Issue:
When using Google Assistant to launch Monzo, this bypasses the need to log in, without the need for a PIN/biometrics. This essentially gives anyone using the phone access to the user's account.
Details to reproduce:
1. Ensure device is unlocked
2. Ensure Monzo app is not already open
3. Launch Monzo with Google Assistant - “Hey Google, launch/open Monzo”
4. User is taken straight into account without the need to enter login details
Just tested it on my Pixel 5, opening Monzo via voice still asks for my fingerprint.
It only asks for a fingerprint after a certain amount of time though, or if Monzo is closed fully.
Try swiping the app away from the recents list, then launching via voice again. That causes it to ask for fingerprint again.
Oh, strange. I’ve just dived into my Monzo settings and it appears ‘unlock with biometrics’ had been disabled despite previously having it set. Still wouldn’t explain why it wouldn’t request a PIN though.
The app updated to 4.11.1 recently. I’ve found that following app upgrades, biometrics have been disabled on my phone in the past. Although I’ve not spotted a pattern to it yet - and the recent upgrade didn’t disable the enabled biometrics for me this time.
I get that an update may have disabled biometrics (which is a bug in itself), but the fact that it didn’t even ask me for a PIN to access my account is quite worrying.
Remember though, even if someone got into your app, they can’t do anything to transfer money out without a PIN or biometrics. Yep, they’ll see your balances and transaction history etc., but that’s all.
I have a Pixel 6 with the same app version and biometrics are still turned on.
Have you recently changed some biometrics or security settings such as adding a fingerprint or changing your phone unlock pin?
I don’t think that’s what caused it but I’m curious.
Think I’ve found the pattern. I do a teardown of the Monzo app to see upcoming features/changes, and part of this process is switching to another phone to run Monzo briefly before switching back to my daily driver. I have found I can reproduce something similar…
Try this:
1. In Monzo, go to Settings>Privacy & Security and ensure ‘Unlock app with biometrics’ is enabled. If not, enable it.
2. Close the Monzo app (don’t log out) and go back to your home screen for a minute.
3. Open the Monzo app - it will ask for your fingerprint. All good so far.
4. In the Monzo app, go to Settings>Log out and confirm you wish to log out. You’ll be returned to the Monzo log-in display; tap on Log in, enter your email and follow the instructions to get access to your Monzo app. Part of this process is to enter your (Personal account) PIN, and once you’ve done this, you’ll have access to your Monzo app.
5. Now, if you look at Settings>Privacy & Security, the biometric setting you previously enabled is now disabled - BUT - don’t change it yet. Close the Monzo app (don’t log out) and go back to your home screen for a minute; in fact, let your phone go to sleep through non-use first. When it has, wake your phone, go to the home screen and tap on the Monzo icon to open the Monzo app - voilà - instant access without a fingerprint or PIN required.
Dangerous - access to view the account is possible. But a PIN is still required to move any money out of the account so it isn’t totally compromised.
Only when you go to Settings>Privacy & Security and enable biometrics again do you protect the login sequence.
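To make the failure mode behind this reproduction concrete, here is a small model added to this thread; it is not Monzo's code and nothing in it is taken from the app. The class names, the 60-second re-lock timeout, and the "logging back in clears the biometric preference" behaviour are all assumptions chosen to mirror the steps above. It contrasts a lock where the 'unlock with biometrics' toggle is the only gate (so clearing it silently removes the lock) with one where a cleared toggle falls back to the PIN.

```python
"""Toy model of a banking app's foreground lock (constructed example, not Monzo's code).

Two lock policies share the same session state. FailOpenLock models the reported
behaviour: the biometric preference is the only thing gating the app, so a
fresh login that resets that preference leaves the app unlocked on resume.
FailClosedLock always demands some credential; the preference only picks which.
"""

from dataclasses import dataclass

LOCK_TIMEOUT_S = 60  # assumed: re-lock once the app has been backgrounded this long


@dataclass
class Session:
    logged_in: bool = False
    biometrics_enabled: bool = False
    backgrounded_at: float = 0.0  # seconds on a fake clock


class FailOpenLock:
    """Lock policy in which 'unlock with biometrics' is the ONLY gate."""

    def __init__(self) -> None:
        self.s = Session()

    def login_with_pin(self, pin_ok: bool) -> None:
        # Assumed: a fresh login rebuilds per-device state, so the biometric
        # toggle comes back disabled (as observed in the thread's step 5).
        if pin_ok:
            self.s = Session(logged_in=True, biometrics_enabled=False)

    def logout(self) -> None:
        self.s = Session()

    def enable_biometrics(self) -> None:
        self.s.biometrics_enabled = True

    def background(self, at: float) -> None:
        self.s.backgrounded_at = at

    def resume(self, at: float):
        """Return the challenge the user must pass, or None for straight in."""
        if not self.s.logged_in:
            return "login"
        if at - self.s.backgrounded_at < LOCK_TIMEOUT_S:
            return None  # still inside the grace period
        return "biometric" if self.s.biometrics_enabled else None  # fails open


class FailClosedLock(FailOpenLock):
    """Same state, but a cleared preference degrades to PIN, not to nothing."""

    def resume(self, at: float):
        if not self.s.logged_in:
            return "login"
        if at - self.s.backgrounded_at < LOCK_TIMEOUT_S:
            return None
        return "biometric" if self.s.biometrics_enabled else "pin"


def walk_through(lock: FailOpenLock) -> list:
    """Replay the thread's steps and record what each resume asks for."""
    asked = []
    lock.login_with_pin(pin_ok=True)
    lock.enable_biometrics()           # Settings > Privacy & Security, toggle on
    lock.background(at=0)
    asked.append(lock.resume(at=120))  # reopened after a couple of minutes
    lock.logout()                      # Settings > Log out
    lock.login_with_pin(pin_ok=True)   # email + PIN; preference comes back cleared
    lock.background(at=200)
    asked.append(lock.resume(at=400))  # phone slept, then reopened from the icon
    return asked


if __name__ == "__main__":
    print("fail-open  :", walk_through(FailOpenLock()))    # ['biometric', None]
    print("fail-closed:", walk_through(FailClosedLock()))  # ['biometric', 'pin']
```

The preference being reset on re-login is a bug on its own, but it is the fail-open `resume` that turns it into an unlocked app; with the fail-closed variant the same reset only downgrades the challenge from fingerprint to PIN. How the app is brought to the foreground (icon, recents, or a voice assistant) makes no difference to either policy, which matches the earlier observation that the Google Assistant launch behaved the same as tapping the icon.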