Magic links and social engineering


(Matt) #1

So firstly, some background on where this comes from: I’m a software developer and I’ve been looking into the security of magic links (auth via email), and from the research I’ve done so far, the level of security most companies put into magic links in their auth (including Monzo, but I won’t name-drop anyone else :bulb:).

So onto my point: let’s not kid anyone that email is secure. There are plenty of people that will argue it’s the person’s email and it is for them to secure, but there are times that people leave their phone unlocked or walk away from their computer in an office, plenty of time for someone to send an auth message for Monzo and forward that on to themselves.

So my question is: if we ignore the details of how someone could manage to get a login email for my account, and someone did get into my Monzo account, what is in place to stop someone hijacking my account, changing my details to their own and requesting a new card to be sent to the new address?

Just to add, if this isn’t something Monzo are happy with discussing in public, I’m happy for the post to be unlisted.


#2
  • Security questions at the point of requesting a change of address?
  • Not having the PIN to make transactions? Assume you also need security questions to change the PIN?

Which is a decent call for COps to delete the answers to security questions from in app chat history after each conversation so they can’t be used again by someone going through past chats.


(Matt) #3

In my experience the only info required to change address is the date of birth, which can be found within previous chats if the info hasn’t been deleted. Not having the PIN is a blocker; I’m aware that to get a PIN reminder you need to send a selfie video, which is five :star:️.

But if I can request a new card to the new address, there’s nothing stopping me adding the card to Google Pay and spending money there?


#4

This is coming close to another ‘how to do a fraud’ topic :persevere:


(Matt) #5

No, not at all. I’m happy to remove details from my previous post if Monzo would like, but I just want to know what Monzo have in place to stop the social engineering of their own support, to protect users’ hard-earned money?


(Marcel Ruhf) #6

I agree, it would be interesting to see a response to this.


(Andre Borie) #7

If magic links are insecure, how is that different from being able to reset your password on any other site with access to the email account?


#8

This is an issue that has been raised in various forms on various occasions, including by myself.

I feel Monzo’s security posture is very deficient as it totally depends on the security of the device, the registered email, and some ridiculous “security questions” which are quite simply useless.

Sadly, this is something that Monzo see differently and I have come to the conclusion that if I don’t share Monzo’s views in this matter, then I must take my custom elsewhere…


(Matt) #9

I don’t think anyone has ever been under the impression that an email link is secure. Sure, it doesn’t matter for most things, but when it comes to important things (and I can’t believe I’m using PayPal as an example here), when you want to reset your password there you are required to provide 2 extra bits of information as well as clicking the password reset link.
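As an added example (not code from this thread, and not Monzo’s or PayPal’s implementation), here is one way a service can address the two points raised in posts #1 and #9: magic-link tokens that are short-lived and single-use, and a step-up check that refuses a sensitive change such as a new postal address unless a second factor was verified recently, whatever the login method was. The secret, the in-memory stores, the email addresses and the `FakeClock` are constructed for the demo; `record_step_up` stands in for whatever second-factor check a real service would run.

```python
"""Single-use, expiring magic links plus step-up auth for sensitive account changes.

Constructed example: the secret, stores, addresses and clock are placeholders.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

MAGIC_LINK_TTL_SECONDS = 15 * 60   # a link that sits in an inbox for long is a liability
STEP_UP_WINDOW_SECONDS = 5 * 60    # how fresh a second-factor check must be


class StepUpRequired(Exception):
    """Raised when a sensitive change is attempted without a recent second factor."""


@dataclass
class Session:
    email: str
    login_method: str                      # e.g. "magic_link"
    strong_auth_at: Optional[float] = None  # when a second factor was last verified


class MagicLinkService:
    def __init__(self, secret: bytes, clock: Callable[[], float] = time.time) -> None:
        self._secret = secret
        self._clock = clock
        # token hash -> (email, expiry). Only a keyed hash is stored, so a leaked
        # table cannot be turned back into working links.
        self._pending: Dict[str, Tuple[str, float]] = {}

    def _hash(self, token: str) -> str:
        return hmac.new(self._secret, token.encode(), hashlib.sha256).hexdigest()

    def issue(self, email: str) -> str:
        token = secrets.token_urlsafe(32)   # 256 bits of randomness, unguessable
        self._pending[self._hash(token)] = (email, self._clock() + MAGIC_LINK_TTL_SECONDS)
        return token                         # the raw token goes into the email only

    def redeem(self, token: str) -> Optional[Session]:
        entry = self._pending.pop(self._hash(token), None)   # pop => single use
        if entry is None:
            return None
        email, expires_at = entry
        if self._clock() > expires_at:
            return None
        return Session(email=email, login_method="magic_link")


class AccountService:
    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._addresses: Dict[str, str] = {}

    def record_step_up(self, session: Session, factor_ok: bool) -> None:
        # factor_ok is the outcome of a separate second-factor check (hypothetical here)
        if factor_ok:
            session.strong_auth_at = self._clock()

    def change_address(self, session: Session, new_address: str) -> bool:
        # A magic-link login alone never unlocks this; a recent second factor is required.
        last = session.strong_auth_at
        if last is None or self._clock() - last > STEP_UP_WINDOW_SECONDS:
            raise StepUpRequired("address change needs a second factor verified recently")
        self._addresses[session.email] = new_address
        return True

    def address_of(self, email: str) -> Optional[str]:
        return self._addresses.get(email)


class FakeClock:
    """Controllable clock so expiry behaviour can be shown without sleeping."""
    def __init__(self, start: float = 1_000_000.0) -> None:
        self.t = start

    def __call__(self) -> float:
        return self.t


def demo() -> Dict[str, object]:
    clock = FakeClock()
    links = MagicLinkService(secret=b"placeholder-secret-rotate-me", clock=clock)
    accounts = AccountService(clock=clock)

    token = links.issue("alice@example.com")
    session = links.redeem(token)
    replay = links.redeem(token)                 # same link forwarded/reused: rejected
    try:
        accounts.change_address(session, "1 New Street")
        blocked = False
    except StepUpRequired:
        blocked = True                           # link login alone is not enough
    accounts.record_step_up(session, factor_ok=True)
    accounts.change_address(session, "1 New Street")

    late_token = links.issue("bob@example.com")
    clock.t += MAGIC_LINK_TTL_SECONDS + 1        # link left in an inbox past its TTL
    expired = links.redeem(late_token)
    try:
        accounts.change_address(session, "2 Other Road")   # step-up has gone stale too
        stale_blocked = False
    except StepUpRequired:
        stale_blocked = True

    return {
        "login_ok": session is not None,
        "replay_rejected": replay is None,
        "change_blocked_without_step_up": blocked,
        "address": accounts.address_of("alice@example.com"),
        "expired_rejected": expired is None,
        "stale_step_up_blocked": stale_blocked,
    }


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that the sensitive-action gate keys off `strong_auth_at`, not off which login method created the session, so even a session obtained from a forwarded email cannot change the address or, by extension, order a card to it without the second factor.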


(Richard Cook) #10

Hey all,

Please check out our recent post about this kind of topic:

That contains some really good blog posts that give a bit more information about what we do to keep everyone’s Monzo accounts safe and secure.

I’ll lock this thread for now. Thanks.


(Richard Cook) #11