Magic Login Links are incredibly insecure


(Jamie 🏳️‍🌈) #101

Great answer. Thanks for answering in the spirit in which I asked the questions.


(Chris Jones) #102

Hey

So, I was just looking at this magic link situation because I’m finally moving my current account to Monzo and… I’m not thrilled with what I’m seeing, at least for the web app.

Let’s abandon all of the theoretical attacks and hyperbole and look at some facts that I think are concerning:

  1. The magic link emails are delivered by a third party (Mailgun) so the integrity of their systems/staff is crucial in protecting our Monzo accounts
  2. The emails are not end-to-end encrypted (nor could they reasonably be)
  3. The magic links don’t seem to be tied to the browser that requested the login, so intercepting a link works fine

Personally I would prefer to use a 2FA code (not SMS), but I do think that addressing the 1st and 3rd points, particularly the 3rd, would go a long way to making the magic link system more trustworthy.

Fixing the 1st point would be relatively simple, so there’s no real need to discuss that.

The 3rd point was quite a surprise to me - I used two separate browsers (Safari and Chrome), one to visit web.monzo.com and start a login, and then the other to open the magic link in my email. The login worked fine, which tells me that the magic link is not tied to the originating browser (by cookie or local storage or something similar).
My guess was that maybe it would at least be tied to the originating IP address, but I was able to repeat the test using WiFi to start a login, and 4G to open the magic link, so it’s not tied to the IP address.

I happen to think that requiring a password to log in is absolutely fine, and/or requiring 2FA is absolutely fine, and I would like either/both of those, but even if we discard my personal preferences, I think it’s pretty hard to make a sensible case that the magic link shouldn’t be tied to the browser that originated the request?

I’m not completely sure yet, but I think in the case of the iOS apps, the magic links are tied to the originating instance of the app - I haven’t yet been able to get my iPad to log in with an email generated from my iPhone, or vice versa, but I can’t immediately tell if that’s because they are actually tied, or if there is something about the sequencing of two concurrent logins happening.
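
The browser binding discussed in the post above (its third point), sketched as an added example that is not part of the original thread and is not Monzo's code. The function names, the in-memory store and the 10-minute lifetime are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 600   # seconds a link stays valid (assumed value)
_pending = {}     # sha256(link token) -> (email, sha256(browser nonce), expiry)

def _h(value):
    return hashlib.sha256(value.encode()).hexdigest()

def start_login(email, now=None):
    """Browser submits the email address. Returns (link_token, browser_nonce).
    link_token goes only into the emailed URL. browser_nonce goes only into a
    Secure, HttpOnly cookie on the requesting browser; it must be SameSite=Lax,
    because a Strict cookie is not sent when the link is clicked from webmail."""
    now = time.time() if now is None else now
    link_token = secrets.token_urlsafe(32)
    browser_nonce = secrets.token_urlsafe(32)
    # Only hashes are stored, so a leaked table yields no usable link.
    _pending[_h(link_token)] = (email, _h(browser_nonce), now + TOKEN_TTL)
    return link_token, browser_nonce

def complete_login(link_token, cookie_nonce, now=None):
    """Link is opened. Returns the email to log in, or None if refused."""
    now = time.time() if now is None else now
    key = _h(link_token)
    record = _pending.get(key)
    if record is None:
        return None                 # unknown or already used link
    email, nonce_hash, expiry = record
    if now > expiry:
        del _pending[key]
        return None                 # expired
    if cookie_nonce is None or not hmac.compare_digest(_h(cookie_nonce), nonce_hash):
        # Opened somewhere other than the browser that asked for it. The link is
        # left pending so the legitimate browser can still complete the login.
        return None
    del _pending[key]               # single use
    return email
```

With this binding, a link read from the mailbox or the mail provider is not sufficient on its own; the cost is that the user has to open the email on the same browser that started the login.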


(Rika Raybould) #103

:+1:

It’s worth noting that web.monzo.me uses the same flow that a 3rd party integration would and has a significantly restricted set of permissions compared to the iOS and Android apps.


#104

Apologies if someone suggested this already, but can someone explain what would be bad about the app requiring the magic link then your PIN to log you in? Seems like a simple way to improve this a lot without hoop jumping or having to remember more passwords.

I know it’s already required if you want to move money around, but simply being able to see someone’s transactions can tell you a lot about them that they might want to keep private (“oh look they went to a gay bar at 2am”).

If you then think about abusive partners/exes, who have a decent probability of having access to their email to begin with, Monzo’s awesome instant transaction notifications become a scary tool they could use to literally track them (“the [abusive expletive] is at a cafe, let’s pay her a visit…” etc). Yes the customer would be logged out, but it’s not like the app explains why that happens (I got logged out a few days ago and have no idea why), and the magic link makes it so easy to log back in I could imagine someone not thinking much about it.

