Security at Mondo


(Aran) #1

With Mondo intending to be a fully digital bank with an API and allow other apps and services to access my account data, I was wondering if I could get some ideas about how Mondo plan to protect my data other than the conventional SSL and encryption of data in your databases.

I’ve mentioned a couple of questions below that I’m interested in knowing about and understanding.

  • How are you intending to protect my data from being misused by other apps that interact with Mondo API?
  • Will apps have to go through an approved/verified process to ensure they protect my data?
  • What are your thoughts on articles like https://blog.teller.io/2016/04/26/tauth.html saying OAuth 2.0 is not adequate, which, based on reading the article, I kind of understand and get?

(Jonas Huckestein) #2

Hi Aran, all very good questions, thank you :slight_smile:

Only apps that you have given access to your data will be able to see it. Once a third party developer has received your data, there is nothing we can do to guarantee it won’t fall into the wrong hands. This is similar to you giving somebody a bank statement today to prove your identity. That party could now go and steal your identity using information on the statement. I think we can do a combination of a few things to protect our customers:

  1. Establish the identity of the app developer through a KYC process. If anything goes wrong they won’t be able to just disappear

  2. Allow our users to share very granular bits of data and possibly time-box them. E.g. if you apply for a loan on a website and “connect with Mondo”, they only need access to your data for a short period of time

  3. Make it very easy for our users to see and revoke previously granted permissions

  4. Educate developers how to securely deal with customer data. Incompetent developers are a bigger threat than malicious developers

How the approval process will work exactly is still unclear. Especially because in a PSD2 (the European Payment Services Directive that mandates banking APIs) world it may be the FCA/regulators that need to approve third party developers, but they don’t know how exactly that would work, either.

I’ve responded to the TAuth article over at Hacker News: https://news.ycombinator.com/item?id=11637128. The short answer is that OAuth 2 and client side certificates aren’t mutually exclusive. Client side certificates also aren’t the only way to defend against that kind of MITM attack. The entire HN thread has some really good input from other people, too, including a post from @oliver about a more secure OAuth implementation.

Our API is only a prototype and doesn’t allow you to move money, open accounts, etc… As we add those more dangerous capabilities we’ll look to mitigate the attack Stevie describes.

Hope that helps :slight_smile:


(Aran) #3

Thanks @jonas, brilliant reply :thumbsup:.

With something like this, would I also be able to manually set in a very detailed way what information they can take? E.g. payments only made for my car finance, or mortgage, maybe a special Mondo email address/alias, or even a certain day/month/year’s transactions. For example, I wouldn’t care about last year’s transactions being accessed, but this year’s may contain information more sensitive to me at that present moment.

I think this is a very important feature to have. Maybe even automatically revoking permissions to apps that haven’t been active in a while, or apps that I haven’t logged into for X amount of time. I always forget to revoke permissions to apps on Facebook, and a few months later I go back and look over them and think, why did I ever give that permission? Hate to think what my Twitter/Google accounts look like!

I totally agree, and I think at the moment that is what I’m most worried about with banks with APIs. I have to say I’m more worried about my current bank, Yorkshire Bank, creating an API than you, but that’s a different matter altogether.

Thanks, I’ll be sure to check out your responses. I was very curious as to your specific response as I’m planning on making :mondo: my bank, so I want to make sure everything is going to be safe and fully understand the security aspects of banking with APIs.
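As an added example (not Mondo’s code, and not from either poster), here is one way to model the granular, time-boxed grants and easy revocation Jonas lists in #2 together with the inactivity-based auto-revocation Aran suggests in #3. The scope names, the per-grant data window and the `demo` scenario are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, List, Optional

# Scope names and the per-grant data window are hypothetical, modelled on the thread's examples.
@dataclass
class Grant:
    client_id: str
    scopes: FrozenSet[str]                # granular: e.g. {"transactions:read"}
    granted_at: datetime
    expires_at: datetime                  # time-boxed: access ends whether or not it is used
    from_date: Optional[datetime] = None  # data window: e.g. only this year's transactions
    last_used_at: Optional[datetime] = None
    revoked: bool = False                 # set by the user's revoke action or the idle sweep

Grants = Dict[str, Grant]                 # keyed by client_id

def check(grants: Grants, client_id: str, scope: str, now: datetime,
          txn_date: Optional[datetime] = None) -> bool:
    """Allow only if the grant is live, unexpired, and covers both the scope and the data window."""
    g = grants.get(client_id)
    if g is None or g.revoked or now >= g.expires_at or scope not in g.scopes:
        return False
    if txn_date is not None and g.from_date is not None and txn_date < g.from_date:
        return False
    g.last_used_at = now                  # recorded so inactivity can be measured later
    return True

def revoke_inactive(grants: Grants, now: datetime, idle: timedelta) -> List[str]:
    """Auto-revoke grants unused for longer than `idle`; returns the client ids revoked."""
    hit = [g for g in grants.values()
           if not g.revoked and now - (g.last_used_at or g.granted_at) > idle]
    for g in hit:
        g.revoked = True
    return [g.client_id for g in hit]

def demo() -> dict:
    """Constructed scenario: a loan app gets read-only, week-long, this-year-only access."""
    t0 = datetime(2016, 5, 1)
    grants: Grants = {"loan-app": Grant("loan-app", frozenset({"transactions:read"}), t0,
                                        t0 + timedelta(days=7), from_date=datetime(2016, 1, 1))}
    return {"this_year": check(grants, "loan-app", "transactions:read", t0, datetime(2016, 3, 1)),
            "last_year": check(grants, "loan-app", "transactions:read", t0, datetime(2015, 12, 1)),
            "move_money": check(grants, "loan-app", "payments:write", t0),
            "after_expiry": check(grants, "loan-app", "transactions:read", t0 + timedelta(days=8)),
            "idle_sweep": revoke_inactive(grants, t0 + timedelta(days=3), timedelta(days=2))}
```

Each denial happens before `last_used_at` is touched, so a stream of rejected requests does not keep an otherwise idle grant alive.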