Security - it doesn't 'feel' secure

That seems like it just creates a lot of friction for no gain… One of the great things about Monzo is your information is a tap away - and I do that several times a day. If you get logged out you then have to go through getting an email and logging back in several times a day? That would suck.

6 Likes

Big time, please don’t do this!

5 Likes

To clarify, do you mean “only ask for TouchID (if enabled) after a certain period”?

That would be completely different from being signed out (requiring email log in etc).

Of course, so once you’ve bypassed initial security such as using Touch ID / PIN to enter the Monzo app, the auto sign out would be a timing-out feature that re-requests your PIN / Touch ID after a selected amount of time of inactivity. As I noticed, when you sign in, the app stays open for around 2-3 minutes and this can’t be adjusted by the user.

If a user is carrying out transactions on the app and presses the home screen button, forgetting to close the app correctly because they were distracted (for example, showing someone a picture, etc.), they could select for the app to time out immediately once leaving the Monzo app, closing that 2-3 minute threshold of them remaining signed in. This would prevent a person from seeing account information if the application management feature is accidentally tapped or used without consent.

Another example: if the phone is stolen while in use and the user is using the multitasking feature, the app would close immediately once leaving the Monzo app, preventing unauthorised use rather than staying open for a few minutes.

Hope this makes sense! :blush:

So at the moment there is no security on the app… no login or PIN required. So if someone was to get on my phone they could clean my account out…

This needs sorting ASAP. Also, now I have the current account, the app is pretty awful… it worked for a top-up card but it needs some serious changes and updates to be an app for a current account.

2 Likes

Yeah it seems the way things are at the moment, Monzo are being very very naive… or just dumb.

I’ve heard people can reset their PIN with just a date of birth… wtf?? And if someone gets hold of your phone they can clean your account out no problem. Not even a PIN to open the app! This should surely be at the very top of any to-do list?!

As it stands I won’t be using this account for anything meaningful until this is addressed. Definitely not having my salary paid into it…

2 Likes

Not if you have some kind of security on your phone.
I appreciate that people are concerned about the minimal security on the app, but if you don’t have any kind of pin/passcode on your phone and someone gets hold of it you are pretty much screwed anyway.

2 Likes

I think when users read this thread that point has been repeated ad nauseam; however, the problem is obviously one that concerns many people (hence it constantly being raised), so it is disappointing it has been treated with such disdain and no action taken in the long period since the original launch of the prepay. I know they may address the issue sometime in 2018, however the fact it has taken this long to even consider it is a reflection on Monzo’s attitude to the security of our personal data.

I’m not sure anyone has treated it with disdain?

If I haven’t made it clear, I accept this is a totally valid point.

I’m not sure it really helps us going over and over it “ad nauseam”. Monzo really need to make a statement on this and what they intend to do.

2 Likes

Nobody can clean your account out without your PIN.

7 Likes

Reading this has reminded me; I may have missed it, but are you able to share your findings from the ICO correspondence and Monzo meetings on this issue? I’d be interested to know what the ICO said about privacy, which I was under impression isn’t in their remit.

1 Like

Let’s not over dramatise.

If they got hold of your phone once you had unlocked it (assuming it’s locked):

Could they clean out your account? No.
Could they see what you spent at Tesco last week? Yes.

Some have concerns here that they feel aren’t addressed by their phone security but financial loss is not one of them.

If they crack your PIN for the device to get in then you’re in different territory anyway.

3 Likes

I have no problem with the way Monzo currently treat my personal data. Following your approach to its logical conclusion would mean putting secondary authentication on every app that has any personal data on it: calendar, contacts, email, spreadsheets, documents, etc.

Anyone wandering around my phone will have access to way more info than I want most people to see.

Hence I protect my phone, not the individual apps.

I am perfectly happy with the way Monzo protect the secondary money movement functions; it is a sensible balance of security and ease of use.

2 Likes

Before bringing the law into the conversation, please be Very Sure, preferably with quoted text.

‘Pretty sure’ doesn’t really cut it, in my opinion, if you really want to take this path.

Maybe so… is it true you can get a new PIN in the chat with just a date of birth??

1 Like

I am unable to, because the meeting was postponed and, despite correspondence with the ICO, they will not reach any conclusions until after receiving feedback about the meeting or receipt of a copy of the final definitive response letter from Monzo to the complaint. Subject to the content of the meeting, what is discussed or decided may be confidential, and any conclusions may not be publicly released without the agreement of Monzo or at the discretion of the ICO. I am not here to stir up trouble, just pursuing a point of principle.

Sorry, just responding to a post you’ve since deleted. It seemed sensible that any recourse to law was backed up by info on the particular law you thought was being breached. Sorry you found it condescending, that wasn’t the plan.

If you’re down to personal insults then I think we’re done here. It really doesn’t support your case very well.

4 Likes

Thread is now closed. Some closing thoughts…

Anyone know if there are plans to secure the login experience? It’s probably now the only thing stopping me from using my current account. Even expanding the login experience to ask for something as simple as the last 4 digits of the card number / DOB (or other random snippets) would be a great improvement.

Unfortunately with email, a secure transfer protocol is not always guaranteed, and email rarely sits encrypted at rest.

It would be relatively trivial for any sysadmin* between myself and Monzo to:

  • Sign in to the app on their own device with my email address
  • Grab the link contents from the email in transit
  • Delete the email before it ever reaches me (I’d then have no idea this had happened).

Whilst TLS helps with this, it’s not guaranteed with email, and in many cases an email will be decrypted before actually hitting the user’s mailbox. Additionally, hardly any providers encrypt email at rest.

* Sysadmins could work for anyone, depending on your mail provider (and Monzo’s): from your ISP to Google (Gmail) to your work email system administrators, etc.

3 Likes
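As an added illustration of the attack in the post above (this is not code from the original post, from Monzo, or from Monzo's app), the following Python simulation plays out the three steps: someone with read access to the mail path requests a magic link for the victim's address from their own device, lifts the link in transit, drops the message so the victim never sees it, and redeems it. It then shows why a second factor that does not travel over email (the app PIN or password the thread keeps asking for), checked at link redemption, blocks that route. The server, the in-memory mail pipe, the token format, the link lifetime and the PIN hashing parameters are all assumptions made for this example.

```python
# Added example, not Monzo's code. Simulates a magic-link login where the
# attacker controls a hop on the mail path, and a hardened variant that
# also demands a PIN the attacker does not hold. Everything here (server,
# mail pipe, token format, expiry, hashing parameters) is an assumption.
import hashlib
import hmac
import secrets
import time

LINK_TTL_SECONDS = 600      # assumed lifetime of a login link
PBKDF2_ITERATIONS = 100_000  # assumed work factor for stored PINs


class MailPipe:
    """Constructed stand-in for the mail path. Whoever holds a reference to
    it (an ISP admin, the mail provider, a work mail gateway) reads every
    message in the clear and can drop it before delivery."""

    def __init__(self):
        self.queue = []

    def send(self, to, body):
        self.queue.append({"to": to, "body": body})

    def intercept_and_drop(self, to):
        # Attacker takes the newest message for `to` out of the pipe, so the
        # victim never learns a link was requested.
        for i in range(len(self.queue) - 1, -1, -1):
            if self.queue[i]["to"] == to:
                return self.queue.pop(i)["body"]
        return None


class AuthServer:
    def __init__(self, mail, require_second_factor=False):
        self.mail = mail
        self.require_second_factor = require_second_factor
        self.pending = {}      # token -> (email, issued_at)
        self.credentials = {}  # email -> (salt, pbkdf2 digest of the PIN)

    def enrol_pin(self, email, pin):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS)
        self.credentials[email] = (salt, digest)

    def request_link(self, email, now=None):
        # Anyone can ask for a link for any address; that is the point of
        # the attack. The link is the only secret in the plain flow.
        token = secrets.token_urlsafe(32)
        self.pending[token] = (email, now if now is not None else time.time())
        self.mail.send(email, f"https://auth.example/login?token={token}")

    def redeem(self, token, pin=None, now=None):
        """Return the logged-in email, or None. Tokens are single-use."""
        entry = self.pending.pop(token, None)
        if entry is None:
            return None
        email, issued_at = entry
        now = now if now is not None else time.time()
        if now - issued_at > LINK_TTL_SECONDS:
            return None
        if self.require_second_factor:
            cred = self.credentials.get(email)
            if cred is None or pin is None:
                return None
            salt, stored = cred
            candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS)
            if not hmac.compare_digest(candidate, stored):
                return None
        return email


def token_from_link(link):
    return link.rsplit("token=", 1)[1]


def attacker_run(require_second_factor, pin_guess=None):
    """Attacker with mail-path read access tries to log in as the victim.
    Returns the account they end up logged into, or None if blocked."""
    mail = MailPipe()
    server = AuthServer(mail, require_second_factor)
    victim = "victim@example.com"
    server.enrol_pin(victim, "4921")  # constructed PIN the attacker lacks
    server.request_link(victim)                  # 1. request from own device
    link = mail.intercept_and_drop(victim)       # 2. lift link, drop the mail
    return server.redeem(token_from_link(link), pin=pin_guess)  # 3. redeem


if __name__ == "__main__":
    print("plain magic link, attacker logged in as:", attacker_run(False))
    print("link + PIN, attacker logged in as:", attacker_run(True, "0000"))
```

With the plain flow `attacker_run(False)` returns the victim's address: TLS on individual hops never made the link a secret from the hops themselves, and dropping the message removes the one signal the victim would have had. With `require_second_factor=True` the same interception yields nothing without the PIN, which is exactly the property the thread is asking for; the PIN is stored salted and stretched and compared in constant time so the redemption endpoint does not become the weak point instead.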

Howdy folks,

I’m loving the Monzo life. Long time user, first time idea posting.

I was just wondering, now that you’ve introduced the wicked current account, are there any plans to add password protection to the app? Just as an added level of security.

Cheers
Jas

3 Likes