Is Monzo's account security enough?

Hey all, I just want to shed some light on a personal situation and throw some dirt around about whether Monzo’s account security is enough.

Unfortunately my house was broken into over the weekend and quite a few handheld tech devices were taken. As a tech-savvy person, anything related to me is passworded; however, my housemate isn’t so savvy. She has an iPad that doesn’t leave her bedroom, nobody goes in her bedroom, essentially nobody ever sees she has an iPad, so why on earth does she need a password, in her mind? Imagine her panic a day later, whilst still figuring out what’s missing etc., getting a magic link email from Monzo. She hadn’t requested this and the email had already been read by someone else (the thief who stole her iPad).

Immediately I told her to phone Monzo. Firstly, when she rang she was presented with a little automated message followed by an “if this is urgent please use the in-app chat” message.

Normally I think the chat is fine, but in situations like this I think it’s perfectly fine to want a human to reassure you they’re doing everything for her, and not three little dots to denote the fact somebody is typing a message.

So I’ll give Monzo their praise here: they immediately froze her account, which she was told would stop any payments coming in or leaving the account. And then this is where it all goes funky.

Someone has access to her email, which she can’t change the password to because Microsoft requires time to validate a change in security credentials. She’s not a tech-savvy person, so she doesn’t have MFA and backup codes safely stored.

But from the point they froze the account she could still log in but was unable to perform anything. I assumed the time they froze the account was to allow them to make it safe, e.g. change the email, change the PIN, but no. Any time she spoke to them she got a cut-and-pasted message that someone would get back to her soon, blah blah blah, as if she was a customer whose account had been frozen and they couldn’t talk to her under the rules of not tipping off, which was not the case here.

So several hours later she got a message in chat saying they had completed their review and her account was now good to use.

Well, I ask, what on earth did they do in this time? Nothing, it seems to me, and she had told them several times while her account was frozen for a few hours that she would like to update her email as the thief has access to her email account. This was updated, but only after her account was unlocked.

Also, is it now time for some sort of secondary password or PIN, or even an SMS, to log in to a Monzo account? I don’t know any other bank in the entire world that allows a customer to log in with just a magic link and not even any device enrollment.

If this was her Lloyds account they would’ve never gained access, due to it having a password and not just a link in an email.

I’m sorry to hear of the break in.

There is already a thread on the forum arguing that the magic link method has the potential to be unsafe.

Is that anything to do with Monzo account security? Surely your friend’s security needed the upgrade?

6 Likes

There are two parts to this:

Firstly, the login situation; yeah, that can be improved and I’m educating her on that now, but as Monzo grows it’s going to be attracting more and more customers and many of these aren’t going to be tech savvy. Is this going to become a much bigger issue?

And the second point is the fact Monzo froze her account, made zero changes she requested that would be needed to keep her account secure, and then unfroze the account, leaving it in the same state as before they froze it.

Hmmm, I don’t really see it’s a Monzo security issue when the user doesn’t have ANY security on their email account, so any thief can log in and change an account email, and the user doesn’t seem to want to secure it. I don’t leave my car unlocked in a car park with its windows open and keys in the ignition and expect it to be there when I come back; it’s just basic common sense, isn’t it?

I accept your point about attracting more customers who aren’t tech savvy, though, and maybe Monzo need to try and educate these people during sign-up for a tech bank?

Presumably nothing more has happened to your friend’s account since Monzo unblocked it for them. I have no idea what they may or may not have put in place to “protect” it for them, but so far so good???

Perhaps the title of the thread should be “Is my friend’s account security enough?” - No

9 Likes

Monzo is not any issue in this scenario.

2 Likes

The important thing to remember is that no money can be moved from the account without further verification - pin, biometric etc.

Passwords are only as secure as the people using them. Most browsers allow you to see your saved passwords in plain text with just a couple of clicks. If people are just reusing the same password (or variations of) everywhere it won’t take long to get into any account.

I’m not sure an SMS would be good enough either if a device has been stolen. Quite a few phones will display message contents on the lock screen without unlocking.

You also have to bear in mind that 2FA would likely be optional if implemented. If you already have an insecure email account you’re probably not the sort of person who is going to bother switching it on.

I’m not sure people realise the importance of internet security - with the number of lists of passwords floating around the web, there’s definitely an education process that needs to take place.

4 Likes

No, and I’m saying this as someone who uses Monzo as their main bank.

People have their email services on things like iPads, which will already be logged into their email provider through the Mail app (90% of the time, at least). In these scenarios, a magic link simply isn’t secure enough as it relies on the security of the device itself, with 2FA already being bypassed on the device.

The reality is most people (most) will have a PIN on their tablets that is easy to remember, for example month and year of birth or something else related.

Saying “oh well, she needed a better PIN” or whatever the other solution would be literally defeats the point of magic links. The entire point is Monzo argues passwords are inherently insecure (and numeric PINs are just less secure passwords, considering that on an iPad, for example, they can only be 6 digits long and consist of the characters 0 through 9).

“Being able to browse through emails” isn’t enough of a security token. If a new device logs in, I really don’t see why they don’t get people to verify via Authy or Google/LastPass/Microsoft Authenticator etc. Just once, to verify the device. Or even just put in the PIN to log in to the device for the first time, which they’ll need to do to verify transactions anyway…

2 Likes

Not trying to dispute your points, but you can actually set alphanumeric passwords for iPads and iPhones. And a 6-digit PIN has millions of possibilities if it’s not an easy-to-guess one like 123456 etc.

I think this could be quite a neat solution to satisfy everyone. Not too much friction and only requested on the first login from a new device.

Edit: just to clarify this is in addition to the magic link.

4 Likes
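The proposal above (keep the magic link, but require a one-off verification on the first login from an unknown device) sketched out as an added Python example. This is not Monzo’s code and not something posted in the thread; the 10-minute link lifetime, the app PIN as the second factor, and the account, device and PIN values are all assumptions for illustration.

```python
"""Magic-link login that also requires one-time verification of a new device.
Added illustration, not Monzo's code. An enrolled device signs in with the link alone;
an unknown device must also present the app PIN once, and is then enrolled. Tokens are
single-use, time-limited and stored hashed, so a leaked table yields no working links."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

TOKEN_TTL = 600  # seconds a link stays valid (assumed value)


@dataclass
class Account:
    email: str
    pin_salt: bytes
    pin_hash: bytes                     # PBKDF2 of the app PIN, never the PIN itself
    enrolled_devices: set = field(default_factory=set)


@dataclass
class MagicLink:
    email: str
    expires_at: float
    used: bool = False


class AuthService:
    def __init__(self, now=time.time):
        self.now = now                  # injectable clock so expiry can be tested
        self.accounts = {}              # email -> Account
        self.links = {}                 # sha256(token) -> MagicLink
        self.pending = set()            # (email, device_id) pairs that redeemed a link, PIN outstanding

    @staticmethod
    def _hash_pin(pin, salt):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def register(self, email, pin, device_id):
        salt = secrets.token_bytes(16)
        self.accounts[email] = Account(email, salt, self._hash_pin(pin, salt), {device_id})

    def request_magic_link(self, email):
        """Mint a single-use token and keep only its hash; the raw token is what the
        emailed link carries. A token comes back even for unknown addresses, so the
        response does not reveal which emails hold accounts; those are never stored."""
        token = secrets.token_urlsafe(32)
        if email in self.accounts:
            digest = hashlib.sha256(token.encode()).hexdigest()
            self.links[digest] = MagicLink(email, self.now() + TOKEN_TTL)
        return token

    def redeem_magic_link(self, token, device_id):
        """Returns 'logged_in', 'pin_required' or 'rejected'."""
        link = self.links.get(hashlib.sha256(token.encode()).hexdigest())
        if link is None or link.used or self.now() > link.expires_at:
            return "rejected"
        link.used = True                # burn it even if the second step never completes
        if device_id in self.accounts[link.email].enrolled_devices:
            return "logged_in"
        self.pending.add((link.email, device_id))
        return "pin_required"

    def verify_pin(self, email, device_id, pin):
        """Second step for an unknown device. A wrong PIN discards the pending state,
        so each guess costs the attacker a fresh link from the mailbox."""
        try:
            self.pending.remove((email, device_id))
        except KeyError:
            return "rejected"
        acct = self.accounts[email]
        if not hmac.compare_digest(self._hash_pin(pin, acct.pin_salt), acct.pin_hash):
            return "rejected"
        acct.enrolled_devices.add(device_id)
        return "logged_in"


def demo():
    """Constructed scenario from the thread: thief reads the mailbox from an unenrolled device."""
    svc = AuthService()
    svc.register("alice@example.com", "4821", "alices-phone")   # hypothetical user, PIN, device
    out = {}
    t = svc.request_magic_link("alice@example.com")
    out["enrolled_device"] = svc.redeem_magic_link(t, "alices-phone")        # link alone suffices
    t = svc.request_magic_link("alice@example.com")
    out["thief_with_link"] = svc.redeem_magic_link(t, "thiefs-laptop")       # link alone does not
    out["thief_wrong_pin"] = svc.verify_pin("alice@example.com", "thiefs-laptop", "0000")
    out["thief_retry"] = svc.verify_pin("alice@example.com", "thiefs-laptop", "4821")  # pending gone
    out["replayed_link"] = svc.redeem_magic_link(t, "thiefs-laptop")         # already used
    t = svc.request_magic_link("alice@example.com")
    svc.redeem_magic_link(t, "alices-new-phone")
    out["new_device_with_pin"] = svc.verify_pin("alice@example.com", "alices-new-phone", "4821")
    return out
```

`demo()` returns the outcome of each step: the enrolled phone is logged in by the link alone, the thief who can read the mailbox gets only as far as `pin_required`, a wrong PIN throws away the pending login so another link must be requested, the used link is refused on replay, and the owner’s genuinely new phone is enrolled once the PIN is supplied. The point of binding the second step to a one-shot pending state is that reading the mailbox never turns into more than one PIN guess per link.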

While I agree a second authentication would help, I’m not sure Google Authenticator is the best one here. If you lose the device, and you haven’t chosen a solution which backs up these codes, you become locked out of your account.

It needs to be some form of information only the user would know and had to set up during registration.

If you don’t secure your device properly, you can’t secure the app. Device security is important and ultimately down to the user. Not the bank.

1 Like

Or, if there’s a device already logged in, send it a push notification to verify the new login.

If the current device says no or doesn’t respond, then do a little KYC.

Onus is on the user to secure their devices. Not on Monzo. Unless I missed something in the Ts&Cs when I signed up…

The fact that many people don’t do it, and don’t have ‘better security’ is not good but will never change. So I see no reason for Monzo to change their stance.

Anyway, this will (already has?) spiral into a ‘what if’ discussion so you all have fun!

2 Likes

A 6-digit PIN has exactly 1,000,000 permutations… 000000 to 999999.

To the OP, things can always be made more secure but, as Monzo is a new kind of mobile-centric bank, you have to find a balance. Given mobiles and tablets have good security features built-in, I think it’s reasonable to expect the user to secure their device with a PIN, strong password or fingerprint. (I moved from Nationwide to Starling as I was sick of finding I couldn’t perform certain account actions without the supplied card reader.)

The failing here is with Customer Services. It sounds like a misunderstanding about why the account was frozen and then a failure to make the required changes before unfreezing the account.

4 Likes

This would be the optimal solution, apart from: what if a user only has one phone and then gets an upgrade? I suppose in that scenario you could just reverify with SMS or something (not that SMS is 100% secure either). I’m sure there are ways around that, but assuming the device isn’t lost this is probably the most secure method.

Oh yeah, of course they can offer other means of security on top of what’s already there. I was just pointing out the extra security available on the devices the OP mentioned 🙂

@m8tt Just to get a better understanding of this: the email account that is registered against Monzo, I’m guessing the perpetrator has access to this email account via the iPad? So they can also see magic links coming through from Monzo??

Or has your roommate managed to change the email address against their Monzo account?

So now the email account has been changed on the Monzo account.

But they had access to the email, so they could, and did, request a new magic link to log in to her Monzo account.

1 Like

Wait, has she done a remote erase of her iPad yet? Or at least logged into her accounts and removed her iPad from the login options where available?

Has she considered using Find my iPad to disable her iPad? If she has an iCloud account, it ought to be possible to render it permanently unusable.