Bit concerned about security. I used to bank with Barclays but now use Monzo. I just noticed that by default the app needs no credentials to be used, so if the phone was unlocked someone would be straight in. Even more concerning is that I can transfer money to someone else with no intermediate security checks. So, unlocked phone, straight in and transfer my entire balance to themselves. I have now enabled Face ID but wow! I think Barclays are over zealous with security but this seems very lax? Or am I missing something?
Thoughts?
phildawson
(Sorry, I will have to escalate this.)
This is incorrect. You need to enter your PIN to transfer money.
Was it to someone you had transferred money to before? This is standard behaviour for any banking app, though. If I make a transfer to a new person with First Direct? I have to authenticate it. Next time I transfer to the person? As I've already authenticated the person, they trust the transfer and don't ask me to authenticate again.
Having the app open by default is a design choice prioritising ease-of-use over security theatre. It's good practice to have a lock on the phone as there are far more damaging angles of attack than Monzo - email access being the biggest one.
In any case, you may be pleased to know that the new Secure Customer Authorisation regulations mean that the app will periodically request the user to reauthenticate app access.
That makes Monzo more secure than First Direct, then!
Also, I'm obviously not paying enough attention when I'm transferring out of Monzo - that or the implementation minimises the friction so much I'm not even noticing it.
I completely get that what Monzo have implemented matches very well to what they consider their typical customer's threat model / security-easiness trade off. However, not mine. PLEASE can we have a toggle in settings to require PIN/fingerprint/nothing to enter the app - it'll keep those who are happy as is and those who keep asking for this or similar happy.
That's already there as far as I can tell. I can turn on fingerprints on Android and I believe the same can be done for Apple.
I have a feeling that if you don't have a fingerprint scanner for Android you might be out of luck though, it's been a while since I've had a phone without one so I'm not sure if that's been changed.
Exactly but no PIN option.
My phone is unlockable by fingerprint for ease of use with every other sensitive app protected by a PIN or password. Monzo doesn't give me that option.
My (really strongly) preferred security/convenience balance is something I am to open the phone and something I know to access a sensitive app.
It wasn't someone I had paid previously from within Monzo but I have recently done an account switch from Barclays and it appears to have brought across all my payees, so maybe it didn't check because of this. Will keep an eye out next time I make a transfer
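The two behaviours discussed in this thread - a PIN step-up only for payees you have not authenticated a payment to before, plus a periodic forced re-authentication of the app session - and the edge case raised in the last post (payees copied across by an account switch) can be written down as a small step-up policy. The code below is an added illustration, not Monzo's or any bank's actual implementation; the 90-day interval, the field names and the rule that an imported payee starts untrusted are all assumptions made for the example.

```python
"""Step-up authentication policy for outgoing transfers (illustrative).

Added example, not Monzo's or any bank's real code. Assumptions:
- REAUTH_INTERVAL stands in for the periodic app re-authentication the
  thread attributes to the new regulations; the 90-day value is assumed.
- A payee is "trusted" only once the user has entered the PIN for a
  payment to them inside this app. A payee record imported by an
  account switch therefore starts untrusted and still triggers a step-up.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional

REAUTH_INTERVAL = timedelta(days=90)  # assumed value


@dataclass
class Payee:
    name: str
    sort_code: str
    account: str
    imported: bool = False        # brought across by an account switch
    authenticated: bool = False   # user has PIN-authorised a payment to them here


@dataclass
class Session:
    last_auth: Optional[datetime] = None  # when the user last proved the PIN

    def needs_reauth(self, now: datetime) -> bool:
        """Stale or never-authenticated sessions must re-prove the PIN."""
        return self.last_auth is None or now - self.last_auth > REAUTH_INTERVAL


def transfer_requires_pin(payee: Payee, session: Session, now: datetime) -> bool:
    """True if a PIN step-up is required before this transfer is released.

    Trust is earned only by an in-app authenticated payment; the `imported`
    flag on its own never grants trust. A stale session also forces a step-up
    regardless of payee.
    """
    if session.needs_reauth(now):
        return True
    return not payee.authenticated


def make_transfer(payee: Payee, session: Session, now: datetime,
                  pin_entered: bool) -> str:
    """Simulate the transfer flow; returns "pin_required" or "sent"."""
    if transfer_requires_pin(payee, session, now):
        if not pin_entered:
            return "pin_required"
        # A successful PIN both refreshes the session and trusts the payee.
        session.last_auth = now
        payee.authenticated = True
    return "sent"


def scenario() -> Dict[str, str]:
    """Constructed walkthrough of the cases discussed in the thread."""
    now = datetime(2020, 1, 1, 12, 0)
    session = Session(last_auth=now - timedelta(days=1))  # authenticated yesterday
    friend = Payee("A. Friend", "04-00-04", "12345678")            # constructed
    imported = Payee("Old Payee", "20-00-00", "87654321", imported=True)  # constructed

    results = {}
    # New payee: blocked until the PIN is entered.
    results["new_payee_no_pin"] = make_transfer(friend, session, now, pin_entered=False)
    results["new_payee_with_pin"] = make_transfer(friend, session, now, pin_entered=True)
    # Same payee an hour later: already trusted, no PIN prompt.
    results["known_payee_again"] = make_transfer(
        friend, session, now + timedelta(hours=1), pin_entered=False)
    # Payee imported by account switch: must NOT be treated as trusted.
    results["imported_payee_no_pin"] = make_transfer(imported, session, now, pin_entered=False)
    # Trusted payee but the session is past the re-auth interval.
    results["known_payee_stale_session"] = make_transfer(
        friend, session, now + timedelta(days=91), pin_entered=False)
    return results


if __name__ == "__main__":
    for case, outcome in scenario().items():
        print(f"{case}: {outcome}")
```

The point of the `imported` case is that a payee list migrated from another bank carries no evidence that this user, on this device, ever authorised a payment to those accounts, so a policy that keys trust off "payee exists" rather than "payee was authenticated here" would skip the PIN for every one of them.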