So theoretically speaking a banking company should be secure by nature.
Say my email gets hacked, or social engineered, etc etc.
It would take 10 seconds to search for “Monzo” in my email app and deduce that I do in fact use Monzo.
Now they would only need to download the app, and enter my email address, generate a magic link and they have full access to my bank account.
What was wrong with passwords, or 2FA, or even passwords and then Magic links to verify? Magic links are not secure on their own and incredibly dangerous.
Note that they would also need your PIN if they want to do anything with your money.
Edit: Not to excuse that they might be able to get in there and see what you’ve been spending on, what other services you use (although that would probably be already clear from email), or glean more info to break/engineer into other services.
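The two posts above describe the shape of the design being debated: a link sent by email is enough to open a session and see the feed, but moving money needs the PIN as a second step. The following is an added example, not Monzo's code and not anything a poster shared, showing how a defender would implement that model so that the link itself is the weakest possible thing to steal: the raw token is stored only as a hash, each link is single-use, it expires after a hypothetical ten-minute window, and money movement is refused until the session has been stepped up with a PIN. The in-memory stores, the sample PIN table and the `LINK_TTL_SECONDS` value are all constructed for the demo (a real service would hash PINs and rate-limit attempts).

```python
import hashlib
import hmac
import secrets
import time

LINK_TTL_SECONDS = 600  # hypothetical: a magic link is valid for ten minutes


class MagicLinkService:
    """Toy magic-link login: single-use, expiring links plus a PIN step-up for payments."""

    def __init__(self, pins):
        # pins: email -> PIN (constructed sample data; real systems hash PINs)
        self._pins = pins
        self._pending = {}   # sha256(token) -> (email, expiry); raw token never stored
        self._sessions = {}  # session id -> {"email": ..., "step_up": bool}

    def issue_link(self, email, now=None):
        """Create a link token for the email; only the hash is kept server-side."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[digest] = (email, now + LINK_TTL_SECONDS)
        return token  # this is what goes out in the email

    def redeem_link(self, token, now=None):
        """Exchange a link token for a session; returns None if unknown, reused or expired."""
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.pop(digest, None)  # pop makes every link single-use
        if entry is None:
            return None
        email, expiry = entry
        if now > expiry:
            return None
        sid = secrets.token_urlsafe(16)
        # A fresh session can read the feed but is not yet allowed to move money
        self._sessions[sid] = {"email": email, "step_up": False}
        return sid

    def verify_pin(self, sid, pin):
        """Step the session up after a constant-time PIN comparison."""
        session = self._sessions.get(sid)
        if session is None:
            return False
        if hmac.compare_digest(self._pins[session["email"]], pin):
            session["step_up"] = True
            return True
        return False

    def view_feed(self, sid):
        """Read-only access: any live session may see the feed."""
        return sid in self._sessions

    def send_money(self, sid, amount):
        """Money movement: refused unless the session has been stepped up with the PIN."""
        session = self._sessions.get(sid)
        return session is not None and session["step_up"] and amount > 0


def demo():
    """Walk through the attacker-with-email scenario from the thread and return each outcome."""
    svc = MagicLinkService({"alice@example.test": "1234"})  # constructed sample account
    t0 = 1_000_000.0
    token = svc.issue_link("alice@example.test", now=t0)

    sid = svc.redeem_link(token, now=t0 + 5)          # first use: opens a session
    replay = svc.redeem_link(token, now=t0 + 6)       # same link again: refused
    stale = svc.issue_link("alice@example.test", now=t0)
    expired = svc.redeem_link(stale, now=t0 + LINK_TTL_SECONDS + 1)

    return {
        "session_opened": sid is not None,
        "replay_refused": replay is None,
        "expired_refused": expired is None,
        "feed_visible_without_pin": svc.view_feed(sid),
        "payment_without_pin": svc.send_money(sid, 10),
        "wrong_pin": svc.verify_pin(sid, "0000"),
        "payment_after_wrong_pin": svc.send_money(sid, 10),
        "right_pin": svc.verify_pin(sid, "1234"),
        "payment_after_pin": svc.send_money(sid, 10),
    }
```

Running `demo()` shows exactly the split the posters describe: the link alone opens a session that can view the feed, a reused or expired link is rejected, and no payment goes through until the correct PIN has been entered on that session.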
Whilst I don’t feel that the login links are “incredibly insecure” I do agree that an email link alone should not verify a login to your bank. Sure, I also have MFA on my email, however, there are going to be a large number of people out there who do not, especially with the percentage of market share that Monzo are aiming for.
I feel they should offer various forms of MFA for your account, e.g. text message/one-time password/other, etc.
Magic links are incredibly convenient and I don’t feel it’s the method that is insecure, rather the destination that could be insecure. At the end of the day, it is the user’s responsibility to keep their accounts safe and secure.
However, perhaps this is where Monzo could step in from a social aspect and educate new customers about online security, email 2FA etc.
Your point is a valid one, but I feel that moving forward companies should work to educate users rather than design around naivety. Barclays is an example of this. They have run many campaigns on TV and billboards around online security and keeping your information safe.
I think it’s probably more important for Monzo to teach users about 2FA on their email accounts. Ultimately email companies should be enforcing it as standard. If someone gets into your email they can get into a lot of things!
It’s surprisingly easy to reset a Lloyds online banking password with details that aren’t that difficult to get.
To add, it’s also important to remember the worst they can do is view your feed etc. No money can leave your account without Touch ID or your PIN being entered.
I assume most have email on their phones, if your phone is taken in a street mugging whilst you had it unlocked (not uncommon in London)… I’m pretty sure that you wouldn’t need any extra authentication to get into your mail app.
Either way, it’s not the security I want on my finances.
I understand why it’s currently not the default. Having worked at a fruit stand tech support, I have seen many people enable 2FA and then get locked out because they didn’t understand what it meant and what they were doing. Emails are vital to a lot of people, as it’s the main form of account recovery for most online services and accounts. If you lock yourself out of your email, you are in for a tough time!
But you are asking for something based on no evidence whatsoever. That’s security theatre and I don’t need that kind of friction in my life.
You have stated ‘Magic login links are incredibly insecure’ - they are only as insecure as the person using them. I don’t want every provider to be legislating for stupidity.