Is the Monzo app PSD2 compliant?


(Andy Ramsden) #1

I notice on the iOS version of the Monzo app that Touch ID is optional, so if switched off by the user, the app has no authentication. Will this have to change to be PSD2 compliant? Even with fingerprint auth this is still only 1-factor authentication and PSD2 mandates two factor.

In contrast my firstdirect banking app has fingerprint auth plus phone registration - I need to have my phone and my fingerprint to login, and so appears to be two-factor and seemingly PSD2 compliant.


(Andre Borie) #2

Wouldn’t the device count as an additional factor?


(Andy Ramsden) #3

Yes device registration would be a second factor, but I can’t remember whether or not I had to register my device when I signed up. If so, then Monzo would appear to be compliant except when TouchID is disabled by the user? I guess it’s the optional piece that’s confusing me.


(Alex Sherwood) #4

That’s a privacy feature, as opposed to a security feature - you’re required to complete additional verification e.g. enter your card’s PIN or CVV before you can remove money from the account.


#5

Currently a PIN or biometric to enter the Monzo app is optional - will we see this become mandatory when PSD2 requirements come into force?


#6

God I hope not, I don’t think @Rjevski could handle it


(Allie) #7

I couldn’t handle it either! It’s ridiculous. The phone is a trusted device.


#8

But the phone itself is only one ‘element’, under PSD2 the customer has to be authenticated using 2 elements at least every 90 days before seeing their account information :thinking: Not sure how they will do this without making PIN/biometric mandatory…


(Andre Borie) #9

I mean if it’s once every 90 days it’s not that big of a deal, but honestly this is a bullshit regulation.


#10

It’s a good thing I never

  • Hand people my phone to change music
  • Let people give me directions from Google Maps whilst driving
  • Ask people to take photos of me on my phone
  • All lock screens are 100% invulnerable and will never be breached
  • Let people on scooters steal my phone as I use it

(Andre Borie) #11

You still have a PIN in the app for taking money out so it would protect you in these scenarios.

All lock screens are 100% invulnerable and will never be breached

You really have much bigger problems to worry about if someone managed to crack your lock screen and has access to your device.


(Allie) #12

Enforce a secure lock screen, same as Google Pay does.


(Gareth) #13

Shout OK GOOGLE, SELF DESTRUCT?


(Tom) #14

Hey I’ve moved your topic here to keep this discussion in one place.


(l8n.me) #15

Yes, involving all those photos and videos I take alone after dark…


(Andre Borie) #16

Or your email from which they can take over all your accounts by doing a password reset. Plus they even have your phone number to answer any security challenges or get 2FA texts.


(l8n.me) #17

Yeah, they can rob me blind for all I care as long as they don’t distribute those pics… that angle is not kind to anyone.


(Leon) #18

:thinking::grin::joy::sob::+1:


#19

So, I use Airmail on iOS which can let me require TouchID or a PIN.
My 2fa is also behind a PIN.
My old texts are on rolling delete. And I browse the web through my password manager anyway.

Most of the apps that don’t require something extra are games on my phone.

I used to be an app developer; people borrowed my phone all the time.

There’s information on the home screen of Monzo I wouldn’t want some people knowing: salary, overdraft state, I might need to buy stuff for private medical things…


(Andre Borie) #20

I mean if you’re happy to type & remember PINs all over the place it’s your call. I would consider that extremely paranoid (and I consider myself paranoid but this is a whole new level IMO).

But my argument is that we should let people decide for themselves what kind of security they want, and not perpetuate the myths of bullshit legacy-bank-grade security theatre (it’s even counter-productive because it gives a false sense of security; I’ve seen idiots installing all kinds of malware and saying “but my bank had a PIN so it’s secure, right?”).

If people still decide to enable fingerprint/PIN after this then it’s their choice, but it needs to be an informed decision, not “well every other shit bank does it so I must do it right?”, and it should be made clear that protection on the app is not a silver bullet and you’re still vulnerable if your device is compromised.

I used to be an app developer; people borrowed my phone all the time.

Maybe you’re trying to use the wrong tool for the job and expect everyone to conform to your use-case? You’re using a single-user operating system as a multi-user one… no wonder not all apps support (nor plan to support) this by offering in-app PINs & whatnot. Not to mention, at the end of the day, this is still a fairly narrow use-case and not everyone (maybe less than 1%) of Monzo’s user base routinely gives away their phone as a test device to debug apps on.

I use Airmail on iOS

Unrelated, but check it against Email Privacy Tester and enjoy the carnage. Last time I checked it was vulnerable to JavaScript execution inside emails. :joy: