Security: no 2-step authentication for payments?


#1

I use Android and have converted my account into a full bank account. Much to my surprise, I noticed that entering the 4-digit card pin is all that’s required in order to make a wire transfer to another account.

Is this secure enough? I am not convinced and won’t use Monzo as my main bank account till this changes (and joint accounts are added). I appreciate that, as long as there is no access via a website, no one can try to set up a fake website to intercept passwords etc., but, still, I don’t feel comfortable knowing that a 4-digit code is all that is needed to authorise payments from my account.

You might say that you also need access to the phone, but that’s weak security; e.g. many people use a pattern to unlock their phones; hold the phone at a specific angle, look at the smudges left on the screen, and that will give you a good idea of what the pattern was!


(Allie) #2

It is two factor authentication as you need both a knowledge factor (the card PIN) and a possession factor (the phone or the email the account is tied to).

Strength of each factor is another issue but you already know I’m just going to say both your phone and email should be very secure…


(Liam W) #3

If someone knows your PIN, they can access your money anyway (from an ATM). This is just as secure as that.


#4

So am I the only one who feels this way?

What do you mean by needing the email?

Unless Monzo requires password or pin locking (not pattern locking) on the phone, then possession of the phone is not particularly secure. I don’t use pattern locking but many people do. This is the reason why some corporate email apps require password or pin, not pattern.

The difference with the ATM card is that bank transfers have higher limits than ATM withdrawals.

Also, having the same code for both the app and the card is not very wise!


#5

I saw one report that said it was easier for shoulder surfers to remember a number than a pattern. Either way your comment on making phone pins different from card pins is very important to increase your security, if one is compromised the other isn’t. Plus if you get the chance to set a variable length pin go for 5 or 6 digits not just 4.


#6

Agree with this, but didn’t Monzo (Richard) say they don’t support greater than 4 digits?


#7

Yes, their card (and hence where the app uses your card PIN) has a 4-digit requirement. However, if you protect your phone with an OS screen lock, or have an app to protect the phone or individual apps, that may allow longer PINs.


#8

Ever heard of ‘reverse smudge engineering’?


#9

I’m in full agreement with you, that Monzo’s security posture is woefully inadequate, in more aspects than just this one. (There are multiple threads on this, and I voice my displeasure in each and every one of them, so apologies to those who have read my rants before.)

No, it’s not. It may be 2-step verification (if we assume the phone has a PIN), but it’s not (inherently) 2FA as you don’t need the phone, you only need access to the email account. For email access you will usually only need a single factor, so all you need is your pin (something you know) and your email password (something else you know). This is NOT 2FA, it’s 2SV.


#10

The same thing has been said about pins. First digit leaves more dirt and grease than subsequent digits so greasiest is normally first digit and less greasy the last.


#11

It’s not exactly comparable. Why should the first digit leave more dirt? If I look at my phone now I can see some smudges which correspond to numbers in my pin and some which don’t. While I agree that it’s not ideal and that it can be a starting point to hack into my phone, I disagree that it is in any way comparable to the lower security of using a pattern; or, in other words, the odds of pattern security being broken are much higher.
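The smudge debate in the posts above (which keys were pressed versus in what order) can be put into numbers. The following is an added example and is not code from the original thread or from Monzo: it enumerates the 4-digit PINs consistent with a set of smudged keypad keys, optionally applies the "greasiest key is the first digit" hint, and compares a guesser's odds against a three-attempt lockout. The smudged keys, the PIN length and the lockout count are constructed assumptions.

```python
from itertools import product


def candidate_pins(smudged_keys, length=4, first_digit=None):
    """Return every PIN of `length` digits that uses each smudged key at least once.

    `smudged_keys` is the set of keypad digits showing a fingerprint. If the
    attacker also believes the greasiest key is the first digit (the claim
    made above in the thread), `first_digit` prunes the list further.
    A smudged key that is never pressed is not explained, so such PINs are
    dropped; a key pressed twice leaves one smudge, so repeats are allowed.
    """
    keys = set(smudged_keys)
    if not keys or len(keys) > length:
        return []
    if first_digit is not None and first_digit not in keys:
        return []
    pins = []
    for combo in product(sorted(keys), repeat=length):
        if set(combo) != keys:
            continue
        if first_digit is not None and combo[0] != first_digit:
            continue
        pins.append("".join(combo))
    return pins


def success_probability(smudged_keys, length=4, first_digit=None, tries=3):
    """Chance a guesser beats a lockout of `tries` attempts using the smudge info."""
    pins = candidate_pins(smudged_keys, length, first_digit)
    if not pins:
        return 0.0
    return min(tries, len(pins)) / len(pins)


def blind_success_probability(length=4, tries=3):
    """The same guesser with no smudge information at all."""
    return tries / 10 ** length


if __name__ == "__main__":
    smudges = "1593"  # constructed example: four distinct smudged keys
    print("candidates from smudges only:", len(candidate_pins(smudges)))
    print("candidates with first-digit hint:", len(candidate_pins(smudges, first_digit="1")))
    print("odds in 3 tries, blind:", blind_success_probability())
    print("odds in 3 tries, smudges:", success_probability(smudges))
    print("odds in 3 tries, smudges + hint:", success_probability(smudges, first_digit="1"))
```

With four distinct smudged keys the keyspace falls from 10,000 to 24 orderings, and the first-digit hint cuts it to 6, so a three-attempt lockout goes from a 0.03% chance for a blind guesser to 12.5% and then 50%. Three smudged keys (one digit repeated) leave 36 candidates, so a repeated digit slightly helps the defender. The point for the thread is that smudges leak the digits but not their order, so what a 4-digit PIN has left is ordering entropy plus the lockout, which is why a longer PIN and a different PIN for card and app matter.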


(Peter Roberts) #12

Definitely not :grinning:. I actually don’t but I’ve read many people talking about the same issue

My question is do you think perhaps you feel this way due to the expectation set by other banks with their annoyingly complicated high security requirements?

I’m not convinced that most of them are rationally grounded so I’m pretty comfortable with the current level of security in Monzo

If it’s going to be the :bank: did everyone though it needs to be configurable for people who want more :peace_symbol:️ of mind though!


#13

Hello, I’m sorry that you feel it’s not secure enough for you, but we are looking at fingerprint lock support.

Please see our Trello Roadmap to keep up to date with what’s upcoming! :monzo:

Additionally, as an Android user I personally find that my phone PIN and the PIN within the Monzo app work for me. There’s far more to worry about on my phone if someone unlocks it :speak_no_evil::scream:


#14

The problem I have with this, is that Security with Monzo often seems like an afterthought. In this example: Many months after release of the Android app you want to cobble together some fingerprint support. Another recent example: For the AISP API you want to implement the ability to revoke access from my end at an unspecified later stage, but are releasing the API now. Again: This gets bolted on later. It should be there from the beginning.

That just doesn’t evoke confidence. Security should be a primary consideration from the concept stage onwards. It shouldn’t be something that’s bolted on later, when someone notices. Those bolt-ons are where things usually break…


#15

I prefer the ease of use, and that is definitely a factor built into our banking :ok_hand:

We have however listened to the community and we are working on this feature :hugs:


#16

Over security? Have I misunderstood?


#17

Instead of remembering lots of passcodes, which personally puts me off keeping up with my banking.

I’ve never been more on top of it with Monzo :monzo:


#18

This is terrifying, isn’t it?


#19

You only have to remember one: The one to your password manager!


(Richard Bairwell) #20

Okay, if we accept using the card’s PIN and any associated phone provided security as “not enough”, what other things could Monzo offer?

  • SMS? It’ll go to the phone which is currently in the possession of “bad person” so that’s not possible.

  • Call? Again, same issue.

  • Email… Again, same issue.

  • Yubikey 2 factor (using NFC). Might work with NFC enabled Android phones, but additional expense and not compatible with Apple devices.

So that leaves really:

  • Card reader (as per Barclays/Nationwide). Additional expense and not really keeping with Monzo’s ethos in my opinion.

  • Asking additional account holder information (dob, middle bit of card number etc) or additional selfie steps.

For the majority of transactions, I think these will just be annoying (and Monzo already has additional selfie-style steps for large payments - IIRC - and anything that “trips” their fraud detection system). Worst case scenario: Monzo has to refund you your money over the “theft”.