Receipts security issue

New to the forum because I thought this needed to be shared.

Photos of receipts are currently being stored insecurely.

You can test this yourself. Go to Account > Settings > Statement History

Then download a month (in which you have saved a receipt photo) in .csv format.

Open that file in Excel and there is a receipt column containing links.

These links can be opened in any browser without logging in. They are your photographs, containing your private data.

It has to be said that these URLs contain random strings, so you can’t simply guess links to other people’s receipts, but it’s not beyond a bot to trawl through and collect information on every Monzo user who uploads their receipts.

6 Likes

As the next post in that thread states:


I throw my receipts in the bin :joy:

7 Likes

Just use a joint account. It fails to save any receipts correctly. Security issue resolved

2 Likes

My main concern is it puts your receipts at the same level of security as your browser history.

In principle my data should not be accessible without a login. Thankfully I’ve only bothered to save a receipt once or twice.

It’s not a simple case of many bits make it secure. This is like storing passwords in plain text in complex hidden folders.

The main vulnerability is if AWS have a security issue, they only need to see that folder and they get everyone’s receipts.

Financial and personal data needs to be encrypted, not just hidden. This is not adequate security for a bank. They’re relying on another organisation’s security to be safe. It would not be difficult to secure users’ data properly.

2 Likes

I suppose the privacy issue is if someone you don’t want to have access has the URL - and you can’t deny them permissions. But in those circumstances I’m assuming that deleting the receipt then reuploading it would fix it?

I’ll test and see if deleting a receipt removes it…

1 Like

Deleting a receipt does not remove the image online immediately. I’ll report back to see if it gets removed eventually.

1 Like

It won’t*, but it gets lost in obscurity. The old thread included an attachment image I deleted and that’s still up.

Personally I still feel like that’s skirting the edges of responsibility, but given I don’t use receipts, the data is low risk and access is essentially removed unless the URL was guessed or internally accessed… meh.

* 11 months and counting, but they may purge eventually

Again, the URL is multiple trillions of combinations long - and this is a paper receipt.

What is the security problem of someone seeing a receipt? I keep mine on the fridge so :woman_shrugging:

6 Likes

In the scenario that someone has accessed your browser history, obscurity is not a defence. The url is already known.

It’s also a way someone can access data without it being logged or the user knowing.

The data is not low risk if someone uses the feature. The receipt I’ve just deleted includes purchase history, price, location, time, name, and signature.

In the event someone’s photographed an invoice it would include your home address.

The feature isn’t fit for purpose if it is not encrypted. Encrypted cloud storage is trivial to set up these days, there’s no excuse for a bank to do anything less responsible than that.

5 Likes

Yes, this does sound suboptimal.

What I’d like to see Monzo do in the future is have a granular permissions system, both for API access, but also for sharing (share a link with a transaction viewable on a browser etc) but under total user control.

I’ll file that in “nice to have in the future” and “user needs not wants”… :smiley:

2 Likes

Whilst I understand concerns around this, it is pretty standard industry practice to simply hide images and documents behind impossible-to-guess random URLs when they’re being stored on CDNs (such as AWS S3).

4 Likes
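The two models the thread is contrasting, a static unguessable URL versus access that can be checked and revoked, can be made concrete. The following is an added example for illustration, not code from Monzo or from anyone in the thread; the in-memory object store, the `cdn.example.invalid` host, the fixed clock and all function names are assumptions. It puts a static "capability" URL beside an HMAC-signed URL with an expiry, which is the mechanism S3 presigned URLs use, and exercises the cases raised above: a static URL that leaks (browser history, shared CSV) stays valid for as long as the object exists, and "deleting" the receipt in an app that only drops its own reference does not revoke it, whereas a signed URL stops working at expiry or when the signing key is rotated even if the object is still there.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode, urlparse

HOST = "https://cdn.example.invalid"  # assumed host, stand-in for a CDN/S3 endpoint

# Constructed stand-ins for the two places a receipt lives:
#   OBJECTS       the object store (the S3-style bucket): object key -> image bytes
#   RECEIPT_INDEX the app's own database: user id -> keys the app still shows
OBJECTS: Dict[str, bytes] = {}
RECEIPT_INDEX: Dict[str, list] = {}


def store_receipt(user_id: str, image: bytes) -> str:
    """Upload under an unguessable key (128 bits of randomness) and index it for the user."""
    key = f"receipts/{user_id}/{secrets.token_urlsafe(16)}.jpg"
    OBJECTS[key] = image
    RECEIPT_INDEX.setdefault(user_id, []).append(key)
    return key


def unlink_receipt(user_id: str, key: str) -> None:
    """What 'delete' in an app often means: drop the reference, leave the object in place."""
    RECEIPT_INDEX.get(user_id, []).remove(key)


def purge_receipt(key: str) -> None:
    """Actually remove the object from the store."""
    OBJECTS.pop(key, None)


# Scheme A: static "capability" URL. Whoever holds it can fetch, with no expiry, no check
# against the user's session, and no way to revoke it except by removing or moving the object.
def capability_url(key: str) -> str:
    return f"{HOST}/{key}"


def fetch_capability(url: str) -> Optional[bytes]:
    return OBJECTS.get(urlparse(url).path.lstrip("/"))


# Scheme B: HMAC-signed URL with an expiry (the mechanism behind S3 presigned URLs).
# The edge verifies the signature with a key the app controls; the URL is useless after
# `expires`, and every outstanding URL dies at once if the key is rotated.
def _string_to_sign(key: str, expires: int) -> bytes:
    return f"GET\n{key}\n{expires}".encode()


def signed_url(key: str, ttl_seconds: int, now: int, signing_key: bytes) -> str:
    expires = now + ttl_seconds
    sig = hmac.new(signing_key, _string_to_sign(key, expires), hashlib.sha256).hexdigest()
    return f"{HOST}/{key}?" + urlencode({"expires": expires, "sig": sig})


def fetch_signed(url: str, now: int, signing_key: bytes) -> Optional[bytes]:
    parsed = urlparse(url)
    key = parsed.path.lstrip("/")
    params = parse_qs(parsed.query)
    try:
        expires = int(params["expires"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError):
        return None
    if now >= expires:
        return None  # a URL sitting in browser history past its TTL is dead weight
    expected = hmac.new(signing_key, _string_to_sign(key, expires), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None  # tampered query string, or signed with a key that has been rotated out
    return OBJECTS.get(key)


def demo() -> Dict[str, bool]:
    """Walk through the failure modes discussed in the thread on constructed data."""
    image = b"\xff\xd8constructed-jpeg-bytes"  # constructed sample, not a real image
    user = "user-123"
    key = store_receipt(user, image)
    t0 = 1_700_000_000  # fixed clock so the run is deterministic
    k1, k2 = secrets.token_bytes(32), secrets.token_bytes(32)

    cap = capability_url(key)
    sgn = signed_url(key, ttl_seconds=300, now=t0, signing_key=k1)
    out = {
        "cap_works_now": fetch_capability(cap) == image,
        "signed_works_now": fetch_signed(sgn, now=t0, signing_key=k1) == image,
        # the leaked-from-history case: same URL, ten minutes later
        "signed_dead_after_expiry": fetch_signed(sgn, now=t0 + 600, signing_key=k1) is None,
        # extending the expiry without the key breaks the signature
        "signed_rejects_tamper": fetch_signed(sgn.replace("expires=", "expires=9"), now=t0, signing_key=k1) is None,
        # key rotation revokes every outstanding signed URL although the object still exists
        "signed_dead_after_rotation": fetch_signed(sgn, now=t0, signing_key=k2) is None,
    }
    unlink_receipt(user, key)  # "delete" in the app: reference gone, object still there
    out["cap_survives_app_delete"] = fetch_capability(cap) == image
    purge_receipt(key)  # the only thing that kills a capability URL
    out["cap_dead_after_purge"] = fetch_capability(cap) is None
    return out


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Every entry in the dictionary `demo()` returns is True. The `cap_survives_app_delete` case is the behaviour reported earlier in the thread (deleting in the app did not remove the image); the signed-URL cases show what a session-tied, expiring link buys regardless of whether the object is purged promptly. Signing on its own does nothing for data at rest, so it complements, rather than replaces, server-side encryption of the bucket.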

I’m pretty certain GDPR rules would prohibit that practice for personal data now.

For one thing, requests to delete data must be complied with. In this case it’s not data relevant to their operation as a bank.

I’m not the litigious type, but if my receipt continues to remain viewable after 28 days I’m pretty sure they’re in breach.

If they’ve deleted the link to the photo and are unable to locate it themselves, as I requested it deleted, they’d also be in breach if I made a subject access request under GDPR and they did not supply it. So long as I could prove it’s still on their AWS server, they still have it.

These days personally identifiable data needs more careful handling. Receipts often fall into this category.

1 Like

GDPR doesn’t give a timescale for deletion, just that the data controller must comply with an erasure request “without undue delay”.

Monzo may also have a legal reason to keep certain data so does not have to comply with such requests straight away.

Data might not have to be erased if any of the following apply:

  • The “right of freedom and expression”
  • The need to adhere to legal compliance, e.g. a bank keeping data for 7 years.
  • Reasons of public interest in the area of public health
  • Scientific, historical research or public interest archiving purposes
  • For supporting legal claims, e.g. PPI offerings.

I don’t see any of these fitting the bill (no pun intended) of the bank hanging onto receipt images.

If they do then Monzo should state this is the case.

1 Like

It kinda depends on the tech. If you ask for transactional data held in an easily accessible database to be deleted then, all other things being equal, it should/can be deleted immediately. Things like backups are often seen as problematic, but the common interpretation seems to be that waiting for the data to fall off the backup cycle (e.g. if backups last 7 days) would be a reasonable amount of time to wait, as long as they’re not being actively restored / accessed during that time. For long-period backups, bets are probably off!

Specific to the Monzo images question, it would take a court to determine whether tapping to delete a photo of a receipt in the app is a delete request under GDPR. My instinct is that it isn’t, but IANAL.

If anyone really did want them deleted under GDPR, I’d suggest asking in-app support. I think a few days is reasonable to triage (they’ve probably not seen it before), pass to the right engineer then actually delete the image.

1 Like

Sometimes gifs confuse me. :man_shrugging: