Security - it doesn't 'feel' secure


(Hugh) #112

There was some annoyance and irritation when we started getting 4/5 new threads on “can I keep my prepaid card?” - then we created an FAQ and linked to it.

I’m not sure there is any particular annoyance? Generally what happens is someone will post “Maybe you should take a look at this: {{link}}” and it will get merged by a mod.


#113

that was one of the examples I thought of. Agree referal to existing threads is best way (with referal to Mods to merge threads as best they do it before the new thread gets too long)


#114

Bring back @AlexS


#115

he was like a Time Lord and merging a thread as the user hit the enter key


(Hugh) #116

I would try to do that…but I’m not a leader :stuck_out_tongue:


(Naji Esiri) #117

In some ways you’re right, if you were to consider the forum as the beginning and end of the community experience :slightly_smiling_face: The forum isn’t everyone’s preferred medium for connecting with both the Monzo team and other Monzo customers. We’re looking to build on the incredible foundations we’ve established here to reach as many of our customers as possible through things like in person events, social media and user testing sessions.

It’s important that the wider Monzo community feel connected and listened to, however they feel most comfortable.

In my eyes, the service we provide and community activity should be a single offering - continued feedback and input from our customers plays a huge part in building something of real value. Aside from this, it’s also a lot of fun :slightly_smiling_face: We’re working on bringing the community experience closer to the app experience so that thousands more of our customers can enjoy the best that the Monzo community has to offer!!


#118

I can can see what @Naji means… I saw this on my CA feed yesterday.


#119

There have been lots of posts in the past about lack of security on the Android app.
This time I was genuinely worried about how easy it was to reset my current account pin.

When using the in build chat advice, the only security question I was asked was my date of birth, which I don’t feel was a secure form of authentication. Especially, if an intruder already has access to my smartphone, and they could easily deduce it from the vast quantities of data people have on their phones.

Are there any plans to increase the level of security when dealing with sensitive information when contacting customer support? I would think the minimum level of security would be some form of separate password that I have to enter, or partially enter contacting support.


(Hugh) #120

But this is a really terrible user experience. Another thing to set and remember, what if you forget it?

Not sure what this means? Support won’t give out personal information on chat although I do agree this being persistent is a problem.

To be honest, if someone has access to your smartphone, the issues are going to be much greater than someone resetting your pin.


(Super-cali-fragi-listic-expiali-docious) #121

I’d hope that you have a passcode/touch id on your phone?.. It’d make it a lot more secure than you’re making it sound. As @crablab said, anyone with access to your phone is going to cause greater issues, look at securing your phone, and your bank will be more secure too.

However, “Android Fingerprint Lock” is on the roadmap for 2018, so it won’t be long for the extra security.


#122

I would adopt something that Brian Krebs (he’s sort of THE online security master of the entire world) recently posted.

I think banking security NEEDS to be of the type that is inconvenient, especially if you have forgotten your password. I acknowledge that others may have different priorities, and thus this may be better resolved with optional measures, but I cannot take a bank seriously that doesn’t even offer me any (meaningful) security. I also acknowledge that Brian’s suggestion of showing up with ID at a branch in case of forgotten password is not a workable solution for Monzo, but resetting your banking password needs to be seriously inconvenient (I know TSB has a very elaborate password reset meachnism: (1) ask some KBA questions, (2) snail mails password reset info to the registered address, (3) upon receipt call up helpline again to give password reset info, (4) send a second reset token to registered mobile number (5) recite this to help line as well. (6) select a new passcode That’s super inconvenient and takes a lot of time, is very expensive for them, and I applaud them for this.)

I’m becoming more and more disillusioned by Monzo’s lack of care for security, and find it worrying that the community blindly supports this without questioning. Anyone who would like additional security is told “oh well, never leave your unlocked phone out of your hand”, and “I don’t want any inconvenient password/fingerprint/biometrics for my banking”. Neither addresses the point.


(MikeF) #123

Sorry, but that’s uncalled for.

While I get you’re not a fan of this aspect of the implementation, that doesn’t mean you get to write-off everyone who doesn’t agree with you. People are allowed to have a different priorities/understandings of things without being accused of “blindly supporting” anything. Accusations like that involve massive assumptions add nothing to a debate and can’t be proven anyway.


#124

Alright, you are right in that. I did not mean to write people off!

Let me rephrase that: every time one person says they’d like more security they get multiple replies that (a) more security isn’t needed because you need to keep your phone secure. (b) they don’t want additional security because of the friction it causes, while only very few would support the idea of additional security.

I do believe that is factually accurate (and you can just scroll up this thread to see this), and I believe neither addresses the issue at hand.


(Hugh) #125

HMRC has a similar thing. If you forget your ID you have to fill out a annoying form and get posted a letter which contains it. If you’ve forgotten your password I think you go through a similar process.

My dad has degrees in Physics (Cambridge) and Electronic Engineering so he’s not stupid and can fairly competently use a computer (he’s built a few from components) and yet this system persistently fails for him. The letters never seem to arrive and the website is unintuative and unhelpful so as a user, he doesn’t get a good experience at all. Just using him as a test case, we can see that the system here is broken - so, due to all the security the users cannot use the actual service…which defeats the point here!

Passwords are deeply flawed and I think there needs to be a more ground up solution than making it very very difficult for people to access their account. There is a need for security, but there is also a need for usability and arguably usability should come slightly first as you can build the most secure system in the world, but if users cannot use it then it is pointless.


(Peter Roberts) #126

I would hate to have a bunch of extra ‘security’ foisted on me that I don’t want. I’m fine with people being able to add passwords and such but personally I already have to unlock my phone with a fingerprint or passcode

I don’t want to do that again in monzo, especially since I just use a password manager for passwords anyhow

That’s my opinion. Low friction all the way - nothing will ever be 100% secure so I’d rather monzo go for ‘good enough and nice to use’


(Super-cali-fragi-listic-expiali-docious) #127

Personally, I’ve never been a fan of the passwordless login system, you enter your email -> they send you an email -> click login. I’ve never been a fan, however, it works, it’s secure, and makes ease of use for the end user.
You don’t have to remember a ton of details, or worry about putting them into a phishing website.

The only difference is, security then becomes down to the end-user, how secure is your email, can someone get a hold of this, and do you have steps to get it back if anything happens.

Therefore I recently changed my email to another provider to offer me with 2 step authentication.

When it comes to the mobile, once you’ve authenticated a device, it then becomes the security of how secure your login is on that, how many people do you let on your phone… I personally don’t trust anyone and change my passwords for email and phone every 3-6 months.


(Hugh) #128

There was a discussion on Monzo’s use of JWTs: Security protocol observations


#129

no it is not uncalled for. Anyone who dares to express an opinion on securing the app with password or pin or making steps in the app have aditional security layers gets promptly attacked by a number of ardent zellots (often regulars) who active in the community.

We have no objection to their views and while a solution is to have any settings optional they try and stamp on such ideas so we don’t even have that


Starling Feedback
(Hugh) #130

Just following this guide: https://community.monzo.com/t/users-who-criticise-monzo-get-shouted-down-here/23891

I’m not sure this conversation is going to be particularly helpful or solve the actual issue at hand. I suggest if you want to talk about people getting “attacked”, the above thread might be a better forum.

To summarise: the app is not massively secure, some people see this as a benefit others as a drawback. Discuss without responding to emotion in people’s posts.


#131

Sorry you felt attacked - I know I have criticised having extra layers of security in past but never intended to ‘attack’

BTW, I never said don’t bring an optional setting if it keeps more people happy and feel secure but I can only say for myself that I don’t want to login once I unlock my phone