Magic login links, insecure?

:+1:

It’s worth noting that web.monzo.me uses the same flow that a 3rd party integration would and has a significantly restricted set of permissions compared to the iOS and Android apps.

5 Likes

Apologies if someone suggested this already, but can someone explain what would be bad about the app requiring the magic link then your PIN to log you in? Seems like a simple way to improve this a lot without hoop jumping or having to remember more passwords.

I know it’s already required if you want to move money around, but simply being able to see someone’s transactions can tell you a lot about them that they might want to keep private (“oh look they went to a gay bar at 2am”).

If you then think about abusive partners/exes, who have a decent probability of having access to their email to begin with, Monzo’s awesome instant transaction notifications become a scary tool they could use to literally track them (“the [abusive expletive] is at a cafe, let’s pay her a visit…” etc). Yes the customer would be logged out, but it’s not like the app explains why that happens (I got logged out a few days ago and have no idea why), and the magic link makes it so easy to log back in I could imagine someone not thinking much about it.

2 Likes

Anyone know if there’s any plans to finally get round to properly securing the login experience?

It’s still inherently insecure after all these years, and is now the only thing stopping me from using Monzo as my current account. Whilst I appreciate a PIN is needed to transfer money out, any personal data (remember these include location) lost from a breach in this way would be concerning.

As I’ve raised before - unfortunately with email a secure transfer protocol is not always guaranteed, and email rarely sits encrypted at rest. As such it would be relatively trivial for any sysadmin* with access to any servers in the flow between myself and Monzo to gain access to my account.

The flow would work as follows:

  • Rogue Admin signs in to the app on their own device with my email address
  • Grab the link contents from the email in transit
  • Delete the email before it ever reaches me

Whilst SMTP over TLS helps with this, it’s of course not guaranteed with email, and in many cases an email will be decrypted before actually hitting the user’s mailbox anyway. As above, hardly any providers offer encryption at rest.

A password, or some form of verification other than “click this link” would greatly improve this process.

*Sysadmins in this instance could mean anyone with access to any server your mail uses along the way, and could work for a number of people. From your ISP, to Google/Gmail, to your work email system administrators etc.

1 Like

This has been discussed to death at least twice.

‘No changes have been announced so expect nothing to change’ is the short answer.

Opinions will continue to be divided on this one.

6 Likes

I don’t think ‘inherently’ is quite the case here?

I agree with your flow as being a weak point but the chances of a ‘Rogue Admin’ remain very small, surely? How many times has this happened in the past? It’s a theoretical issue yes, but a practical one? I doubt it?

I’ve not seen these discussions but can imagine how they go! Opinions divided for sure.

I think if you’re worried about rogue sysadmins scraping your emails for auth tokens for Monzo… You probably have much, much bigger issues with your security beyond your Monzo account details :smiley:

9 Likes

the chances of a ‘Rogue Admin’ remain very small,

Agree the chances are small, however compared to my current bank, the risks are higher. Especially when the cost to fix is just implementing a secret.

I think if you’re worried about rogue sysadmins scraping your emails for auth tokens for Monzo… You probably have much, much bigger issues

I see your point, but do disagree. No one would be able to gain access to any of my other financial information simply by having access to my email.

Sure, they might be able to reset some community site passwords, and a few online shopping sites, but that’s a whole different ballpark to access to your entire financial information.

It’s part of the reason I refuse to use Noddle. They rely on email address for security and password resets in a similar way.

I can understand why some people think the risk is small - but I guess my question is, what harm would offering it really cause?

Seems like a great security improvement, for minimal effort.

Protects your finances even if your email got hacked (taking aside the rogue sys admin for a minute).

Could even be something you opt in to if some people are more nonchalant with their finances + online security.

An interesting read, a big one is that many, many people use the same password for absolutely everything (My other half does for sure), at which point having a password is almost pointless anyway.

If we’re talking about single point of failure, then having MFA, disabling apple mail or apps that don’t require MFA and a password manager for your email will do leaps and bounds more than having single passwords for applications.

There is a LOT of things someone could reset through your email address, most legacy banks would be included in this umbrella.

Nice article! Thank you. :blush:

Apologies - I definitely mean Monzo should use both, rather than just a password - that may not have been clear. MFA of some form.

  1. Login link emailed
  2. App opened
  3. Some secret confirmed
  4. Account information displayed

Many, many people use the same password for absolutely everything

Agree, though do you feel that makes it even more important for Monzo to require a second method of authentication? Many people may have their email password exposed in a separate breach of another site without ever realising.

The secret at (3) could (and arguably should) be something other than a password. Even just confirming card number/pin (like you do in app already anyway), would be a great improvement and prevent someone from gaining access to your account just by having access to your email (rogue admin, hacker or otherwise).

SMS MFA could even be considered here as a poor man’s option, but worth highlighting that SMS for MFA also has its own implementation flaws, as Reddit famously found out the hard way:

Going back to my original point, it feels like this would be a quick win, with an immediate benefit. I agree the risks are low(ish), but I don’t think anyone could sanely argue that it’d be a bad idea to request a second authentication factor upon login.
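The four-step flow in this post (link emailed, app opened, secret confirmed, account shown), together with the email-interception concern raised earlier in the thread, as an added Python sketch. This is illustrative code written for this page, not Monzo’s implementation or anything posted by the thread’s participants; the class name `LoginService`, the ten-minute link lifetime, the PIN enrolment step and the sample address are all assumptions. The points it demonstrates: only a hash of the link token is stored, each link is consumed on its first use whether or not the PIN was right, links expire, and the token on its own never yields a session.

```python
"""Magic-link login backed by a second secret (added example, not Monzo's code)."""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 10 * 60  # assumption: an emailed link is valid for ten minutes


def _hash_token(token: str) -> str:
    # Only the hash is persisted, so a leaked table does not contain usable links.
    return hashlib.sha256(token.encode()).hexdigest()


def _hash_pin(pin: str, salt: bytes) -> bytes:
    # Deliberately slow hash so a leaked PIN table cannot be brute-forced cheaply.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 200_000)


class LoginService:
    """Hypothetical server side of the 'link + secret' flow."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be tested offline
        self._pins = {}              # email -> (salt, pin_hash)
        self._links = {}             # token_hash -> (email, expires_at)

    def enrol_pin(self, email: str, pin: str) -> None:
        """One-off enrolment of the secret the app will ask for (assumption)."""
        salt = secrets.token_bytes(16)
        self._pins[email] = (salt, _hash_pin(pin, salt))

    def issue_link(self, email: str) -> str:
        """Step 1: mint the token that would be placed in the emailed link."""
        token = secrets.token_urlsafe(32)
        self._links[_hash_token(token)] = (email, self._clock() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token: str, pin: str):
        """Steps 2-4: token from the link plus the secret typed in the app.

        Returns the authenticated email on success, None otherwise. The caller
        would create the session; nothing is shown before this returns.
        """
        # Pop unconditionally: a link is spent on its first use, successful or
        # not, so a link taken from someone's inbox cannot be replayed while
        # guessing PINs, and the real user simply requests a fresh link.
        entry = self._links.pop(_hash_token(token), None)
        if entry is None:
            return None
        email, expires_at = entry
        if self._clock() > expires_at:
            return None
        stored = self._pins.get(email)
        if stored is None:
            return None
        salt, expected = stored
        # Constant-time comparison of the PIN hashes.
        if not hmac.compare_digest(_hash_pin(pin, salt), expected):
            return None
        return email


if __name__ == "__main__":
    # Constructed walk-through with a sample address and PIN.
    svc = LoginService()
    svc.enrol_pin("user@example.com", "4821")
    link_token = svc.issue_link("user@example.com")
    print("token alone, no PIN:", svc.redeem(link_token, ""))      # None
    link_token = svc.issue_link("user@example.com")
    print("token plus PIN:     ", svc.redeem(link_token, "4821"))  # user@example.com
    print("replayed link:      ", svc.redeem(link_token, "4821"))  # None
```

The PIN check only happens after the link has been consumed, which is the property the thread is asking for: whoever reads the email in transit gets a token that is worthless without the secret, and a wrong guess burns the token rather than leaving it open for another try.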

Can an admin/mod please merge this topic with the existing, very lengthy one, here please:

@cookywook @Feathers @tomsr @Peter_G

I don’t think I can cope seeing another huge repeated discussion about how an extremely edge case makes the whole Monzo app “insecure” :weary:

3 Likes

Done. I couldn’t find it earlier.

To whom?

2 Likes

To any Monzo customers who actually care about who has access to their personal data. :relaxed:

Having read this old thread, I’m a little flabbergasted. I’m completely dumbfounded that in this day and age people could argue against MFA for their finances. Indeed, there’s plenty of people above who say they don’t like MFA for anything.

It is not an edge case, or a small risk. At the moment - if your email account gets hacked, by whatever means, someone can gain access to your financial information.

That is not the case with ANY of my legacy bank accounts, and is the sole reason I don’t use Monzo for any serious banking.

2 Likes

People are different and have different opinions. :man_shrugging:

Just because you think it’s beneficial doesn’t make it a universal truth, such that it would need quite a hard sell in some resentful quarters.

1 Like

It is an edge case.

It’s easy to think it isn’t, given the large volumes of email addresses that are ‘hacked’ (the MongoDB one a good recent example), but the large majority of those are used for spam, not for the type of security issue you’ve suggested.

Personally, I use an Apple iPhone which requires FaceID to unlock it. Once it is unlocked, you need to use FaceID to access Monzo. That’s plenty of security for me. Just my opinion of course.

1 Like

Which is great, this is why we have a competitive market place, so you have a choice! Bravo.

1 Like

Requiring a second factor on login immediately solves all these concerns, and I must admit that I fail to see how this could be so controversial. It’s a simple step, that fixes a possible issue.

Just because you think it’s beneficial doesn’t make it a universal truth

I agree, but these aren’t just my own opinions. They’re the opinions of experts in this field, Troy Hunt, and Scott Helme included.

Which is great, this is why we have a competitive market place, so you have a choice! Bravo.

We do, and I do. :relaxed: . However, wouldn’t it be great if I could trust and use Monzo too!

1 Like

It would be great. For you.

I already trust and use Monzo :slight_smile:

5 Likes

If they get past the 2FA on my email account, crack the impossible password then steal my phone, then crack the password on that, then steal my fingerprint.

All without me locking out access to either my email, my phone or freezing my card.

Not an edge case? :roll_eyes:

3 Likes