Security - it doesn't 'feel' secure


(Ashley) #1

I’ve only been using Mondo for a week now, all low value stuff. However, after using lots of mobile banking apps I can’t help but feel this isn’t as secure. Don’t get me wrong, I know banks can use passive security measures, but with no login, no step-up authentication and my PIN sitting in my texts, I can’t help but feel this would be quite easy to breach if someone got their hands on my phone. Thoughts or words of reassurance?


(knows someone who knows Tom quite well) #2

I certainly don’t leave PIN texts on my phone, why would you?


(Danny) #3

I changed my PIN straight away. I would like to see Touch ID login.


(knows someone who knows Tom quite well) #4

In general, I keep my phone locked, so I don’t like having to re-authenticate every time I open an app.


(Mike Griffiths) #5
  1. Delete your PIN text - if you have trouble remembering the PIN then change it at an ATM.
  2. Secure your phone using the facilities available. If you share your phone then you have many more security issues to worry about…
  3. If you lose touch with your card you can suspend it instantly from the app on your phone - no calling the bank.
     3a. Just a late thought - keep your phone and card wallet in separate pockets (not inside your phone case).
  4. You can keep a near constant check on spending from the card with the app - anything odd could be spotted well before a traditional bank’s algorithms spotted something and they suspended your card.

All in all, the Mondo card is much better secured than a standard debit card.


(Hugo Cornejo) #6

The process @MikeG describes is exactly what we had in mind for alpha/beta. It’s really easy for us to send SMS and it gives users the freedom to delete it or keep it. So that’s why we did it like that.

But we’re totally aware that that’s not enough. We’re working on better ways to deliver the PIN and soon we’ll give users the option to use TouchID to open the app :slight_smile:


(knows someone who knows Tom quite well) #7

I’d prefer it to ask for TouchID when I’m about to do something potentially dodgy, like adding a new payee or sending more than a nominal (configurable?) amount of money somewhere.


(Hugo Cornejo) #8

Well, we already do that, with every P2P payment you need to verify either your PIN or TouchID. We’ve basically followed Apple Pay’s pattern.


(knows someone who knows Tom quite well) #9

That’s good - but I don’t have any mates so haven’t sent any p2p yet :wink:


(Edouard) #10

An interesting question for the Mondo team is: have you already faced any level of fraud (both against your servers and against Mondonauts)? And how have you managed it?

Also, what is your charge-back process in case the card is used fraudulently online? (not with the PIN)


(James Billingham) #11

Deleting the PIN text simply isn’t sufficient though. Every time I get another SMS from Mondo, the old ‘deleted’ ones appear again, and due to iCloud, I still have a few rarely-used iOS devices where the PIN is still showing on the lock screen.

I also don’t like to change bank PINs, as I consider their randomly generated ones more secure than any likely flawed PIN I’d come up with myself.


(James Billingham) #12

There is also the issue with breaking explicit PCI rules with having users enter their real card PIN into the app:


#13

Admittedly my phone is an Android, but I have my phone encrypted, so I have one password to decrypt the phone on powering it on, a PIN code for my SIM, and a password for my screen saver. I also have Norton software with a pattern lock to gain access to my email and banking apps… so I don’t want or need any further passwords or PINs to access my banking, as it is secure enough. Also, any card PIN is safe, as, be it over SMS or through the post, I change it as soon as I get it.


(knows someone who knows Tom quite well) #14

Pretty much any PIN is as good as any other. The people trying to crack you have three goes at it - negligible in a 9999 number space.


(Freddie) #15

… lighten up James :rolling_eyes:


(Steven Pick) #16

I also thought about this issue when I was using the app the other day and it mentioned making it more secure with Touch ID. I would like to have some kind of passcode layer to get into the app proper. I know Touch ID is being bandied about as a thing, though it’s not beneficial if you have a phone that doesn’t support it.


(Gareth) #17

There is no security when you close and re-open the app. A quick, simple app update could fix this. A PIN or Touch ID would be ideal. Any plans, Mondo?


(Tristan Thomas) #18

Check out the Profile section :slight_smile: You can set Touch ID!


(Si) #19

Delete the text with your PIN in it after you have memorised or changed it, as Mondo recommend. Simples. :sunglasses:


#20

I just topped up my Monzo for the first time after getting the card and I also didn’t feel secure. What strikes me is that my debit card details are saved in the app, and can be used to top up my Monzo without any kind of authentication.
I would definitely feel better if I could log in to the app using the fingerprint sensor / random characters from a password, or at least be asked to re-enter the security number of my debit card. That should also prevent accidental top-ups.
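The thread circles around one design question: which actions should be allowed once the device is unlocked, and which should force a second check (PIN or Touch ID)? Post #7 suggests stepping up on new payees or amounts over a configurable threshold, post #8 says every P2P payment already does this, and post #20 asks for the same on top-ups from a saved card. The following is an added illustration of such a step-up policy, written for this page; it is not Monzo's code, and the action names, the 2000p threshold, the three-attempt lockout (borrowed from post #14) and the `step_up_every_p2p` switch are all assumptions made here to show both designs side by side.

```python
"""Step-up authentication policy for sensitive in-app actions (added example).

Assumptions (not from Monzo): action names, the default threshold, the
lockout count and the policy switch below are constructed for illustration.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Tuple


class Action(Enum):
    VIEW_FEED = "view_feed"        # read-only; the device lock already covers it
    P2P_PAYMENT = "p2p_payment"    # sending money to another user
    ADD_PAYEE = "add_payee"        # post #7: a new payee is "potentially dodgy"
    TOP_UP = "top_up"              # post #20: saved debit card, no re-auth today
    FREEZE_CARD = "freeze_card"    # post #5: suspending a lost card must stay fast


class Factor(Enum):
    NONE = "none"
    PIN = "pin"
    BIOMETRIC = "biometric"        # Touch ID on supported devices


@dataclass(frozen=True)
class Policy:
    # Post #8's design: every P2P payment re-verifies, regardless of amount.
    step_up_every_p2p: bool = True
    # Post #7's design (used when step_up_every_p2p is False): re-verify only
    # for a new payee or above a user-configurable amount. Assumed default.
    step_up_threshold_pence: int = 2000


@dataclass
class Request:
    action: Action
    amount_pence: int = 0
    payee_is_new: bool = False
    factor: Factor = Factor.NONE     # what the user has just presented, if anything
    failed_attempts: int = 0         # wrong PIN/biometric attempts this session


MAX_FAILED_ATTEMPTS = 3   # post #14: three goes, then lock out (assumed limit)


def needs_step_up(req: Request, policy: Policy) -> bool:
    """Decide whether the action needs a second factor beyond the device lock."""
    if req.action in (Action.VIEW_FEED, Action.FREEZE_CARD):
        return False   # read-only, or a safety action that must not be slowed down
    if req.action in (Action.ADD_PAYEE, Action.TOP_UP):
        return True    # creates a new destination for money / moves money from a saved card
    if req.action is Action.P2P_PAYMENT:
        if policy.step_up_every_p2p:
            return True
        return req.payee_is_new or req.amount_pence > policy.step_up_threshold_pence
    return True        # anything not listed: fail closed


def authorise(req: Request, policy: Policy) -> Tuple[bool, str]:
    """Return (allowed, reason). Lockout applies only to actions that need step-up,
    so a locked-out session can still freeze a lost card."""
    if not needs_step_up(req, policy):
        return True, "allowed: device lock is sufficient"
    if req.failed_attempts >= MAX_FAILED_ATTEMPTS:
        return False, "locked: too many failed verification attempts"
    if req.factor in (Factor.PIN, Factor.BIOMETRIC):
        return True, "allowed: verified with " + req.factor.value
    return False, "step-up required: verify with PIN or Touch ID"


if __name__ == "__main__":
    strict = Policy()
    relaxed = Policy(step_up_every_p2p=False)
    samples = [
        (Request(Action.VIEW_FEED), strict),
        (Request(Action.TOP_UP, amount_pence=1000), strict),
        (Request(Action.TOP_UP, amount_pence=1000, factor=Factor.BIOMETRIC), strict),
        (Request(Action.P2P_PAYMENT, amount_pence=500), relaxed),
        (Request(Action.P2P_PAYMENT, amount_pence=500, payee_is_new=True), relaxed),
        (Request(Action.FREEZE_CARD, failed_attempts=3), strict),
    ]
    for req, pol in samples:
        print(req.action.value, req.amount_pence, authorise(req, pol))
```

Two design choices are worth noting: the lockout check sits after the "no step-up needed" branch so that freezing a lost card (the thread's own advice in post #5) never gets blocked by a mistyped PIN, and unknown actions fall through to "requires step-up" rather than "allowed", which is the fail-closed default you want when new features are added to the app.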