The reason I stopped replying to this topic was the brick walling of people’s principles and the fact that people are so happy to shift security from their bank to their email service.
As I mentioned before, some of you are clearly happy with having privacy of your bank account in the hands of your email provider.
Having the options there for people who are concerned about privacy and security and not shifting it off to another “unknown” email company should be essential.
Social engineering is a thing, MFA is not enforced or even available on all email providers.
The fact that having one service (your email) hacked should not mean we have to accept that every other service should succumb to the same fate. The security of my bank should not be tied to the security of my email.
Just have the option of MFA Auth, whether that be Magic Link and passcode, Magic Link and Token Auth, Magic Link and SMS verification, Password and SMS, etc, etc.
Usually trivial things, but hard hitting things for services to implement.
I do wonder if shifting security to a third party is more a way to cut down on support costs … hmm.
My parents use Monzo, not tech savvy people and both still have old Hotmail accounts filled with 10000 spam emails they would never read, and I’m entirely sure they don’t have MFA and both have weak passwords that are reused on other services.
Not entirely outside the ordinary.
People in this thread assume a certain level of technical knowledge about internet security.
And to further add to this point if the magic link then asked for a password as part of the login process wouldn’t your parents use the same one as usual?
Can someone explain to me why this very own forum offers it as an option? Why doesn’t this forum just use magic links, if they’re so secure and relying on a password and 2FA is unnecessary? I have even added it to my account on here. Why is it okay to have it optional on a forum, but not a bank account?
Why are you so concerned about implementing this as an OPTION?! If you don’t want it nobody would force you to add it, surely?
No one is arguing this. They’re arguing about the security of your financial data.
… Exactly. Monzo have zero visibility over 3rd party email security. Magic links do not authenticate the user, that’s the issue people have here. Some people want their financial data to also require user authentication.
I presume they mean BT email in the context of the last few posts?
No need. People can make their own choices. Should we encourage email providers to implement good security measures? Sure. Force them? I don’t think it’s needed.
My mistake, I chimed in without checking what had happened since my last visit. I wonder how many people use BT email though, I thought ISP email was dying out.
What happens if you are subject to a man-in-the-middle attack?
You have secured your email, you have a strong password, 2FA is enabled; however, you log in on some public WiFi in Starbucks and your email gets sniffed. If that happens, it is pretty much game over.
They can’t do anything with your money as the pin is not exposed but they now have enough information to hijack your identity and contact Monzo support pretending to be you.
While it is the responsibility of the email account owner to ensure their email is secure, lots of people are just not aware that your email can get compromised on public WiFi etc.
This probably isn’t a common occurrence. Even if you’re on public Wi-Fi, your connection to Gmail (for example) uses TLS so it’s encrypted. They’d sniff encrypted traffic but wouldn’t be able to do anything with it. They’d need to compromise that as well.
They could grab the URL when you click it, but the timing on that would have to be perfect to be able to use it.
More likely is simply people (family and friends) who have access to your email with or without your knowledge.
TBH I think there’s a bigger chance of a Phishing campaign having success than any type of Middle Man attack etc.
As long as there is due diligence and people check their magic links there will never be an issue.