New iOS Update: View your PIN in-app!


(Tristan Thomas) #1

https://monzo.com/blog/2017/01/03/pin-in-app/ :tada:


(lee) #2

Good idea, only seen MBNA as the other people that do this.

Seems way more secure than reposting a PIN out anyway!


#3

The blog suggests that iPhone 5 and onwards have Touch ID. Touch ID started with the 5S.


#4

Other banks like Monese also do this, but I think every bank should do so, so well done Monzo.


(Adam Hockley) #5

Old news, already have it😊


(Michael) #6

Interesting to see in the screenshot that Leah has a profile image - is this something that’s been released, or is this just a mockup screenshot?

Or are you using some other method to pull in the user’s image - such as Gravatar?


(Alex Sherwood) #7

If you assign an image to a contact, in the default iOS Contacts app, then it’ll be visible in the Monzo app too :slight_smile:


(Alasdair Allan) #8

While I appreciate the convenience, having the PIN in app is trading convenience for security by reducing the number of things you need to know, or have, to use the card by one. You’ve traded something you know, the PIN, for something you have, your fingerprint.

However your fingerprint was already securing the app, and the phone itself. So you’ve reduced security down to a single point of failure, the biometric security of your fingerprint, and that was bypassed just days after the iPhone 5s was released, see http://makezine.com/2013/09/24/hacking-the-fingerprint-scanner-on-the-apple-iphone-5s/ for details of the hack. It is actually pretty trivial.

I’m actually sort of torn here. In theory this is not a good thing. But in practice, I think this is probably better than SOP, because most people will now not resort to writing their PIN down.


(Alasdair Allan) #9

Interesting. That doesn’t seem to work for me.


(Alex Sherwood) #10

The thing is

If that does happen, which seems unlikely (& as far as I’m aware, there haven’t been reports of this being a common issue), then they’ve acquired your PIN fraudulently which (subject to Monzo’s terms) means that Monzo is liable for any resulting loss of funds.


(Alex Sherwood) #11

What steps are you taking to assign a photo to the contact?


(Michael) #12

No. I’m talking about my image. So in that screenshot it’s the user’s profile showing they have an image assigned. I’m not referring to other users’ images on the transaction list.


(Alex Sherwood) #13

My bad, I missed that :blush:

I don’t have a profile picture in the Monzo app either, even though I do have an image assigned to my contact record in the Contacts app.


(Michael) #14

Indeed. That’s what I’m asking – whether it’s an actual screenshot (if so, how is the image assigned), or if it’s a mockup.


(Alasdair Allan) #15

I think my real fear about using the fingerprint in this fashion isn’t this use per se, but how this single instance might expand. There’s a real danger with biometrics being seen to be secure enough to stand by themselves that they move from being used for authentication, to authorisation. There is a real difference between authentication and authorisation, and many people (even some other security professionals) confuse the two…

…so not this, exactly, although I’m still sort of torn by how one thing I know and one thing I have has suddenly become just one thing I have, but how creeping incrementalism means that holes open in security.


(Alex Sherwood) #16

Hopefully Richard’s comment goes some way to addressing your concern here -

I understand where you’re coming from but personally, I trust Apple & Monzo to understand the issues that you’re raising. If the situation that you’re anticipating does become a reality then I’ll definitely join you in raising it!


(Ben Green) #17

It’s understandably not for the hyper security conscious, as something you know, if done right, is harder to force than biometrics. It’s just a matter of convenience and, as @alexs says, the common opportunistic thief won’t be going through the trouble of duplicating your fingerprint.

You can choose to not enable it if you wish. If you do choose to enable it then you’ll need to enter your card PIN and use your saved fingerprint before you can view the PIN. In other words it’s better to enable it while you know it, before you forget it, if you want to that is.

If you later decide you want to disable it, you can switch the toggle on your new settings page (link displayed in screen shot) under “Touch ID for payments”.


(Tristan Thomas) #18

It’s a mockup :slight_smile: We’ll fix it tomorrow to be accurate when a designer is around — good spot!


(Alex Sherwood) #19

Hugo’s just shared a preview of an improvement to this feature which should make a few users (who have older iPhones or can’t use Touch ID for whatever reason) pretty happy…