Magic Login Links are incredibly insecure

(Jordan) #143

I think it would be a practical middle-ground but I can understand the issue of being “harassed” by security prompts/messages

#144

You’d hope this doesn’t fire often mind. Google are pretty bad at sending me these, but that’s due to cookie expiry forced low in my browser and travelling so new IP ranges seen.

Monzo’s application token rarely expires in my own experience, so you’d hope it’d be a rare sight to see (unless of course someone else does have access).

(Starling Guru) #145

I use TouchID on my iPhone; I don’t need anything else. Also, you can’t hack an email if you don’t know what it is.

1 Like
#146

Would you say something as simple as entering your pin when logging in on a new device for the very first time would add any tangible inconvenience? And would you be prepared to do that once per new phone if it meant your financial information was more secure?

TouchID isn’t relevant here. That’s only for protecting your own phone. It doesn’t prevent someone else from logging into your account on their own device. Unless you’re in a position of power, a hacker is generally unlikely to target you specifically. It’s more likely they’ll find your email in a breach list and try their luck “en masse”.

FWIW - I recommend trying your email here and seeing if it’s ever been on any breach lists:

2 Likes
(Starling Guru) #147

I know my email is not on that list because I have my own domain.

#148

Why would having your own domain mean your email isn’t on that list?

#149

To clarify - I’m not saying it is. Just wondering. :relaxed:

I agree there’s some merit in having an email dedicated to Monzo that’s unique, and unguessable. Doesn’t prevent someone from having access to your email though, or a middle-man intercepting.

(Marcel Ruhf) #150

Having your own domain doesn’t prevent your email address from appearing in that list. The site tracks breaches and examines leaked lists of email addresses and passwords (they don’t actually store them in cleartext, rather, they store the hashes corresponding to email addresses and passwords).

2 Likes
(Bruno Sousa) #151

Apologies if this has been mentioned or answered, but I was under the impression that the magic link was valid for only a specific amount of time after which it would expire and could no longer be used to log onto your account?
Also why would you keep your magic link login after you’ve logged back into your account?

(Jordan) #152

What about the location-based security already in the app? If a hacker were able to obtain access to your account, Monzo seem to suggest that they would know when fraudulent activity is occurring; maybe this is why no further security is baked in?

(Marcel Ruhf) #153

I believe so, as well as being limited to the device it was requested on if I remember correctly.
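
As an added illustration of the two properties being discussed (a link that expires, and one that only works on the device that requested it), here is a small token scheme; this is example code, not Monzo’s implementation or anything posted in this thread, and it assumes a server-side HMAC key, a device identifier supplied by the requesting app, and a fixed 10-minute lifetime. It also makes each link single-use, which answers the earlier question about old links still being around.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)   # assumption: a managed server secret
LINK_TTL = 600                         # assumption: links live for 10 minutes
_consumed = set()                      # nonces of links already redeemed


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_magic_link(email: str, device_id: str, now: float = None) -> str:
    """Build a signed token bound to an expiry time and the requesting device."""
    now = time.time() if now is None else now
    payload = {"sub": email, "dev": device_id,
               "exp": int(now + LINK_TTL), "nonce": secrets.token_hex(8)}
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    sig = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify_magic_link(token: str, presented_device_id: str, now: float = None):
    """Return the email if the link is genuine, unexpired, unused and opened on
    the device that requested it; otherwise return None."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):      # tampered or forged
        return None
    payload = json.loads(_unb64(body))
    if now > payload["exp"]:                        # link has expired
        return None
    if not hmac.compare_digest(payload["dev"], presented_device_id):
        return None                                 # opened on another device
    if payload["nonce"] in _consumed:               # already redeemed once
        return None
    _consumed.add(payload["nonce"])
    return payload["sub"]
```

Note that none of these checks help if the attacker requests a fresh link from a device they control after reading the mailbox, which is the weak point the thread goes on to discuss.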

#154

Doesn’t help here, I’m afraid. If someone signs into your Monzo on their own phone, it’s going to be that device’s location Monzo use for this feature. Also, it only applies to transactions. It doesn’t prevent someone from seeing all your past transactions (including location data) simply by logging in from the email link.

1 Like
#155

Aye I believe you’re correct here. :relaxed: Old links are not really a concern, but more if someone has access to your email there’s nothing to stop them requesting a new one and getting access to your personal data.

1 Like
(Jamie 🏳️‍🌈) #156

Just for some context, Gav, do you work in cyber security or have some level of expertise?

I don’t, but have taken my lead from other posters further up who have convinced me that Monzo is secure enough. Monzo itself, by having the app set up in this way, convinced me it’s safe enough, because I trust my bank when it tells me the login procedure is secure.

Also, which legacy banks do you use, so I can compare Monzo to them and your argument?

2 Likes
#157

(Cyber) security is ultimately about identifying risks and then determining the appropriate level to mitigate them.

Monzo is within my risk appetite. The weak point is access to my email. As has been pointed out many times before, if you lose access to your email, or your email is breached, you probably have bigger things to worry about than Monzo.

For the uninitiated, without your PIN (or biometrics that you needed your PIN to set up) the most that can be done is viewing your transactions. No money can be transferred through this exploit.

Now, this is within my risk appetite. It might not be within others’. But I’d challenge those people whether they are after privacy or security. I think another step would afford the former and not the latter.

But in any event, if it’s outside your risk appetite, unfortunately the answer has to be just don’t use Monzo at the moment.

(Quick PS - I’d like to see apps like Freetrade and Starling offer me Monzo like functionality of no login - just verification of id when I carry out a potentially sensitive function like transferring money).

8 Likes
#158

If I were to use Monzo as my main current account, it’s quite likely that Monzo would be the biggest thing I’d have to worry about with an email breach.

The rest (various communities, the odd online store) are lesser concerns. Credit card and legacy banks using that email would be of no concern, as you need much more than just access to email to get any information.

Very well put! Personally, and it is only my own humble opinion, I feel there’s enough information in transactional history to make further attack vectors possible (including monetary loss) after an email breach, especially when you consider the location element of offline transactions.

Imagine the following all too common scenario:

  • User is a novice internet user
  • User is using Monzo as current account
  • User is not using MFA on email
  • User is using the same password everywhere

User is a regular user of SiteX. SiteX still stores passwords unencrypted in the database, and suffers a data breach.

Hacker purchases User data, and gains access to User name, User email, User phone and User password from the SiteX breach. By browsing User past emails, Hacker is able to tell that User is a Monzo customer.

Hacker makes the following phone call to User:
“Hi there, this is Mr Z from Monzo. To prove I’m really from Monzo, these are your last 4 transactions and where you made them. Could you please in return give me your pin to quickly confirm it’s User I’m speaking with?”

No matter how many times it’s stressed: don’t ever give anyone your PIN, or trust anyone calling you direct with any banking information. You find people still do. If that inbound call includes further validating information within that request, the success rate of such requests sky-rockets [1].

Hacker then uses the PIN to transfer money whilst User is still on the phone.

User may even be unable to claim a refund from Monzo, as banks are not obliged to help where a user has offered security information willingly to a third party. [2]

No problem at all. :relaxed: Security falls as part of my remit as the Lead Engineer for an online community of 75 million+ members. Legacy banks for me include HSBC + Halifax, amongst others.

[1]

[2]

1 Like
(Marcel Ruhf) #159

Couldn’t have said it any better :+1:

For those of us who protect our email with MFA etc., this setup isn’t too much of a big deal, but it leaves the average Joe quite vulnerable.

3 Likes
(Simon) #160

Good post.
A lot of people I know use the year they were born as a pin :woozy_face:

(Jordan) #161

I understand your own risk appetite means that you won’t go full Monzo - but with the example you give, this wouldn’t happen to you? You’re clearly not a novice, you use MFA and I guess you have different passwords.

The same example but *insert any legacy can still happen. My example:

  • Hacker calls a Legacy Bank User claiming to be from X company
  • Hacker claims something is wrong with X service, or X device (most usually a laptop)
  • To fix the issue Hacker explains to User that they need to download software
  • User downloads software, Hacker has full access to laptop, emails and all

I’m not saying it isn’t right for a Bank to take security and privacy seriously - quite the opposite, but where does the responsibility begin/end? Is it for the Bank to ensure that it is not at all possible for any hack/breach ever? I just don’t think it is possible to completely ensure something like that.

1 Like
((╯°□°)╯︵ ┻━┻) #162

1 Like