Magic login links, insecure?

Yes the email link itself isn’t that secure if you look at it in isolation. But if you put it into context, which I mentioned earlier that someone would need to hack your emails, then see you had Monzo, then login, the WORST they can do is view your transactions and your balance (and a lot of your transactions would be available in your email anyway). So I’m essentially trusting the security of my email is good enough and if compromised, the actions they can take with Monzo is extremely limited.

So in that sense, yes, it’s secure enough for the actions they can undertake if they managed to hack my email

Why not keep the magic link as it is, but when the app receives the ‘Magic Link Login’, it then prompts for the card PIN as ‘additional confirmation’?

Therefore if somebody’s email does get hacked, they can’t really get much further without also knowing the PIN (I was going to suggest the CVV/SecureCode on the back, but then that is disclosed to internet merchants who also probably know your email address and also probably ask for ‘a password’ - so increases the chances of them having all the info needed).

Also - if a new app is being setup and Monzo ‘knows’ the account is already logged in elsewhere, perhaps send a notification to the logged in app saying ‘Hey - just to let you know, an iPhone 6 from IP address 127.0.0.1 <somewhere near Birmingham, UK> is logged into your account - if this isn’t you, please contact us’

I think this would work really well. If it’s only for the initial login then it’s not adding much friction either.

I’m still unsure why anybody is happy with people snooping in their bank account at all, regardless of the level of access. By nature, any unauthorised access should be reason for concern.

I can have 2FA for this forum as an option, why not for my bank.

There’s been some great ideas in here, i.e. using magic link and PIN for new devices.

Seeing your transactions and balance can be a large risk, its not all about just spending money. Think identify theft. Someone may break into your email to generally steal your info, not necessarily to break into your bank account.

The issue isn’t that the magic login links can be secure, its that Monzo cant assume they are secure. Monzos security staff should have been fairly concerned with the use of just links to grant access to systems (or bypassed the risk by writing something in the TOS the puts the end user to blame).

Assuming they have done their work, they obviously think (for now) this works OK and have accepted the risk, but people here shouldn’t be thinking that the solution is “just use 2FA on your email”. Your email isn’t your bank, and your bank should assume you have the minimum level of security on your email if they are using it for authentication and authorisation.

While it might be good enough for now, I would expect Monzo to up their game in regards to securing accounts more, its not something that has to be overly complicated.

A magic link + 2FA would be great. And not all demanding!

With the new iOS 12 (or was that also before not sure) it is effortless. When an app requires a sms code and one is received (on the same device) it figures that out and autofill the code.

Let me know if you want to see that in action. Could try and make a small video.

OR instead of sms one could choose to use an app like google’s Authenticator. I only have my 2FA on that Authetocator app on one device. If that device was to get stolen/lost I would knew my accounts might be compromised.

I don’t think anyone is happy about someone snooping in their account. But I’d be more concerned that someone was snooping in my emails than my bank.

I’d be satisfied with a notification on my logged in device or a text saying, a new login has happened from this location/ip. If it wasn’t you, click here to block and report.

So the thing for me is that I have secured my email with 2FA, which objectively is more life critical than an app which shows a list of transactions and other info which thousands of people know (even if temporarily) or could get from things like internet shopping. Monzo’s current set up is good for me. I feel it would be stupid for Monzo to force security theatre on me when their setup is good.

But others want that theatre, it would seem. Even if email is secured? Strange but OK. So do Monzo force the security on everyone unnecessarily?

Or do they leave the security theatre optional for those that “want it” as suggested earlier in the thread? Then we get into all sorts of strange groups of people:

1. The people, like me, who won’t turn it on because I know my email is secured and that’s good enough.
2. The people who have 2FA on their email but also want it on the Monzo app – why??
3. The people who don’t know about 2FA – are these people likely to turn on an option in Monzo if it’s optional?
4. Those who are open to switching on 2FA. If they do for their bank, to make Monzo secure, wouldn’t they be better served being educated to switch it on for their email, which would by default make the Monzo magic links secure, as well as the rest of their life…?

It just seems to me if you’re technically competent to realise a magic link should go to a secure inbox, you’ll switch on 2FA for your email. And if you’re not, you either need educating about email security or you just don’t realise what the debate is all about anyway and leave it all off by default.

Why would anyone who understands this still want security theatre on Monzo?

Who’s email? You’re thinking of your self like a lot of people here, and you’re simplifying things far to much.

Monzo have one piece of information, what email provider someone uses. If that provider doesn’t enforce strong authentication then they cant assume everyone uses it. You’re suggesting Monzo just pass the buck because you use 2FA (do you use it on your phone? I doubt it).

Monzo can only assume so much from an email address, that’s not security theatre.

I haven’t read this whole thread so not sure if this has come up, but one thing I’ve been wondering with magic links is can Monzo hold someone responsible for fraudulent use of their Monzo account if they’ve been negligent with their email security (e.g. sharing their email password, storing it in an insecure way, etc) in the same way I assume a standard bank could hold a customer responsible for being negligent with their banking account credentials?

I don’t know how Monzo could demonstrate customer negligence here, but in theory could it happen?

I doubt anyone here can give anything other than a personal opinion. It’s not a question that we’ll be able to resolve on a customer forum.

