Magic Login Links are incredibly insecure


(Luke) #1

So theoretically speaking a banking company should be secure by nature.

Say my email gets hacked, or social engineered, etc etc.

It would take 10 seconds to search for “Monzo” in my email app and deduce that I do in fact use Monzo.

Now they would only need to download the app, and enter my email address, generate a magic link and they have full access to my bank account.

What was wrong with passwords, or 2FA, or even passwords and then Magic links to verify. Magic links are not secure on their own and incredibly dangerous.


(knows someone who knows Tom quite well) #2

How does your email get hacked if you have 2FA on it?


(Luke) #3

Not mine, but I know plenty who don’t use 2FA.

A banking company should not assume that everyone uses 2FA on their email, but should definitely enforce it on their banking app.


(knows someone who knows Tom quite well) #4

I couldn’t agree less


(Vladislav Kozub) #5

Agree with @DaveTMG. No point having 2FA on every service if I can simply have it on my email, which stores all my accounts.

This whole “memorable word” and “2FA” for banks is just a security theatre. If someone has a capability to hack you, these won’t save you.


(knows someone who knows Tom quite well) #6

I want my banking app to learn how I use it then query me for further verification if it doesn’t seem like it’s me.

I don’t want any security theatre.


(Stephen Spencer) #7

Note that they would also need your PIN if they want to do anything with your money.

Edit: Not to excuse that they might be able to get in there and see what you’ve been spending on, what other services you use (although that would probably be already clear from email), or glean more info to break/engineer into other services.


(Luke) #8

I just want options, clearly some of you are in favour of magic links, and some aren’t.

Give me the option to secure my data and finances as I see fit.


#9

Whilst I don’t feel that the login links are “incredibly insecure” I do agree that an email link alone should not verify a login to your bank. Sure, I also have MFA on my email, however, there are going to be a large number of people out there who do not, especially with the percentage of market share that Monzo are aiming for.

I feel they should offer various forms of MFA for your account, e.g. text message/one time password/other etc.


(Harry) #10

Magic links are incredibly convenient and I don’t feel it’s the method that is insecure, rather the destination that could be insecure. At the end of the day, it is the user’s responsibility to keep their accounts safe and secure.

However, perhaps this is where Monzo could step in from a social aspect and educate new customers about online security, email 2FA etc.

Your point is a valid one, but I feel that moving forward companies should work to educate users rather than design around naivety. Barclays is an example of this. They have run many campaigns on TV and billboards around Online Security and keeping your information safe.


(knows someone who knows Tom quite well) #11

Perhaps Monzo could tell us how many accounts have been hacked through magic links? I doubt it is many.


(Jack) #12

I think it’s probably more important for Monzo to teach users about 2FA on their email accounts. Ultimately email companies should be enforcing it as standard. If someone gets into your email they can get into a lot of things!
It’s surprisingly easy to reset a Lloyds online banking password with details that aren’t that difficult to get.


(Jack) #13

To add, it’s also important to remember the worst they can do is view your feed etc. No money can leave your account without Touch ID or your PIN being entered.
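The split described in #7 and #13 (a magic link only opens a read-only session; moving money needs the PIN) modelled as an added Python example, not Monzo's code, with two extra link properties a defender would want: tokens expire and are single-use. The user record, PIN and balance are constructed sample data.

```python
import secrets, hashlib, hmac

LINK_TTL_SECONDS = 600     # assumed lifetime of a magic link
MAX_PIN_ATTEMPTS = 3       # assumed lockout threshold for the payment PIN

# Constructed in-memory stores; a real service would persist these.
_pending_links = {}        # sha256(token) -> (email, expiry)
_sessions = {}             # session id -> {"email", "pin_tries"}
_users = {"luke@example.com": {                      # constructed sample user
    "pin_hash": hashlib.sha256(b"1234").hexdigest(),  # a real service would use a slow KDF
    "balance": 100}}

def _h(s):
    return hashlib.sha256(s.encode()).hexdigest()

def issue_magic_link(email, now):
    """Create a random, time-limited token; only its hash is stored server-side."""
    token = secrets.token_urlsafe(32)
    _pending_links[_h(token)] = (email, now + LINK_TTL_SECONDS)
    return token

def redeem_magic_link(token, now):
    """Exchange a valid token for a session; None if unknown, already used or expired."""
    entry = _pending_links.pop(_h(token), None)   # pop makes the link single-use
    if entry is None or now > entry[1]:
        return None
    sid = secrets.token_urlsafe(16)
    _sessions[sid] = {"email": entry[0], "pin_tries": 0}
    return sid

def view_feed(sid):
    """Read-only access: a magic-link session on its own is enough to see the feed."""
    s = _sessions.get(sid)
    return None if s is None else {"balance": _users[s["email"]]["balance"]}

def make_payment(sid, pin, amount):
    """Moving money needs the PIN on top of the session, with a bounded number of tries."""
    s = _sessions.get(sid)
    if s is None or s["pin_tries"] >= MAX_PIN_ATTEMPTS:
        return "denied"
    if not hmac.compare_digest(_users[s["email"]]["pin_hash"], _h(pin)):
        s["pin_tries"] += 1
        return "wrong_pin"
    _users[s["email"]]["balance"] -= amount
    return "ok"
```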


(Luke) #14

I assume most have email on their phones, if your phone is taken in a street mugging whilst you had it unlocked (not uncommon in London)… I’m pretty sure that you wouldn’t need any extra authentication to get into your mail app.

Either way, it’s not the security I want on my finances.


(Paul) #15

Pleased to see I’m in the majority here, in thinking that my email should be secure enough. Would be quite frustrating for Monzo to step backwards, and make me jump through the hoops legacy banks force on people.


(knows someone who knows Tom quite well) #16

The obvious response is to use another bank that gives you what you want? FD have incredibly stupid amounts of security on theirs.


(Paul) #17

If someone steals my phone while it’s unlocked, they can just open the Monzo app from my home screen…


#18

I never use my phone in the street when I’m in a city. Too risky


(Luke) #19

I have to admit your replies are incredibly blunt and standoffish.

I’m asking for options to cater to the different people who want to use Monzo.

You seem to have a one size fits all approach, which I really don’t agree with.


(Harry) #20

I understand why it’s currently not the default. Having worked at a fruit stand tech support, I have seen many people enable 2FA and then get locked out because they didn’t understand what it meant and what they were doing. Emails are vital to a lot of people, as it’s the main form of account recovery for most online services and accounts. If you lock yourself out of your email, you are in for a tough time!