Personal data security

I’ve just done a bit of a test of how easy it is to access my personal data. The premise for the test is that someone has access to my email (I know lots of people who use the same password everywhere, it only takes one site with poor security).

Assuming access to my email, Monzo can be logged into. While an attacker couldn’t take any of my money, they do have access to my:

  • Name
  • Address
  • Account number and sort code for this and other accounts (some mine, some not)
  • Phone number
  • Transaction history
  • A degree of location history
  • Salary

This seems like a lot of information to have behind single factor authentication. Particularly an authentication method so many people are lax about.

Does anyone else think that this is concerning?

2 Likes

Your other points notwithstanding, Monzo is using two-factor authentication: something you know (your e-mail address), and something you have (access to your inbox). Of course, this ultimately delegates the security of your Monzo account to your e-mail service provider, and maybe that is a bad thing. However, you point out that many people use the same password for multiple services – would Monzo adding a password be more secure?

If a hacker had access to my email - my bank balance would probably not be my biggest concern.

There was a very lively discussion around this not too long ago:

However I’ve never been a massive fan of magic links and would quite like to see Monzo also implement an OTP requirement as well as the magic link when logging in.

5 Likes

If you start with the premise that the main part of your digital identity has been compromised you will find that bad things happen, in my view.

8 Likes

This has been looked at before, and tends to go round in circles of discussion. Another example thread is:

I do not find this concerning, as I have 2FA set up on my email, as should anyone who uses it for anything sensitive, which I would assume is everyone… I would not want extra friction on top of this, but if anything is considered needed it would be education and prompts to add 2FA to users’ email addresses, as this benefits them for everything they use.

5 Likes

Email is sensitive and needs 2fa. Your mobile phone is sensitive and needs 2fa.

That’s the minimum before you can start to evaluate security. Without that you’re just worrying about whether the door is locked whilst your house is on fire.

5 Likes

I disagree. It’s using something I know (my email address) and something I know (my password).

I’ve had email accounts hacked after insecure websites got hacked (this was before 2FA was commonly available). In fact, I’ve hit forgotten password links and had my password emailed back to me in plain text fairly recently.

2 Likes

I’d just like to note, to all the “why don’t you have 2fa!” replies, I have a hard time getting people like my parents or older co-workers to even understand why they should bother with it. Let alone actually persuade them to use it.

It seems to me that the majority of users on this forum are fairly tech and security savvy. I’m trying to consider those who don’t understand it.

1 Like

This has been brought up before. I’ve made my view clear there:

4 Likes

That’s a good motivation. Do you have a solution in mind, though?

2 Likes

I think the issue here is not Monzo’s security and it’s not the lack of educational resources out there (banks alone are spending millions on education around security); it’s that the message and understanding is just not getting across. What can Monzo et al do to get this message across?

3 Likes

Very, very little. The reason people ignore security measures, even though the threat is out there, comes down to how they calculate risk, and more specifically the risk of them being ‘hacked’ / their personal data security. Most people simply believe that they will not get hacked or compromised and therefore don’t use 2FA or anything similar.

1 Like

2FA is the way forward on anything if you can help it. Every service I have that supports it I have it turned on. It’s handy as I also get the pop up on my watch to authenticate.

I think it all comes down to how people manage their own security. I constantly rant to my friends to stop using their ‘usual’ password on things they sign up for when those same credentials are in a pastebin on haveibeenpwnd but it’s one of those things where nobody listens until it happens to them.

A second layer of authentication on initial install might work well. For example a text or phone call with an authentication code.

That way you need something you know (email account password) and something you have (your phone).

As it would only be on initial sign in, it wouldn’t be much inconvenience.

Another option might be requesting the card PIN if the app is installed on a new device? Although that option isn’t really 2fa.
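The install-time second factor proposed above, as an added toy model in Python (not Monzo’s code, and not from the original post): a single-use, expiring magic link is enough on a device that has already completed a one-time code once, while an unknown device must also enter a code delivered out of band. The `outbox` list, the TTLs and the device identifier are constructed assumptions for the example.

```python
import hmac
import secrets
import time

MAGIC_TTL = 600  # seconds a magic link stays valid (assumed policy)
OTP_TTL = 300    # seconds a one-time code stays valid (assumed policy)


class LoginService:
    """Magic-link login that adds a one-time code on devices not seen before."""

    def __init__(self, now=time.time):
        self.now = now
        self.magic = {}     # token -> (email, expiry)
        self.otps = {}      # (email, device_id) -> (code, expiry)
        self.known = set()  # (email, device_id) pairs that completed a code once
        self.outbox = []    # constructed stand-in for email / SMS delivery

    def request_magic_link(self, email):
        token = secrets.token_urlsafe(32)  # unguessable, single-use token
        self.magic[token] = (email, self.now() + MAGIC_TTL)
        self.outbox.append(("email", email, token))
        return token

    def redeem_magic_link(self, token, device_id):
        entry = self.magic.pop(token, None)  # removed on first use, so replay fails
        if entry is None:
            return "rejected"
        email, expiry = entry
        if self.now() > expiry:
            return "rejected"
        if (email, device_id) in self.known:
            return "logged_in"  # device already proved the second factor
        # New device: send a code to the phone number on file, not to the inbox
        code = f"{secrets.randbelow(10**6):06d}"
        self.otps[(email, device_id)] = (code, self.now() + OTP_TTL)
        self.outbox.append(("sms", email, code))
        return "otp_required"

    def submit_otp(self, email, device_id, code):
        entry = self.otps.get((email, device_id))
        if entry is None or self.now() > entry[1]:
            return "rejected"
        if not hmac.compare_digest(entry[0], code):  # constant-time comparison
            return "rejected"
        del self.otps[(email, device_id)]  # code is single-use too
        self.known.add((email, device_id))
        return "logged_in"
```

A compromised inbox alone yields only `otp_required` on an attacker’s device; the code goes to the phone, which is the point of the proposal.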

I dunno, security for security’s sake seems pointless. If you can’t take proper care of your email security and therefore quite a lot of your personal privacy I don’t see why you would want to add additional security for your bank privacy.

A lot of the personal data mentioned would be accessible from your email anyway. :man_shrugging:

A second layer of security on installation might be the least offensive, but is it really worth it for the hassle? What happens if you have a new number etc.

There’s a few things that have been mentioned on here that the Devs seem to be keen to implement though. Things like what devices your account is active on, notifications of new log ins and so on.

2 Likes

I think it is. But I guess it’s a matter of opinion.

One thing which does confuse me is that so many people say “why wouldn’t you be using 2fa on your email?” but seem perfectly happy for their bank to not even provide the option.

Another thing I’d like to add:

https://twofactorauth.org/#email

Not all email services provide a 2fa option.

1 Like

Monzo do provide the option - you can enable fingerprint authentication in the app.

The problem of course being the kind of person who won’t use 2fa on email isn’t going to use that either. Education is probably the ultimate answer.

1 Like

That’s only after you set it up.

If someone signs in on another device they have immediate access to your personal data. Your email, which might not even support 2fa, is the only thing they would need.

1 Like

So if I understand your argument correctly you’re saying that Monzo is insecure because your email account is insecure? :thinking:

Short answer. Yes.

Longer answer:

The only barrier to my personal details is access to my email. Monzo have no way of knowing how secure I keep that, nor do they know how vulnerable the email provider might be. There could, theoretically, be a vulnerability which allows an attacker to get into my account without even knowing my password.

As an example of poor security, I once got to the 2fa prompt for my paypal account. Since I didn’t have my phone on me I hit the relevant link on the page. In order to access my account from there it only asked for my date of birth, something which could be found easily enough.

Saying it’s secure because my email is secure is not acceptable. Monzo cannot delegate responsibility for securing my personal data to a third party, particularly a third party over whose selection they have no say.

1 Like