Is Monzo requiring access to contacts for joint account opening / Monzo.me necessary & secure?


#1

I actually hate that it insists on having access to my contacts just so it can push Monzo.me - and if you block access to contacts you can’t access any payments at all.

It now looks like you can’t open a joint account either without granting access to contacts.

It’s obvious that Monzo doesn’t need access for the Monzo.me or joint account features, so the question is - why more or less force users to provide access? If it smells like data capture…
Even if there’s no particular intent behind this, it still is very much in the Google vein of “you can use our service, but only if you give us access to as much of your data as possible”.

Starling’s Settle Up and joint accounts work just fine without contacts access.


( related to Monzo CEO, Investor in Monzo ) #2

lol - Nov 17 - that’s like a lifetime ago


(Marcel Ruhf) #3

I don’t know why that’s the case, but the reason “data capture” actually becomes a lot viable if you read how the feature was implemented.


#4

About 240 days. Is there a cut-off point for issues?


#5

But why is this necessary at all for these features?
Even the most secure system will have its flaws, so why should I have to provide contacts to use a feature when I don’t need them at all?


(Alex Sherwood) #6

@lee-am’s comment is (now) incorrect. If you disable Payments with Friends you can still make bank transfers.

Monzo’s does too :slightly_smiling_face: I assume that Monzo asks for access to your contacts for Monzo.me so that it can use the p2p transfers for transfers to users, which saves them money.


( related to Monzo CEO, Investor in Monzo ) #7

No, not at all, just seems funny that you comment on a post so old :slight_smile: - at least Apple Pay is now here :fire: :slight_smile:


#8

Not true for opening joint accounts, at the moment at least:

You can disable access to contacts, but then you can’t use Monzo.me (I don’t think I had an account when that would have stopped bank transfers!).
By contrast, Starling lets you use Settle Up without contacts access.

Contacts access seems to be firmly ‘baked in’ to Monzo - not great, in my opinion, in particular because I can’t see why it would be essential to the above features.


#9

Ah!
It was the only relevant post I could find when I ran a quick search.
Therefore, looks like this is not a major issue for most users.


(Alex Sherwood) #10

Ok that makes sense too - I expect Monzo needs to see your contacts in order to find the person (Monzo user) that you’re opening your joint account with.

This is the alternative to Starling using their proximity feature to find the other user. Which prevents users who aren’t in the same room from opening a joint account together.


#11

But why oh why the necessity? How many joint accounts can you open anyway? Does it really need access to all my contacts?

Surely there’s a simple way of doing it without this level of access.

Same for Monzo.me

Shame that these big features are predicated on unnecessary exposure of users’ contacts.


(Alex Sherwood) #12

I’m not quite sure what you’re imagining there. Here’s how Monzo secures that data -


#13

I don’t think either Starling or Monzo have bad ways of setting up joint accounts. I am quite happy with Monzo having access to my contacts but I can see the issue if you don’t want that to happen.


#14

I’m thinking more of the principle that you should only collect the minimum data necessary in the first place, then protection and security are unnecessary altogether.

I don’t think anyone could claim to have a totally secure system with a straight face these days :wink:


(Alex Sherwood) #15

Great, it sounds like we’re both on the same page then :slight_smile:


#16

If you are agreeing that contacts access is unnecessary for these features and a data risk, then yes, we’re on the same page!


(Marcel Ruhf) #17

Totally agree - which is why if someone were to gain access to Monzo’s contact data store, they would find something similar to this for a contact, in place of their name / phone number / etc: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

Not much an attacker could do with that.
That’s what the “hashing” process does to your contact’s details, as described in the screenshots I referenced above.
Plus, any contact that doesn’t currently use Monzo has their hash deleted from Monzo’s servers.
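
The flow post #17 describes (hash each contact, match against existing users, discard the rest), sketched as an added example; it is not Monzo's code and not part of any post in this thread. SHA-256, the UK-default number normalisation, the server-side key and all function names are assumptions, and the phone numbers are constructed.

```python
import hashlib
import hmac

# Digest quoted in post #17; it equals SHA-256 over zero bytes of input.
QUOTED_DIGEST = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

def quoted_digest_is_empty_input():
    return hashlib.sha256(b"").hexdigest() == QUOTED_DIGEST

def normalise(number, default_cc="44"):
    """Reduce a number to country code + digits (UK default is an assumption)."""
    digits = "".join(ch for ch in number if ch.isdigit())
    if number.strip().startswith("+"):
        return digits
    if digits.startswith("00"):
        return digits[2:]
    if digits.startswith("0"):
        return default_cc + digits[1:]
    return digits

def plain_digest(number):
    """Unkeyed digest: deterministic, so every holder of the same number
    derives the same value. That is what makes matching work, and it also
    makes the value a stable pseudonym for the number, not a random token."""
    return hashlib.sha256(normalise(number).encode()).hexdigest()

def keyed_digest(number, key):
    """Server-side variant (assumption): cannot be recomputed without the key."""
    return hmac.new(key, normalise(number).encode(), hashlib.sha256).hexdigest()

def match_and_discard(uploaded, registered):
    """Keep digests that belong to existing users; everything else is dropped."""
    return sorted(set(uploaded) & set(registered))

def demo():
    # Constructed sample data (numbers from the UK range reserved for drama use).
    address_book = ["07700 900123", "+44 7700 900456", "0044 7700 900789"]
    registered = {plain_digest("07700 900456")}
    uploaded = [plain_digest(n) for n in address_book]
    return match_and_discard(uploaded, registered)

if __name__ == "__main__":
    print("quoted digest is SHA-256 of empty input:", quoted_digest_is_empty_input())
    print("digests retained after matching:", demo())
```

Matching only works if every client normalises a number to the same string before hashing, which is why the three input formats above collapse to one form.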


#18

Pass the hash maybe? I’m sure there’s someone here who can think of potential routes for an exploit. Gaining access to the data store is surely not the avenue of choice these days. I’d do some behavioural manipulation of the right engineer :wink:


(Andre Borie) #19

You’re assuming the servers are the problem.

What if you don’t trust the app to begin with? The app has full access to your contacts and can do anything it wants with them, like silently stealing them in plain text before doing the hashing process.

There’s also the issue of third-party SDKs.


#20

Yes! The iceberg is huge