Is Monzo's account security enough?

She has now, and would’ve done originally if she’d known it was gone. I’m not sure if you’ve ever been burgled (I hope not), but there are little things we’re still finding missing, like photo albums. It wasn’t until bedtime on Saturday night that I realised my digital toothbrush was gone. Who on earth steals a toothbrush?

But you get my point: all tech has now been remotely wiped where possible.

4 Likes

It wasn’t a new enough iPad to have a secure enclave to allow this.

I agree it is not a great experience being burgled. Having been burgled 3 times at different addresses myself over the years, you don’t realise what’s gone until you look for it, sometimes months afterwards. Glad Monzo sorted out a new email login address for your friend.

I don’t understand the logic of how they took some stuff and not others: a wallet in plain view was still there, yet a new pack of Costco AA batteries is gone.

2 Likes

lol, when I was burgled last I had a drawer open with around 100€ in notes in it. They didn’t take them; they took my spare change penny pot with around £20 in pennies and twos, and wandered down the road with a 32" telly that they would offload in the pub for £20 :man_shrugging: mindless idiots

3 Likes

This feature doesn’t actually require the secure enclave. It just requires iOS 5 (2011) or newer installed. It’s a built-in feature of iCloud for iPhone, iPad, Mac and Apple Watch (before erasing the device, you just turn on Lost Mode, meaning it cannot be set up unless the original Apple ID on the account logs in on the device first).

4 Likes

So since posting this thread, I have found that Monzo will in fact be adding a second layer of authentication before the strong customer authentication requirements come in later this year.

3 Likes

You just described why this is an issue for Monzo.

As people (myself included) keep trying to explain, apparently to deaf ears as Monzo seemingly can do no wrong, the issue is this.

Monzo have zero visibility of people’s email accounts. They have no information at all on how secure they are. They can only put in place controls on systems they have control over, e.g. your Monzo account.

In this case it is quite simple: your Monzo account information and financial data isn’t secure from the perspective of Monzo, as they have no way at all of determining the security of your email.

Monzo are aware of this, as they require user authentication to make transactions, but they require no user authentication to view your financial information. They only require that you have access to a person’s email, something Monzo are unable to have any view of security-wise.

People here keep arguing that this isn’t an issue, because apparently situations like the one described don’t happen, I guess :man_shrugging:

Cue the defenders of Monzo. But the fact will always remain the same: magic links do not authenticate the user and are inherently insecure by design in this particular aspect.

6 Likes

I do agree, guys. There is a need for 2FA. No security measure should be sacrificed for convenience.

On another note:
Why did you not change the email password?
If you change the email password, the mail account will request the updated password before loading the emails. Also, as previous comments said, the iPad needs to be remotely wiped ASAP.

1 Like

My email has 2-factor authentication to log in.
My mobile has Face ID or a 6-digit PIN.
Monzo uses Face ID or the PIN to log in and needs a 4-digit PIN to send money.

I’m not sure what the issue is with the security myself :man_shrugging: .

1 Like

Monzo has zero visibility of this. It’s great that you have it turned on, but Monzo don’t know this, so they cannot simply assume so.

Monzo can confirm this on the device.

This seems to be a hard subject for people to understand? Monzo have no visibility of your email; they cannot rely on it or know if it is secure. It’s not possible. They are clearly aware of this, as they require user authentication when making transactions. They appear not to believe user authentication is necessary for access to your financial data. While they have decided to accept this risk, clearly plenty of people think the user should be authenticated to have access to personal financial information.

1 Like

I’d say the onus is on Monzo to provide their own secure login method that doesn’t rely on the security of a third party system.

Perhaps a notification plus a notification centre item when a new user logs into your Monzo account could help with this. That way you could log them out, and it would also tell you your email was compromised.
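The mitigation suggested in this post (a second factor the bank itself controls for new-device enrolment, plus a recorded new-login event the user can be alerted on) as an added Python example. This is not Monzo's code and not from anyone in this thread; the in-memory store, the class and method names, the token lifetime and the sample account are all assumptions made for illustration. It also binds each link to the device that requested it, so a link read from a compromised mailbox cannot be opened elsewhere.

```python
"""Toy magic-link login with device binding, a bank-controlled second
factor for new devices, and a new-login event log. Added example only:
not Monzo's code; all names and values here are assumptions."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

TOKEN_TTL_SECONDS = 600  # assumed lifetime of a magic link


@dataclass
class Account:
    email: str
    app_pin_hash: bytes             # second factor the bank verifies itself
    salt: bytes
    known_devices: set = field(default_factory=set)
    login_events: list = field(default_factory=list)


class MagicLinkService:
    def __init__(self):
        self._accounts = {}   # email -> Account
        self._pending = {}    # sha256(token) -> (email, device_id, expires_at)

    @staticmethod
    def _hash_pin(pin: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def register(self, email: str, app_pin: str) -> None:
        salt = secrets.token_bytes(16)
        self._accounts[email] = Account(email, self._hash_pin(app_pin, salt), salt)

    def request_link(self, email: str, device_id: str) -> str:
        """Issue a one-time token bound to the requesting device.
        Only the token's hash is stored; the raw token would go in the email."""
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[digest] = (email, device_id, time.time() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token: str, device_id: str, app_pin: str = None):
        """Return (ok, reason). A link alone proves mailbox access only;
        a device the bank has not seen before must also present the app PIN."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.pop(digest, None)   # single use, even on failure
        if entry is None:
            return False, "unknown or already used link"
        email, bound_device, expires_at = entry
        if time.time() > expires_at:
            return False, "link expired"
        if not hmac.compare_digest(bound_device, device_id):
            return False, "link opened on a different device than requested it"
        acct = self._accounts[email]
        if device_id not in acct.known_devices:
            if app_pin is None or not hmac.compare_digest(
                    self._hash_pin(app_pin, acct.salt), acct.app_pin_hash):
                return False, "new device: second factor required"
            acct.known_devices.add(device_id)
            # The event a notification (and a "log this device out" action)
            # would be driven from.
            acct.login_events.append(("new_device_login", device_id))
        return True, "ok"

    def login_events(self, email: str) -> list:
        return list(self._accounts[email].login_events)


if __name__ == "__main__":
    svc = MagicLinkService()
    svc.register("alice@example.test", "1234")        # constructed sample account
    link = svc.request_link("alice@example.test", "ipad-1")
    print(svc.redeem(link, "ipad-1"))                  # new device, no PIN: refused
    link = svc.request_link("alice@example.test", "ipad-1")
    print(svc.redeem(link, "ipad-1", app_pin="1234"))  # PIN supplied: ok
    print(svc.login_events("alice@example.test"))
```

The PIN check here is what the thread is asking for: something the bank verifies on its own systems, so a compromised mailbox on its own is no longer enough to enrol a device and read account data, and every successful enrolment leaves an event the user can be told about.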

They actually don’t use any of these things to log into a new device. That’s the issue.

You don’t need a 4-digit card pin to send money?

Only on iPhone, I believe.

You do need a PIN, Face ID or a fingerprint to send money, anywhere.

The concern is that if your email gets compromised, someone could in theory get a magic link, set up the app and see your bank account.

I agree it’s a problem, and hopefully Monzo will do something; an earlier post suggests they will.

However, I’m not convinced it is a massive issue. Given they’re a bank, I’d imagine it has been considered, and I imagine that, like most banks, they’re targeted in many ways daily.

1 Like

Interesting thread. It made me think about my own security setup a bit more. I do have 2FA set up on my emails, but I think only on new devices, so assuming someone had access to my phone or laptop (and somehow got my password) I figure I would be a bit stuck.

So, having a play with the app: if someone gets into my phone, they can get into my Monzo account, change the email address to anything of their choosing and receive a magic link. I assume from there they could theoretically log in on a different device and do more damage?

The interesting thing, I think, is that as Monzo grow I expect they will become susceptible to more and varied attacks, and I wonder if there’ll be a particular “exploit” that will be used.

You can lock the app on your phone to require a PIN or fingerprint etc.

You also cannot make any payments without user authentication.

It’s unlikely that both your password and 2FA would be breached, thus gaining access. You’re more at risk of a social-based attack to get that information or to get you to transfer money yourself.

It’s not always about transfers. It’s more about personal data protection. :eyes:

1 Like