Security Weakness

There is a significant security problem (I know there are those who will say that the App is secure enough, but hear me out).

If your phone falls into the wrong hands and is compromised, then there may well be nothing to stop them accessing your Monzo account. They may not be easily able to move money, but they can get a lot of information about your bank balance account details and transactions, other accounts that you may have etc. That is a significant issue.

How does this happen. You leave your phone somewhere, by mistake. It was switched on. Someone picks it up and sees that they have access to the phone.Then there may be no protection to stop them using the Monzo App. You may have set up fingerprint protection, but have you remembered to set it up again EVERY time you log out and in again? Because whenever you log out it unsets all your security settings.

I raised this originally a year ago.

It seems that Monzo management actually want it to be this way. Nobody has really explained to me why it is a good idea, but apparently it has something to do with making it easier for people to recover from some form of phone hardware failure. Guys, there are better ways of doing that!

This is why I can’t use Monzo as my main account and why as I look at other challenger banks, who don’t have all the good things that Monzo has, I’m still tempted.

PS. I’m also a shareholder. :frowning:

Why are you logging out every time :thinking: it’s not required simply exit the app and to get back in you need to use whatever security verification was set up

2 Likes

I’m not and I don’t want to, I try to just exit, but the fingerprint recognition on my phone with Monzo (but only with Monzo) is not good and often it throws me out and then I have to log in again. There are other times when it may be necessary but they are much less frequent. Nevertheless the point is that I should not have to reset my security settings. Once set they should remain until I want them changed.

What is the ‘it’ which unsets your security settings? And what phone does this happen on?

This doesn’t make any sense.

Security and privacy getting all mixed up again

6 Likes

Security is personal also, personally as a rule I delete any emails that provide a magic link one used and also empty or never store deleted emails, then if you are being constantly being logged out then they need to know the email address you (Granted you may have one or several on ur phone, they would have to try them all).

And so what if they see all you account details what can they do, they can’t transfer money out, ok they can see ur address etc, but then if they check ur contacts list is maybe stored as “my card” and you have added ur details, same with using Apple/google maps I am not aware of that requiring a password or biometrics if you have stored ur home address.

They could create a direct debit but by that time you will have gained access to ur account via the emergency web app and probably replaced the phone and signed in and back up and running.

So for me personally security is not an issue.

Through accidental discovery I can attest that the magic links do stop working after a handful of hours

:wink: I am aware of that it is more of that if there is no email with a magic link then in it, they have to try more email addresses to get the link I have about 10 email accounts in my phone as I do web hosting :joy:

3 Likes

Not really. It’s called “Privacy and Seccurity” on the setings tab.
Security helps ensure your privacy.

1 Like

The “it” is the Monzo App

P10

Email addresses per se don’t provide a lot of protection. Security after log in really relies on your PIN.

OK you can argue that it relies on physical possession of your phone, your phone security, the correct email and your PIN, but, the email address is not really relevant here.

I don’t have any problem with how log in is done. My problem is that when I decide what security levels I want they should not then be arbitrarily undone.

Last year it wasn’t just log in that was causing the problem. Every time there was an update to the app the settings were reset! That one is now, I think, fixed.

If you’re careless enough to continually keep leaving your phone unlocked and left around for strangers then you’ve bigger problems.

If I was nefarious… I’d use your unprotected email account to reset your password for every website so I could take over all your accounts. I could do more damage with that.

I therefore think you need to implement your own enhanced security for more that just the Monzo app. Something like Android secure folder :slight_smile:

5 Likes

That’s an unhelpful post. My security is probably a lot better than yours, and I have never lost a phone!

My point remains security setting should not be unset without my consent except in rare circumstances, and then I should be notified.

Imagine how silly it would look if the whole story was told on the relevant settings page.

Privacy and Security

“These settings are only temporary and will be unset from time to time. You should check back here regularly to see if they have been unset!”

Because that is the situation.

If all of this is just about your fingerprint setting coming off - just say that. I think your main point is getting lost in all your other ramblings.

Report it as a bug (not here as an idea) or contact them in app and I’m sure they will look into it :+1:

1 Like

This thread is tricky to follow.

So you have thumb/face/pin/pattern to unlock your phone, and you then have thumb/face/pin to access the Monzo app.

It’s really weird if you’re logging out of Monzo app each time. Nobody does that.

1 Like

My mum would :joy::joy: she logs out of everything, refuses to save passwords and prints emails out before deleting them so her inbox is clear!

1 Like

“… the fingerprint recognition on my phone with Monzo (but only with Monzo) is not good…”

That’s not how modern biometric authentication works. Monzo don’t write any code related to biometrics- it’s all handled by your phone’s OS.

4 Likes

Perhaps now that Monzo are hitting 4m and getting a wider demographic that don’t realise how security or apps work it needs an overlay when you discover the log out and says “you really don’t need to log out and login each time, the pin / thumb / face can be used to authenticate, are you really sure you want to log out? It’s making your life a lot harder and achieving nothing by doing it this way”

I guess that’s quite a long modal, but you get the gist.

If someone has my phone and has got into my Monzo account I’d be more worried I’m down a thumb.
:dagger: :+1:

6 Likes

It is. I’ll attempt aTLDR.

The OP uses a P10, but I suspect that this happens on any phone.

  1. Log out of Monzo app.
  2. Leave phone unlocked.
  3. Another person can open the Monzo app because the biometric authentication has been disabled.
  4. This person could presumably then log back into the Monzo app using an emailed link.

The OP reported this a year ago and was informed that it was expected behaviour.

4 Likes