Other bank accounts in your Monzo App?

I completely agree however I was just explaining that there is some security in place.

Moore’s law is over: Moore’s Law Is Dead. Now What? | MIT Technology Review

I now see what you mean, however salting makes the biggest difference in slowing down brute force. Software like John the Ripper is very advanced at handling brute force in an efficient way however when salted even JTR dies a little inside.

I’ll take a look thank you :+1:

The only reason I use the services of Yolt is to see where my money is being spent. Since Monzo does this for me, I see no reason for it from a personal point of view.

On the other hand I don’t have multiple accounts so maybe others would like the option.

1 Like

Salting the passwords does not slow down a brute force against one password if you have both the salt and hashed password (and they’re usually stored together, so think database compromise). One round of SHA256 plus salt isn’t a good idea given the plethora of hardware available (mostly due to bitcoin) that can do SHA256 at a great rate.

I fear you missed my point regarding Moore’s law. Regardless of the rate at which things are getting faster, the advantage is you can tweak BCrypt to make it more expensive with the cost parameter.

2 Likes

True. But usually the point of database hacks is you go through trying to crack all of the passwords so having individual salts massively slows that down.

Indeed - but there is a cost/benefit of increasing the cost of hashing. If it is salted and a modern algorithm then why make it so it takes 5 minutes to compute?

salting is there to make the use of rainbow tables more difficult

4 Likes

Yes! I would trust you.

1 Like

I would be open to sharing my information to other financial providers. Personally I love having all my different types of accounts in one app meaning that they are all with the same bank. :face_with_monocle:

1 Like

For sure. I’d like to add my Credit Card, see its balance and transactions. Means I know what I need to pay off without opening another app.

Same for savings as Virgin doesn’t even have an app!

2 Likes

It’s also there to make it much harder to bulk brute force lists of passwords as you have to compute a hash for each row, rather than just one and comparing with every row.
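The two points made in the posts above (a per-row salt multiplies the work of checking a whole table, but does nothing for a single row whose salt is known, where only the cost setting matters) can be measured directly. This is an added example, not code from the thread: the users and wordlist are constructed, and PBKDF2 iterations stand in for the BCrypt cost parameter because BCrypt is not in the Python standard library.

```python
import hashlib
import os
import time

# Stand-in for bcrypt's cost parameter (assumption: PBKDF2-HMAC-SHA256,
# where `iterations` plays the role of the tunable cost).
def hash_pw(password: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def build_table(users: dict, salted: bool, iterations: int) -> list:
    """Return rows of (user, salt, digest); salt is empty when salted=False."""
    rows = []
    for user, pw in users.items():
        salt = os.urandom(16) if salted else b""
        rows.append((user, salt, hash_pw(pw, salt, iterations)))
    return rows

def audit(rows: list, wordlist: list, iterations: int):
    """Check every row against a wordlist, as a defender auditing for weak
    passwords would. Returns (weak_users, hash_evaluations)."""
    cache = {}  # (salt, candidate) -> digest; a cache hit costs no hashing
    weak = set()
    for user, salt, digest in rows:
        for cand in wordlist:
            key = (salt, cand)
            if key not in cache:
                cache[key] = hash_pw(cand, salt, iterations)
            if cache[key] == digest:
                weak.add(user)
    return weak, len(cache)

# Constructed sample data, not from the thread.
USERS = {"alice": "letmein", "bob": "letmein", "carol": "x9$Lq!v2Tz", "dave": "monkey"}
WORDLIST = ["123456", "letmein", "monkey", "password", "qwerty"]

def timed(iterations: int) -> float:
    """Seconds for one guess against one row at the given cost."""
    start = time.perf_counter()
    hash_pw("letmein", b"\x00" * 16, iterations)
    return time.perf_counter() - start

if __name__ == "__main__":
    for salted in (False, True):
        rows = build_table(USERS, salted, 1_000)
        weak, n = audit(rows, WORDLIST, 1_000)
        print(f"salted={salted}: {n} hash evaluations, weak={sorted(weak)}")
    # A single row with a known salt still costs one evaluation per guess;
    # only the cost setting changes how long each evaluation takes.
    for cost in (1_000, 100_000):
        print(f"iterations={cost}: {timed(cost) * 1000:.2f} ms per guess")
```

The unsalted table needs one hash per wordlist entry regardless of how many rows it has, while the salted table needs one per entry per row; the same weak passwords are found either way.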

Yes, but read only, similar to the way YOLT have done it.

Having it as an option would be another great selling point of Monzo for those who are willing to sacrifice security for utility (Of course people who are worried about security need not subscribe to the feature.) - I believe there is always a trade off to be made when it comes to these things and allowing user choice with this should be encouraged so long as appropriate warnings are given.

I love this idea. I agree with the others that it needs to be read only. It’s frustrating having to have multiple apps downloaded and having to keep logging back in when I’m trying to tot up all my money. That said, my main reason for having multiple accounts is so that I can ringfence money for different purposes. Depending on how the pots feature works in practice, I might not need to continue doing this in the future!

Edit: gosh, “tot up all my money” doesn’t sound how I meant it! I actually have quite a tight budget, so I have to tot things up to make sure I’ve got the right amount of money in one place for bills, another for day to day living, and another for when I’m saving up for something like Christmas.

1 Like

Yolt is not read only - they just claim to be.

If I give Yolt my bank passwords they have as much power to spend money as I do. They design their systems so there are no normal ways to access the write function, but they still have the power. Compromising their app or password management would still give the compromiser as much access to your bank account as you have.

This is why I’d prefer to wait for APIs that have read only access at the bank account end. A compromise of this would be the responsibility of the bank providing the access and so they would be responsible for the loss.

2 Likes

The functionality would be great @simon

I wasn’t aware PSD2 was restricted to current accounts only - I believe credit card companies are complying too as I got an email from Barclaycard about PSD2.

The ability to have a meaningful relationship with the data in my Monzo app would be good, like for instance I currently have a balance transfer with Barclaycard that I’m paying off - so if Monzo could tell when that expired and let me send payments towards the Barclaycard that’d be great.

And with savings accounts held elsewhere I’d love the ability to top them up (these are held in legacy banks). I’d like to see meaningful data, like savings rates, and I don’t think screen scraping does this, so it seems better to wait for an API, where integration can be 1) official 2) complete.

Being able to see my Metrobank current account would be good, as I occasionally use it for cash and cheques and the ability to move this money into Monzo would be good - read only doesn’t help me much.

Why not focus on marketplace providers with full read-write integration and rethink this PSD2?

I would like this. Seeing the balance of my credit card and other accounts would help me see exactly where I am without having to log in to the separate sites.

1 Like

I used to have an aggregator called OnTrees until a certain somebody told me it wasn’t a good idea due to the amount of access they have.

I would like to have a ‘one stop shop’ to all my financials and depending on what’s opt in/out I can see that being something I would use with Monzo.

I’d want to keep it quite compartmentalised from the rest of the Monzo CA stuff though.

1 Like

I agree with what you say to an extent. That’s why I tried to give an equipoised answer. This feature will certainly not be for everyone and if Monzo do go through the route of asking for passwords I think strong, bold disclaimers should be given to the user to explain why this isn’t the most secure thing to do while also giving the benefits and leave it up to individuals to decide.

1 Like

My Barclays account app is effectively read only if I login with just a password.

To move money or set up a new payee I am prompted for the code from the code generating calculator thing.

Absolutely a good idea, and the way forward - I have used MoneyDashboard for years…

Many online expenses companies and online accounting programmes do it via Yodlee or someone else, so the security is already proven.

1 Like

I wish FD would do a version of this - not have the tedious calculator - instead make the online system such that if you log in without the generated code the account is read only, but with it allow you to make transfers.

Then I could allow Yodlee etc to access it and have the benefit of aggregation without fearing the inevitable compromise.

Nope, sounds weird to me. I’d rather that Monzo focused on having a top class tech stack and making your API well featured so that other people can build stuff on top of it like aggregators. It just feels wrong to have another bank inside Monzo (seems like it would make the UI less trustworthy) and especially if it’s only read, it’s going to be a bit half baked. It exists already (i.e. Yolt) and they’re probably going to have a better product since it’s their primary function.

4 Likes