Security - it doesn't 'feel' secure

I’d hope that you have a passcode/touch id on your phone? It’d make it a lot more secure than you’re making it sound. As @crablab said, anyone with access to your phone is going to cause greater issues, look at securing your phone, and your bank will be more secure too.

However, “Android Fingerprint Lock” is on the roadmap for 2018, so it won’t be long for the extra security.

2 Likes

I would adopt something that Brian Krebs (he’s sort of THE online security master of the entire world) recently posted.

I think banking security NEEDS to be of the type that is inconvenient, especially if you have forgotten your password. I acknowledge that others may have different priorities, and thus this may be better resolved with optional measures, but I cannot take a bank seriously that doesn’t even offer me any (meaningful) security. I also acknowledge that Brian’s suggestion of showing up with ID at a branch in case of forgotten password is not a workable solution for Monzo, but resetting your banking password needs to be seriously inconvenient. (I know TSB has a very elaborate password reset mechanism: (1) ask some KBA questions, (2) snail mail password reset info to the registered address, (3) upon receipt call up the helpline again to give the password reset info, (4) send a second reset token to the registered mobile number, (5) recite this to the helpline as well, (6) select a new passcode. That’s super inconvenient and takes a lot of time, is very expensive for them, and I applaud them for this.)

I’m becoming more and more disillusioned by Monzo’s lack of care for security, and find it worrying that the community blindly supports this without questioning. Anyone who would like additional security is told “oh well, never leave your unlocked phone out of your hand”, and “I don’t want any inconvenient password/fingerprint/biometrics for my banking”. Neither addresses the point.

2 Likes

Sorry, but that’s uncalled for.

While I get you’re not a fan of this aspect of the implementation, that doesn’t mean you get to write off everyone who doesn’t agree with you. People are allowed to have different priorities/understandings of things without being accused of “blindly supporting” anything. Accusations like that involve massive assumptions, add nothing to a debate and can’t be proven anyway.

10 Likes

Alright, you are right in that. I did not mean to write people off!

Let me rephrase that: every time one person says they’d like more security they get multiple replies that (a) more security isn’t needed because you need to keep your phone secure. (b) they don’t want additional security because of the friction it causes, while only very few would support the idea of additional security.

I do believe that is factually accurate (and you can just scroll up this thread to see this), and I believe neither addresses the issue at hand.

2 Likes

HMRC has a similar thing. If you forget your ID you have to fill out an annoying form and get posted a letter which contains it. If you’ve forgotten your password I think you go through a similar process.

My dad has degrees in Physics (Cambridge) and Electronic Engineering so he’s not stupid and can fairly competently use a computer (he’s built a few from components) and yet this system persistently fails for him. The letters never seem to arrive and the website is unintuitive and unhelpful so as a user, he doesn’t get a good experience at all. Just using him as a test case, we can see that the system here is broken - so, due to all the security the users cannot use the actual service… which defeats the point here!

Passwords are deeply flawed and I think there needs to be a more ground up solution than making it very very difficult for people to access their account. There is a need for security, but there is also a need for usability and arguably usability should come slightly first as you can build the most secure system in the world, but if users cannot use it then it is pointless.

3 Likes

I would hate to have a bunch of extra ‘security’ foisted on me that I don’t want. I’m fine with people being able to add passwords and such but personally I already have to unlock my phone with a fingerprint or passcode

I don’t want to do that again in monzo, especially since I just use a password manager for passwords anyhow

That’s my opinion. Low friction all the way - nothing will ever be 100% secure so I’d rather monzo go for ‘good enough and nice to use’

6 Likes

Personally, I’ve never been a fan of the passwordless login system: you enter your email -> they send you an email -> click login. I’ve never been a fan, however, it works, it’s secure, and makes things easy for the end user.
You don’t have to remember a ton of details, or worry about putting them into a phishing website.

The only difference is, security then becomes down to the end-user, how secure is your email, can someone get a hold of this, and do you have steps to get it back if anything happens.

Therefore I recently changed my email to another provider to get 2 step authentication.

When it comes to the mobile, once you’ve authenticated a device, it then becomes the security of how secure your login is on that, how many people do you let on your phone… I personally don’t trust anyone and change my passwords for email and phone every 3-6 months.

There was a discussion on Monzo’s use of JWTs: Security protocol observations

2 Likes

No it is not uncalled for. Anyone who dares to express an opinion on securing the app with a password or pin or making steps in the app have additional security layers gets promptly attacked by a number of ardent zealots (often regulars) who are active in the community.

We have no objection to their views, and while a solution is to have any settings optional, they try and stamp on such ideas so we don’t even have that.

1 Like

Just following this guide: "Users Who Criticise Monzo Get Shouted Down Here"

I’m not sure this conversation is going to be particularly helpful or solve the actual issue at hand. I suggest if you want to talk about people getting “attacked”, the above thread might be a better forum.

To summarise: the app is not massively secure, some people see this as a benefit others as a drawback. Discuss without responding to emotion in people’s posts.

5 Likes

Sorry you felt attacked - I know I have criticised having extra layers of security in past but never intended to ‘attack’

BTW, I never said don’t bring an optional setting if it keeps more people happy and feel secure but I can only say for myself that I don’t want to login once I unlock my phone

3 Likes

I know you feel very strongly indeed about this issue - we’re all well aware how many times you’ve raised it. However, diatribes like this just come across as trolling. You are adding nothing to the conversation. Can you not make a point without upsetting other people?

9 Likes

I also wouldn’t object to an optional setting for people that want it as long as it doesn’t make me less secure. My concern with a password/separate PIN is the weakness is usually in the recovery process. There have been numerous instances of social engineering of companies that have resulted in people losing control of their account because someone else was able to reset/recover the password. So if passwords become a feature, that is potentially another attack vector against my account, as well as those who want this feature.

2 Likes

Quite. Here at Royal Holloway it is possible to reset anyone’s network password as long as you know their ID number and DOB, ID isn’t personal information and DOB is trivial to find.

2 Likes

I am not trolling. An anti-pin or anti-password person trolls and when I reply to them I get attacked. You guys are happy to let posts stand when they reflect your view and criticise us if our views are different. If you let people post the one view you should not try and stop others with a different view replying to them.

1 Like

This is your perception, not reality.

2 Likes

Here I disagreed with a comment by Feathers to Nanos. I should be free to support another user if I wish. If you want to police, direct and control these threads why not have every posted comment submitted for approval before it is shown. You can then ensure all threads reflect the corporate line of the Leaders or Monzo.

The point is, it gets really tiring seeing you repeat the same point over & over again. As I’ve already mentioned, it’s not going to get you the functionality that you’ve asked for & it wastes everyone’s time explaining what the situation is.

We know that the app’s security is being redesigned for v. 2 of the app, it’s pointless to debate whether the security is sufficient until then.

You’re not doing your credibility any favours by changing your profile picture like that either.


11 Likes

My problem with your disagreement is that you seem to be saying that you DO believe that anyone who doesn’t want the same security implementation as you do is “blindly” supporting Monzo.

I don’t think I’ve taken a side in this debate so it’s the assertion of “blindness” I was questioning and which you seem to be supporting.

If you really believe that anyone who disagrees with you is simply “blind” then…

(I think this is discussing content and not attacking anyone but that’s just my opinion! :weary:)

5 Likes

If you actually don’t read the thread in the order it appears but see what post the other leader was replying to, it was to a comment I made to Feathers in response to his reply to Nanos. I felt Nanos had made a valid comment and I was right to support them in that. Not reading the replies as they link together may take it out of context, but if the conversation thread is read rather than a succession of posts it makes more sense.