Magic Login Links are incredibly insecure


(Jordan) #161

I understand your own risk appetite means that you won’t go full Monzo - but with the example you give, this wouldn’t happen to you? You’re clearly not a novice, you use MFA and I guess you have different passwords.

The same example but *insert any legacy can still happen. My example:

  • Hacker calls a Legacy Bank User claiming to be from X company
  • Hacker claims something is wrong with X service, or X device (most usually a laptop)
  • To fix the issue Hacker explains to User that they need to download software
  • User downloads software, Hacker has full access to laptop, emails and all

I’m not saying it isn’t right for a Bank to take security and privacy seriously - quite the opposite, but where does the responsibility begin/end? Is it for the Bank to ensure that it is not at all possible for any hack/breach ever? I just don’t think it is possible to completely ensure something like that.


((╯°□°)╯︵ ┻━┻) #162


#163

Of course it can! And it still will. But in your scenario the Hacker won’t have access to any of my transactional/banking history to “validate” their claim.

I agree - however, just asking for an appropriate second authentication factor when someone first downloads Monzo^ offers added protection against the above, with minimal inconvenience to the end user. To me, it seems a real no-brainer.

I’m not sure if I’d personally ever vote against extra security, when it comes at such a low cost?

^ Don’t have the figures, but you’d suspect the average user only needs to login after downloading the app once or twice a year at most - notwithstanding any bugs.
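
Added example (editor's, not part of any post in this thread): a minimal model of the two login flows being argued over above. `login_weak` is the magic-link-only pattern the thread title objects to; `login_hardened` is the second-factor-on-first-use policy post #163 proposes, with TOTP (RFC 6238) standing in for "an appropriate second factor" because post #164 rules out SMS. The 15-minute link lifetime, the e-mail address, the device ids and the enrolled TOTP secret are all assumptions constructed for the example; the secret is the RFC 6238 test-vector key so the code can be checked against published values.

```python
import hashlib
import hmac
import secrets
import struct

MAGIC_LINK_TTL = 15 * 60   # seconds a link stays valid (assumed policy, not Monzo's)
TOTP_STEP = 30             # RFC 6238 time step
TOTP_DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, now: int, step: int = TOTP_STEP) -> str:
    """RFC 6238 TOTP: HOTP over the current time-step counter."""
    return hotp(secret, int(now) // step)


def verify_totp(secret: bytes, code: str, now: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` steps for clock drift; compare in
    constant time so response timing does not leak how many digits matched."""
    counter = int(now) // TOTP_STEP
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))


def _hash_token(token: str) -> str:
    # Only a hash is stored: a leaked table must not yield usable links.
    return hashlib.sha256(token.encode()).hexdigest()


class MagicLinkAuth:
    def __init__(self):
        self._pending = {}            # token hash -> (email, expiry)
        self._totp_secrets = {}       # email -> enrolled TOTP secret
        self.trusted_devices = set()  # (email, device_id) pairs that passed a 2nd factor

    def enrol_totp(self, email: str, secret: bytes) -> None:
        self._totp_secrets[email] = secret

    def issue_link(self, email: str, now: int) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits of entropy, not guessable
        self._pending[_hash_token(token)] = (email, now + MAGIC_LINK_TTL)
        return token

    def _consume(self, token: str, now: int):
        """Single use: the entry is removed whether or not it is still valid."""
        entry = self._pending.pop(_hash_token(token), None)
        if entry is None:
            return None
        email, expiry = entry
        return email if now <= expiry else None

    def login_weak(self, token: str, now: int):
        """Magic link alone: whoever can read the mailbox (the remote-access
        scenario in post #161) gets a session without knowing anything else."""
        return self._consume(token, now)

    def login_hardened(self, token: str, device_id: str, code, now: int):
        """Same link, but an unrecognised device must also present a valid TOTP
        code before it is trusted. A failed attempt still burns the link."""
        email = self._consume(token, now)
        if email is None:
            return None
        if (email, device_id) not in self.trusted_devices:
            secret = self._totp_secrets.get(email)
            if secret is None or code is None or not verify_totp(secret, code, now):
                return None
            self.trusted_devices.add((email, device_id))
        return email


def scenario() -> dict:
    """Run both flows against constructed inputs and return the outcomes."""
    auth = MagicLinkAuth()
    user = "alice@example.com"          # constructed
    secret = b"12345678901234567890"    # RFC 6238 test-vector key, constructed enrolment
    auth.enrol_totp(user, secret)
    t = 1_700_000_000                   # fixed clock so the run is deterministic
    out = {}
    link = auth.issue_link(user, t)
    out["weak_from_stolen_mailbox"] = auth.login_weak(link, t + 5)   # user: bad
    out["weak_replay"] = auth.login_weak(link, t + 6)                # None: single use
    link = auth.issue_link(user, t)
    out["hardened_attacker_no_code"] = auth.login_hardened(link, "attacker-laptop", None, t + 5)
    link = auth.issue_link(user, t)
    out["hardened_user_with_code"] = auth.login_hardened(link, "alice-phone", totp(secret, t + 5), t + 5)
    link = auth.issue_link(user, t)
    out["hardened_trusted_device_later"] = auth.login_hardened(link, "alice-phone", None, t + 60)
    link = auth.issue_link(user, t)
    late = t + MAGIC_LINK_TTL + 1
    out["hardened_expired"] = auth.login_hardened(link, "alice-phone", totp(secret, late), late)
    return out


if __name__ == "__main__":
    for name, result in scenario().items():
        print(f"{name}: {result}")
```

The point the scenario makes is the one post #163 argues: with the link alone, a mailbox compromise is a full account compromise, while the hardened flow only asks for the extra factor once per device, so a user who logs in "once or twice a year" barely notices it.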


#164

What about a 2FA option? And not SMS because that’s also insecure.


(Sarcasm is the finest form of wit.) #165

Just to poke at this (again). Low cost to the user, yes; low cost to develop, no.

Plus, how many users are complaining about this? 1? 5? 10? 100?

Let’s say I’m a development team, and I’m looking at 50 things we COULD build. Which ones would I choose to do? The ones for 1 person, for 10, for 100, for 1000? And considering security steps, the testing needs to be doubly good, so will cost more again.

Again, not disagreeing with your risk appetite versus that of others, but everything costs, and for an app that is rapidly being developed on an expanding service, these decisions matter. Things like this can’t ‘just be done’.

Dropping out now as this is becoming a bit samey in terms of discussion points. I get you want this, but repeating it as a defense isn’t really progressing what is, in my opinion, a dead end of a conversation.

Over and out!


#166

This is maybe where people (and companies) go wrong.

Customer demand is not a valid consideration when dealing with security improvements. How many users complained to Equifax about their version of Apache Struts being out of date before their breach that affected 145.5 million users? How many users complained to Monzo before their own 3rd party breach last year?

I don’t believe anybody here was asking for it to “just be done”, but just for it to be on the list at all, to get round to at some point. At the moment it’s not even on the back burner as far as I’m aware.

This is especially frustrating when:

a) It’s not a particularly complex development piece. We implemented MFA as an ‘opt-in’ add-on to our platform of 75 million users (spanning Web, iOS and Android) in a little less than a week of development + QA time, in an industry subject to similar levels of regulation. We’re shortly moving to ‘force’ MFA on all users, as in recent weeks we’ve seen a steady increase in credential stuffing attacks across our user base. We find it’s often Joe Average who suffers here.

b) you see some of the updates and releases Monzo have done which, as some of the threads in this community prove, literally no one was asking for. :grinning:


(Sarcasm is the finest form of wit.) #167

Ahh so you have experience in this.

OK. Have fun with the rest of the discussion.


(Jordan) #168

This is however just an opinion from someone who clearly has a wealth of knowledge in this space.

But if Monzo are doing all they are required to do legally, and, as @gmclean has said, for 99% of the user base it’s a non-issue, it won’t be something that is being thought about. It doesn’t matter if people such as yourself are complaining/asking for it, if the current package is doing everything that it needs to do.

But I can guarantee that there is a use-case for it, a pros/cons for it, and an overall appetite to do it - whether that be profitability, some bug fixes, expansion etc etc.

Whilst your opinion is that it is achievable and is something you’d like to see to go full Monzo, that doesn’t make it a universal truth that Monzo must do it.


(MikeF) #169

In my view, Monzo should not be reactive developers in the sense you seem to want. If they’ve run out of ideas of their own and are just here to respond to user requests then things are going to go downhill very quickly.


(Emma (still not the app)) #170

Struggling to think of anything they’ve introduced that nobody has asked for. Pretty sure every conceivable thing in the universe has at least 3 threads dedicated to how, if Monzo did this one thing, the OP would go full Monzo.


(Simon) #171

I’d go full Monzo if they matched my salary each month with a “gift from Monzo”
Just putting that out there. :wink:


#172

Apologies if this was meant for me. I’m not suggesting they should be, that was in response to gmclean.

Very well put, and valid points! :relaxed:

I would hope that Monzo has an overall appetite for continuing security improvements mind, and that these are never considered to be of low importance. If Monzo have the kind of internal culture that puts profitability & expansion before security & privacy we’re heading on a road to disaster.

Security improvements are always a hard argument to win in any company. They rarely directly improve your profit margins, are unlikely to attract new customers, and indeed may even make it harder for your customers to convert - I sometimes find myself describing them as an insurance policy. Without them, and especially now under GDPR, you not only risk share price with negative publicity, but administrative fines of up to 4% of annual global turnover or €20 million – whichever is greater.

As a direct example of this issue, Barclaycard have just today released a new login process to further secure access to personal data on behalf of their own customers. To login you are now required to supply all of the following:

  • Family name
  • Customer code
  • Customer pin
  • Two characters from password

Yes, that’s a pain. No, I don’t think that’s the ideal solution. But it does show a great sense of corporate responsibility to do the right thing (as well as offering them more protection of course).

I would bet my life savings that they had no customers asking for it to be harder to login, that this change won’t allow them to expand any faster, nor will it lead to greater profits - however it was still implemented, before other features I’m aware they’re working on, because it’s the responsible thing to do.

I like to hope that there’s a team in Monzo working on ways of improving security and privacy for all their users!


Reading back through this thread I notice there’s a lot of users who still don’t want to use MFA/2FA, and are against this for just that reason. I suspect there’s several who may be using the same password for everything …

… if literally nothing else comes of this thread, I implore you to please consider using MFA whenever offered, and start using a Password Manager. It honestly isn’t that much trouble, and really, really does help. You may have been lucky so far, but please, please don’t leave it until you suffer the indignity of having your personal data compromised before taking some serious steps to secure your online presence.

It is 100% worth subscribing to this free service to monitor if your email address appears in any data breaches: https://haveibeenpwned.com/

And have a good read of some of the awesome work done by Troy Hunt and Scott Helme in this area if you’re in any doubt on the effectiveness of MFA and unique, secure, passwords:

https://scotthelme.co.uk/


#173

If you have a dig into how Monzo appear to develop features, the answer is no. This feature is complete and won’t change until they decide it’s to go back onto their pipeline.

Of the new features over the last year there’s a reasonably consistent approach of putting out a feature that covers a small number of use cases and marking it as ‘done’. Good or bad, that’s how they seem to do it. Once it’s out nothing happens to it for a good while. I think part of it is to rush it out the door so they can say they have ‘x’ feature even if it’s only half functional or only works for 1 in 10 people’s use cases. And I assume they just don’t have the developers to work on more than a couple of things at a time.

I doubt they’ll change this in a long time considering all the other features that either need to go back to the drawing board or need a lot of work to really be considered fully functional.


(If there's the wrong end of a stick, you'll find me holding it.) #174

Haha. I have this vision that the person who developed the international transfers said a cheery ‘see ya’ as they walked out of the door, and was never seen again. :joy: