I think you’ve missed the issue completely. the last dozen or so posts point out the issue.
If your looking at Monzo specifically and it’s current authentication method which in this case is email via a magic link there is a single point of failure, it doesn’t matter if email is 2FA enabled or not if the email is compromised so is potentially your access to Monzo.
Personally there should be an option for a second layer, if people are happy with the security that the magic link brings that is fine, but maybe an option so everyone who is not can enable an additional layer be that an authentication code through Authy or whatever.
1 Like
When exposed, they are. If anyone other than yourself somehow comes across it (plenty of situations posted throughout this thread show how that’s possible) then it’s basically game over for your financial privacy.
Sure, I’m more than happy they can’t make payments. That’s one thing. But then the question arises as to why they don’t make new app logins require the pin as well? It doesn’t make much sense considering it’s hardly security theatre, it’s putting in four digits and only on a new device, nobody doesn’t have time for that.
Also, I believe you previously mentioned about new devices being logged somewhere. Can you show me where I can view all devices logged in? Because I don’t see it - only “Manage Apps” which shows each type of app connected to the account (EG Monzo for Android), I don’t believe it shows the same thing multiple times if another Android user logs in, and doesn’t give further details than that, either. So I’m not sure where I’m supposed to be getting this notification that my account has been logged into from another device.
Again - the entire point of two factor authentication is that there is no single point of failure. The problem with the current setup, is that there is one - your email. I’m not sure why people are comfortable that their financial privacy has complete 100% dependence on their email account…
This specifically would be user authentication, the magic link currently doesn’t authenticate, it just allows anyone with access to a box (email, which monzo has no visibility of) access to your account.
There should be an option i think, at the very least like there is with the app, the option to add a user authentication layer, so even if your email is accessible by others, they have zero access to your financial information.
1 Like
You might as well say those little card readers some bank use for 2FA don’t authenticate, they just allow anyone with access to the card and reader to have access to the account.
Monzo authenticate you when you open and account and link this to your email address. When you try and change your email address, they ask you to authenicate this request.
The magic links allow the authenticated user to log in to their account. It is on the user to keep their email secure.
And anyone who doesn’t keep their email secure has much bigger problems than someone potentially getting read-only access to their Monzo account.
But they don’t, they authenticate the user via the users pin, an item controlled by the bank. This isn’t what monzo are doing.
The magic links by design cannot authenticate the user, there just a link. There’s no user authentication step in the process at all.
All the link knows is that someone with access to an uncontrolled (by the bank) email account requested and clicked the link. Monzo has no idea who.
Yes, that’s peoples point.
Monzo has no visibility over someone’s email. They don’t know how it’s setup, where it’s being accessed, or who has access. They have no control over this. Monzo cannot reliably make any assumption on who’s on the other end. To get by this problem everyone else puts a layer of user authentication in there, monzo don’t really do this. If you have the link you have access. They know this is a problem because they require user authentication when making payments but they don’t to view financial information.
That’s what people are arguing here, that the privacy of their financial information is as important as the ability to make transactions.
1 Like
One could apply the same line of argument and say that knowing the PIN doesn’t authenticate the user, only that someone with knowledge of the PIN has requested access and the bank has no idea who this is.
The bank has no visibility over someone’s PIN. They don’t know how the user chose it, where they wrote it down, or who might have access. They have no control over this. They cannot reliably make any assumption on who’s on the other end.
A pin is something you know, set by the bank, and controlled by them. The same cannot be said for email, it’s been mentioned several time’s why it’s different. Really don’t know why your grasping to defend magic links, no one is saying they’re terrible only that they don’t protect data very well.
2 Likes
But I made my own PIN and can change it easily?
This is what I’d like Monzo to do.
Furthermore, don’t make it optional, force it on everyone. Making it optional won’t protect the customers who are most likely to fall victim of a compromised email account.
It’s hardly an inconvenience to enter a 4 digit PIN when setting up the app on a new device and would add a layer of privacy protection.
This would solve everyone’s issues?
Don’t know. I would prefer it to the current approach.
1 Like
Agreed.
Anyone complaining about the “inconvenience” and “hassle” of having to spend 3 seconds extra every 2 years they upgrade their device to put in their PIN and thinks it’s too much for the additional security has a few screws loose, IMO…
3 Likes
I’m not sure that chucking insults around strengthens your argument. 
5 Likes
Very little truly authenticates a user.
All most of these things do is prove you’re in possession of a particular piece of information that only the legitimate user should have. Fingerprints are forgeable if someone gets hold of yours, even selfies could be social engineered out of someone if you tried hard enough.
Proper 2FA on new installs would be an improvement (not keen on pin really… people have a nasty habit of writing pins in their address book as ‘bank 0171 123 xxxx’ which any thief with half a braincell knows to look for… but it’s better than nothing I guess).
2 Likes
Wrong.
I am not ‘grasping to defend’ magic links. I’m simply pointing out that the exact same argument you’re using against them can be used against the other methods you’re holding up as being better.
If you were to hold PINs up to the same standards as you’re holding magic links to, it can equally be said of those that they don’t authenticate the user.
1 Like
I don’t think, PIN numbers and magic links should be held to the same standards as they’re completely different with completely different functions.
The only real way that theoretically a Magic link could be hijacked is probably through a Phishing campaign. But that would require them to send an email at the same time as you request one from Monzo.
But I would argue that’s unlikely to happen due to the time and returns are probably quite low. There is a reason why ransomware is so successful, its easy to implement and the data is valuable.
A pin number is just an easy way to access your money.(More secure than Signatures)
In all honesty I would be more worried about being robbed at knife point than someone over the internet hijacking a magic link
Surely they’d phish your email details, then search your emails to see which services you’re subscribed to, and then start resetting passwords and requesting magic links?
The attacker doesn’t need luck to get the timing right - they activate all these things after they’ve got access to your email.
My email address was leaked recently in a data breach, but I’m not particularly concerned as my email is ring fenced by two factor authentication and an absurdly long unique password.
The reason I say “they would need to send one at the same time” is check when I have authorised a magic link. Any magic link I’m not sure of I don’t/wouldn’t click.They would have a better chance if they loaded an email with the fake link at the same time as I send the request and then deleted the original.
On top this I have antivirus software that can scan links if I’m unsure.
Is anyone asking for “security theatre” every time you open the app?
Isn’t the argument to just have some form of authentication to initially install the app on a new device?
1 Like