Security - needs some serious thought


(Dale) #1

Hey there,

Great system. Really stoked with it!

My one major concern, which worries me, is the lack of security, especially with your recent bank status and the fact that we live in a world where it is becoming ridiculously easy to hack/bypass and access “secure apps”. This should be a priority.
I know you have Touch ID, but I really think there needs to be at least a passcode added to the app. The fact I can just keep adding cash to my card with no passcode or confirmation is alarming, and if it somehow did get into the wrong hands they would have a field day!
In addition, the section where you add more money to your card should have its own security to confirm that you are indeed who you should be.

Thanks for an amazing app/service

D.


#2

If someone finds my phone and keeps adding money to my account all day long they are welcome to :grin:


#3

I completely agree @Raven66. I find it a little bit worrying how easy it is to top up without additional security checks. If someone did manage to get hold of your phone and card and knew what they were doing, you’d be in trouble.

Perhaps just offering the option to toggle on/off additional security layers would be the best compromise for people that don’t want them.


(Dale) #4

@MIROW Not if they have your card and phone that you happened to lose (had stolen) on a night out…


(Josh Bray) #5

I partially agree with you. One of the main things that really annoyed me with the likes of Nationwide, First Direct and HSBC was that I had to jump through hoops just to do anything. I think some banks have it right. Lloyds make you register your device by making you jump through hoops the first time, and from then on you just have to confirm three characters of your password if you’re on the same device.


#6

Just simple things like running Norton App Lock stop them getting into your Monzo app without entering a finger pattern swipe, PIN or password. Your phone security settings should have a screen lock with a quick timeout, the device encrypted so it needs a decryption password on power-on in addition to the regular power-on password and the SIM password. If people have an unencrypted phone with no passwords or any security software they are asking for trouble, as they are making no effort to keep their personal data secure, let alone banking data. That said, a simple 5 or 6 digit PIN on starting the app, or when toggling back to the app if it is in the background, surely that is not too much to ask?


#7

My comment about adding money to the card was of course a joke, if you did not see that :sob:


(Danny) #8

Just do what Starbucks do when you want to add money, use touch ID.


(Dale) #9

@MIROW I got it was a joke :).

@MIROW & @Jkb114 Don’t want to split hairs here, as the general ask is just to improve security to a good level, but how many times have you been out, either with someone you have just met, friends or even at the bar, and seen someone type their password into their phone? So easy to see, memorise and take advantage of if you really had the intention. Touch ID is great, but it is more of a gimmick than a reliable foolproof way of security.

Jkb, I completely agree with you on the annoyingly difficult security protocols, but given Monzo have been able to approach the banking system in a user-friendly, more customer-based way, I am sure they could apply the same focus to an equally good security measure that allows people to take them seriously as a bank. With the popularity that will surely come, there will be a diversity of needs, and that means the need for more security for certain users more so than others, as their needs and the volume of money that is transferred require it.


(Terry) #10

I think the security is fine as it is. My phone is protected with a passcode / Touch ID, which would be very hard to bypass in the first place. Yes, once you are in you can top up as much and whenever you like, but if you want to send money to someone you need to enter your PIN number, so the worst they could do would be to add money to your account. That’s as long as they have been able to get hold of my phone and somehow break through my phone’s passcode, which I believe would be very hard to do, as demonstrated in the FBI vs Apple case.

Now I understand that if you were to give your phone to someone and unlock it for them, they would still need your fingerprint to open the app (providing you have enabled this), and again if they wanted to send money they would need your PIN code.

I don’t want to be nagged every time I want to top up or perform an action.


(Ben Green) #11

The only slight concern I have over security is how blissfully easy it is to pay a large amount of money to a new merchant at a time that I don’t usually make any payments. Although Monzo isn’t the only card provider that’s guilty of this.

Last week I paid several hundred pounds for a hotel using a different currency after midnight to an online merchant I’ve never spent any money with before using that account. That was on Barclaycard not Monzo btw.

Some banks such as HSBC have an intelligent behavioural recognition system built in that detects anything out of the ordinary, flagging it as potential fraud before authorising the payment. I’m not entirely sure how the authorisation process works in this situation, but I have heard of it happening to some users. They receive a phone call, either to the card holder’s mobile or the merchant’s phone, and the card holder would then be asked to pass a security test over the phone.

All that sounds like a bit too much hassle but at the same time kind of provides peace of mind that my money would be so well protected.

In the case of Monzo, I’d imagine I receive a notification where I must either enter my pre-registered passcode or verify by Touch ID if my requested purchase does not fit my usual spending habits. I might also be given the option to confirm that the requested transaction is actually fraudulent, in which case the location could be passed to the local police and the fraudster gets arrested.

http://feedzai.com/use-cases/authorize-payments/

Some key indicators for fraudulent behaviour might be:

  • Frequent high value transactions
  • Use of different currencies in quick succession
  • Use of card in multiple locations separated by long distance in quick succession
  • Use of card at an irregular time of day/night
  • High value transaction at a merchant never used on that card before

I can’t think of any other indicators. Would somebody else want to weigh in?


(Terry) #12

I know Monzo is looking at location for brick and mortar stores, so if your card is used in France and your phone is with you in London, Mondo can see this and go hey, something is not right here and decline the transaction. This could also work more locally too, I’m not too sure how far away the transaction needs to be before it’s flagged up.
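The indicators listed in Ben’s post above, plus the phone-versus-merchant location check Terry describes, are straightforward to express as a rule-based scorer. The following is an added worked example written for this thread, not Monzo’s code or any poster’s. All thresholds (high-value amount, 900 km/h “impossible travel” speed, 50 km phone radius, two indicators before a passcode / Touch ID prompt), the `Txn` record, the merchant names and the transaction history are constructed assumptions; the decision tiers (approve, review, step up) follow Ben’s suggestion of prompting for a passcode or Touch ID only when a payment does not fit the card’s usual pattern.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Assumed thresholds for this example; a real system would tune them per card.
HIGH_VALUE = 200.0       # amount (account currency) treated as "high value"
MAX_TRAVEL_KMH = 900.0   # two card-present payments further apart than this is "impossible travel"
PHONE_RADIUS_KM = 50.0   # card-present payment further than this from the phone is suspicious
STEP_UP_AT = 2           # this many indicators -> ask for passcode / Touch ID


@dataclass
class Txn:
    ts: datetime
    amount: float        # in the account's own currency
    currency: str        # currency the merchant charged in
    merchant: str
    lat: float
    lon: float
    online: bool = False  # True for card-not-present (web) payments


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two lat/lon points, in km."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def fraud_indicators(txn, history, phone_location=None):
    """Return the names of the indicators this transaction trips.

    history: earlier transactions on the same card.
    phone_location: (lat, lon) of the holder's phone, or None when unknown
    (e.g. the phone was left charging at home).
    """
    reasons = []

    def recent(hours):
        return [h for h in history
                if timedelta(0) <= txn.ts - h.ts <= timedelta(hours=hours)]

    # 1. Frequent high-value transactions: this one plus at least two more in 24h.
    if txn.amount >= HIGH_VALUE and sum(h.amount >= HIGH_VALUE for h in recent(24)) >= 2:
        reasons.append("frequent_high_value")

    # 2. Different currencies in quick succession (6h window).
    if any(h.currency != txn.currency for h in recent(6)):
        reasons.append("currency_switch")

    # 3. Card-present payments too far apart for the time elapsed.
    physical = [h for h in history if not h.online and h.ts < txn.ts]
    if physical and not txn.online:
        prev = max(physical, key=lambda h: h.ts)
        km = haversine_km(prev.lat, prev.lon, txn.lat, txn.lon)
        hours = (txn.ts - prev.ts).total_seconds() / 3600
        if km / hours > MAX_TRAVEL_KMH:
            reasons.append("impossible_travel")

    # 4. Irregular time of day: an hour in which this card has never transacted.
    if history and txn.ts.hour not in {h.ts.hour for h in history}:
        reasons.append("unusual_hour")

    # 5. High value at a merchant never used on this card.
    if txn.amount >= HIGH_VALUE and txn.merchant not in {h.merchant for h in history}:
        reasons.append("high_value_new_merchant")

    # 6. Phone and merchant far apart for a card-present payment.
    if phone_location is not None and not txn.online:
        if haversine_km(*phone_location, txn.lat, txn.lon) > PHONE_RADIUS_KM:
            reasons.append("phone_far_from_merchant")

    return reasons


def decision(reasons):
    """approve (nothing odd), review (log only), or step_up (passcode / Touch ID prompt)."""
    if not reasons:
        return "approve"
    return "review" if len(reasons) < STEP_UP_AT else "step_up"


# Constructed sample history: daytime GBP spending in London over three days.
LONDON = (51.5074, -0.1278)
PARIS = (48.8566, 2.3522)
HISTORY = [
    Txn(datetime(2017, 3, 8, 9, 5), 3.20, "GBP", "Pret", *LONDON),
    Txn(datetime(2017, 3, 8, 13, 10), 8.50, "GBP", "Tesco", *LONDON),
    Txn(datetime(2017, 3, 9, 12, 40), 12.00, "GBP", "Pret", *LONDON),
    Txn(datetime(2017, 3, 9, 18, 15), 45.00, "GBP", "Tesco", *LONDON),
    Txn(datetime(2017, 3, 10, 12, 55), 6.75, "GBP", "Pret", *LONDON),
    Txn(datetime(2017, 3, 10, 19, 0), 30.00, "GBP", "Tesco", *LONDON),
]

if __name__ == "__main__":
    # Ben's hotel scenario: large, foreign-currency, after midnight, new online merchant.
    hotel = Txn(datetime(2017, 3, 11, 0, 30), 350.00, "EUR", "hotel-booking-site", *LONDON, online=True)
    r = fraud_indicators(hotel, HISTORY)
    print(decision(r), r)
    # Terry's scenario: card used in Paris 20 minutes after London, phone still in London.
    paris = Txn(datetime(2017, 3, 10, 19, 20), 15.00, "EUR", "Cafe Paris", *PARIS)
    r = fraud_indicators(paris, HISTORY, phone_location=LONDON)
    print(decision(r), r)
```

Run stand-alone it prints `step_up` for both scenarios with the indicators each one tripped; a routine Tesco top-up at 19:30 with the phone in London trips none and is approved without any prompt, which is the balance the thread is asking for.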


(Ben Green) #13

I wasn’t aware that Monzo is aware of the phone’s location, I just thought it went by the location of the shop requesting the transaction.

If that’s the case then it’d almost certainly be an attempt at fraud. Sometimes, though, I have left my phone charging at home while I popped to the supermarket for my weekly shopping. I’ll just need to remember about this security feature once it’s been deployed.


(CS) #14

Just curious, why do you think Touch ID is more of a gimmick?

It seems that while it has been demonstrated that it can be bypassed by some creative means, it still takes a good amount of know-how and effort.


(Rika Raybould) #15

Additionally, please remember that Touch ID is simply a quick (but still fairly strong) authentication method; it is not directly used at any point in any encryption processes.

Your password/passcode at device boot is used along with other values in the SE to derive the data decryption keys. At a high level, all Touch ID is doing on the SE is confirming that it is still you using the device.


(Tom ) #16

Yeah I’d definitely pass on additional security for the app. My iPhone/iOS environment is my security. One of the reasons I like Monzo so much is that I’m straight in and can do what I need to do.


(Saveen) #17

+1


#18

I really like this about Monzo as well; its speed and simplicity. However it wouldn’t hurt to allow users to toggle on/off an additional layer of security for more sensitive transactions (just like you can toggle the touch ID on/off). It would just give people peace of mind for times when there is a higher risk of losing your belongings, i.e. on holiday or on a night out.


(Danny) #19

Let’s just add the following:

  • Touch ID
  • A security question
  • A 6 or more digit PIN that has to have 1 capital, 1 symbol and 1 number, that changes every 30 days, and the same password cannot be used for a year
  • 2FA

All of the above to open the app and then the same again to send money.

I think that should put everyone’s mind at ease over security

FYI This is sarcasm :smile:


#21

That is overkill if compulsory and will put many off. There should be options for these ideas, i.e. choices. Many of us will be happy with a 5 or 6 digit PIN but baulk at the idea of having a mix of upper and lower case etc. changed every 30 days :angry: