Edit: This is a bit of a train–of–thought post. Jump to the last paragraph if you want.
I’ve never really been bothered by the card reader, especially as I have a couple at home, one at work, and my folks have one too for when I stay there. It’s got to be better than authentication via SMS which I hear is easily spoofed.
I guess they could build it into their app, so there’s less kit to have to cart around. Barclays do this, and First Direct.
In fact, they could just set it up to use Google Authenticator or something (I guess, I’m not a techie.) If that’s good enough to stop people getting into my email/website, it’s good enough for my banking, surely?
Having said all that, Monzo covered the something you have, something you know method in just the app, so Nationwide should just allow payees to be set up within their app without the need for extra hardware.
This comes up every now and then, but it’s not really true. Monzo’s security hinges entirely on the security of your mailbox, since no password is required to log in, once you receive the link.
Obviously your email address might be protected by 2FA (and, no, requiring a code sent to your mobile is NOT 2FA, it’s 2SV), but I’d guess that for most people it isn’t.
And either way: from Monzo’s POV it’s still single factor (I’d consider it “something you know”, but one could probably debate that).
(2FA: two factor authentication. 2SV: two step verification)
It’s worth bearing in mind that for any action on your account over and above viewing your transactions (i.e making payments), you’re required to either enter your PIN, or confirm with Touch ID/Face ID.
Getting to this point also assumes you’ve been able to get by the passcode/biometric security on your phone itself to get into the app in the first place
That’s a good point. But still 2SV, as it’s not two independent factors: as I said a above, I’d consider both my email address and my pin things I know.
Missed that one: this doesn’t really have to do with login to the app, though: if you are already logged in, then you have access to the app after unlocking the phone. That’s true. But to log into the app you need access to the email.
(the status of your app on your phone is akin to locking your PC while you are logged into the online banking interface of your other bank.)
Yes, but I don’t need a fingerprint to log into Monzo, do I?
I have just recently set up Monzo on my new phone, and wasn’t asked for any password, or fingerprint, to do so. Unless that has changed in the last couple of weeks?
That wasn’t my point. I need a fingerprint to make any sort of payment (in place of the password) so I was asking your opinion of the ‘two things you know’ statement under those circumstances.
No, I don’t think so: these two things have nothing to with one another. The one is to authenticate yourself to your phone, the other is to authenticate yourself to Monzo.
That you in practise have to do the one, before you do the other, is of no significance. Especially given that any attacker could just log into the app on another phone, as your authentication to Monzo rests on your email address (+ pin in certain circumstances).
Edit: oh, I may have misread your post. Do you mean you use a fingerprint to authenticate the payment to Monzo, rather than the pin, as is usually the case?
I still don’t think it counts, as an attacker, after logging in on a new phone, won’t need the fingerprint, but your pin.
I do get your point although I’d say that Monzo is liable for any fraud so it’s in their best interest to minimise this as much as possible. If they can do it with less friction to the user then I’m all for it.
I would be very interested in some fraud stats from Monzo…
Yes, they are liable for fraud. However, firstly I just wanted to clarify the point that Monzo doesn’t have 2FA. Regardless of whether we think they should.
Secondly, in this day and age data leakage is something that concerns me far more than a few quid (especially given monzo are liable here). And monzo can’t put that right, if someone were to use info they gleaned from my Monzo account after logging in there.
Point taken. I don’t have the solution to this. I just can’t take those stupid calculator things other banks use. If it’s possible to increase security with minimal friction, I would be happy.
I actually mostly withdraw cash from all my banks because I’ve long accepted that my data is probably not private and I don’t like it