I actually hate that it insists on having access to my contacts just so it can push monzo me - and if you block access to contacts you cant access any payments at all.
It now looks like you can’t open a joint account either without granting access to contacts.
It’s obvious that Monzo doesn’t need access for the Monzo.me or joint account features, so the question is - why more or less force users to provide access? If it smells like data capture…
Even if there’s no particular intent behind this, it still is very much in the Google vein of “you can use our service, but only if you give us access to as much of your data as possible”.
Starling’s Settle Up and joint accounts work just fine without contacts access.
But why is this necessary at all for these features?
Even the most secure system will have its flaws, so why should I have to provide contacts to use a feature when I don’t need them at all?
@anon25115823’s comment is (now) incorrect. If you disable Payments with Friends you can still make bank transfers.
Monzo’s does too I assume that Monzo asks for access to your contracts for Monzo.me so that it can use the p2p transfers for transfers to users which saves them money.
You can disable access to contacts, but then you can’t use Monzo.me (I don’t think I had an account when that would have stopped bank transfers!).
By contrast, Starling lets you use Settle Up without contacts access.
Contacts access seems to be firmly ‘baked in’ to Monzo - not great, in my opinion, in particular because I can’t see why it would be essential to the above features.
Ok that makes sense too - I expect Monzo needs to see your contacts in order to find the person (Monzo user) that you’re opening your joint account with.
This is the alternative to Starling using their proximity feature to find the other user. Which prevents users who aren’t in the same room from opening a joint account together.
I don’t think either starling or Monzo have bad ways of setting up joint accounts. I am quite happy with Monzo having access to my contacts but I can see the issue if you don’t want that to happen.
I’m thinking more of the principle that you should only collect the minimum data necessary in the first place, then protection and security are unnecessary altogether.
I don’t think anyone could claim to have a totally secure system with a straight face these days
Totally agree - which is why if someone were to gain access to Monzo’s contact data store, they would find something similar to this for a contact, in place of their name / phone number / etc: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Not much an attacker could do with that.
That’s what the “hashing” process does to your contact’s details, as described in the screenshots I referenced above.
Plus, any contact that doesn’t currently use Monzo has their hash deleted from Monzo’s servers.
Pass the hash maybe? I’m sure there’s someone here who can think of potential routes for an exploit. Gaining access to the data store is surely not the avenue of choice these days. I’d do some behavioural manipulation of the right engineer
What if you don’t trust the app to begin with? The app has full access to your contacts and can do anything it wants with them, like silently stealing them in plain text before doing the hashing process.
I assume that Monzo asks for access to your contracts for 
- at least apple pay is now here 
