I actually hate that it insists on having access to my contacts just so it can push Monzo.me - and if you block access to contacts you can’t access any payments at all.
It now looks like you can’t open a joint account either without granting access to contacts.
It’s obvious that Monzo doesn’t need access for the Monzo.me or joint account features, so the question is - why more or less force users to provide access? If it smells like data capture…
Even if there’s no particular intent behind this, it still is very much in the Google vein of “you can use our service, but only if you give us access to as much of your data as possible”.
Starling’s Settle Up and joint accounts work just fine without contacts access.
Not true for opening joint accounts, at the moment at least:
You can disable access to contacts, but then you can’t use Monzo.me (I don’t think I had an account when that would have stopped bank transfers!).
By contrast, Starling lets you use Settle Up without contacts access.
Contacts access seems to be firmly ‘baked in’ to Monzo - not great, in my opinion, in particular because I can’t see why it would be essential to the above features.
Totally agree - which is why if someone were to gain access to Monzo’s contact data store, they would find something similar to this for a contact, in place of their name / phone number / etc: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Not much an attacker could do with that.
That’s what the “hashing” process does to your contact’s details, as described in the screenshots I referenced above.
Plus, any contact that doesn’t currently use Monzo has their hash deleted from Monzo’s servers.
Pass the hash maybe? I’m sure there’s someone here who can think of potential routes for an exploit. Gaining access to the data store is surely not the avenue of choice these days. I’d do some behavioural manipulation of the right engineer.
What if you don’t trust the app to begin with? The app has full access to your contacts and can do anything it wants with them, like silently stealing them in plain text before doing the hashing process.
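The hashed contact matching described earlier in the thread, as an added sketch that is not part of any post and is not Monzo's code. SHA-256, the phone normalisation rule, the `DiscoveryServer` class and all sample numbers are assumptions made for illustration.

```python
import hashlib
import re

def normalize_phone(raw, default_cc="44"):
    """Reduce a number to country code + digits (assumed rule, UK default)."""
    digits = re.sub(r"\D", "", raw)
    if raw.strip().startswith("+"):
        return digits
    if digits.startswith("00"):
        return digits[2:]
    if digits.startswith("0"):
        return default_cc + digits[1:]
    return digits

def hash_contact(raw):
    """Client side: only this digest is uploaded, not the number itself."""
    return hashlib.sha256(normalize_phone(raw).encode()).hexdigest()

class DiscoveryServer:
    """Hypothetical server: indexes existing customers by hashed number."""
    def __init__(self, registered):
        self.index = {hash_contact(num): handle
                      for handle, num in registered.items()}
        self.retained = {}  # uploader -> hashes kept after matching

    def match(self, uploader, uploaded_hashes):
        hits = {h for h in uploaded_hashes if h in self.index}
        # Hashes of contacts who are not customers are dropped here.
        self.retained[uploader] = hits
        return sorted(self.index[h] for h in hits)

# Constructed sample data (numbers from the UK range reserved for fiction).
REGISTERED = {"alice": "+44 7700 900123", "bob": "07700 900456"}
ADDRESS_BOOK = ["07700 900123", "0044 7700 900456", "07700 900789"]

def run_demo():
    server = DiscoveryServer(REGISTERED)
    uploaded = {hash_contact(n) for n in ADDRESS_BOOK}
    found = server.match("carol", uploaded)
    return found, server.retained["carol"]

if __name__ == "__main__":
    found, kept = run_demo()
    print("matched:", found, "| hashes retained:", len(kept))
```

Matching only works because the same number always produces the same digest, whichever format it was typed in. In this sketch an empty contact field produces the e3b0c442… digest quoted in the thread, which is the SHA-256 of empty input.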