Security issue with the Monzo app

My friend got robbed recently with a knife pointed at him. The guy only took his phone, but before leaving he was smart enough to ask my friend for his phone PIN.

When he told me this, I thought “even if he has the PIN, he can’t access the bank accounts, since they require biometrics”, so it’s mostly safe. And I was right about that - except for Monzo. I checked 1password, Revolut, HSBC and Monzo. The first 3 show me the screen to log in using my fingerprint, WITHOUT the option to enter the PIN. Monzo, on the other hand, has the “USE PIN” option.

This probably can be fixed with a single line of code (disabling the PIN option in the biometric authentication dialog).

Edit: as @HoldenCarver mentioned below, you need your card PIN to move money on Monzo; I confirmed you also need it to see credit card details. So this is not as big an issue as I initially thought. But it’s still a security issue. They can see your address and other personal info, as well as bank account info about your friends (favourites and recently transferred to), all your purchases (including the places you usually visit), your income, and savings on all your bank accounts (if you connect your Monzo to other accounts, like I do). It’s a lot of sensitive information, some of which I don’t even share with close friends (like how much I have). On top of that, many people reuse their PINs when possible - it’s definitely what I was doing, my phone PIN was the same as my Monzo card PIN - which would nullify the need for the card PIN to perform some operations. I still think this is a security issue. The fact they’d be able to steal other info about you from other apps (like Gmail) if they got your phone and PIN doesn’t make this any less of a security concern.

But unless they also asked for his card PIN, they still can’t move any money out of his Monzo account.

That’s a good point. I’d prefer if they couldn’t access the app at all, since that gives them access to my address, but knowing they can’t move money or see my card details puts me at ease.

It’s not a security issue.

Your address will be in hundreds of your emails if that’s your concern.

It’s not a single line of code and this is also a terrible idea.

My biggest concern about email would be the fact they could request password reset emails for all manner of sites and services I might use. Steal my money? That’s one thing. But steal my identity? That could cause problems for years.


Not really, I keep my inbox clean. It’s basically empty. But they do get access to my g.drive, where I store all important documents, so same thing. The worst part was that I used the same PIN for my card and my phone - well, I used the same PIN and the same password for literally everything until I started using 1password a year or so ago and caring about security. I just switched my PIN to something else, but I do wonder how many other people share their PIN/password between all their accounts.

I don’t have Android Studio installed atm, so I can’t confirm, but I’d expect it to be pretty straightforward. Edit: just out of curiosity, I tested it. It’s indeed literally just changing one line of code: removing the DEVICE_CREDENTIAL from the allowed authenticators passed to the auth dialog builder does the trick.
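As an added illustration (not Monzo’s code and not code from the post above), this is what the allowed-authenticators change looks like with the androidx BiometricPrompt API on Android: the weak prompt configuration beside the biometric-only one, plus the enrolment check and the mode-specific negative-button rule the library enforces. The function names `promptInfoWithPinFallback`, `promptInfoBiometricOnly`, `canUseStrongBiometric` and `showUnlock` are assumed names for this example.

```kotlin
import androidx.biometric.BiometricManager
import androidx.biometric.BiometricManager.Authenticators.BIOMETRIC_STRONG
import androidx.biometric.BiometricManager.Authenticators.DEVICE_CREDENTIAL
import androidx.biometric.BiometricPrompt
import androidx.fragment.app.FragmentActivity
import java.util.concurrent.Executor

// Weak variant (example only): OR-ing DEVICE_CREDENTIAL into the allowed
// authenticators is what adds the "use PIN" button, so the phone's
// lock-screen PIN/pattern/password unlocks the app on its own.
fun promptInfoWithPinFallback(): BiometricPrompt.PromptInfo =
    BiometricPrompt.PromptInfo.Builder()
        .setTitle("Unlock app")
        .setAllowedAuthenticators(BIOMETRIC_STRONG or DEVICE_CREDENTIAL)
        .build() // a negative button must NOT be set in this mode

// Hardened variant: strong biometric only. Without DEVICE_CREDENTIAL the
// library requires negative-button text; build() throws
// IllegalArgumentException if it is missing.
fun promptInfoBiometricOnly(): BiometricPrompt.PromptInfo =
    BiometricPrompt.PromptInfo.Builder()
        .setTitle("Unlock app")
        .setNegativeButtonText("Cancel")
        .setAllowedAuthenticators(BIOMETRIC_STRONG)
        .build()

// A biometric-only prompt needs an enrolled strong biometric; if none is
// available the app must use its own fallback (e.g. a full re-login),
// not the device credential.
fun canUseStrongBiometric(activity: FragmentActivity): Boolean =
    BiometricManager.from(activity)
        .canAuthenticate(BIOMETRIC_STRONG) == BiometricManager.BIOMETRIC_SUCCESS

fun showUnlock(activity: FragmentActivity, executor: Executor, onUnlocked: () -> Unit) {
    if (!canUseStrongBiometric(activity)) return
    val callback = object : BiometricPrompt.AuthenticationCallback() {
        override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
            // result.authenticationType reports which factor was used;
            // AUTHENTICATION_RESULT_TYPE_DEVICE_CREDENTIAL would mean the
            // device PIN unlocked the app. It cannot occur with the
            // biometric-only PromptInfo used here.
            onUnlocked()
        }
    }
    BiometricPrompt(activity, executor, callback).authenticate(promptInfoBiometricOnly())
}
```

Checking `result.authenticationType` in the success callback is a useful test assertion when verifying that a release build never accepts the device credential.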

I don’t think it’s a terrible idea though. Every other banking app does this, and so does 1password, and no one says it’s terrible. Edit: I tested my trading apps as well as some other apps. None of them gave me the option to enter the PIN, so far it’s only Monzo.

Yes, that’s a huge concern. I just found out my phone allows me to add an extra lock on selected apps, so I’m enabling that for my Gmail right now.

I tested several finance apps a while back. Monzo was the only one I tested that could be unlocked via phone PIN.

Other option is to use a provider for your main email which is different from the phone OS provider. Can then use built-in security settings for that third-party email app to lock the app. But out of curiosity, which phone brand allows you to overlay extra locks on apps?

If it’s Android then many antivirus solutions provide the option to lock individual apps with biometrics and fall back to a PIN set within the antivirus.


@o99

I wouldn’t go as far as using a different provider. Simply using a different email is already a great idea. I had to lock basically every Google app, because they all allow the user to “manage the account” in the same app, instead of opening some other app that does it - meaning that if any single one of these apps is unlocked, they can mess with the Google account. I ended up locking everything Google related.

As for the brand, it’s OnePlus. I don’t use any apps for that, it comes with the system. After I unlock the phone, if I open one of the locked apps, it asks for my fingerprint. Then I don’t have to input the fingerprint for that app again until I lock the phone (turn off the screen).

@AaronB1 I guess that’s also a viable option, for those who don’t have it built in.


Think people miss a bit here though overall.

Change your SIM PIN.

Even if they don’t get the phone PIN, they can get the SIM out, put it in another phone, start registering apps on the new device, change Apple ID details, all sorts.

eSIM is a little more secure because they can’t remove it, but just take your physical SIM out and you have OTP options to log in to emails and so forth; easy entry to everything from there.


Revolut does indeed have the option to enter your PIN, just make the PIN different from your iPhone’s passcode.

First things first - I hope your friend is ok. That must have been absolutely terrifying and I’m not sure any of us could say “we would’ve done different”.

I’m not sure I’d agree there is a ‘security issue’ - I would like it if they considered having FaceID as the default for login (and they now have it as an option over card PIN for transfers).

Where it perhaps is weaker is that if they can get into email, they can install the app on another device and log in via the magic link. Ideally over time that would be improved.

Another great tip, thanks. If they have the phone PIN, they don’t need the SIM PIN, but in most cases they’d just steal your phone without you noticing (no weapons or talking involved), so this is even more important than protecting apps locked by the phone PIN.

Maybe only when using face recognition? Or maybe only on iPhone? It doesn’t have the option on Android when using fingerprint. Edit: ah, I misunderstood your comment before. If you can make the PIN different from your iPhone’s passcode, I guess it’s okay, at least you have the option of making it secure - even though many people would still use the same PIN for both.

I agree that getting access to email is generally way more dangerous than getting access to Monzo. I’m not sure I agree that this isn’t a security issue, considering I literally posted how to break into the app by simply having access to the phone and some authentication PIN that is unrelated to the app. Of course, our email app is even more insecure. And if they have access to your SIM, they can get into Monzo easily anyway.

It’s clear our phones are, by default, not secure. Until 1-ish year ago, I used the same password for everything. Then something happened to a friend, and I decided it was time to change all my passwords and move to a password manager with 2FA everywhere. And after what happened this time to another friend, I got really scared about carrying my phone around, considering how easy it is to get access to it by force and that - in the wrong hands - it carries enough information to make my life miserable for many years, until I manage to get it all sorted. Now I’m very serious about protecting my data from common attacks in the real world - not just the “virtual” world.

But to be fair, I don’t care anymore whether Monzo changes its auth. There are other ways to protect it which I can do by myself.