Monzo are rated the best bank in Britain

I might get mugged walking the street. Should I put a lock on my wallet so they can’t get my cash out? They could cut the wallet open instead, should I carry my wallet around in a miniature safe to keep that secure? What if they take the safe off me and run to the nearest repair shop to find tools to hack it open? Should I handcuff it to my wrist to stop them doing that? What if they try and cut my arm off? Should I wear a suit of armour at all times?

At each step there is a risk and I’m taking a step to make things more secure - but I’m doing far more than is reasonable.


Yeah Android Samsung thing…

I imagine there are plenty of other similar apps available.


Probably, but then some scams are run on the basis of infiltrating your circle of trust and building a close relationship. Happened to my grandma. Her husband became her husband as part of a large con to defraud practically my entire family. Took place over the course of a decade back in the 80s, went unnoticed and he got away with all of it, leaving my grandmother’s side of the family essentially bankrupt with over a million in debt. He was never caught.

The security/privacy debate with Monzo’s default approach has been had many times, but the reality is it’s both. The lack of privacy opens up some security weaknesses, such as being able to acquire a bank statement without authentication, or being able to amend payee details also without authentication. Monzo are culpable here in my opinion if either of those things lead to fraud.

Comparisons to email are bizarre, given that it’s an inherently insecure system anyway, so shouldn’t have anything sensitive there.

Other apps may have security vulnerabilities that are exposed through lack of privacy protections too, but I’m not sure why those are relevant when folks are feeding back what they’d like to see from Monzo. ‘Amazon doesn’t do it, so why should Monzo?’ isn’t a justifiable rebuttal in my view.

Where can I find this setting please?

Click the little cog top right when you’re on the list view


But presumably the people who feel Monzo is insecure still use email?

I agree. But I wasn’t using that as justification for why Monzo should do something, I was asking the OP’s thoughts on Amazon’s privacy, as a comparison.


While I’m sorry to hear about what happened to your family, Monzo putting a lock on their app by default wouldn’t stop social engineering of that extent happening in the slightest.

Comparisons to email are not bizarre - they are made because the common cry is ‘identity theft!’, for which email is far more of a treasure trove than any one app. It doesn’t even have to be complicated or take hours of reading - just send an email to everyone in the address book saying you’re on holiday and your wallet has been stolen and could I please borrow some money to buy a new flight home/pay for my hospital care/whatevs.


Thank you! Though I was meaning specifically the PIN option! That’s what @Lightning720 said doesn’t exist, you said it does!

I consider myself one of these folks, so I can answer this relative to me. I consider the security issue with Monzo to be very minor so I don’t want all the stuff the other banks do. Just an optional passcode that’s separate from the device security would be enough to remedy my misgivings.

The second FaceID scan to open Monzo works for me, so I don’t complain proactively about it, but I will back any request for a passcode.

I do still use email, but no sensitive information I would consider to weaken my privacy or create a security issue will ever be sent by me over an unencrypted email protocol. I use PGP where available, and my inbox primarily consists of order confirmations, marketing spam, (I have little control over these, and it frustrates me when a merchant includes my full name and address) and the occasional support query.

With that said, I can and do delete emails regularly, so nothing is stored for long.

Ah, okay. My apologies.

FaceID will fall back to the pin in the circumstances that it needs to.


To be clear, I have no problem with people stating that they feel Monzo is insecure, but I do like to establish some kind of baseline and find out if these same people also believe that typing in three characters from a password, or having the bank text them a code, is more secure.


I think a lot of people do think these are secure, or at least more secure than they actually are for a few reasons.

  1. Banks tell them they’re secure.
  2. They’re annoying and complicated.

People seem to get anxious when things feel too easy. So when you make security less complicated than what folks are used to, a few do worry that it’s no longer secure, or as secure.

When we get the balance of ease of use and security right, the most common thing I hear from focus group testers is ‘that can’t be as secure as this vastly more complicated way, can it?’

Only, the new simpler way usually is more or just as secure. It just doesn’t feel it because it’s so much easier. I’ll gladly rally against any implementation of security theatre. I despise it. Alas, when I was at Barclays, marketing was still driving these decisions, not us engineers.


Which is basically what the couple of posters on here have encountered today – rational, factual rebuttals to their feeling that Monzo is insecure.


OK as the OP. I will not try to reply to all the individual posts but try to condense it as follows.

Firstly to the few who have done so please do not take what I say and then morph it into something I did not say. I have never mentioned family, I have never said my phone is left lying around unlocked. It isn’t.

Monzo are a bank, it is good practice for banks to provide security which works for all their customers. I deliberately include privacy in “security” - we’ll not get deep into the debate about which is which, because they are intertwined - happy to do that another time.

Monzo think biometric security is a good idea to stop people being able to get into the app; they do not provide a fallback to a PIN or alternative if biometrics don’t work. So some people have a lower level of security, like it or not.

It happens that I use biometrics with other apps and they work fine, so it’s not the phone’s fault. Something about the Monzo implementation makes biometrics fail too frequently to be useful. I am not buying another phone to try to fix this.

ALL the other online banks that I have experience of (at least 6) have what I am asking for. Why can’t Monzo?

Regarding the debate about whether 3 characters from a password or a PIN adds any security, I would say two things. Firstly, it does depend on the implementation and the way multiple false attempts are handled. Secondly, if you don’t think they add any security, why are you content that this is all that protects against being able to transfer funds etc.?

As for the attempt to suggest weakness in my email, Amazon… security/privacy absolves Monzo. Rubbish. Firstly, you don’t know how secure my email is, or if I even have an Amazon app.

I am asking for something very simple, a PIN alternative to biometrics for when biometrics don’t work (for whatever reason). That’s it!! Revolut, for example, do it very well.

Over my career I have seen a lot of security breaches and a lot of bad practice. Normally it’s carelessness, or lack of imagination, or poor communication. Monzo is the only example I know of where it is deliberate management policy.

Please if you want to comment on this please do so in a constructive way and address what I have actually said.

You’re being very dramatic about it all.

If someone gets hold of your phone and can look at your app, that’s likely carelessness on your part. If it’s forcibly stolen from you, then they are unlikely to say “Oh, it’s got a PIN. Have it back.”

If security is of such concern, maybe consider a more secure and privacy focussed operating system. This is standard on an iPhone.


You can’t declare two things to be intertwined like that and expect everyone to agree. I fundamentally disagree that they are intertwined, as Monzo’s app is secure (money cannot be transferred without knowing my PIN) and my phone lock deals with the security for me. Having a lock on the Monzo app adds no extra security for me at all. Therefore, I can’t accept this as an axiom.

My understanding is that Monzo don’t deal with the biometrics themselves, they pass that through to the phone to deal with. So it’s surprising to hear you have a particular problem with Monzo in this regard. Have you tried reporting it to Monzo’s COps?

I don’t, which is why I was asking. My intention when I ask this question is to try and establish a baseline, and understand if people are concerned about the security of all their apps, or if they’re just picking on Monzo. In the past when it has been the latter situation, it can feel like someone making a big issue about having locks on their house windows while leaving the front door wide open.

I hope that helps you understand that I wasn’t trying to imply anything, and that I was asking a genuine question. Perhaps the part of my reply in spoiler tags threw you; if so, I apologise. I put that there to try and short-cut some of the expected back and forth replies.

When this topic has come up in the past, Monzo staff have explained why they use biometrics and have chosen not to fall back to a PIN. I’ll try and find these replies and link them if I can, as that may help your understanding. My recollection is that it’s actually far harder than you’d think, as they have to consider issues like using the card PIN versus an app PIN, and whether the PIN should be stored centrally or locally (implications if offline).

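The two design questions raised in this thread, how repeated wrong attempts are handled and whether a PIN fallback is checked locally or centrally, are easier to reason about with a concrete sketch. The following is an added example written for this page; it is not Monzo’s, Revolut’s or any bank’s code, and the class name `PinLock`, the 4–8 digit PIN rule and the throttling thresholds are illustrative assumptions. It shows a device-local PIN fallback that stores only a salted PBKDF2 hash, refuses guesses during an exponentially growing lockout window after three failures, and wipes the enrolment after ten, which is the part of the implementation that decides whether a PIN adds any real security over the phone lock.

```python
"""Device-local PIN fallback with attempt throttling.

Added example for illustration only (not Monzo's or any bank's code).
It demonstrates two points from the discussion above:
  * the PIN must be stored as a salted slow hash, never in plaintext;
  * a PIN only adds security if repeated wrong guesses are throttled.
Caveat (assumed, not taken from the page): a purely local hash of a
6-digit PIN has only 1,000,000 candidates, so an attacker who extracts
the stored blob can brute-force it offline. That is one reason a
server-side check is often preferred over a local one.
"""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field
from typing import Callable, Tuple

PBKDF2_ITERATIONS = 100_000   # slow hash; tune to the device's budget
FREE_ATTEMPTS = 3             # failures allowed before lockouts begin
BASE_DELAY_SECONDS = 30       # first lockout length; doubles per failure
MAX_FAILURES = 10             # wipe the enrolment after this many failures


@dataclass
class PinLock:
    """Hypothetical local PIN store; the clock is injectable for testing."""
    salt: bytes
    digest: bytes
    failures: int = 0
    locked_until: float = 0.0
    clock: Callable[[], float] = field(default=time.monotonic, repr=False)

    @staticmethod
    def _derive(pin: str, salt: bytes) -> bytes:
        # PBKDF2-HMAC-SHA256 over the PIN with a per-device random salt.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS)

    @classmethod
    def enroll(cls, pin: str, clock: Callable[[], float] = time.monotonic) -> "PinLock":
        """Create a new enrolment; the PIN itself is never retained."""
        if not (pin.isdigit() and 4 <= len(pin) <= 8):
            raise ValueError("PIN must be 4-8 digits")
        salt = os.urandom(16)
        return cls(salt=salt, digest=cls._derive(pin, salt), clock=clock)

    def verify(self, pin: str) -> Tuple[bool, str]:
        """Return (accepted, reason). Wrong guesses are throttled, then wiped."""
        now = self.clock()
        if self.digest == b"":
            return False, "wiped"                     # re-enrolment required
        if now < self.locked_until:
            # Even the correct PIN is refused during the lockout window, so
            # an attacker cannot interleave guesses with the window.
            return False, f"locked for {int(self.locked_until - now)}s"
        if hmac.compare_digest(self._derive(pin, self.salt), self.digest):
            self.failures = 0                         # success resets the counter
            return True, "ok"
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.digest = b""                         # wipe; force a stronger channel
            return False, "wiped"
        if self.failures >= FREE_ATTEMPTS:
            delay = BASE_DELAY_SECONDS * 2 ** (self.failures - FREE_ATTEMPTS)
            self.locked_until = now + delay
            return False, f"locked for {delay}s"
        return False, "wrong pin"


if __name__ == "__main__":
    lock = PinLock.enroll("123456")
    for guess in ("000000", "111111", "222222", "123456"):
        print(guess, lock.verify(guess))
```

The lockout is enforced before the hash is even computed, so the correct PIN is rejected while a window is open; that is deliberate, because otherwise an attacker who can time guesses gains nothing from the delay. The wipe after ten failures is the local analogue of a bank freezing app access and forcing re-verification through a stronger channel.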

I agree. That’s precisely why I said I’d be happy to have the debate elsewhere.

Yes I have and they have offered no solution. But bear in mind the interface is probably not trivial and therefore there are probably differences in the way it is invoked. That is where I think the problem lies.

Great. I don’t have a lot of sympathy with their developers though. Plenty of others have managed it, so it can’t be rocket science.

To help you with your baseline, I do know what I’m doing with technology, and I have worked in and with finance systems for most of my career. I’m not just picking on Monzo, but I do think a banking app should be up there with the best.


The fundamental difference between us, then, is that for me a banking app being up there with the rest would be other apps being more like Monzo and removing some of the unnecessary barriers to access :sweat_smile:

  • When N26 were still operating in the UK I got locked out of their app because I used it infrequently enough that the lock pattern reset and I forgot my PIN.
  • When my old phone broke, getting the First Direct app working on my new phone was a MASSIVE pain in the bottom that required resetting the tens of different passwords they use in order to be able to have them deactivate the app over the phone so I could reactivate it on my new phone
  • Updates have logged me out of my Halifax and MBNA apps. I need to use my password AND memorable information to log back in, so I haven’t bothered (these cards get paid off by DD anyway)

None of these barriers make the apps any more secure for me, and in the majority of cases they actively put me off using them. Monzo, on the other hand? Easy as, and still secure.

I’m not worried about the lack of a PIN on the app as my phone has a PIN, and it locks at the drop of a hat (low inactivity timeout, locks instantly when turned ‘off’, and I turn it off every time before I put it down).

In a nutshell, I don’t think either of us is ‘wrong’, necessarily. Rather, we’re two different customer profiles. I’m a customer who is a good match for Monzo; you’re a customer who, if the issue is that important to you and you’re not willing to use phone locking or security features to manage the app instead, is maybe a better match for another bank. I’m fairly certain that Monzo is betting there are a lot more customers like me out there.


Oh my, that is horrific!

I just tested it, and getting a statement wasn’t possible. The app tried FaceID, but as I covered the sensor it then asked for my card PIN


My bad! I was looking at Statement of Fees!

Though in the case of editing a payee’s details, this isn’t the case. There’s nothing to stop me going into your app and altering the details of your most frequent payee to my details. Unless you have Face ID for accessing the app of course.

Here’s a gif of me doing just this to Freetrade:


And then when you try and pay them, you’ll get the notification to say it doesn’t match.


I get that for Freetrade anyway. Along with quite a few of my payees. Or their bank doesn’t support it.

This thing is so hit and miss I’d be surprised if it actually saved folks from scammers at all.