Major issue with Monzo security repeatedly locking my account

For the past 6 weeks or more I’ve had weekly or biweekly security issues with my account.

The issue started with being unable to transfer money to one Atom Bank savings account but it was allowed on another.

Then I got a message saying my device logged in elsewhere and they’d secured the account until I did a video check. This was worrying because the only way to login to my Monzo account is using a magic link in my email and my email account.

Because my email account is the reset point for almost my entire online life I take security very seriously, using a 64-character random password and a YubiKey for authentication. There is no way my email account has been hacked, not to mention the notifications I get to another similarly secure account with another provider whenever anyone logs in, authenticates new API keys or changes security settings.

So then I know my Monzo hasn’t been ‘hacked’ into, I reauthenticate and think nothing of it until the next week when it happens again, and I call up.

I reinstall the app and it happens again a few days later.

This time it’s late so I report it to chat who promptly respond in the morning by cancelling my card, blocking my account, changing my PIN etc…

I reauthenticate and raise a complaint, the new card is incredibly annoying.

Then a few days later it happens again, I tell chat, they cancel the card again before it even arrived, which thankfully wasn’t possible for them to do. They remotely log out all my sessions to ‘fix’ it and I have to go through some tedious process because I don’t have a card or PIN any more. I asked for a manager call back, nothing.

Just this evening it’s happened again; my new card is now on the account, so I sent a message saying DO NOT block my card, please get the manager you said would call.

What to do? I have never had this issue before and at this point the security lockouts make the account unusable because Monzo takes so damn long to actually check the video and reauthenticate.

It’s also worth noting I only have Monzo on one phone.

EXAMPLE:

Monzo are seeing your account logged into by different devices. If you say you are only logging in on one phone that means someone has your account details and probably your PIN as well. Whatever security you think you have, double and triple check it, then change all your passwords.

You lost me at this point. I’m happy you believe that, you might even be right, but do you really know it?

I know I haven’t been hacked because it kept happening even after changing my Google password, security questions and checking backup emails, and third party linked apps.

I also know this because:

  1. Nothing has been taken.
  2. Google has not notified me of new logins.
  3. Monzo staff said they could see the notification but no new sessions/attempts to login.

Just to clarify, did you get any Monzo login emails when these logins occurred?

It seems like you haven’t actually logged in since the issues started but the other logins have been blocked so you haven’t been logged out, if I understand correctly, so try a login at web.monzo.com to make sure emails are still coming to the correct place and it’s not a backend bug sending them to someone else who is clicking on those links.

Also is the email address in your settings the correct one?

Finally I would check there are no email forwarding rules that have been maliciously set up in your account or email client somehow.


Edit:
One more thing, is your Monzo account itself connected to any 3rd party services such as open banking or the API?

2 Likes

No, another reason why I know it’s an app issue.

Yep, it’s coming through.

Yep.

None of those.

I presume you mean under Apps in Privacy and Security, nope.

Yeah I’m talking about there.

I think I agree with you that it’s a Monzo issue; the question is how serious it is. Is it ‘just’ a bug, or is Monzo accidentally sending an auth token for your account to someone else and the only reason they can’t get in is because they entered the PIN wrongly a few times?

Has the deadline for Monzo responding to the complaint passed? What did they say?

My suspicion is it’s an iOS app bug, maybe when apps unload from memory or when you close them it decides to reauthenticate, triggering an erroneous alert.

If you’re using iOS there’s a setting for the Monzo app in the phone settings that says reset session; maybe that toggle is on.

Sadly that’s not it, it’s off.

You also need your card PIN to login with a magic link.

I take it from that you are also not trying to use more than one iOS device to log into your Monzo account e.g. an iPad and an iPhone? As that can prompt the relogin dialogues.

Didn’t think about that, yet another reason why the previous suggestions my account was hacked, even though I made it clear it wasn’t, are wrong.

Correct, I have tried that once back in September 2019 from my work phone but it signed me out of my personal phone so I assumed that meant only one device at a time.

Point being I removed the app and only now use it on my personal phone.

Update:

Finally, after a lot of conversation and back and forth with support, 2nd tier and developers, they admitted a bug in their backend was causing this and they’ve patched it.

No more issues since then.

8 Likes