Magic Login Links are incredibly insecure


(G) #41

2FA needs to be implemented; the current set-up is insecure and not what you’d expect from a bank.


#42

It’s what you’d expect of a bank that knows what it is doing.


(G) #43

Email accounts are compromised all the time. There are almost daily data dumps containing email addresses and passwords uploaded to sites such as Have I Been Pwned.
Users often reuse passwords, meaning that it is relatively easy to compromise an email account.
I would like to see Monzo provide other authentication options to the user base.


(Peter Roberts) #44

I’d rather Monzo educate its users to change their email password to something different from their ‘usual’ password. That would be for the greater good.


#45

They wouldn’t need my Touch ID, would they? The app would open on their phone, they’d click the link, and then their fingerprint would authorise the Touch ID…

PIN protection would help, as would an SMS verification code or something. I can’t remember how it worked when I set it up.


(Ravi) #46

I still would prefer a strong password for the initial login rather than just an email. After that I’m totally fine with the way things are for launching the app day to day.


#47

This isn’t how Touch ID works. It only accepts registered fingerprints, which are stored in the phone’s secure chip. The person would need to add their fingerprint to iOS first, which would need your iOS security passcode. If you turn off Touch ID authentication you’d still need the card PIN and sometimes the CVV code from the card.


(Jack) #48

What I’m saying is, what can they then actually do from that point?

Nothing besides look at what you’ve spent your money on and your balance. There is no way they can disrupt you financially.

The worst they could maybe do is freeze your card and stop you spending :joy:.


(Micky) #49

I really like the convenience of magic links, they just work! But it does raise some concerns when I think about my family who are on Monzo and aren’t particularly tech savvy. Email 2FA is not something people in my family are using and in some cases these people are culprits of using the same passwords everywhere! So prime candidates for hacking and data breaches. I could explain 2FA to them or password manager and explain to them it would help secure their Monzo data and they need to do it but I know they’ll think it’s all too much fuss and switch back to using a legacy bank account.


(Jack) #50

I’d be disappointed if Monzo changed the current sign-in system but… maybe a feed item when someone logs in on another device to your account? Saying that, you can only be logged in once anyway and Monzo can force logout if required.


#51

But surely they are hacking my email account, so they get sent the link to their phone, so their fingerprint is already in iOS on their phone?

My finger print doesn’t come into it…


#52

I think @aCCount is suggesting that they use the grabbed magic link on their phone


(Jack) #53

Isn’t it too much fuss with 2FA on a legacy account though?

More than one password
Silly calculator card reader things.
Memorable information


(Jack) #54

Luckily it doesn’t work like that: you’d need to set up Touch ID again for that app after logging in (each time you log out/in it disables it), and to do that you must enter your card PIN, which no one has.


(Micky) #55

For sure the legacy accounts are a pain with those card readers etc., but with the 2 banks we use, the apps just need a fingerprint and you can do pretty much all your day-to-day stuff, including new payees.


(Jack) #56

And that’s the same as Monzo now right? That’s how I use the app :slight_smile:


(Dave) #57

Although this situation is getting better, it isn’t universally the case yet. Of six messages I have just checked from various sources, two of them showed no sign of encryption during the process of being passed from one email provider to another.

What Monzo could do is check whether encryption was offered by your email provider, and if not refuse to deliver the message and provide you with feedback that you need to log in some other way.
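The check Dave describes above, looking at a message’s Received headers for signs that each hop between mail servers used TLS, as an added example that is not code from the original thread or from Monzo. The message below is a constructed sample with a placeholder link; the host names are invented.

```python
import re
from email import message_from_string
from email.policy import default

# Constructed sample: the newest Received header (top) shows a TLS hop,
# the older one below it shows a plain ESMTP hop with no encryption.
SAMPLE_EML = """Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby inbox.example.org with ESMTPS id abc123
\t(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384);
\tMon, 1 Jan 2024 10:00:01 +0000
Received: from mail.example.com (mail.example.com [198.51.100.5])
\tby mx.example.net with ESMTP id def456;
\tMon, 1 Jan 2024 10:00:00 +0000
From: login@example.com
To: user@example.org
Subject: Your login link

Click to log in: https://example.com/login?token=PLACEHOLDER
"""

# Markers common MTAs leave in a Received header when the hop used TLS:
# "with ESMTPS"/"ESMTPSA" (Postfix, Gmail), "version=TLS..." (Gmail),
# "using TLSv1.x" (Postfix). Plain "with ESMTP" carries no such marker.
TLS_MARKERS = re.compile(r"\bESMTPSA?\b|\bLMTPS\b|version=TLS|using\s+TLS", re.IGNORECASE)


def received_hops(raw_message):
    """Return one dict per Received header: from, by, and whether TLS was used.

    Headers are listed newest first. Only the headers added by servers you
    trust (your own provider's) are reliable; earlier ones can be forged by
    any sender, so treat them as a hint rather than proof.
    """
    msg = message_from_string(raw_message, policy=default)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(str(value).split())  # unfold continuation lines
        src = re.search(r"\bfrom\s+(\S+)", flat)
        dst = re.search(r"\bby\s+(\S+)", flat)
        hops.append({
            "from": src.group(1) if src else None,
            "by": dst.group(1) if dst else None,
            "encrypted": bool(TLS_MARKERS.search(flat)),
        })
    return hops


def unencrypted_hops(raw_message):
    """Hops where the receiving server recorded no TLS marker."""
    return [hop for hop in received_hops(raw_message) if not hop["encrypted"]]
```

For the sample, the hop into mx.example.net is reported as unencrypted, which is the situation where a magic link in the message body would have crossed the network in the clear.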


(Micky) #58

Yes, but you can’t access the legacy accounts by hacking an email account. I know the impact is small, but data is personal and sensitive.


#59

Passwords and 2FA are not the way to do this. Both can be hacked.

Security is moving to AI based approaches looking for abnormal behaviour cos that’s the way you protect against attacks you don’t even know about yet.

You don’t need 2FA to convince your mum it’s you - why should you need it with your bank?


#60

Aha, that makes more sense, thanks