There is a significant security problem (I know there are those who will say that the App is secure enough, but hear me out).
If your phone falls into the wrong hands and is compromised, then there may well be nothing to stop them accessing your Monzo account. They may not easily be able to move money, but they can get a lot of information about your bank balance, account details and transactions, other accounts that you may have, etc. That is a significant issue.
How does this happen? You leave your phone somewhere by mistake. It was switched on. Someone picks it up and sees that they have access to the phone. Then there may be no protection to stop them using the Monzo app. You may have set up fingerprint protection, but have you remembered to set it up again EVERY time you log out and in again? Because whenever you log out, it unsets all your security settings.
I raised this originally a year ago.
It seems that Monzo management actually want it to be this way. Nobody has really explained to me why it is a good idea, but apparently it has something to do with making it easier for people to recover from some form of phone hardware failure. Guys, there are better ways of doing that!
This is why I can't use Monzo as my main account and why, as I look at other challenger banks, who don't have all the good things that Monzo has, I'm still tempted.
Why are you logging out every time? It's not required; simply exit the app, and to get back in you need to use whatever security verification was set up.
I'm not and I don't want to. I try to just exit, but the fingerprint recognition on my phone with Monzo (but only with Monzo) is not good and often it throws me out, and then I have to log in again. There are other times when it may be necessary, but they are much less frequent. Nevertheless, the point is that I should not have to reset my security settings. Once set, they should remain until I want them changed.
Anarchist
(Press 'Help', search 'Contact us' or email help@monzo.com or call 0800 802 1281)
#4
What is the 'it' which unsets your security settings? And what phone does this happen on?
Security is personal also. Personally, as a rule I delete any emails that provide a magic link once used, and also empty or never store deleted emails. Then if you are constantly being logged out, they need to know your email address (granted you may have one or several on your phone; they would have to try them all).
And so what if they see all your account details? What can they do? They can't transfer money out. OK, they can see your address etc., but then if they check your contacts list it is maybe stored as 'my card' and you have added your details; same with using Apple/Google Maps, I am not aware of that requiring a password or biometrics if you have stored your home address.
They could create a direct debit, but by that time you will have gained access to your account via the emergency web app and probably replaced the phone and signed in and be back up and running.
I am aware of that. It is more that if there is no email with a magic link in it, they have to try more email addresses to get the link. I have about 10 email accounts on my phone as I do web hosting.
Email addresses per se don't provide a lot of protection. Security after log-in really relies on your PIN.
OK, you can argue that it relies on physical possession of your phone, your phone security, the correct email and your PIN, but the email address is not really relevant here.
I don't have any problem with how log-in is done. My problem is that when I decide what security levels I want, they should not then be arbitrarily undone.
Last year it wasnât just log in that was causing the problem. Every time there was an update to the app the settings were reset! That one is now, I think, fixed.
If you're careless enough to continually keep leaving your phone unlocked and lying around for strangers, then you've bigger problems.
If I was nefarious… I'd use your unprotected email account to reset your password for every website so I could take over all your accounts. I could do more damage with that.
I therefore think you need to implement your own enhanced security for more than just the Monzo app. Something like Android Secure Folder.
'… the fingerprint recognition on my phone with Monzo (but only with Monzo) is not good…'
That's not how modern biometric authentication works. Monzo don't write any code related to biometrics; it's all handled by your phone's OS.
phildawson
(Sorry, I will have to escalate this.)
#19
Perhaps now that Monzo are hitting 4m and getting a wider demographic that don't realise how security or apps work, it needs an overlay when you discover the log out that says 'you really don't need to log out and log in each time, the PIN / thumb / face can be used to authenticate, are you really sure you want to log out? It's making your life a lot harder and achieving nothing by doing it this way.'
I guess that's quite a long modal, but you get the gist.
If someone has my phone and has got into my Monzo account, I'd be more worried I'm down a thumb.
Anarchist
#20
It is. I'll attempt a TL;DR.
The OP uses a P10, but I suspect that this happens on any phone.
Log out of Monzo app.
Leave phone unlocked.
Another person can open the Monzo app because the biometric authentication has been disabled.
This person could presumably then log back into the Monzo app using an emailed link.
The OP reported this a year ago and was informed that it was expected behaviour.
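To make the TL;DR above concrete, here is an added model (not Monzo's code, and not from anyone in this thread) of the two logout policies being argued about. It assumes a simplified client that keeps just two things locally: a session token and an "app lock" preference (the fingerprint/PIN gate), and that re-login is completed by clicking a magic link sent to an email account that is also open on the same, unlocked phone. The function and field names are invented for the illustration.

```python
"""Model of what an unlocked-phone finder can see under two logout policies.

Constructed example: a toy client state, not a real banking app. The assumptions
are that (a) the magic-link email is readable on the same phone and (b) the app
lock, when enabled, is enforced before any account data is shown.
"""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class ClientState:
    session_token: Optional[str] = None  # None means logged out
    app_lock_enabled: bool = False       # the "fingerprint protection" setting


def logout_reset_everything(state: ClientState) -> None:
    """Policy the OP describes: logging out wipes every local setting,
    including the app lock preference."""
    state.session_token = None
    state.app_lock_enabled = False


def logout_keep_preferences(state: ClientState) -> None:
    """Alternative policy: logging out only invalidates the session; the
    user's chosen lock setting survives until they change it themselves."""
    state.session_token = None


def login_via_magic_link(state: ClientState, can_read_mail: bool) -> bool:
    """Re-login succeeds for whoever can open the emailed link on this phone."""
    if not can_read_mail:
        return False
    state.session_token = "new-session"  # assumed token, value irrelevant
    return True


def account_data_visible(state: ClientState, can_pass_lock: bool) -> bool:
    """Account data is shown only when logged in and, if the app lock is
    enabled, only after the biometric/PIN gate is passed."""
    if state.session_token is None:
        return False
    if state.app_lock_enabled and not can_pass_lock:
        return False
    return True


def finder_sees_data(policy: Callable[[ClientState], None]) -> bool:
    """Scenario from the thread: owner had the lock on, logged out, then left
    the phone unlocked. The finder can read the owner's mail (same phone) but
    cannot pass the owner's fingerprint/PIN."""
    state = ClientState(session_token="owner-session", app_lock_enabled=True)
    policy(state)
    login_via_magic_link(state, can_read_mail=True)
    return account_data_visible(state, can_pass_lock=False)


def owner_sees_data(policy: Callable[[ClientState], None]) -> bool:
    """Sanity check: the legitimate owner, who can pass the lock, is never
    locked out by the stricter policy."""
    state = ClientState(session_token="owner-session", app_lock_enabled=True)
    policy(state)
    login_via_magic_link(state, can_read_mail=True)
    return account_data_visible(state, can_pass_lock=True)


if __name__ == "__main__":
    for name, policy in (("reset everything", logout_reset_everything),
                         ("keep preferences", logout_keep_preferences)):
        print(f"{name}: finder sees data = {finder_sees_data(policy)}, "
              f"owner sees data = {owner_sees_data(policy)}")
```

The only difference between the two policies is whether `app_lock_enabled` is cleared alongside the session token. With the reset policy the emailed link alone is enough for the finder to get back in; with the keep policy the same link gets them a session but the gate still stands between them and the account data, and the owner loses nothing.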