Sim swap hacking


(Mimi) #1

Just read about sim swap hacking, which frightens me as my online banking has previously been hacked. This is where companies send text messages to verify your identity. I’m a little concerned that Monzo still uses text messaging to verify identity. Could there be another way you can verify identity?


(Eve) #3

Which identity verification are you referring to? E.g. a forgotten PIN, identity confirmation when opening an account, etc.? As far as I know this is done in-app with a selfie video function. I think only Apple Pay goes through a text message, but I think that’s standard for all manual Apple Pay setups since I got the same for other cards. Maybe someone else could confirm this for me since that’s the only text message I’ve got from Monzo.


#4

Looking at my messages, the only message I can see is a verification code. As long as you don’t follow any links on messages or respond then it’s not really going to be a problem. Always go into the chat on the app if you get an unexpected text message rather than any link or phone number you’re given.


#5

@Rat_au_van Was that verification for Apple Pay/Google Pay? I can’t remember Monzo ever asking for one when setting up an account or when logging in on a new device?


#6

When I first signed up, after the cringeworthy video judging by the date on it

Edit: actually think it was when the app downloaded before the video stage


#7

Ah ok.

Sending a verification code via SMS when setting up an account shouldn’t be a concern. It’s just a check to confirm that you are in possession of the phone number and links this number to your account. At least this is what I believe.

I think the issue with SIM swapping or ‘phone port hacking’ is when banks use it as a form of 2FA (Two Factor Authentication). That is, every time you log into your account you’ll need a password and then a code will be sent to your phone.

It’s not the best solution but it’s a better solution than just a password. Someone would need to know your password and also have access to your phone or go through the hurdles needed to SIM swap or port it so that they could access your account by intercepting this SMS.

Monzo’s security is more or less linked to your email security (which can also include this form of 2FA). It’s kind of an odd topic and one I’m hardly qualified to discuss though - maybe there’s someone a bit more knowledgeable about it?

I’ve hidden this response as I felt it could be misleading.


(Kevyn) #8

You need your Monzo card PIN to do any in-app transactions so it is 2-factored in that way.


#9

The SIM swap is where they cancel your phone number and have it reactivated on their phone so they don’t need access to your phone.
Generally they get your account details through some sort of phishing beforehand though. They’d need the PIN which would have to be done by selfie (I think that would be the case on any new download) so I doubt they would get any joy targeting a Monzo account.


#10

Yeah, sorry I tried to rewrite it so it didn’t sound like you physically needed the phone/SIM to swap it. But Kevyn and yourself are right you still need the PIN after all of that to actually transfer money - and that requires a video matching your ID and initial video. :+1:

Is there a blog post or video explaining Monzo’s security and privacy protection?


(Andre Borie) #11

The phone number verification is only when opening accounts, and it’s most likely to work around some regulatory nonsense - the phone number is never used after that, so there’s little risk in it being compromised.


(Mimi) #12

Yeah? When setting up Apple Pay that’s the last time they sent me a text


#13

Hmm, this would probably need someone from Monzo to break down. At least Monzo don’t allow you to verify by simply phoning up (from any phone) like Halifax :angry:.


#14

This is an Apple Pay verification :+1:

The only time we send a text is to confirm your mobile number during signup stage.

We do not even send PIN reminders via text any longer.