Today, I opened Monzo on my Android phone. Usually, it goes to fingerprint verification, but this time it invited me to create an account or to enter my email address. Weird, but OK. Then it sent me a link to log me in. Also OK.
Here is where security has fallen through the floor. Now, when I launch the app, there is no verification process whatsoever, no fingerprint verification and no PIN entry. I tap on the app, it opens, I can make payments and undertake all admin functions.
This makes me feel a bit vulnerable, if I am honest. Last time I used the app was three days ago, I think. And support chat is not open at this time of day and, weirdly, you can't leave a message out of hours.
Anyone else having issues?
(My other bank accounts are behaving normally and requiring a fingerprint or PIN login, so this is a Monzo specific issue.)
You might think that, but I made an online purchase using my Monzo card. An authorisation was sent to the app. I opened the app with no verification and authorised the payment without being asked for PIN or fingerprint.
Well, that sounds like the probably normal online flow: if you order something online, have your card with the CVC code, have your phone and authenticate the purchase on your phone??? Dunno, that's I think usually the flow I go through when purchasing online -
I think when you reinstall the app again it does let you enter the app without fingerprint verification, otherwise you wouldn't be able to get into the app initially???
To enable fingerprint login again you'll have to go to your account details (picture icon in top left), click on the settings cog in the top right and select privacy and security.
Although… it surely can't be right that Monzo allows the app to be opened without some verification, e.g. PIN. If I leave the biometrics turned off, the app launches without PIN verification. What used to happen was that if I launched the app, it would either accept my fingerprint or demand PIN entry. PIN entry seems to have been removed. If I can't provide fingerprint verification now (e.g. wet fingers), the only other option is to log out, after which the only way forward is to have a link sent to my email account (which doesn't seem to be time limited), and then it asks me to prove who I am by entering a PIN.
Also, in Recent Apps, account entries can be clearly seen, whereas before it would show a placeholder for the app, not any details. The sense I am getting is of an update badly implemented, which is making the app feel very flaky… which is not a pleasant feeling to have about one's banking app. It feels really messed up atm.
tbutz
You were logged out, for whatever reason. Monzo does not retain the link between your biometric checks on the phone and the login when this happens, so any security must be re-enabled when you re-login to Monzo.
This has been reported many times before and I'm sure there is a legitimate rationale for this behaviour, but you'd have to do a search to find it.
If I am logged out, I can understand biometrics not working. However, if I disable biometrics, then I can open the app just by tapping it… no PIN or other verification. That makes it an insecure app, IMV, and it didn't use to be like that a few days ago.
True. But the fact remains that biometrics got turned off through no action of mine (and presumably could happen again in the future), and having requested an email link, the app opened right up just by tapping it. That is not secure banking, not in anyone's book, I would have thought.
It's an option, you can have the app protected or not. Your choice.
Some people determine their locked phone to be secure enough, some put the app in a secure folder which in itself is protected - the list is endless. You don't always need to enable Monzo's app security.
If you're walking around with your phone unlocked and no password on your emails then you've got far greater security issues in my opinion.
If you are logged out, the lock settings are reset. When you then log back in you need to re-enable the lock settings if you want them. By default, they will not turn themselves on.
It's neither a security issue, nor is it major in many people's opinion. At worst it's a privacy issue, which is why it's optionally available for those who feel the need.