Lack of security? Suggestion for improvement

Folks,

Some interesting discussion here - but taking away the discussion of password strength, the issue here is that there is very limited security upon installing the Monzo app.

Here’s a hypothetical scenario:

  1. A website is breached (fairly common) and customer e-mail addresses, passwords and credit card numbers (or bank account numbers/sort codes) are leaked online

  2. Somebody filters down the list to show only sort codes in the 04-00-04 range

  3. The majority of users re-use their passwords, so there is statistically a good chance that a hacker will be able to log in to the victim’s webmail account with these stolen credentials

  4. Hacker installs Monzo app and attempts to authenticate with user’s e-mail address and no additional security - magic link sent to webmail account that they now have access to

  5. Hacker presses ‘Show PIN’ in iOS card information screen

  6. Hacker is now able to transfer any amount of money from the victim’s account

This is the problem here :slight_smile:

Part of my day-to-day employment is to act as the European IT Manager for my organisation and I would never assume that my users have adequate password or security measures in place.

1 Like

Is this really possible? Last time I reinstalled the app it wouldn’t show me my pin until I entered my pin which I’d forgotten so had to chat to COps to get it back.

I don’t believe you get access to the pin on a fresh install

Hi Simon,

I’ve removed/reinstalled the app several times today and can immediately show my PIN.

Have reported to COps who are investigating further…

That’s not good. Are you on android? I’ve just had a play about and it always asks for authentication for me either via Touch ID or a short video and ID.
I tried logging out, uninstalling, with Touch ID, without Touch ID, cannot get it to just display…

I have an iPhone X running the latest iOS patch here :slight_smile:

Ah, I actually believe Monzo uses Face ID in this case. It’s just so fast and seamless you don’t notice.
Would be good to have confirmation on this though as it would be a terrible security hole

Hi Simon,

As far as I’m aware, when an application is freshly installed and asks for permission to use Touch or Face ID, what it is in fact doing is adding the current application to iOS’ keychain, meaning that future requests will be authenticated by verifying against the keychain entry.

The first authentication upon installation should ask for an additional security step (e.g. ID verification) before requesting to use Touch/Face ID for authentication :slight_smile:

iOS 11 and up has a bug/“feature” where system keychain entries are not deleted when apps are uninstalled, so it could be that some authentication token still persists there and so allows you to get your PIN immediately.

Could you try and see if it behaves the same on a brand new device you’ve never logged on before?

Just had a reply from a chap in Monzo’s security team confirming that it looks as though my device is retaining the keychain entry/token.

Unfortunately I don’t have a spare device to test with, but I’m now much happier.

Chris

1 Like
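The keychain-persistence point above is the one a defender can act on: iOS keychain items survive an uninstall while UserDefaults do not, so an app can detect a fresh install and wipe any leftover session material before it is ever consulted. The following Swift is an added example of that pattern, not code from this thread or from Monzo; the key and service names are assumed placeholders.

```swift
import Foundation
import Security

/// Keychain entries outlive the app bundle on iOS, but UserDefaults are
/// removed with it. A missing "has launched" flag therefore means this is
/// a fresh install, and any stale token in the keychain should be deleted
/// before it could silently satisfy a later Touch ID / Face ID check.
enum FreshInstallGuard {
    // Assumed key and service names; substitute the app's own identifiers.
    private static let launchedFlag = "com.example.app.hasLaunchedBefore"
    private static let sessionService = "com.example.app.session"

    /// Returns true if a fresh install was detected and the keychain was wiped.
    @discardableResult
    static func clearKeychainIfFreshInstall(defaults: UserDefaults = .standard) -> Bool {
        if defaults.bool(forKey: launchedFlag) {
            return false // flag present: not a fresh install, keep credentials
        }

        // Match every generic-password item this app stored under its service.
        let query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: sessionService,
        ]
        let status = SecItemDelete(query as CFDictionary)

        // errSecItemNotFound simply means nothing was left behind; any other
        // failure is surfaced rather than ignored so a stale token cannot linger.
        precondition(status == errSecSuccess || status == errSecItemNotFound,
                     "keychain wipe failed with OSStatus \(status)")

        defaults.set(true, forKey: launchedFlag)
        return true
    }
}

// Call as early as possible, e.g. from application(_:didFinishLaunchingWithOptions:),
// so the wipe runs before any code path reads the session token.
FreshInstallGuard.clearKeychainIfFreshInstall()
```

After the wipe the first launch falls through to the full enrolment flow (card security code plus ID check, as described later in the thread) instead of reusing a token from a previous install.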

Yep, when you reinstall Monzo it doesn’t ask for permission to use Touch ID, it just uses it. The device clearly remembers it from before. I don’t know how to clear that manually; try to install on a new device to test, but I don’t think it will allow Touch ID without authentication.

Never mind any encryption, I don’t think that password example would be anything other than the least secure password used if I came across it in a work environment. Why? Because it would be written down somewhere on account of how no-one would be able to remember it.

It would be in my password safe, the password for which is long, random, and etched into my brain. Thus it is safer than ANY password you can remember.

3 Likes

I think the security level is perfect :ok_hand: Requires finger print or password, anything more and it will start to feel like a traditional bank.

They could perhaps add a second layer for those with concerns, but I personally wouldn’t use it.

2 Likes

Maybe for some but I have at least three that strong with 18+ characters, never written down. Not saying everyone is like that, but I am, therefore it’s not the least secure at all…

To further put your mind at rest, if I have TouchID disabled, after tapping the button to view my PIN, I have to enter the security code from my card and then submit a selfie with me and photo ID (I bailed at the last step). So it’s definitely not trivial to get the PIN revealed.

I’d like to highlight this, because of a pervasive mindset that the security of email is based on the security of accessing the client or webmail website.
Fundamentally, email is plaintext in-the-clear transmission. Unless you are using a 3rd party application to encrypt before sending (e.g. GPG) then anything sent or received via email can be considered no more than ‘back of a postcard’ secure or private, and relies entirely on intervening mail servers pinky-swearing not to read it; this remains the case even if you layer security ‘on top’ like STARTTLS (though that does reduce the chance of anyone sniffing your emails as the packets are routed between servers). There is no end-to-end encryption present in any of the email protocols (POP, IMAP or SMTP).

2 Likes