Magic Login Links are incredibly insecure


#21

But you are asking for something based on no evidence whatsoever. That’s security theatre and I don’t need that kind of friction in my life.

You have stated ‘Magic login links are incredibly insecure’ - they are only as insecure as the person using them. I don’t want every provider to be legislating for stupidity.


(Luke) #22

What evidence do you want? Banks should have a proactive rather than reactive response.

I’m pretty bored of this now.


#23

I want evidence that it is a problem - it takes effort that could be spent on other things to add security and it is a waste if it isn’t necessary.

If monzo said 30% of our magic links are used maliciously, then I’d support them changing things. But if it’s a fraction of a percent then why bother?

(And I apologise if I seem blunt, blame the old age)


(Eve) #24

If the hacker were to get hold of your phone and find your email has no form of security on it, they still would not be able to do anything. Mobile payments and inter-bank transfers all require your Touch ID/ PIN, and they don’t have your card. Furthermore, if by some chance they took your wallet as well Monzo would refund the amount they fleeced you of.

Personally, I like the ease of a magic login link and the fact that I don’t have to have a password to open the app since I already have touch ID/ password on my mobile phone. I have used so many banks that required faffing about with tokens + PIN + password which made it extremely grating to use the app, or when they keep trying to time me out (which I’d imagine would go hand in hand if you want extra privacy options).

How do you propose this should change? Adding a bank token or a OTP via SMS? An additional password in-app?


(Luke) #25

There was a poll elsewhere on this forum that indicated around 60% of people use 2FA. And that’s 60% of people who use this forum, who arguably are more tech savvy than your average person.

That’s still over a third of all people who do not use 2FA who are at risk.

I accept the fact that they all need your PIN to move money etc, but I would still not be happy having my financial history available like that.

As many of you mentioned you are happy with Magic Links, that is fine, you are entitled to be.

I was merely asking for options, perhaps at sign up whether we would like to use enhanced security with an additional password + magic link.

This is an ideas forum after all.


(Graham - Mental health professional) #26

That it is Luke :slightly_smiling_face:


(Jamie 🏳️‍🌈) #27

Monzo are essentially telling you there’s no need for it. You trust Monzo to keep your money safe at their end, why don’t you trust Monzo to keep your money safe at your end?


(Eve) #28

You can definitely suggest it - I made my response assuming you were worried about the security/ safety of your bank balance but now you’ve feedbacked that it’s also a privacy concern of yours. Maybe if you wait about you might get a couple of responses from people who feel the same and can discuss how you prefer to have this in the app :raised_hands:t3:


(Peter Roberts) #29

Email is usually the linchpin that can be used to reset passwords and that’s why a login link sent by email is mostly as secure as a password


#30

The magic link is one of the best features of Monzo for me.

I would hate it if I had to use an OTT method used by other banks. I’m happy enough with the magic link for privacy and the PIN for security to move any money out.

I recently tried First Direct and have had to write down my three passwords and most of the security questions required. :roll_eyes:

The only thing I’d perhaps like is email/SMS/notifications if my account is used on a new device in the unlikely event my email is compromised. But then again, I think Gmail provides this if it detects suspicious login attempts.

It might be a good idea to detect the email provider users use when creating an account and guiding them through 2FA and its importance.


(Marcel Ruhf) #31

I agree 100% with this.

Of course our email accounts should be secure, but for services to assume so exposes a single point of failure: email account compromised then means your financial details are exposed too.

Especially when it comes to banking, the security of email accounts should not be seen as a given fact, because that’s not how it is in the real world. Many people reuse passwords, and don’t change them for a long time, making them an easy target.


#32

I like the Monzo magic log on makes life so much easier.


(Michael) #33

Santander make you choose a picture to login with too!


#34

I like magic link as well…
but I think Monzo can add extra security by enabling some phone checks… For example if I got a new phone… the application should require some extra information - a PIN or password
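The new-device check suggested above (and the "as secure as a password" point made later in the thread) depends on how the link itself is handled server-side. The following is an added illustration, not Monzo's code: a magic-link service that stores only a hash of the token, expires links after a fixed time, makes them single-use, and asks for the account PIN the first time a link is opened on a device it has not seen before. The ten-minute lifetime, the opaque `device_id` string and the PBKDF2-hashed PIN are all assumptions for the example; `FakeClock` is a constructed test helper.

```python
import hashlib
import hmac
import secrets
import time

LINK_TTL_SECONDS = 10 * 60   # assumed policy: a link is valid for ten minutes
PBKDF2_ROUNDS = 200_000      # PIN hashing cost; assumed value


class FakeClock:
    """Constructed helper so the expiry path can be exercised without sleeping."""

    def __init__(self, start=1_700_000_000.0):
        self.t = start

    def __call__(self):
        return self.t


class MagicLinkService:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}        # sha256(token) -> {"email", "issued_at", "used"}
        self.known_devices = {}  # email -> set of device ids that have proved a PIN
        self.pin_hashes = {}     # email -> (salt, pbkdf2 digest)

    @staticmethod
    def _token_hash(token: str) -> bytes:
        # Only the hash is stored: a leaked database row cannot be turned into a link.
        return hashlib.sha256(token.encode()).digest()

    def set_pin(self, email: str, pin: str) -> None:
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)
        self.pin_hashes[email] = (salt, digest)

    def _pin_ok(self, email: str, pin: str) -> bool:
        if email not in self.pin_hashes or pin is None:
            return False
        salt, digest = self.pin_hashes[email]
        candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, digest)

    def issue(self, email: str) -> str:
        # 32 random bytes, URL-safe; the only copy of the raw token goes into the email.
        token = secrets.token_urlsafe(32)
        self.pending[self._token_hash(token)] = {
            "email": email,
            "issued_at": self.clock(),
            "used": False,
        }
        return token

    def redeem(self, token: str, device_id: str, pin: str = None) -> str:
        link = self.pending.get(self._token_hash(token))
        if link is None or link["used"]:
            return "rejected"          # unknown token, or already consumed
        if self.clock() - link["issued_at"] > LINK_TTL_SECONDS:
            return "expired"
        email = link["email"]
        if device_id not in self.known_devices.get(email, set()):
            # Unseen device: the link alone is not enough, ask for the PIN first.
            if pin is None:
                return "pin_required"
            if not self._pin_ok(email, pin):
                return "pin_rejected"
            self.known_devices.setdefault(email, set()).add(device_id)
        link["used"] = True            # consumed only once the whole check passed
        return "ok"


if __name__ == "__main__":
    svc = MagicLinkService()
    svc.set_pin("alice@example.com", "1234")
    t = svc.issue("alice@example.com")
    print(svc.redeem(t, "phone-A"))            # pin_required
    print(svc.redeem(t, "phone-A", "1234"))    # ok
    print(svc.redeem(t, "phone-A", "1234"))    # rejected (single use)
```

The link is not marked as used until the PIN step succeeds, so a wrong PIN does not burn the link and force the user to request another one; it is simply still pending until it expires.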


(Ravi) #35

I’m also not a fan of the magic link (alone). Emails are like postcards. You don’t just need to be able to compromise an email account to be able to read emails.

At least for the first login I would be far happier with a magic link and password.

Yes, other banks have stupid card readers and memorable words and pass codes which are just annoying.

But a strong password which you have to input once at initial login after installing the app doesn’t seem very burdensome to me and would definitely give me peace of mind. Along with something like 1Password the increased friction would be tiny.


(Jonathon) #36

I’m a long standing hater of 2FA - so please do not enforce it.

If you ARE going to enforce it, I don’t want it reliant on my phone. For me, personally, I’m overseas too much with just wifi not phone service. It’s a pain in the butt when I log into, say, my credit card online and it sends me a text - great, I guess I’ll pay my bill when I’m back in the UK then…

I know this is very specific, but for me it’s important that I can access my banking wherever I am in the world.


(Andy) #37

How about using the Google Authenticator app or an app similar? This would allow offline OTPs to be used.

If I’m honest I was going to suggest 2FA using a magic link and an OTP. I don’t think Monzo needs it since emails should be secured and have 2FA enabled but if it helps reassure people then it might be worth investigating.


(Jonathon) #38

I’m totally OK with any 2FA that allows access without a phone signal.

Personally I don’t have it with my email. If I had to choose a better system it would be one where I was notified if someone logs in to a new place/browser, where I can shut it down immediately.

Frankly I have a fairly secure password, and if it came to it add some information like a passcode or questions. Or you know, let me take the risk! I won’t blame anyone but myself if someone hacks into my emails.

PS. Please don’t hack into my emails. Cheers.


#39

This isn’t really true any more; your email provider talks to their email provider directly using encryption.


(Allie) #40

If someone has access to your unlocked phone and/or email, you’ve already lost the game. The fact they can be on your Monzo account is not even close to your biggest worry at that point.