Of course it can! And it still will. But in your scenario the Hacker won’t have access to any of my transactional/banking history to “validate” their claim.
I agree - however just by asking for an appropriate second authentication factor when someone first downloads Monzo^ offers added protection against the above, with minimal inconvenience to the end user. To me, it seems a real no brainer.
I’m not sure if I’d personally ever vote against extra security, when it comes at such a low cost?
^ Don’t have the figures, but you’d suspect the average user only needs to login after downloading the app once or twice a year at most - notwithstanding any bugs.
Just to poke at this (again). Low cost to the user yes, low cost to develop, no.
Plus, how many users are complaining about this? 1? 5? 10? 100?
Let’s say I’m a development team, and I’m looking at 50 things we COULD build. Which ones would I choose to do? The ones for 1 person, for 10, for 100, for 1000? And considering security steps, the testing needs to be doubly good, so will cost more again.
Again, not disagreeing with your risk appetite versus that of others, but everything costs, and for an app that is rapidly being developed on an expanding service, these decisions matter. Things like this can’t ‘just be done’.
Dropping out now as this is becoming a bit samey in terms of discussion points. I get you want this, but repeating it as a defense isn’t really progress what is, in my opinion, a dead end of a conversation.
This is maybe where people (and companies) go wrong.
Customer demand is not a valid consideration when dealing with security improvements. How many users complained to Equifax about their version of Apache Struts being out of date before their breach that affected 145.5 million users? How many users complained to Monzo before their own 3rd party breach last year?
I don’t believe anybody here was asking for it to “just be done”, but just for it to be on the list at all, to get round to at some point. At the moment it’s not even on the back burner as far as I’m aware.
This is especially frustrating when:
a) It’s not a particular complex development piece. We implemented MFA as an ‘opt-in’ add-on to our platform of 75 million users (spanning Web, iOS and Android) in a little less than a week of development + QA time, in an industry subject to similar levels of regulation. We’re shortly moving to ‘force’ MFA on all users, as in recent weeks we’ve seen a steady increase in credential stuffing attacks across our user base. We find it’s often Joe Average who suffers here.
b) you see some of the updates and releases Monzo have done, that some of the threads in this community prove, literally no one was asking for.
This is however just an opinion from someone who clearly has a wealth of knowledge in this space.
But if Monzo are doing all they are required to do legally, and as @gmclean has said for 99% of the user base is a non-issue, it won’t be something that is being thought about. It doesn’t matter if people such as yourself are complaining/asking for it, if the current package is doing everything that it needs to do.
But I can guarantee that there is a use-case for it, a pros/cons for it, and an overall appetite to do it - whether that be profitability, some bug fixes, expansion etc etc.
Whilst your opinion is that it is achievable and is something you’d like to see to go full Monzo, doesn’t make it a universal truth that Monzo must do it.
In my view, Monzo should not be reactive developers in the sense you seem to want. If they’ve run out of ideas of their own and are just here to respond to user requests then things are going to go downhill very quickly.
Struggling to think of anything they’ve introduced that nobody has asked for. Pretty sure every conceivable thing in the universe has at least 3 threads dedicated to how if Monzo did this 1thing the OP would go full Monzo
Apologies if this was meant for me. I’m not suggesting they should be, that was in response to gmclean.
Very well put, and valid points!
I would hope that Monzo has an overall appetite for continuing security improvements mind, and that these are never considered to be of low importance. If Monzo have the kind of internal culuture that puts profitability & expansion before security & privacy we’re heading on a road to disaster.
Security improvements are always a hard argument to win in any company. They rarely directly improve your profit margins, are unlikely to attract new customers, and indeed may even make it harder for your customers to convert - I sometimes find myself describing them as an insurance policy. Without them, and especially now under GDPR, you not only risk share price with negative publicity, but administrative fines of up to 4% of annual global turnover or €20 million – whichever is greater.
As a direct example of this issue, Barclaycard have just today released a new login process to further secure access to personal data on behalf of their own customers. To login you are now required to supply all of the following:
Family name
Customer code
Customer pin
Two characters from password
Yes, that’s a pain. No, I don’t think that’s the ideal solution. But it does show a great sense of corporate responsibility to do the right thing (as well as offering them more protection of course).
