Two Factor Security

At the moment my Monzo account is only as secure as my phone is. If I was ever going to trust Monzo with my business transactions & money, I would expect additional layers of security to be put in place. In particular, I would like to have the option of using some kind of PIN Sentry device so that I don’t have to rely solely on my phone, which can be hacked or stolen.

What security problems do you think there are now?

I’m guessing you have an Android for it to be hacked, and have you never heard of a PIN number to lock your phone?

1 Like

Did you ever wonder why Barclays, Lloyds and other high street banks are issuing PIN Sentry devices to their business customers?

Yes because they have absolutely no idea about security.

17 Likes

  • Put a passcode on your phone
  • No one’s hacking it
  • The app requires additional verification before money can be removed from your account

3 Likes

None, because pretty much nobody is using Monzo’s business banking offering. That’s including me.

I tend to disagree. Two-factor security is an industry-standard solution which offers a higher level of security where it’s needed.

Theatre.

6 Likes

They issue them to personal customers as well, so it’s not just business.

2FA doesn’t have to be through a PIN Sentry. Biometrics and magic link emails have the same effect.

Biometrics and magic link emails are usually accessed via the same phone where the Monzo app is installed. I would prefer having those separated. Preferably on an offline device like PIN Sentry is.

That isn’t going to happen

Do you have your phone locked?

Presumably your email on your phone is secured by 2FA?

2 Likes

They wouldn’t be able to open your emails if the phone is locked, plus they need your card PIN when logging in on a new phone, which is multi-factor authentication because you have PIN + email as security.

People shouldn’t have biometrics on for transaction authentication if there’s another person’s biometrics saved on the device.

To bypass a relatively new Android’s lock screen you need a nation-sponsored level of resources, and as long as that isn’t your threat model then realistically your Monzo app is safe.

3 Likes

That has nothing really to do with something being secure or not.

You’ve not really said what it is you’re worried about. You mention your phone being hacked or stolen. But a secure phone has almost zero risk of your bank being compromised due to it being hacked or stolen.

If your phone is stolen they can’t get into it because of the security in place, e.g. the PIN, fingerprint or Face ID. You can remotely brick the device as well; phones are practically useless to thieves these days.

On the hacking side… This just doesn’t really happen. Modern phones have security functions separated from the rest of the phone, and to ‘hack’ a phone you’d effectively need to have it rooted or do something foolish with it to let someone in. Considering your concern for security, I can only imagine you have an un-rooted phone which is up to date and supported by the manufacturer?

Your concern seems partially rooted in the sometimes over the top shouts of fire from the media who fail to explain security situations effectively.

If you really want, you can use two different methods: one to open your phone and one to make payments, e.g. PIN for one, Face ID for the other.

4 Likes

Sigh. Here we go again. This exact same thing pops up regularly every couple of months. Go search the forum for something like “security theatre”.

PIN Sentry readers are a relic from pre–smartphone days. Barclays and others offer the same code–generating function on their apps, and they only have to do this because their web banking is also decades old.

Monzo was built from the ground up in the modern era and it doesn’t even have web banking. It doesn’t need extra security if you secure your phone with a PIN or fingerprint/face/ID.

3 Likes

Security Theatre would be a great name for my hypothetical new math rock band

7 Likes

Well, to log in to the app today after I reset the session on iOS, I was sent a magic link then asked to enter my card PIN number to access the app.

On top of accessing my phone via Face ID

So personally more than secure

PIN Sentry requires your PIN.
Transferring money in Monzo requires your PIN or equivalent.

I don’t want to rely on the assumption that my phone is secure and cannot be hacked (excluding state actors). I rely on the Assume Nothing, Trust No One (TNO) principle.

Phones can be bricked remotely only as long as they remain connected to Apple or Google services.

You’re right about my phone not being rooted and having the most up-to-date software available to the general public.

It’s not 2FA as long as all security steps are done via a single device. That’s what I don’t like and want to be separated.

PIN Sentry also requires your bank card with a smart card chip inside it. PIN Sentry is also an offline solution.