Lax Security in app?


Bit concerned about security. I used to bank with Barclays but now use Monzo. I just noticed that by default the app needs no credentials to be used, so if the phone was unlocked someone would be straight in. Even more concerning is that I can transfer money to someone else with no intermediate security checks. So, unlocked phone, straight in and transfer my entire balance to themselves. I have now enabled Face ID but wow! I think Barclays are over zealous with security but this seems very lax? Or am I missing something?


You need pin/thumb/face to make a transfer.


I made one earlier tonight without any checks. This is what set me off thinking and prompted me to turn on Face ID, though.

This is incorrect. You need to enter your PIN to transfer money.

Was it to someone you had previously transferred money to before? This is standard behaviour for any banking app, though. If I make a transfer to a new person with First Direct? I have to authenticate it. Next time I transfer to the person? As I’ve already authenticated the person, they trust the transfer and don’t ask me to authenticate again.

Having the app open by default is a design choice prioritising ease-of-use over security theatre. It’s good practice to have a lock on the phone as there are far more damaging angles of attack than Monzo - email access being the biggest one.

In any case, you may be pleased to know that the new Secure Customer Authorisation regulations mean that the app will periodically request the user to reauthenticate app access.

I don’t think I can make a transfer to anyone in my app without a fingerprint or pin being required, new or old.


Indeed. Even for a Monzo to Monzo payment to an existing friend I have paid before, I need a fingerprint.

That makes Monzo more secure than First Direct, then! :+1:t2:

Also, I’m obviously not paying enough attention when I’m transferring out of Monzo - that or the implementation minimises the friction so much I’m not even noticing it.

I completely get that what Monzo have implemented matches very well to what they consider their typical customer’s threat model / security-easiness trade off. However, not mine. PLEASE can we have a toggle in settings to require PIN/fingerprint/nothing to enter the app - it’ll keep those who are happy as is happy, and those who keep asking for this or similar happy too.

That’s already there as far as I can tell. I can turn on fingerprints on Android and I believe the same can be done for Apple.

I have a feeling that if you don’t have a fingerprint scanner for Android you might be out of luck though, it’s been a while since I’ve had a phone without one so I’m not sure if that’s been changed.

Exactly, but no PIN option.
My phone is unlockable by fingerprint for ease of use with every other sensitive app protected by a PIN or password. Monzo doesn’t give me that option.
My (really strongly) preferred security/convenience balance is something I am to open the phone and something I know to access a sensitive app.

It wasn’t someone I had paid previously from within Monzo, but I have recently done an account switch from Barclays and it appears to have brought across all my payees, so maybe it didn’t check because of this. Will keep an eye out next time I make a transfer.