Security - it doesn't 'feel' secure

(Andy Potts) #21

Totally agree that it isn’t secure enough on android. People on iPhones that can use touch ID are fine, but for me as an android user without touch ID, all someone needs is my phone and my phone passcode, which is really easy to get from watching someone type (as i do this so frequently) and then they can empty £400 per day from my bank account, with no additional security measures within the app.

On android there should be the option of an additional pin to view the app, or at least transfer more money to the card. If this doesn’t happen soon you will loose me as a customer, which is a shame as other than this issue i like monzo.

0 Likes

(Alex Sherwood) #22

Yes “£400 per day”…onto your Monzo card…

You can use a third party app (i.e. Norton’s) to protect the app if you like while Monzo are working on adding fingerprint lock support to the app.

2 Likes

(Andy Potts) #23

And if they have my monzo card and phone I’m screwed. It isn’t difficult for someone to steal both at the same time, as a lot of people store their cards in their phone case wallet.

0 Likes

(Alex Sherwood) #24

I know I’m repeating myself here but Monzo are liable for fraudulent use of your card so assuming that you’ve kept within their terms, you will get your money back.

If you’re still worried about this unlikely scenario happening & the resulting inconvenience, perhaps it’s worth carrying your card separately? I’m sure that someone as security conscious as yourself does this anyway.

4 Likes

(Adam Williams) #25

all someone needs is my phone and my phone passcode

Why aren’t you using a 16 character password?

3 Likes

(Andy Potts) #26

Who uses a 16 character passcode to unlock their phone?

0 Likes

#27

that is like having kept a cheque card with your cheque book or hanging up your front door key by your front door, it is foolish and irresponsible and customers should take simple precaution steps and store them in separate pockets

5 Likes

(Adam Williams) #28

Who uses a 16 character passcode to unlock their phone?

I do (or it might be 15 chars actually, not entirely sure when Android caps it). It includes mixed case letters, numbers and symbols. There’s a lot you can access when the phone is unlocked (SSH keys, email, SMS) and I think it’s important to keep it secure.

Also worth noting that if you use encryption you want something that can’t be brute forced.


I’d also like to add this: once the phone is unlocked, you’ve pretty much lost. From there you can enable USB debugging, uninstall the real Monzo app and install a patched copy that sends your money to a scammer once you open it and login.

2 Likes

(James Billingham) #29

I use a long password on my phone, because I just use Touch ID all the time anyway - only have to input the password once a month or so.

2 Likes

#30

Check Barclays internet banking application… you need to enter 3 digits code and card expiration date to view PIN…
So you have to request some information/questions to view PIN… DOB for example or postcode, and NEVER send it by message

0 Likes

#31

Just got my monzo card. Seems great! And look… here’s the PIN texted to me.
Now that seems like a bit of a security lapse - I’m normally super paranoid about having my pin written down anywhere unless heavily encrypted. So I make a note of it in my encrypted password safe and delete the pin.

But then I notice anyone who has access to my phone can easily get my pin texted. When I tried it out all it asked for was date of birth which isn’t hard to find.

Since my phone and card will very frequently be together (they’re pretty much all I take with me on a night out) I can imagine the chance of my losing both is fairly high. I do have a passcode lock on the phone but I’m not sure how much to rely on that (just look at the fingerprint smudges)

I wish there was a way to disable PIN reminders or at least make them more difficult. The app (at least the android one) feels like it really needs more security at least for some actions.

3 Likes

(Alex Sherwood) #32

I’ve moved your topic here, as there’s been some discussion about this here (& even more here!). I hope that makes sense :slight_smile:

It’s worth noting at this point that the security of the app will change when the current accounts launch.

Hopefully your concerns have been addressed or at least acknowledged here though. If there’s anything we’ve missed, please do let us know.

0 Likes

#33

The smudges probably don’t tell anyone the order of the digits in your passcode. Nevertheless, you can improve that side of things by enabling the option to scramble the layout of the PIN screen (in Android 7 it is under Settings, Security, Screen lock (click the settings cog wheel)). Depending on how much you are enjoying your night out, this doubles up as a test for how sober you still are :grin:

4 Likes

#34

Well I did have a pattern lock so the smudges pretty much gave it away. I’ve changed it to a PIN (takes slightly longer but presumably more secure).

I’ve also added a Norton App lock code to the Monza app.

But this all feels like I’m patching a gaping hole in Monza security - that it’s so easy to find out the pin number.

What really worries me is the comment above about how foolish it is to keep my phone and card together. I now rarely bother taking my wallet out - no need. I take my phone, a card and a small amount of cash. It’s far easier to keep all that together in the mobile phone case. If I keep my card on its own I suspect I’m much more likely to lose it. So now I’m not sure what to do…

1 Like

App, Security and Privacy (Fingerprint, Pin, or Password)
(Alex Sherwood) split this topic #35

3 posts were merged into an existing topic: Android App, Security and Privacy

0 Likes

#36

Security theatre[0], while completely stupid, is something that most people are used to, and so should be kept in mind.

[0] https://en.m.wikipedia.org/wiki/Security_theater

2 Likes

#37

A solution would be to have a section of the app explain why Monzo does things differently and how it affects risk, and what you can do to protect yourself (as in really protect, and not just “feel” protected).

4 Likes

(Ben) #38

Hi @nathankw I use Touch ID so to view my pin I have to use my thumb print. I’m not sure whether you’re on iOS - but that seems pretty secure from my point of view. Short of someone physically taking my phone, then taking my hand and placing my own thumb onto the app, I don’t see how anyone would access it.
I must admit though, it’s a bit of a weird feeling to actually have an app where I can do everything I need with regards to my pin etc.

1 Like

#39

That sounds perfect. But I’m on android so no Touch ID sadly.

1 Like

(Ben) #40

Ah - I can understand your concern then! I’m sure given that the Android app is significantly younger than the iOS one they will bring more security features in eventually. Fingers crossed for you. Sounds like you’re making it as secure as you can at the moment, remember it is still a beta after all. :slight_smile:

1 Like