If they try and change the email address associated with your Monzo account, they will almost certainly fail. This is because if you ask to change your email address, COps will typically ask you to go through selfie verification again. They will not change the address on a simple say-so.
Although they would be able to see your financials, they wouldn’t be able to do lasting damage in the app as they would need to know your PIN in order to transfer money.
If you have Google/Apple Pay connected, then potentially they could make <£30 payments using that? I forget if the phone needs to just be turned on or if it has to be unlocked for NFC payments to work.
But overall, you are more secure than you may think, especially considering you have 2FA on your email - which is the real weak link of anything on your phone.
Google Pay needs the phone to be unlocked via a secure method to work. In order to set up either on another phone, you would need the cards too. I think you can freeze the cards with the emergency website as well.
As for data protection, yes maybe but do people realise how much of their information is already out there?
For example, if you have registered for voting but failed to tick the edited register, there will be a number of sites where your address and phone number can be found. And most people's email is on Facebook, as well as their mobile.
It’s probably time this thread was locked, there is already one discussing magic links and whether they’re secure or not and this is just another variation of that same discussion.
It’s a terrible security feature that just passes the security requirements over to your email provider, a true “it’s someone else’s problem now lol” solution.
True 2FA OTP and YubiKey should be options built into Monzo.
As a slight aside …
IT Security experts suggest that your email system should have the strongest password, with two factor authentication.
This is because it is at the centre of your kingdom. Should someone have access to your email, then they have access to all of your accounts. Want to log in to Dropbox? Sure, reset password! Want to log in to your Amazon? Sure, reset password!
Again, I’m sorry to hear about your burglary, and glad that you’ve been able to stop the situation spiralling out of control.
It’s not terrible. I get your frustration and upset but it’s up to individuals to secure their devices. If the device had been secured this conversation would not have been raised.
It is an issue and I believe from earlier posts that it will be updated.
As for YubiKey, how many banks do you know of that employ that sort of 2FA?
Plus it’s a device which can be lost or stolen.
It just needs some user authentication to verify the user.
One time codes can be breached if a person’s mobile is stolen or sim swapped.
There is no perfect answer, but yes it needs something.
There is already a thread covering this though. Hence why this should be locked.
I would say it’s terrible because almost everyone remains logged into their email application. While the device itself should have security, adding additional layers for finance is only sensible. To rely on user behaviour for an essentially unrelated app is, from a security point of view, terrible. The only reason it’s gained popularity is because it’s meant to be more customer friendly (i.e. easier to use), but if security is easy, is it really any good?
If Monzo worked on the idea of “how many banks do X” Monzo wouldn’t exist! They should really be at the forefront of security and allow at least 2FA OTP login, TOTP to be exact, making spoofing impossible and the swapping of a SIM card irrelevant.
Argue what you want, but a YubiKey, or physical based 2FA system, is by far the most secure solution on the market today, unless you want to look into 3FA or other more experimental solutions (behaviour analytics etc).
Firstly, you can secure the email. You can have a PIN, fingerprint etc to get access to your email. This doesn't apply to all apps but there are plenty out there that do.
Second, device security is paramount but ultimately it's up to people whether they choose to use it or not. Certainly on new Apple devices it actively encourages you to set a PIN and fingerprint/Face ID and you cannot use Apple Pay etc without it being enabled.
Third, not everyone is tech savvy, so any security has to be balanced with keeping things secure but ease of use and convenience. Having some physical token device is good but it’s also something that can get lost and not everyone will be comfortable setting one up. 2FA via an app like Google authentication is great, till the phone goes and then unless you’ve chosen a solution which backs up your codes, or you’ve remembered your back up codes, you’ll be locked out.
Anyway I could go on but I’m not, I’m going to have to agree to disagree to your view and see what Monzo decide to implement to cover this issue.
Which brings me back to my first point that relying on another app's security is both lazy and dangerous, as there is no way to monitor whether people are securing their email apps. If it was done in the Monzo app, they at least would be able to monitor user behaviour.
It is up to the user to turn on a lot of security features, but app developers can enforce better security practices. Over the years, there has been a significant increase in websites and apps demanding strong passwords. What devs can’t do is enforce good security practices on apps outside of their own, taking me back to my point about email login being terrible.
Absolutely, but email login is leaning far too much towards ease-of-access than an unbearably difficult and secure login process.
Go on as much as you want, but basic security practices will always say the same thing: relying on a third party app for one-click access is a terrible security practice. At best it's pseudo-2FA, at worst, it's security driven by a UX team rather than engineers.
Really sorry to hear of the break in. Always a horrible feeling to have your home violated in this way. :( I hope things get back to normal soon!
With regard to your friend's security, I'm going to play devil's advocate on this one. Your point about magic links is valid, especially seeing as there's initially no extra step involving biometrics etc.
However, let's say for example that your friend was using a 2FA/MFA hardware token like a YubiKey on their email account. Naturally, us techies would say 'great idea, much more secure than just a password'. But ultimately, if she'd left the YubiKey plugged into her laptop and then her laptop was stolen, it becomes just as insecure as not having it at all. Yet I'm sure you'll agree that neither the mail provider nor Yubico are at fault - the device shouldn't have been left unattended.
This is essentially what we’re saying here. Yes, perhaps Monzo could sprinkle a little more security goodness over their login process. But ultimately if users aren’t taking their security responsibilities seriously then there’s always going to be a way in.
Although you can login and view everything with just the magic link… You need to enter either your bank card pin or use Touch/Face ID to send or transfer any money.
To be brutally honest, the single point of failure here was your friend not having at least a 4 digit code locking their iPad.
If Monzo sent SMS codes instead of emails then you would have this same issue if someone stole your phone.
This is going round in circles. No one is arguing about payments, they're arguing that similar security isn't considered for your financial data. This has been said maybe half a dozen times.
iPad could contain private information in images, messages, internet history, etc… There could be tonnes of private data up for grabs just because they couldn’t be bothered with a 4 digit pin code.
Personally, my spending habits are no more important to me than my emails. Maybe they should log out of the email client or just use the 4-6 digit code?
No, I'm saying the end user is responsible for the security of their device. However... yes, Monzo adding an extra layer (especially as a toggleable option) would not hurt.