Not really. I don’t know that much about this stuff, but I’ve seen this discussion go by a few times in the past two years, and I trust Monzo know what they’re doing in running an actual, proper, regulated, like–keeping–money–safe–from–real–bad–guys bank more than people on here who say “I don’t think it’s secure because my other bank asks for a password”

So exactly what I said in the quote. People thinking about what they think is secure not whats reality.

This may answer your concerns:

https://community.monzo.com/t/labs-feedback-3ds/44495/79?u=jackcrwhitney

Personally I’m all for the decision Monzo has taken here.

Totally agree. It absolutely makes sense when Monzo (the fantastic @Rika) explains it.

I said it above, I think because it doesn’t look like any other bank (username/card number; characters from your password) some people assume that the legacy banks are more secure and Monzo somehow isn’t, whilst forgetting (or not realising) that passwords in general are incredibly insecure because of the way virtually everyone reuses the same one for everything (and that same password is probably an English word, and it’s probably written down, and has probably already been cracked etc etc)

I reckon Monzo are pioneering here.

I personally don’t agree, as (for me) it definitely makes it less secure. But I understand that in general it probably increases security for the average user. As I said in the 3DS thread, it’s just nice to have some reasoning behind the decision.

Just so I can contextualise your stance on this, do you have expertise in this area? I don’t, but I have read the arguments Monzo and others who do obviously (@anon23935806) know what they’re talking about and I feel Monzo is at least as secure as High Street Bank plc.

I’ve read your four posts to this thread and you don’t put forward a convincing argument as to why a password (or characters of) is a better option. It reads as “it just doesn’t feel the same as other banks”. Your “emails are like postcards” comment was refuted, and your rejection of AI-based approaches to security didn’t put forward any evidence.

Are you saying that for your individual set up you can objectively prove Monzo’s use of magic links is less secure? Or are you saying that, having read Monzo’s justification, you still just feel like it cannot be as secure.

These are genuine questions, by the way. I’m not trying to troll you, I am however trying to understand your feelings on the matter.

I’m definitely not an expert. Just a consumer who tries to take security seriously (not to imply that Monzo don’t!) and falls more on the security side vs convenience.

To be clear, I’m not comparing to other banks. I have various accounts and some are better than others. Some definitely go to town with the security theatre (NatWest with their ******* PIN terminal) which is annoying to the point of just avoiding it.

I’m all for ML. I work for a tech company and we use a (highly publicised) combination of ML and humans to detect fraud on our customer transactions. I just have the opinion that these things are additive. Not either / or. I’ve also personally had fraudulent activity occur on my Monzo account which only failed because I didn’t have enough funds and then was quick enough to see the transaction and freeze my card.

I wouldn’t say my email comment was refuted. Just that some email is encrypted. Which is great but it it doesn’t completrly solve the problems.

I also was only ever arguing for more security when intially logging into a new phone. Not for every time you use the app. I think the increase in security is worth the trade off.

The comment by @anon23935806 also indicates that Monzo are solving for the average customer rather than the more security conscious. And that’s a perfectly fine goal. Perhaps it’s is a better solution for the majority of customers and it lowers support costs. But if you do happen to use strong unique passwords that isn’t really a problem you need solved.

I use a lot of online services and a strong unique password coupled with 2FA (not via SMS) seems to generally be a widely accepted good enough solution.

Great answer. Thanks for answering in the spirit in which I asked the questions.

Hey

So, I was just looking at this magic link situation because I’m finally moving my current account to Monzo and… I’m not thrilled with what I’m seeing, at least for the web app.

Let’s abandon all of the theoretical attacks and hyperbole and look at some facts that I think are concerning:

1. The magic link emails are delivered by a third party (Mailgun) so the integrity of their systems/staff are crucial in protecting our Monzo accounts
2. The emails are not end-to-end encrypted (nor could they reasonably be)
3. The magic links don’t seem to be tied to the browser that requested the login, so intercepting a link works fine

Personally I would prefer to use a 2Fa code (not SMS), but I do think that addressing the 1st and 3rd points, particularly the 3rd, would go a long way to making the magic link system more trustworthy.

Fixing the 1st point would be relatively simple, so there’s no real need to discuss that.

The 3rd point was quite a surprise to me - I used two separate browsers (Safari and Chrome), one to visit web.monzo.com and start a login, and then the other to open the magic link in my email. The login worked fine, which tells me that the magic link is not tied to the originating browser (by cookie or local storage or something similar).
My guess was that maybe it would at least be tied to the originating IP address, but I was able to repeat the test using WiFi to start a login, and 4G to open the magic link, so it’s not tied to the IP address.

I happen to think that requiring a password to login, is absolutely fine, and/or requiring 2Fa is absolutely fine, and I would like either/both of those, but even if we discard my personal preferences, I think it’s pretty hard to make a sensible case that the magic link shouldn’t be tied to the browser that originated the request?

I’m not completely sure yet, but I think in the case of the iOS apps, the magic links are tied to the originating instance of the app - I haven’t yet been able to get my iPad to login with an email generated from my iPhone, or vice versa, but I can’t immediately tell if that’s because they are actually tied, or if there is something about the sequencing of two concurrent logins happening.