Magic Login Links are incredibly insecure


(Jack) #61

This is true, I was just trying to emphasise they can’t do anything destructive.

I’d imagine I could get into some people’s online banking just by guessing some basic password reset info. I don’t think it’s any more secure, it just makes you think it is.


#62

But what’s relevant is what competent agencies (in this case Monzo) do.

This is a good idea


(Dave) #63

If your email provider fails to offer Monzo an encrypted connection then the message will be delivered unencrypted. Hence my suggestion they could refuse to deliver the message (maybe they do?).


#64

Sorry, I alexs’d you!


(Micky) #65

My email 2FA code is regenerated every 30 seconds; it makes brute forcing near impossible. It would be more likely the server itself is compromised. I don’t have the answer though, I defer that to someone else.


#66

I just get you to tell me it - social engineering - it’s happened many times.

‘Hi, this is <email provider helpdesk> we’re having trouble synchronising to your 2FA app, can we just run some checks…’


#67

I don’t have 2fa on my email but my email is on my own domain. Are there any good suggestions?


#68

Are you running your own SMTP server?


#69

No it’s just imap on who I am hosting with.


#70

So it’s your IMAP program logging in to pick up your email?

It will be using some form of crypto key exchange so I wouldn’t worry - just change the password to something strong - I’d randomly generate it at 64 chars or so, only their server and your imap prog need ever know it.

Your 2FA needs to be on whatever you run your mail proggie on


(Peter Roberts) #71

If you mean the Monzo mailserver(s) that send magic links refuse to send an email unless they send using TLS/SSL - that is possible. However it doesn’t mean the mail server it’s sent to can’t just then forward it on insecurely etc. Email is decentralised - you don’t get to control everything and making it totally secure (PGP etc) adds a lot of friction.

Since the magic links work on the basis of effectively returning the correct randomly generated ID then you would need to compromise the network to snoop the traffic if unencrypted. Now barring people using insecure WiFi networks - doing this en masse means you’re either a trusted party (network provider etc) or something getting towards nation-state attacker level.

You’ll never get perfect security. That said, I’m not against Monzo requiring a password to initially log in - it wouldn’t really add any more friction for me as long as they don’t start requiring it every time I open the app! But I’m also happy with things as they are :man_shrugging:

TL;DR you will never get perfect security but imo Monzo is good enough - they know what they’re doing and tend to take an evidence based approach to things


(Ravi) #72

That strikes me as a straw man argument.

Locks can be picked but we still use them to secure our homes. Any security is breakable but that’s not an argument for forsaking it.


(Dave) #73

Yes, that’s absolutely true. Monzo can only be responsible for the parts they can control. As you say, PGP does add considerable friction in my experience (mostly in getting people to actually set it up than in actual use).


#74

Very true, but we’ve gone from a situation where all email was transferred in plaintext and often stored and forwarded to one where a significant if not majority percentage of email is handled by a couple of major providers who talk to each other using strong encryption and certainly do not store and forward, so the risk is small.

If Monzo tell me there is no significant risk in using magic links then I’m pretty ok with that. I’ve watched @oliver’s talks at conferences and I think he’s a smart cookie, surrounded by smart cookies.

If they are not setting their security approaches based on evidence then I’d like to know!


(Marcel Ruhf) #75

They could get access to all your CS interactions (with your name, DoB, email address for things that needed additional security checks by Monzo before they would carry out your instructions). Your home address is visible in the app as well. That’s enough to commit ID fraud.


(Andre Borie) #76

But your email alone is enough to commit identity theft with all the juicy information in there. :wink:


(Jun Siang Cheah) #77

Which an attacker would have anyways if your emails were compromised.


(Andre Borie) #78

Seems like pretty much nobody here noticed the real threat with emails, which is that the flow of messages uses opportunistic encryption (at best), which is still vulnerable to interception.

That would be my most important concern - my email is secure already with strong, unique password + 2FA, but the opportunistic encryption thing is a vulnerability baked into the SMTP spec.

Not that I care - Monzo is still liable should something bad happen, so if they’re happy to pay the bill in exchange for offering a better user experience that’s fine by me!
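The difference between opportunistic delivery and the "refuse to deliver" policy suggested in post #63, as an added example that is not from the thread or from any provider's code. `deliver`, `TLSRequiredError` and `FakeSMTP` are hypothetical names; `FakeSMTP` is a constructed stand-in for `smtplib.SMTP` so the block runs offline.

```python
import ssl


class TLSRequiredError(Exception):
    """Raised instead of falling back to plaintext delivery."""


def deliver(conn, sender, recipient, message, require_tls=True):
    """Send over a connected smtplib.SMTP-style object.

    Returns "tls" or "plaintext" to show which path the message took.
    """
    conn.ehlo()
    if conn.has_extn("starttls"):
        # Verify the certificate: unverified STARTTLS stops passive
        # snooping but not an active man-in-the-middle.
        conn.starttls(context=ssl.create_default_context())
        conn.ehlo()  # capabilities must be re-read after the upgrade
        path = "tls"
    elif require_tls:
        # Opportunistic mode would carry on in the clear here. To the
        # sender, a stripped STARTTLS line looks like a server without TLS.
        raise TLSRequiredError("peer did not offer STARTTLS; not sending")
    else:
        path = "plaintext"
    conn.sendmail(sender, recipient, message)
    return path


class FakeSMTP:
    """Constructed stand-in for smtplib.SMTP (assumption, for offline use)."""

    def __init__(self, offers_starttls):
        self.offers_starttls = offers_starttls
        self.sent = []

    def ehlo(self):
        return (250, b"mx.example.test")

    def has_extn(self, name):
        return name.lower() == "starttls" and self.offers_starttls

    def starttls(self, context=None):
        return (220, b"Ready to start TLS")

    def sendmail(self, sender, recipient, message):
        self.sent.append((sender, recipient, message))
        return {}
```

As post #71 points out, this only covers the first hop: the receiving server can still forward the message onward without encryption.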


(Marcel Ruhf) #79

Depends how careful you are with what you keep in your email account. I rarely send emails from my personal account, apart from asking my landlord for meter reads and routinely delete emails that contain my personal info (DoB, address, etc). The sort of things that can’t be deleted from the Monzo app, for obvious reasons.


(Andre Borie) #80

True, although in my case I would be the most vulnerable as I archive all my mail instead of deleting it. Fortunately I don’t rely on many services that depend on knowledge-based authentication so I think I would be fine even if my email history was leaked. Sure, there would probably be some personal & potentially embarrassing things in there, but I don’t think it would allow them to compromise any of my accounts.