I would bet my life savings that they had no customers asking for it to be harder to login, that this change won’t allow them to expand any faster, nor will it lead to greater profits - however it was still implemented, before other features I’m aware they’re working on, because it’s the responsible thing to do.
I like to hope that there’s a team in Monzo working on ways of improving security and privacy for all their users!
Reading back through this thread I notice there’s a lot of users who still don’t want to use MFA/2FA, and are against this for just that reason. I suspect there’s several who may be using the same password for everything …
… if literally nothing else comes of this thread, I implore you to please consider using MFA whenever offered, and start using a Password Manager. It honestly isn’t that much trouble, and really, really does help. You may have been lucky so far, but please, please don’t leave it until you suffer the indignity of having your personal data compromised before taking some serious steps to secure your online presence.
It is 100% worth subscribing to this free service to monitor if your email address appears in any data breaches: https://haveibeenpwned.com/
And have a good read of some of the awesome work done by Troy Hunt and Scott Helme in this area if you’re in any doubt on the effectiveness of MFA and unique, secure, passwords:
If you have a dig into how Monzo appear to develop features, the answer is no. This feature is complete and won’t change until they decide its to go back onto their pipeline.
Of the new features over the last year there’s a reasonably consistent approach of putting out a feature that covers a small number of use cases and marking it as ‘done’. Good or bad that’s how they seem to do it. Once its out nothing happens to it for a good while. I think part of it is to rush it out the door so they can say they have ‘x’ feature even if its only half functional or only works for 1/10 peoples use case. and I assume they just don’t have the developers to work on more than a couple of things at a time.
I doubt they’ll change this in a long time considering all the other features that either need to go back to the drawing board or need a lot of work to really be considered fully functional.
1 Like
Anarchist
(Press ‘Help’ search ‘Contact us’ or email help@monzo.com or call 0800 802 1281)
174
Haha. I have this vision that the person who developed the international transfers, sad a cheery ‘see ya,’ as they walked out of the door, and was never seen again.
Sorry to bump an old thread, but I’d like to throw in my thoughts.
I’ve recently became a Full Monzo user, with this being my main Current Account, but this really does trouble me a bit. No matter what anyone here says, the fact is that if someone can get into your email somehow, they will have access to your Monzo account. Fact. That makes the email a single point of failure.
Yes, I have 2FA on my email address, so it isn’t likely this will happen. However, there are plenty of people who don’t have 2FA on their email (for example if they’re using their own domain with an outdate provider that can’t add this feature) and I don’t think Monzo should assume the security settings of the email the account is tied to (it can’t do a check, can it) and as such the Devs should implement optional 2FA extra security if people want it.
I cannot understand why people would rally against an option they don’t have to implement? Seriously, making an extra check that they can receive SMS as well as the magic link (two step) is not a massive inconvenience since people will only be logging into the account on the app one time per device anyway.
Having a single point of failure is always a terrible idea, whether or not you say “but that single point of failure can be protected”.
Hell, who is to say that the 2FA associated with some email address won’t have a vulnerability? Monzo having their own would make things more secure. More security in banking is not a bad thing…
They don’t need a fingerprint if it’s a new login. However if they have access to your email they do not have your Monzo password to get the magic link
No, they don’t. The fingerprint only secures your app on your phone - if they log into their phone using a magic link, your fingerprint is not requested.
@SouthseaOne Yes, I agree, and it probably isn’t the biggest deal in the world, but my point is having a single point of failure is not the best thing in the world when it comes to a banking app. Banks have to be as secure as possible. Again, what if the 2FA implementation on the email side has a vulnerability? Then the Monzo account is also vulnerable. Monzo having their own 2FA implementation would mean that any vulnerabilities in external third-party tools (such as Outlook, Gmail etc) wouldn’t be passed on to Monzo accounts. Which is a big deal.
“they do not have your Monzo password”? What Monzo password? Monzo doesn’t use passwords, you just type in the email and press send. If they have access to your email, they have access to your Monzo.
All you’re doing is repeating the same stuff that has already been addressed in this topic. If you claim to have read it already, you will know it’s nothing like you’re describing.
