Security - it doesn't 'feel' secure


#30

Check the Barclays internet banking application… you need to enter a 3-digit code and the card expiry date to view your PIN…
So you should have to provide some information/answer some questions to view the PIN… DOB or postcode, for example, and NEVER send it by message.


#31

Just got my Monzo card. Seems great! And look… here’s the PIN texted to me.
Now that seems like a bit of a security lapse - I’m normally super paranoid about having my PIN written down anywhere unless heavily encrypted. So I make a note of it in my encrypted password safe and delete the PIN text.

But then I notice anyone who has access to my phone can easily get my PIN texted. When I tried it out, all it asked for was date of birth, which isn’t hard to find.

Since my phone and card will very frequently be together (they’re pretty much all I take with me on a night out), I can imagine the chance of my losing both is fairly high. I do have a passcode lock on the phone but I’m not sure how much to rely on that (just look at the fingerprint smudges).

I wish there was a way to disable PIN reminders or at least make them more difficult. The app (at least the android one) feels like it really needs more security at least for some actions.


(Alex Sherwood) #32

I’ve moved your topic here, as there’s been some discussion about this here (& even more here!). I hope that makes sense :slight_smile:

It’s worth noting at this point that the security of the app will change when the current accounts launch.

Hopefully your concerns have been addressed or at least acknowledged here though. If there’s anything we’ve missed, please do let us know.


#33

The smudges probably don’t tell anyone the order of the digits in your passcode. Nevertheless, you can improve that side of things by enabling the option to scramble the layout of the PIN screen (in Android 7 it is under Settings, Security, Screen lock (click the settings cog wheel)). Depending on how much you are enjoying your night out, this doubles up as a test for how sober you still are :grin:


#34

Well I did have a pattern lock so the smudges pretty much gave it away. I’ve changed it to a PIN (takes slightly longer but presumably more secure).

I’ve also added a Norton App Lock code to the Monzo app.

But this all feels like I’m patching a gaping hole in Monzo security - that it’s so easy to find out the PIN.

What really worries me is the comment above about how foolish it is to keep my phone and card together. I now rarely bother taking my wallet out - no need. I take my phone, a card and a small amount of cash. It’s far easier to keep all that together in the mobile phone case. If I keep my card on its own I suspect I’m much more likely to lose it. So now I’m not sure what to do…




#36

Security theatre[0], while completely stupid, is something that most people are used to, and so should be kept in mind.

[0] https://en.m.wikipedia.org/wiki/Security_theater


#37

A solution would be to have a section of the app explain why Monzo does things differently and how it affects risk, and what you can do to protect yourself (as in really protect, and not just “feel” protected).


(Ben) #38

Hi @nathankw I use Touch ID so to view my pin I have to use my thumb print. I’m not sure whether you’re on iOS - but that seems pretty secure from my point of view. Short of someone physically taking my phone, then taking my hand and placing my own thumb onto the app, I don’t see how anyone would access it.
I must admit though, it’s a bit of a weird feeling to actually have an app where I can do everything I need with regards to my pin etc.


#39

That sounds perfect. But I’m on android so no Touch ID sadly.


(Ben) #40

Ah - I can understand your concern then! I’m sure given that the Android app is significantly younger than the iOS one they will bring more security features in eventually. Fingers crossed for you. Sounds like you’re making it as secure as you can at the moment, remember it is still a beta after all. :slight_smile:


#41

I also would like to see an answer to this question - as a new user who has had an OKish experience setting up so far. App crashes - had to reinstall. The email animation takes too long and if you quit/switch too early it takes you back to the email field, leading to having to request another email… What if I didn’t have email set up on the phone?

I didn’t want my card details saved but it did save it. Neither did I want to top up £100 straight away… HSBC gave me £150 to start using their debit card, why would I want to pay Monzo to use it :smiley:

What’s wrong with a standard 4-5 digit passcode/PIN to log in? Little things like that make me question how easy it is to get your money back.


#42

Where are you going to store this PIN? You’ve already got more PINs/passcodes than you can remember - adding one more just means you’ll reuse an existing one and security goes out the window.

I’m grateful Monzo doesn’t ask me for a PIN every time, otherwise it would just be 0000 or something stupid like that (because I can’t be bothered to open my password manager and copy/paste a PIN just to see my balance).


(Colin Robinson) #43

You’re not - it’s your money to spend as you see fit. It’s costing :monzo: money to produce these and I guess it’s one way of weeding out people who aren’t going to use it in this beta and provide feedback?


(Hugh) #44

I really like not having to wait for a spinning wheel to “authenticate” my device, tell me I’m offline (I’m not), crash, ask me for random digits from my unmemorable information and card number and then, finally, tell me my balance.

I agree, maybe there should be some more authentication for carrying out actions. I don’t necessarily agree that opening the app constitutes a need to authenticate. After all, I can open the Google Play app and browse my purchased content and content to buy. When I actually want to make a transaction or change some account information - I’m asked to authenticate. As long as you have a passcode on your phone I don’t think there is necessarily anything to be very concerned about.
It is now trivial to remote wipe devices and most are encrypted. There has to be a balance between usability and security otherwise we’d all be going around with air-gapped devices and USB ports filled with epoxy - Monzo != PNC or MOD database. (I speak as a developer and pentester!)

(Edit: my balance and transaction history is personal information and yes can be used as a social engineering tool, but if someone has got that far I think I should be more worried about what else they are doing with my contact list, email, social media etc. As long as they can’t carry out an action without further auth I see no real issue)


#45

Finally someone sane who understands the real risks of an unlocked device and the importance of a system passcode. I find it quite funny that some people here will fight furiously to have a passcode in the Monzo app but are totally fine with an intruder gaining persistent access to their device by leaving malware.


(Alvils Osans) #46

A PIN should be necessary in order to access your Monzo banking.


#47

Totally agree, it is a HUGE privacy concern. It is necessary to keep your personal data secure from prying eyes. That is why I am currently using another app for my main account.


#48

I completely disagree - my phone is personal, it stays locked if I’m not actively using it, I don’t need yet another verification step…

So if they do add it, I hope it will be optional


(Terry) #49

If implemented it should be optional. I enjoy not having to put in a pin every time I want to view my balance or transactions. My phone is locked anyway so I see that as my security layer.

Touch ID can currently be used to unlock the app if you want it to.