Personal data security

But this delegation of security, isn’t this like your typical banks delegating to a 3rd party (postman) and assuming you keep your house locked?

1 Like
  • Assuming there are no robbers in your house wanting to rob the postman (in internet terms, a Trojan on your device waiting for the email)

I don’t really see how they can improve it. Passwords are not secure (just click ‘forgot password’ and you’re immediately relying on email security again). SMS is both not secure and totally useless if the reason you’re reinstalling is because you lost your phone.

Surely you’re not suggesting hardware dongles…

1 Like

If that’s the case then you’re barking up the wrong tree. Your complaint needs to be directed towards your email provider.

To clear all of this up, the only way Monzo could help would be to do a blog post to educate people on security along with best practices when it comes to using their app.

So it’s the responsibility of my email provider to provide 2fa so that my bank account is secure, but it’s not the responsibility of my bank to provide 2fa so that my bank account is secure…

I bank with 6 different banks for various products at the moment. Monzo is the only one which allows a single authentication factor for signing in on a new device.

2 Likes

Yes. How on earth is Monzo going to be able to force another company (your email provider) to do this? If you think that email is the weak point in your chain then tighten up your security there.

If the hacker were to get into your email account then they couldn’t do much with your Monzo account anyway. Mobile payments and inter-bank transfers all require your Touch ID/PIN, and they don’t have your card. Furthermore, if by some chance they took your wallet as well, Monzo would refund the amount they fleeced you of.

Anyway as others have mentioned, this discussion is going round in circles. Here is the topic where all of this has been discussed previously: Magic login links, insecure?

That’s twice in this discussion you’ve cherry picked a part of what I said in order to support your view. I can do that too:

Cool. Thanks for clearing that up. I’ll be sure to tell Google that they are responsible for ensuring that Monzo looks after the data of its customers. Presumably they are also responsible for Santander, Halifax, First Direct & all the other banks?

To be completely honest, cherry picking like that is a tactic people tend to use when they can’t actually defend their position.

The thing we do agree on is that this discussion is now going in circles. I’ll pass my concerns to Monzo directly and just let this thread die.

2 Likes

Cool :sunglasses:

Well played. That made me chuckle.

1 Like

Surely the point is that everyone’s email should be secure. Arguing about how secure a website or an app is, when an email account is insecure, is like arguing that you want a lock on your desk drawer whilst you leave your front door open.

All anyone here is saying is “make sure your front door is secure, then you’ll find Monzo is secure”

Debating whether or not people do actually leave the front door open doesn’t negate the fact they shouldn’t.

And by ‘secure’ most people here are mistaken – they mean ‘private’. Even if someone gets into the desk drawer, it’s still ‘secure’ because nothing can be removed from the drawer without biometrics or a PIN. But if they’re already at the stage of looking in the drawer then they’ll almost certainly have taken control of the front door lock and you’ll never get past that ever again.

2 Likes

The point is, email is an inherently insecure medium (and so are most other methods of communication on their own) and as such Monzo should not rely solely on email - pairing it with other insecure stuff (aka 2FA), however, makes it much more secure.

2 Likes

No, the point is, highly regulated Monzo Bank, the experts with EVERYTHING to lose, obviously don’t agree.

4 Likes

ANYTHING that is on the internet or a computer is insecure and vulnerable to attack, I don’t get the point that email and 2FA are insecure. Basically anything including quantum cryptography is insecure as it is dependent on the security of the external factors (mostly humans). Therefore, put a strong password on your computer and antivirus software on your phone and computer and don’t log in to your controlling account apart from trusted computers and you’ll be fine and be mitigating risk. As all security comes down to risk and lack thereof.

3 Likes

Exactly, anything on the internet or a computer is insecure and vulnerable to attack, but requiring multiple insecure things makes the service more secure as a whole - typically only one of the two factors would be compromised at a time.

I’ve read articles recently about the lax nature of 2FA via SMS.
What would be interesting would be if Monzo could work with an authentication app such as Authy.

I’d love it if they added TOTP (Authy is just an implementation of that) but a big problem is people that don’t have 2FA on email probably don’t use Authy either…

1 Like

They’re also the type of people who think Macs/Apple products can’t get viruses :joy::joy::rofl:

2 Likes

So the approach is ‘more is better than less’?

Yes let’s each have eight passwords, seventeen characters from your memorable Shakespeare sonnet, four PINs and tap the sixteen squares of the picture which contain cake.

1 Like

Why not? It works for HSBC :yum:

More things is more secure but less convenient. There is a balance to be struck. I find it strange that so many people say you should have 2fa enabled wherever you can, but seem to think the idea of Monzo having it is absurd.

As far as I know, nobody has suggested you need a password, PIN, memorable word, secure key & several security questions.
When I signed up with first direct for my mortgage I had to create 3 passwords and 6 memorable answers in the end. I would say that’s ridiculous. I just think a second authentication factor is a reasonable compromise between convenience and security.

1 Like

The correct balance has been struck already for me :slight_smile:

4 Likes