Various Security/Safety/Privacy questions


#1

I think an advantage of an established bank is reputation effect (if bad things happen it hurts), FSCS and other protections, more resources. So as a large number of businesses fail within 5 years (so I guess reputation issues less helpful), how do you respond to the following? I really want to use you for budgeting my variable spending but I worry about fintech. I guess it might be something like driverless cars, the early uses might have to take some big/more risks as the established companies may be more cautious due to regulations; though I think that is not quite right hence my questions? Hopefully this comes across ok! :slight_smile:

Please could you explain why you are safe? As with a bank with branches I can access it to complain to management, withdraw all my money and close the account. So I feel that online only banks need much higher customer service
Can I go to your registered office and withdraw all my money?

"Investment Ethics
Current Statement
If you are on the Monzo prepaid card, your deposits are held by Wirecard Card Solutions Ltd. in a ring-fenced client-monies account and not used in any other way.

If you are on the Monzo current account, a very small proportion of your money (around 10% of total deposits) will be lent to Monzo customers in the form of unsecured personal overdrafts. The rest sits in cash in our Reserves Account at the Bank of England or be used as collateral for payment schemes.
In the future, we are likely to do more personal lending and invest some of the money in high quality liquid assets like UK government bonds."
Monzo Investment Ethics

How are you safer than a traditional bank who have much more resources to fight against fraud…?

How do you protect our data given out, due to the open banking changes?
What happens when you are hacked? Is most or not all data encrypted?
I don’t know what the major banks do, perhaps it’s easier for you as you can build it from scratch and not have as I have seen Windows XP on ATM machines.

"What you find when start working on an existing piece of software can be best described with an image."


Pasted from https://blog.toggl.com/programming-like/

Everything is broken
Programming Sucks

How do you think you will not have similar issues to Natwest when its app was broken into?

Henry Bodkin 6 DECEMBER 2017 • 8:30PM

Scientists have discovered a flaw in banking apps used by millions of customers that left them vulnerable to hackers exploiting wifi.

Researchers ran a tool on apps from HSBC, Natwest, Co-op banks and others and found online criminals would have been able to con the software into revealing personal details.

(http://www.telegraph.co.uk/science/2017/12/06/flaw-discovered-banking-apps-leaving-millions-vulnerable-hack/)

Protecting contactless from card scanners? Is that needed?
"NFC, though, is very short-range, working over distances of 5cm (2in) at most. “I’d be surprised if this is reading cards that are more than 4cm away,” says Dave Birch of Consult Hyperion, which provides consultancy into electronic transactions. "Reading something in your backpack? No. Reading a card that’s in your wallet which you put down on or by the reader while you looked for the card you wanted to pay with? Yes." (His office tested it on Monday with a real M&S reader. Result: doesn’t work beyond about 5cm.) (Though this article is from 2013)

Even so, it’s worrying. But never fear – you can buy wallets or purses with metal mesh woven into the fabric that will prevent this happening. (“We’ve tested them – they do work,” Birch concedes.)…

The cheaper alternative is to wrap your contactless card in aluminium foil. (And perhaps a little for your head? Seems a shame to waste the opportunity.) The even simpler alternative, I’ve found, is to have more than one contactless card in your wallet. The card reader then can’t decide which card you want read, and declines the transaction. London-based commuters can put their Oyster card in their wallet alongside a contactless card – and hold up rush-hour tube travellers as the gate’s reader gets confused. A great new way to make friends. Well, acquaintances."

Pasted from https://www.theguardian.com/money/shortcuts/2013/may/20/contactless-payments-consumer-affairs

Open Banking Security
There is an advantage in a physical bank as you can get your money out, like with Northern Rock.
(The open banking changes do seem a bit like buyer beware, due to the protection issues.
I think perhaps with online only some issues are: access, trust and customer service, you can always go into a branch and complain, as a person has limited options to just ignore you…)

However “Your bank cannot hold you responsible for unauthorised transactions just because you have shared your credentials with regulated AIS and PIS providers.”
(https://savingschampion.co.uk/news/savings-news/open-banking-brave-new-world/1)

Initially, Open Banking should make it easier for consumers to compare current accounts and other banking services, but over time more online applications and tools could become available to help personal finance management, including identifying where money can be saved. It is important to highlight again that no access will be given to your accounts, unless you provide express permission.

For those of you keen to know more, you may see these new services referred to as Account Information Services (AIS) or Payment Initiation Services (PIS). From 13th January, companies who offer AIS and PIS must be authorised or registered by the Financial Services Authority (FCA), although companies that have been providing these services since before 12 January 2016 do not need to be authorised by the FCA until the end of 2019, so may not appear on the FCA’s register until a later date. As Open Banking progresses and evolves, this should be revolutionary but as ever it’s important to make sure you know who you are giving your permission to. The FCA has provided the following words of warning on its website:

Before you use one of these services be alert, and make sure you are confident that any organisations you share your information with are who they say they are. You should make sure that you understand the service and that you are happy with who will be providing it to you.

Giving consent for access to account data
When you sign up with a company for account information services, the AIS provider should give you enough information to understand the nature of the service being provided and how it will use your data, including whether it will share your data with anyone else.

Sharing security details
Currently, businesses that provide AIS and PIS often ask you to share your bank security details with them, such as your login and passwords.
Under existing data protection law, these businesses must protect your data and PSD2 will require these businesses to put further measures in place to keep your credentials safe and secure.
Your banking terms and conditions should not prevent you from sharing your credentials with regulated AIS or PIS providers. Your bank cannot hold you responsible for unauthorised transactions just because you have shared your credentials with regulated AIS and PIS providers.

Currently and at a very simple level, Open Banking should allow consumers to view all of their savings and investments in one place, to give them an easy real-time view of their entire financial situation.

We have already seen a number of savings apps launched, that link with customer bank accounts via Open Banking and use algorithms to analyse spending habits in order to work out what you can afford to save and then automatically transfers that amount into a savings account. While this is a really useful tool that will enable savers to determine what they can afford to save and help those that never get around to opening a savings account to actually get started - it is important to check the rate of interest being offered on the account that your savings are automatically transferred into.

Our research to date has not found any best buy rates – so while we are always in favour of any resources that help people get saving, it is equally as important to ensure you make your savings work hard for you and that means making sure you have an account that earns the most interest.
(https://savingschampion.co.uk/news/savings-news/open-banking-brave-new-world/1)

(https://savingschampion.co.uk/news/savings-news/ask-anna-what-open-banking-and-can-i-opt-out/)

Open Banking Negative effects on rates?
How can you avoid companies such as yourselves or 3rd parties that you want to offer users changing their pricing at a negative effect to a user that wouldn’t be the case if they didn’t use open banking?

Comments from: Ask Anna – What is open banking and can I opt out?
"anthony smith • 2 months ago
I don’t know whose brainchild this was but it sounds to me like an open invitation to even more identity theft and financial scams. I for one will not be signing up for any other companies to access and collate all my financial details into one place, assuming that I am understanding this article right.

Mary Branscombe • 2 months ago
if Savings Champion linked this to the rate tracker it would be an immediate view of your savings portfolio and an accurate list of accounts for rate notifications - could be handy

Tony Conrad Mary Branscombe • 19 hours ago
Could be handy but does one want other banks and Building Societies to know everything about us much less the government. I prefer privacy personally."

…Emma, which is an anagram of the initials of its founders (Marino and Edoardo Moreni, who met at the University of Manchester) should now be able to take advantage of the UK’s new Open Banking initiative.
“Our goal is to build a private wealth manager, an artificial intelligence that sits between our users and their financial services with the aim of helping,” said Moreni.
The business has so far been funded without external help, and according to the founders has attracted “thousands” of users already.
Emma, the “banking app for millennials”, gets FCA approval and announces it will integrate Monzo and Revolut

@ianlyon More info on the following please?

App and Mobile Security
How are you securing mobile phones and the app? Given Android fragmentation, given for example lack of updates on older phones, not everyone will upgrade to the latest model?

Data Use Policy
How is the data from the app used?
How is it anonymised?
Can I export it when I close my Monzo accounts?
How will it be secured once someone closes their Monzo account?
I appreciate I think laws state you need to keep records, even with the data protection laws, it is more giving users control over their data, rather than it floating around online.

Fraud protection
Could you go into more detail about this, as I think you don’t have a passcode on the app itself?
I appreciate others have explained why this should or shouldn’t be an issue. However I view it like a house, you have a good lock on the front doors/back door (access codes to the phone), but you might keep your valuables (Monzo/pictures) in a safe (additional passcodes)?
There is a partial trade off usability vs security

@nanos

Q: Should you use Monzo, if your security and privacy are more important to you than convenience?

A: Given that Monzo make it very difficult to revoke API access, don’t have pin protection for the app (on Android), show previous security questions and answers visible in the app (which is usually unprotected), and a number of other issues, it seems fair to conclude that Monzo generally prioritise usability and convenience over security and privacy. Thus, if you do not share this view you may consider alternative options instead.

If I was to invest in Monzo, how are you mitigating costs if fraud happens and people make off with mine or others money? I appreciate you have reserves as mentioned here

"…a very small proportion of your money (around 10% of total deposits) will be lent to Monzo customers in the form of unsecured personal overdrafts.
The rest sits in cash in our Reserves Account at the Bank of England or be used as collateral for payment schemes."
Monzo Investment Ethics

(Hopefully this makes sense and comes across like I am trying to make informed decisions)


#2

but that is not just with established banks but any bank


#4

quite the contrary… the Government had to bail out old huge banks to stop them failing! (Royal Bank of Scotland, Lloyds TSB, Halifax Bank of Scotland)


(Change Works) #5

If this would ever become necessary, you’d have exactly the same problem at traditional banks with branches. If every Barclays customer turned up in branch and demanded all of their money tomorrow, there wouldn’t be enough to go round.

On the other hand, as Monzo only loan out a small proportion of their cash, you’d be more likely to be able to transfer it as Monzo are probably more liquid. And there’s also FSCS protection up to £85,000.


#6

Thanks, yep I just wondered if Monzo/other smaller/challenger bank/building societies would also be bailed out… Sorry I knew about the old bank bailout…
Deleted old comment to try to shorten this forum post


#7

:slightly_smiling_face: Good, I thought withdrawing everyone’s money worked with Northern Rock?
Thanks :slight_smile:


#8

Since the economic problems leading to the near collapse of the legacy high street banks, and the consequent bailout by the taxpayer, the Bank of England have changed liquidity requirements and other rules so all registered banks are now in a more secure position, making any need for further bailouts highly unlikely. Also some big banks are being forced to split into separate legal entities with personal banking ringfenced from riskier banking forms which fintechs are not currently involved in.


(Allie) #9

Wow, that’s a lot! And I was told people on here don’t want technical explanations, so just a warning in advance, I’m only going to respond to part of it and it’ll be fairly technical so don’t read if that doesn’t interest you.

First, to start, Monzo’s current offering is a full British current account with FSCS protection and all that goes with it.

Second, I’m only going to comment on the contactless payment part, since that’s what I know best and others can provide better comments on the rest.

Contactless cards are designed to assume that they can be read by a fraudster, this was considered as part of the creation of them. Doing so is tricky, but not impossible. Every time a news article comes out claiming that they saw someone read a contactless card, I sigh. So what? Everyone knows they can be read. Same with passports, which are also designed on this assumption, and I’ll address.

  1. Privacy concerns. Contactless cards do not reveal your name over the contactless interface, which was done to address most privacy concerns. No one can read your card and get your name, which addresses the privacy aspect and some fraud aspects. However, they can get the PAN (Primary Account Number) and thus, the BIN (Bank Identification Number, the first six digits of the PAN). This will tell the fraudster what bank you use, and thus what country that account is from. If you have a need for this level of privacy, a shielded wallet might not be a bad idea; but for most of us, it’s totally unnecessary from a privacy perspective.
  2. Card cloning. The mythical idea that someone can copy a card by reading it. This just isn’t true, and I highly recommend reading the Contactless EMV Specifications for more detail. In effect, a secret key is stored by the card in secure memory and this key is never revealed, but used for cryptographic proof the card is genuine. A card simply cannot be cloned from reading the chip (magstripes are easily cloned, but that’s a different story).
  3. Pre-play attacks. A pre-play attack is where an attacker asks the card in advance for a transaction, then completes it later. EMV has strong mitigations against pre-play attacks, though these are dependent on ‘unpredictable numbers’ being genuinely unpredictable. Some early EMV terminals used sequential number generation, but this has been fixed. An older contactless mode, magnetic stripe emulation, is especially vulnerable to a pre-play attack. This is a minor concern as this is only widely used in a few countries, for example the United States. Countries where this contactless mode is widely used also widely use the far less secure (actually cloneable) magnetic stripe. A pre-play attack gets you one transaction (the CVC/CVV changes), cloning a magnetic stripe has far higher payoff for generally less effort.
  4. Unauthorised purchases. This is where a genuine contactless EMV transaction occurs without your consent. Whether the card is stolen or, in the more sci-fi esque fright stories, someone runs around with a wireless card terminal charging people through their wallets. The latter is unlikely - one, because of card clash; but two, because merchant accounts require identification - any crook stupid enough to do this will quickly get caught. Stolen cards can, however, be used for transactions up to the CVM waiver limit (£30 in the UK), yup. You’re protected against unauthorised use, however, as long as you report the theft as soon as you’re aware of it. You won’t be out of pocket unless you are negligent - unlike the cash the same thief also took from you, which is almost certain to be gone forever.
  5. Bonus point - passports. eMRTD (Electronic Machine Readable Travel Document) passports and ID cards, as defined by the ICAO, are also contactless smart card-like devices. Your privacy is protected by something called BAC (Basic Access Control). In order to read the data, you need a decryption key derived from the data in the MRZ (Machine Readable Zone, the two to three lines of characters on the bottom of the photo page) of the document. Thus, unless they already can read the photo page, an attacker can’t read the chip on your passport. The chip simply is a way to prove the photo page is genuine. This is why ePassport gates require you lay down your passport open - without the encryption, you’d be able to put them in however you want*. Some countries have additional data (such as fingerprints) protected by EAC (Extended Access Control) where the chip also authenticates the reader, and only releases data to authorised readers. However, I will note that if you have reason to ensure no one knows the country your passport is from, like with contactless cards, a shielded wallet isn’t a bad idea - this is because you could find things like the chip manufacturer and the UID range (though the UID does get randomised) and use them to derive what country issued it, without reading it.

*exception - US passports have shielding in the cover and can’t be read when closed.

Contactless really isn’t a tech you have to worry about, it’s far more secure than the cash in your wallet!
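
The BAC key derivation described in point 5, as an added example that is not part of the original post: it follows the published ICAO Doc 9303 procedure and uses the specimen document number and dates from that document's worked example. The function names are this example's own.

```python
import hashlib

# ICAO Doc 9303 character values: digits as-is, A-Z = 10..35, filler '<' = 0.
def _char_value(ch: str) -> int:
    if ch in "0123456789":
        return int(ch)
    if "A" <= ch <= "Z":
        return ord(ch) - ord("A") + 10
    if ch == "<":
        return 0
    raise ValueError(f"invalid MRZ character: {ch!r}")


def check_digit(field: str) -> str:
    """MRZ check digit: weighted sum with repeating weights 7, 3, 1, mod 10."""
    weights = (7, 3, 1)
    total = sum(_char_value(c) * weights[i % 3] for i, c in enumerate(field))
    return str(total % 10)


def mrz_information(doc_number: str, birth_yymmdd: str, expiry_yymmdd: str) -> str:
    """Concatenate the three printed fields, each followed by its check digit."""
    doc_number = doc_number.ljust(9, "<")  # short numbers are padded with '<'
    fields = (doc_number, birth_yymmdd, expiry_yymmdd)
    return "".join(f + check_digit(f) for f in fields)


def _odd_parity(key: bytes) -> bytes:
    """Set the low bit of every byte so each byte has odd parity (DES key form)."""
    out = bytearray()
    for b in key:
        high7 = b & 0xFE
        out.append(high7 | (0 if bin(high7).count("1") % 2 else 1))
    return bytes(out)


def derive_bac_keys(mrz_info: str) -> dict:
    """Derive the BAC session-establishment keys from the printed MRZ data.

    K_seed is the first 16 bytes of SHA-1(MRZ information); the encryption
    and MAC keys are SHA-1(K_seed || counter) with counter 1 and 2.
    """
    k_seed = hashlib.sha1(mrz_info.encode("ascii")).digest()[:16]

    def kdf(counter: int) -> bytes:
        digest = hashlib.sha1(k_seed + counter.to_bytes(4, "big")).digest()
        return _odd_parity(digest[:16])

    return {"k_seed": k_seed, "k_enc": kdf(1), "k_mac": kdf(2)}


if __name__ == "__main__":
    # Specimen values from the ICAO Doc 9303 worked example, not a real passport.
    info = mrz_information("L898902C", "690806", "940623")
    keys = derive_bac_keys(info)
    print("MRZ information:", info)
    for name, value in keys.items():
        print(f"{name}: {value.hex().upper()}")
```

Every input to the keys is printed on the photo page, which is why the chip only answers a reader that has already seen the open document.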


(Change Works) #10

I think people all got their money eventually, but not everyone who turned up on the day was able to withdraw all of their money. It was all government protected, so as safe as it could have been, but the branches didn’t all have enough cash to give out.

At the end of the day, Monzo is as safe or vulnerable as any other UK bank because of FSCS protection.


#11

Thanks that helps :slight_smile:
I heard that there might be issues with contactless fraudulent purchases due to the way not all transactions are entered “instantly” like I guess chip and pin is, see below
It would be good if Monzo was able to better verify the transactions are from the user rather than someone else using the card with less/no privacy issues with that though… (sorry forgot to add)

I don’t know to what extent this is true/still true:

“However, most customers will not realise that the cards cannot be completely cancelled if lost or stolen, and that some banks will expect the customer to spot and report fraudulent payments to reclaim their cash. Cards do contain a chip which limits losses, but they may be used until this limit is reached if the payment terminal is operating offline.”

“While a shop’s payment terminal might go online to process a payment and verify the card before allowing a sale, some transactions are made offline and only processed with the bank later. While this allows payments to be processed quickly, it also means that lost or stolen cards may be used even after being cancelled.”
(https://www.theguardian.com/money/2015/dec/19/contactless-payments-card-fraud-after-cancellation-bank-account)


(Allie) #12

another techy post, tl;dr - the concerns don’t really affect Monzo, or most cards now that Visa has zero floor limit in the UK

Monzo cards are programmed to only allow offline authorisation as a last resort. Likewise, Visa has officially required this for all Visa cards in the UK market starting this year. American Express hasn’t said anything, but my Amex cards also seem to always go online now. Mastercard still has an offline floor limit, but again, Monzo doesn’t use it.

Contact (let’s not use ‘chip and PIN’ since this is ambiguous - both contact and contactless can be used for chip and PIN, even though traditionally contactless isn’t in the UK) also can be offline or online; it was a market segmentation thing in the UK - low-value offline contactless to give ‘instant’ transactions. With faster data links to terminals, this is becoming unnecessary, and most contactless transactions now go online.

That is true, however, the Monzo card will rarely allow an offline transaction, so it’s far less likely to occur than with older cards where there was a floor limit. Also, note they say that some banks will expect customers to report fraud - is that unreasonable? Monzo also makes this easy, if offline fraud somehow slipped through (and there are very few situations it could), you’d get a notification as soon as it posted.

Please note the date on that article. That said, it can still be an issue with some cards, but not with Monzo :slight_smile: Monzo has never had a floor limit below which offline was the default.


(Allie) #14

Like is good :slight_smile: even with a floor limit, you were always protected from fraud. Banks took a calculated risk, and they ate the cost of any fraud losses as long as you promptly reported the card stolen. Having to report which transactions weren’t you never seemed unreasonable to me… Two things have changed:

  1. The EU has capped interchange at 0.2% for consumer four-party debit and 0.3% for consumer four-party credit. This reduced, obviously, how much fraud issuers could afford to eat.
  2. Payment terminals now have much faster connections. 2G and dialup are being replaced by 3G/4G and broadband.

These two things combined made having an offline floor limit (an amount below which transactions normally occurred offline) for contactless much less appealing for issuers.


#15

:slight_smile:
Though part of the reason I guess for people to use cards/banks is the fraud protection that banks do, I guess as a consumer you want them to eat the fraud costs, but the bank to make it easy to avoid/spot fraud… Perhaps the increasing use of data may help a bit with this though that could backfire…
I guess a quick check of your statement would be fine for most people, it is just spotting the fraudulent £10, £20 transactions in the rest of the similar transactions.
I guess having a floor limit stops fraud getting to certain levels, maybe a bit like a credit card limit?

“…Software that interacts with a conventional payment network like Visa or MasterCard must take into account their complex security models and the risk that a payment could later be reversed by the network. They have to worry about anti-money laundering rules. It often takes a day or two for transactions to clear—partly to give human customers an opportunity to spot fraudulent payments.”
[Want to really understand how bitcoin works? Here’s a gentle primer](https://arstechnica.com/tech-policy/2017/12/how-bitcoin-works/)


(Allie) #16

Not necessarily, that is stopped by a separate total offline transaction limit. E.g. up to £100 can be approved offline (just an example) before a risk counter in the card either forces everything to go online or forces an insert (so the risk counter can be reset, this was popular in Britain but is a really bad strategy from a user experience perspective so has been mostly abandoned now).

The floor limit mostly just reduces the incentive. Who wants to steal a card and risk prison just to go buy a bunch of McDonald’s meals with it?

And no one does that better than Monzo. You get a push notification every time they get an authorisation and/or a transaction posts. No need to try and remember later if it really was you!
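
A simplified model of the offline floor limit and the cumulative offline risk counter discussed in this thread, as an added example that does not come from any poster or from Monzo. The class and field names and the pence amounts are constructed, and real EMV card risk management takes more inputs than this.

```python
from dataclasses import dataclass


@dataclass
class Card:
    floor_limit: int               # pence; at or below this the card may approve offline
    cumulative_offline_limit: int  # pence; total offline spend allowed before going online
    offline_total: int = 0         # the card's running risk counter


@dataclass
class Issuer:
    card_cancelled: bool = False

    def authorise(self, amount: int) -> bool:
        # The issuer only sees transactions that actually go online.
        return not self.card_cancelled


def pay(card: Card, issuer: Issuer, amount: int,
        terminal_can_go_online: bool = True) -> str:
    """Decide one contactless payment and return the outcome as a label."""
    offline_ok = (
        amount <= card.floor_limit
        and card.offline_total + amount <= card.cumulative_offline_limit
    )
    if offline_ok:
        # Approved without asking the issuer, so a cancellation is not seen yet.
        card.offline_total += amount
        return "offline-approved"
    if not terminal_can_go_online:
        return "declined-no-connection"
    if issuer.authorise(amount):
        card.offline_total = 0  # a successful online contact resets the counter
        return "online-approved"
    return "online-declined"


def exposure_after_cancellation(card: Card, amounts: list) -> tuple:
    """Total value approved on a card the issuer has already cancelled."""
    issuer = Issuer(card_cancelled=True)
    outcomes = [pay(card, issuer, amount) for amount in amounts]
    lost = sum(a for a, o in zip(amounts, outcomes) if o.endswith("approved"))
    return lost, outcomes


if __name__ == "__main__":
    purchases = [2500] * 6  # constructed: six £25 purchases on a stolen card

    with_floor = Card(floor_limit=3000, cumulative_offline_limit=10000)
    print("floor limit card:", exposure_after_cancellation(with_floor, purchases))

    zero_floor = Card(floor_limit=0, cumulative_offline_limit=0)
    print("zero floor card: ", exposure_after_cancellation(zero_floor, purchases))
```

With a floor limit, the cancelled card keeps working until the counter is exhausted, so the counter bounds the loss; with a zero floor limit every payment reaches the issuer and is declined.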


(Ian Lyon) #17

Hey @Yap :wave:

We have a full, unrestricted UK banking license. This means that, just like every other bank in the UK, we’re regulated by the Financial Conduct Authority and the Prudential Regulation Authority. You’ll be covered for up to £85,000 under the Financial Services Compensation Scheme. We’re very risk averse in the way we use your deposits; it’s worth taking a look at this interview with our CEO, @tom, where he discusses our approach to banking and comments on how we sensibly use deposits to drive revenue.

We hope you’ll never feel the need to complain, but if for any reason you do, you can contact us via the in-app chat, by email, or by phone - whatever you’d prefer. We are of course an online-only bank with no traditional ‘branches’, but this is no impediment to the way you can raise a complaint. We don’t hold cash at our registered office, but we can of course look at ways for you to access your entire balance on a case-by-case basis - usually by transferring the balance to another one of your accounts.

Without wanting to ‘blow our own trumpet’ as it were, we truly believe that we have some of if not the best customer service in the banking industry; our primary goal is to deliver a delightful, human service, and make sure you’re happier for having spoken to us. The feedback we receive suggests we’re doing a pretty good job of that - but I’ll let our users give you their own recommendation!

It’s impossible to combat every instance of fraud, but we’ve done an incredibly good job of this so far, and our financial crime team is staffed full of incredibly talented and smart people. We also have the benefit of running on up to date, modern technology - a far cry from the old ‘mainframe’ systems that the legacy banks run on.

We have the benefit of a supercomputer in your pocket; it knows your location, it can give you notifications as soon as a payment is made, you can freeze your card instantly and stop all transactions (including contactless!) from being approved. We can use this incredible technology as just one of the tools we have to combat fraud.

When you choose to share your data with an authorised third-party, you’ll be prompted at every step to inform you of the permissions the third-party will receive, and what data they’ll have access to. Third parties authorised to handle this information under PSD2 are themselves regulated by the FCA, which means they have to fully comply with all regulations in place to protect customers’ personal data.

Sensitive data within Monzo is securely encrypted and we have a significant number of security measures in place to ensure that your data is protected.

Broadly speaking, our platform runs on AWS, rather than the ‘mainframe’ systems used by legacy banks. This is similar to how modern technology companies such as Google, Facebook and Amazon run their services. We own the full technology stack, so we have flexibility to quickly react to changes and roll out new functionality in a matter of hours and days, rather than weeks and months.

We don’t use Windows XP, but it’s worth bearing in mind that we also don’t own any ATM machines. Internally, we generally use very few Windows machines - we’re more of a Mac company.

We’d never say we’re immune to problems like this, but security is a massive priority for us, and given that we can quickly react to changes and security threats, we can implement fixes much quicker than legacy banks in many instances.

I think @Merkitten has done a great job of going into detail on this one :+1:

With this one, again, we don’t operate a physical branch network but we’ll always do our best to make sure you can access your money one way or another. We’d also never ignore you just because you contact us in-app :wink:

The regulations around Open Banking are designed to protect your data whilst offering you the ability to share your data with trusted third parties, should you give your explicit consent to do so. There’s a lot of FUD (fear, uncertainty and doubt) around this because it’s been a bit misreported in some news outlets and people assume the worst, but you will always be in control of your data and can opt to revoke access to it at any time :slightly_smiling_face:

Whilst we couldn’t control the pricing decisions of third-party companies, when it comes to our planned Marketplace, we’d like to make sure that everyone on there is of an acceptably high standard and doesn’t charge rates that are over the odds; ultimately we’d like to save you money using the opportunities that Open Banking provides, so it’s not in our interests to promote companies on our own Marketplace that would do the opposite.

Let me know if I’ve missed out on any of your points, or if there’s anything else you’d like to know about from a Monzo perspective!

Thanks to everyone else for pitching in on some follow-up questions :heart:


(Allie) #18

This explains so much… ducks out to avoid going off-topic


#19

Please could I have much more detail on this, as I guess this could be quite bad for consumers? Power should be with consumers… I would prefer to avoid things like as the cookies on your browser say you have been comparing insurance, energy, internet, the prices vary when you use the next comparison site (BBC Moneybox talk) I can find more information if you want…


(Allie) #20

Remember a lot of the comparison sites have the same owner (e.g. MSE and MoneySuperMarket) or the same data sources. They don’t need cookies, they can just use their database about you, assuming you gave them name/etc. I’m not saying MSE/MoneySuperMarket specifically do this, just that, they wouldn’t need to drop cookies.

Actually, I think this is a place Monzo has a real chance to shine, they’re going to, potentially, be a new independent aggregator of comparison data. If they pull that off well, we could really benefit as consumers. Time will tell.


#21

@ianlyon and @Merkitten Agreed it might be slightly off topic, but proper security is important. Macs can get malware too! :slight_smile:
Some more detail on security might be good? I don’t know what can be public, but some of the replies are a bit wishy washy…? Thanks


(Allie) #22

Ah, I wasn’t referencing security, that’s quite on-topic. I was referencing the fact that a lot of new features (thankfully, not mobile payments - the most important feature to me, by far) seem to be developed on Apple first :slight_smile: