by unlocking your phone or with your fingerprint. Disabling contactless might also help with card clash, avoiding paying with a card you did not intend to use if you have more cards and more accounts. I use contactless payments only when my phone is dead.

Disabling online payments is quite interesting as it prevents someone from paying for something with stolen credit card details. Additionally, if the payment fails because you forgot to enable it you might just log into the app and enable it. On websites like Amazon it should not be a problem as they store your card details and get a continuous payment authority. I might have to check that. I’ve never paid attention to that.
Additionally, even if every bank refunds the money, it is an extra step the customer needs to take and, while I haven’t had occasion to leverage the Monzo refund policy, it is normally a chore simply as it involves calling a contact centre or visiting the bank (Monzo might differ on this).

Cash withdrawals are an interesting feature to block as there are many situations in big cities where cash machine skimmers are installed with many mechanisms to capture the PIN number. So at least while I’m on holiday I don’t need to worry about my card and can just lock the bits I’m not using. Plus I’m rarely withdrawing cash, so as it is a feature I don’t often use it might make sense to block it.

In addition… placebo effect is a great thing. If customers feel more secure, they will use the card more :slight_smile:

But good points, and interesting conversation.


(Gareth) #8

It would only disable the authorisation, the reader would still read multiple cards and clash.

Your details are charged at the time: for example if you preorder something then cancel your card (say you lost it), the payment will fail when they go to charge it. Same concept applies if online payment was disabled. Direct debits are continuously authorized, but only PayPal uses that.


(Gareth) #9

I will add Barclays added some of the switches you talk about (ATM and online), but personally I only find the ATM daily limit useful (you can raise or lower it in £10s right down to £10 or 0).


(Rika Raybould) #10

Very true, there has been some discussion around it being technically possible to disable contactless on a Monzo debit (not the current prepaid) card by sending an issuer script over the payment network to the card inside an ATM, though it would have to be at least semi-permanent and would likely require asking support if it were to become available.


(Francesco) #11

It would, but it would prevent you from paying with the card you didn’t intend to use should at least one card payment go through.


(Matt) #12

This can also easily be achieved by freezing your card?

Also, if people are that scared of contactless, which I don’t believe the vast majority of Monzo users are since they are making the switch to a tech-first bank, then perhaps Monzo would consider a non-contactless enabled card?


#13

Why be scared of contactless? The liability has to be on the card provider.

I’m actually much more scared of chip and pin fraud where the issuers insist that it is perfect, yet there have been several hacks on it.


(Naji Esiri) #14

We do plan to make the settings more granular at some point in future, so I expect at that point the option to toggle certain security features and notifications may be possible.

I also think there is a lot to be said for this point

Our priority is to pro-actively identify security risks and safeguard against them in the best way we know how. This may not always match what people perceive as secure based on cues that are familiar to them and it’s important we don’t ignore this. Customers should feel comfortable and safe managing their money using the app (trust counts for a lot) so as long as it doesn’t compromise our approach to keeping your money safe, there’s no reason, apart from time constraints, why we shouldn’t make efforts to provide these options for people too.


(Marta) #15

I agree about the placebo effect, it’s a good thing. @Naji, but why wasn’t the same said about the app pin/password that was requested A LOT on forums?

Monzo keeps saying that ‘magical link is safe enough’, but plenty of users would prefer to enable the inconvenience/security of having a pin/password. So what makes extra card security features different from password/pin on Monzo app? Both fall under ‘placebo effect’ in my eyes.


(Alex Sherwood) #16

When Hugo commented on this, he said that Monzo would make an effort to educate users, rather than build features just for the placebo effect. After all, if the non-placebo approach is more secure &/or convenient & you can build trust in other ways, isn’t that the better option?

I can’t help feeling that there must be a more simple & less time consuming way to address these concerns than building useless features, for the sake of addressing a perceived risk, that isn’t really there.


(Andy Little) #17

I can see Monzo’s point about educating users, but I think there is a balance to be struck and some improvements to be made. A (slightly off topic) example being the magic link for log in: I can barely go a month without hearing someone I know complain that their email account has been hacked, and as it stands that will get someone into your Monzo.

Limited damage as it stands since they can’t actually spend any of your money, but down the line it could be problematic.


(Alex Sherwood) #18

And that’s why more safeguards, for the new functionality, will be put in place at that point :slight_smile:

But we’re talking about actual security now, not placebo security, so let’s move the conversation to the below topic if you have concerns about the magic links.

For anyone who’s wondering, here’s why the Monzo team adopted magic links -

& since Monzo are liable for unauthorised access of users’ accounts (as long as the user follows the T’s & C’s), it’s in their interest to get this right.


(Francesco) #19

I’m not sure that’s good enough :slight_smile: After all Monzo are still building their trust and image.

In addition, the only reason contactless was introduced on cards is because the convenience of small transactions encouraged greater spending than with regular chip and pin. Security was not the main driver :slight_smile:


(Hunter) #20

I agree contactless fraud may increase but it is already pretty widespread. Not being able to turn off the contactless payment with a flick of a button like with the Revolut card is pretty alarming but I really hope they add this feature ASAP. It is not always handy to keep your card in an RFID wallet after all. As easy as contactless payments are and as much as I love it, I have as much hatred for it due to the never ending security issues and the fact that someone doesn’t even need to mug you anymore to get your details; they can just sit beside you on the train and smile at you.

Ideally I like to keep my card locked down as much as possible by disabling contactless, cash withdrawals, online spending etc. and only enabling them when needed. Is anyone else like that? When traveling it really is the smartest thing to do!


(Alex Sherwood) #21

That may be your perception but the good news is, that’s actually not true. 1% of all fraud is contactless & obviously an even smaller fraction of that will be people with readers taking contactless ‘payments’ in public places.


(Patrick) #22

“Barely go a month without…”? That common? I’ve only ever heard about two occurrences from people I know, didn’t know email hacking was that common. Also: What would the “forgotten password” process be if we cannot rely on emails? Would we have to go to a Monzo branch to get our fingers printed, iris scanned and passports combed with magnifying glasses just so we can get a new password? :thinking:


(Andy Little) #23

Less and less since more people started turning on 2FA. I think the problem is the “I’ll just have one password I use everywhere” mentality.

I can see your point about password reset, but I’d like to see a 2nd factor on login. Perhaps a text message or Google Authenticator code. With a text the user wouldn’t even have to type it in, the Monzo app could read the text directly à la WhatsApp.


(Marta) #24

I’ve stumbled upon many articles that actually bashed text messages as an insecure method. Not the easiest ‘hack’ to do, but doable. https://www.theregister.co.uk/2016/12/06/2fa_missed_warning/ seems like a decent summary.

Even today, Metro Bank showed me a funny popup that immediately makes me trust less in text messages:

Don’t get me wrong, I’m all about 2FA, but for now I’m good with what Monzo has.