Security Weakness

Feedback & Ideas
#1

There is a significant security problem (I know there are those who will say that the App is secure enough, but hear me out).

If your phone falls into the wrong hands and is compromised, then there may well be nothing to stop them accessing your Monzo account. They may not be easily able to move money, but they can get a lot of information about your bank balance account details and transactions, other accounts that you may have etc. That is a significant issue.

How does this happen. You leave your phone somewhere, by mistake. It was switched on. Someone picks it up and sees that they have access to the phone.Then there may be no protection to stop them using the Monzo App. You may have set up fingerprint protection, but have you remembered to set it up again EVERY time you log out and in again? Because whenever you log out it unsets all your security settings.

I raised this originally a year ago.

It seems that Monzo management actually want it to be this way. Nobody has really explained to me why it is a good idea, but apparently it has something to do with making it easier for people to recover from some form of phone hardware failure. Guys, there are better ways of doing that!

This is why I canā€™t use Monzo as my main account and why as I look at other challenger banks, who donā€™t have all the good things that Monzo has, Iā€™m still tempted.

PS. Iā€™m also a shareholder. :frowning:

#2

Why are you logging out every time :thinking: itā€™s not required simply exit the app and to get back in you need to use whatever security verification was set up

2 Likes
#3

Iā€™m not and I donā€™t want to, I try to just exit, but the fingerprint recognition on my phone with Monzo (but only with Monzo) is not good and often it throws me out and then I have to log in again. There are other times when it may be necessary but they are much less frequent. Nevertheless the point is that I should not have to reset my security settings. Once set they should remain until I want them changed.

#4

What is the ā€˜itā€™ which unsets your security settings? And what phone does this happen on?

#5

This doesnā€™t make any sense.

#6

Security and privacy getting all mixed up again

6 Likes
#7

Security is personal also, personally as a rule I delete any emails that provide a magic link one used and also empty or never store deleted emails, then if you are being constantly being logged out then they need to know the email address you (Granted you may have one or several on ur phone, they would have to try them all).

And so what if they see all you account details what can they do, they canā€™t transfer money out, ok they can see ur address etc, but then if they check ur contacts list is maybe stored as ā€œmy cardā€ and you have added ur details, same with using Apple/google maps I am not aware of that requiring a password or biometrics if you have stored ur home address.

They could create a direct debit but by that time you will have gained access to ur account via the emergency web app and probably replaced the phone and signed in and back up and running.

So for me personally security is not an issue.

#8

Through accidental discovery I can attest that the magic links do stop working after a handful of hours

#9

:wink: I am aware of that it is more of that if there is no email with a magic link then in it, they have to try more email addresses to get the link I have about 10 email accounts in my phone as I do web hosting :joy:

3 Likes
#10

Not really. Itā€™s called ā€œPrivacy and Seccurityā€ on the setings tab.
Security helps ensure your privacy.

1 Like
#11

The ā€œitā€ is the Monzo App

P10

#12

Email addresses per se donā€™t provide a lot of protection. Security after log in really relies on your PIN.

OK you can argue that it relies on physical possession of your phone, your phone security, the correct email and your PIN, but, the email address is not really relevant here.

I donā€™t have any problem with how log in is done. My problem is that when I decide what security levels I want they should not then be arbitrarily undone.

Last year it wasnā€™t just log in that was causing the problem. Every time there was an update to the app the settings were reset! That one is now, I think, fixed.

#13

If youā€™re careless enough to continually keep leaving your phone unlocked and left around for strangers then youā€™ve bigger problems.

If I was nefariousā€¦ Iā€™d use your unprotected email account to reset your password for every website so I could take over all your accounts. I could do more damage with that.

I therefore think you need to implement your own enhanced security for more that just the Monzo app. Something like Android secure folder :slight_smile:

5 Likes
#14

Thatā€™s an unhelpful post. My security is probably a lot better than yours, and I have never lost a phone!

My point remains security setting should not be unset without my consent except in rare circumstances, and then I should be notified.

Imagine how silly it would look if the whole story was told on the relevant settings page.

Privacy and Security

ā€œThese settings are only temporary and will be unset from time to time. You should check back here regularly to see if they have been unset!ā€

Because that is the situation.

#15

If all of this is just about your fingerprint setting coming off - just say that. I think your main point is getting lost in all your other ramblings.

Report it as a bug (not here as an idea) or contact them in app and Iā€™m sure they will look into it :+1:

1 Like
#16

This thread is tricky to follow.

So you have thumb/face/pin/pattern to unlock your phone, and you then have thumb/face/pin to access the Monzo app.

Itā€™s really weird if youā€™re logging out of Monzo app each time. Nobody does that.

1 Like
#17

My mum would :joy::joy: she logs out of everything, refuses to save passwords and prints emails out before deleting them so her inbox is clear!

1 Like
#18

ā€œā€¦ the fingerprint recognition on my phone with Monzo (but only with Monzo) is not goodā€¦ā€

Thatā€™s not how modern biometric authentication works. Monzo donā€™t write any code related to biometrics- itā€™s all handled by your phoneā€™s OS.

4 Likes
#19

Perhaps now that Monzo are hitting 4m and getting a wider demographic that donā€™t realise how security or apps work it needs an overlay when you discover the log out and says ā€œyou really donā€™t need to log out and login each time, the pin / thumb / face can be used to authenticate, are you really sure you want to log out? Itā€™s making your life a lot harder and achieving nothing by doing it this wayā€

I guess thatā€™s quite a long modal, but you get the gist.

If someone has my phone and has got into my Monzo account Iā€™d be more worried Iā€™m down a thumb.
:dagger: :+1:

6 Likes
#20

It is. Iā€™ll attempt aTLDR.

The OP uses a P10, but I suspect that this happens on any phone.

  1. Log out of Monzo app.
  2. Leave phone unlocked.
  3. Another person can open the Monzo app because the biometric authentication has been disabled.
  4. This person could presumably then log back into the Monzo app using an emailed link.

The OP reported this a year ago and was informed that it was expected behaviour.

4 Likes