Security - it doesn't 'feel' secure

My date of birth isn’t on there…

I only access facebook through a container on firefox. Not having that abomination tracking my every move.

Plus, I lied to them. :smiling_imp:

2 Likes

For the security conscious this would not be an issue.
However, for the general public, which Monzo has to cater for, this should be a consideration when using DOB as a security question.

EDIT:

I’m worried you got past KYC if you had an incorrect DOB :joy::joy:

Agreed. I’m just trolling you.

DOB is a terrible security question.

Yeah, I’m actually only 14 :wink:

Assuming you told Facebook your DoB, it’s here:
Facebook mobile > Burger > (me) > About … Basic Info
No login thanks to auto-sign in for convenience

Yeah, I’ve just been in to make sure the date is complete rhubarb. :grin:

No, I’d say generally people are against fake security. It better be a pretty darn edge case, and a smart thief is going to find far more interesting things than a banking app. The banking app security model is just security theatre.

Against additional security theatre.

4 Likes

Against additional friction, not security. It’s already secure enough by asking for either Touch ID or card PIN when trying to move money out of the account. As far as an attacker seeing the balance and transactions, it shouldn’t be a big deal when the same attacker will have access to much more should they open your email app (which has no security either) or text messages or notes.

I use a password manager but I know a lot of people just have a “magic” note they put all passwords in and keep that around… (and I know a lot of those people would be the first to complain about how insecure Monzo is). :joy:

7 Likes

The problem there is that you then need a way of managing forgotten passwords via in-app chat. Presumably that comes back to date of birth or similar?

2 Likes

The issue is that it’s really hard to establish a trust relationship remotely without (at the very least) initial physical contact. Legacy banks get around that either by asking to come to a branch with ID or by sending you a card reader and using your card as a means of logging in. Monzo can do neither, so asking personal questions via chat is probably the best they can do at the moment, as passwords/secrets can and will be forgotten.

For Android there could be a way where the debit card includes some proprietary “Monzo” application (as in smart card application, in addition to the usual EMV apps) that could be accessed by the phone app (via NFC - contactless) and do the same as a legacy bank card reader would do, but for iOS there’s no such way.

Or just use the EMV application, no real reason it couldn’t be used to prove presence of the card.

True, in fact that’s how the legacy bank card readers do it - they use a standard called EMV CAP which uses the normal payments application. The signature (the numbers you get from the card reader) is actually a standard payment transaction. However I suggested using a custom app for ease of implementation down the line. As a developer I would very much prefer working with a card that allows me to sign a challenge (random data) rather than implementing the entire EMV flow like CAP does. I’ve tried to implement it once and gave up, it’s such a nightmare.

1 Like

Can you install a new app by issuer script, or would that require new cards be issued?

Probably depends on the original programming of the card - it could be that the existing app is designed in such a way to accept “updates” (hopefully verifying their signature first) in which case it’s possible, otherwise it would require replacement of the cards (I guess they could issue new ones which include the new app, and fall back to EMV CAP for the old ones).

But at that point, haven’t you done all the development work to implement EMV CAP, thus eliminating the value proposition of the custom app?

Yes, but still, a generic “sign me some data with your private key” could be useful down the line - eventually the CAP implementation could be deprecated as old cards expire and get replaced, or maybe some features that can’t be done through CAP like offline authentication (where a terminal remembers the card’s public key and can thus authenticate the card again without ever needing to talk to Monzo like it would need if it wanted to validate CAP responses).

2 Likes
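The "sign me some random data with your private key" scheme described in the two posts above, with the offline mode where the terminal keeps the card's public key and verifies without talking to the bank, as an added example that is not part of this thread, of Monzo's app, or of any EMV/CAP applet. It uses Ed25519 from Go's standard library in place of a card applet; the `CARD-AUTH-v1:` domain tag, the card ID and the 32-byte challenge length are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Domain-separation prefix (assumed value): the card only ever signs messages
// that start with this tag, so a login signature can never double as a
// signature over some other kind of data the card might be asked to sign.
const authTag = "CARD-AUTH-v1:"

// Card stands in for the proprietary smart-card applet discussed above.
// The private key never leaves the card; only Sign is exposed.
type Card struct {
	ID   string
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewCard personalises a card with a fresh key pair (done at issuance).
func NewCard(id string) (*Card, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Card{ID: id, pub: pub, priv: priv}, nil
}

// PublicKey is what the terminal stores at enrolment.
func (c *Card) PublicKey() ed25519.PublicKey { return c.pub }

// Sign answers a challenge. The card prepends the domain tag itself, so a
// caller cannot make it sign an arbitrary message of its choosing.
func (c *Card) Sign(challenge []byte) []byte {
	return ed25519.Sign(c.priv, append([]byte(authTag), challenge...))
}

// Terminal remembers enrolled public keys and can verify cards offline.
type Terminal struct {
	keys map[string]ed25519.PublicKey
}

func NewTerminal() *Terminal {
	return &Terminal{keys: make(map[string]ed25519.PublicKey)}
}

// Enroll records a card's public key: the one step that needs the issuer.
func (t *Terminal) Enroll(id string, pub ed25519.PublicKey) {
	t.keys[id] = append(ed25519.PublicKey(nil), pub...)
}

// NewChallenge draws a fresh 32-byte random nonce for every attempt; reusing
// a challenge would let a recorded signature be replayed.
func NewChallenge() ([]byte, error) {
	ch := make([]byte, 32)
	if _, err := rand.Read(ch); err != nil {
		return nil, err
	}
	return ch, nil
}

// Verify checks a card's response against the stored key. No network call is
// needed, which is the offline authentication mode the post mentions.
func (t *Terminal) Verify(id string, challenge, sig []byte) error {
	pub, ok := t.keys[id]
	if !ok {
		return errors.New("card not enrolled")
	}
	if !ed25519.Verify(pub, append([]byte(authTag), challenge...), sig) {
		return errors.New("signature does not match stored public key")
	}
	return nil
}

// Authenticate runs one full challenge/response round trip with a card.
func (t *Terminal) Authenticate(c *Card) error {
	ch, err := NewChallenge()
	if err != nil {
		return err
	}
	return t.Verify(c.ID, ch, c.Sign(ch))
}

func main() {
	card, _ := NewCard("card-001")
	term := NewTerminal()
	term.Enroll(card.ID, card.PublicKey())
	fmt.Println("genuine card:", term.Authenticate(card))

	// A card claiming the same ID but holding a different key is rejected,
	// and so is a recorded signature replayed against a fresh challenge.
	forged, _ := NewCard("card-001")
	fmt.Println("forged card:", term.Authenticate(forged))
	old, _ := NewChallenge()
	oldSig := card.Sign(old)
	fresh, _ := NewChallenge()
	fmt.Println("replayed signature:", term.Verify(card.ID, fresh, oldSig))
}
```

Two points worth noticing: the terminal never learns the private key, so a compromised terminal cannot impersonate the card later, and the per-attempt random challenge plus the fixed domain tag are what stop a captured response from being reused or repurposed.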

There are plenty of ways.
Perhaps they could verify your ID using your phone’s camera like when you first sign up.

1 Like

Good news on this front:

I think we can take it that this will extend to TouchID and Android (given the commitment to feature parity). As far as I’m aware, this is the first confirmation from someone at Monzo that PIN protection will be offered as well as biometrics.

2 Likes

Hey Jolin,

The device PIN fallback is just being discussed in order to fix the issue where FaceID fails, as it’s an issue with an existing feature, and preventing people from accessing their account. I’m afraid it doesn’t mean that locking the Android app behind fingerprint or PIN is coming at the same time. We’re hoping to add that early next year, but we can’t squeeze it in this year as a bunch of backend work is needed to support cross-platform biometric authentication.

Regarding cross-platform feature parity, what we’re committing to in 2017 is platform-parity for new current account features. Other features that aren’t explicitly current account related will come next year, as we really need to focus on getting the current accounts solid.

Hope this helps clear things up a bit.

7 Likes

Thanks for making this clear mate. Appreciate it, now at least we will be able to link people to this post whenever they mention App PIN/Password for Android :slight_smile:

4 Likes