Various Security/Safety/Privacy questions

And this is the problem, isn’t it? That you are depending on a 3rd party being truthful here. And that’s really difficult to check …

Indeed, I can no longer access said app so I cannot check and tbh I am too lazy to ask them via E-Mail but I should not have to do that, I should be able to have just made a request to Monzo that they break the link and be safe in the knowledge that it was done.

2 Likes

In the first instance we do ask that you contact the AISP because they may also cache or retain data and by just revoking the token on our end, it could cause unexpected problems for them :sweat_smile:

Of course if you (or they) are unable to, we can revoke them from our end :ok_hand:

Can you not just revoke also?

1 Like

Agreed. Should be done first.

Two problems:

  1. revoking access from your end should be a standard 2nd step. It should not only be done if I or they are unable to do that.
  2. It’s quite a serious issue that users are apparently told that access cannot be revoked from your end. You need to train your customer service people in this regard!

1 Like

I’m not sure I necessarily agree here I’m afraid. There are some fairly complicated rules around how this works and as long as the AISP abandons their token then they no longer have access to the customer's account. If they continued to use the access token then there is a bigger issue.

Obviously, with the ability to revoke access from the app this would cease to be an issue.

I’m really sorry that this hasn’t been handled appropriately. From what Danny said, I believe he was advised correctly however I will bring this up internally.

1 Like
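The two revocation paths discussed above, as an added example that is not Monzo's or any AISP's code: the AISP abandoning its own token, and the account holder cutting the AISP off from the bank side regardless of what the AISP does, with any later use of a revoked token recorded as the "bigger issue". The class and field names (TokenStore, aisp_id, audit) are assumptions for this illustration.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class AccessToken:
    value: str
    user_id: str
    aisp_id: str
    revoked_by: Optional[str] = None  # None while active, else "aisp" or "user"

@dataclass
class TokenStore:
    """Constructed model of the bank-side token store (hypothetical, not Monzo's code)."""
    tokens: Dict[str, AccessToken] = field(default_factory=dict)
    audit: List[str] = field(default_factory=list)

    def issue(self, user_id: str, aisp_id: str) -> str:
        """Issue an access token to an AISP for one user's account."""
        tok = AccessToken(secrets.token_urlsafe(16), user_id, aisp_id)
        self.tokens[tok.value] = tok
        return tok.value
    def revoke_by_aisp(self, token_value: str) -> bool:
        """Path 1: the AISP abandons its own token (RFC 7009-style self-revocation)."""
        tok = self.tokens.get(token_value)
        if tok is not None and tok.revoked_by is None:
            tok.revoked_by = "aisp"
        return tok is not None
    def revoke_by_user(self, user_id: str, aisp_id: str) -> int:
        """Path 2: the account holder cuts the AISP off without relying on the AISP."""
        n = 0
        for tok in self.tokens.values():
            if tok.user_id == user_id and tok.aisp_id == aisp_id and tok.revoked_by is None:
                tok.revoked_by = "user"
                n += 1
        return n
    def active_consents(self, user_id: str) -> List[str]:
        """What a 'manage third-party access' screen would list for this user."""
        return sorted({t.aisp_id for t in self.tokens.values()
                       if t.user_id == user_id and t.revoked_by is None})
    def authorize(self, token_value: str) -> bool:
        """Gate every API call; a revoked token being presented again is logged."""
        tok = self.tokens.get(token_value)
        if tok is None:
            return False
        if tok.revoked_by is not None:
            self.audit.append(f"revoked ({tok.revoked_by}) token reused by "
                              f"{tok.aisp_id} on account {tok.user_id}")
            return False
        return True
```

Whichever party revokes first, the bank-side check is what actually ends access, which is the point of wanting the control inside the account rather than only in the third party's app.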

True. But the point is: I don’t trust a 3rd party to deal with this properly. I’ve said it before: By the same token as I revoke a 3rd party's access from within my [Google/FB/Twitter/whatever] account, and not just from within the 3rd party app, if I want to terminate my relationship with them, the same should be done from within my Monzo account. It’s a matter of principle.

Google, FB, Twitter, all of these companies that live off selling our data, and really don’t want us to revoke access, still make it easy to do so. But Monzo doesn’t? Do you really want to be “worse than Facebook”?

1 Like

Sure, and if you contact COps we can do that and as I mentioned, we are also building this into the app as part of a wider project :pray:

2 Likes

I sure hope nobody emails the ICO unnecessarily :joy:

1 Like

Yep my middle finger is still high for TalkTalk.

The reason I don’t see as much of an issue with Monzo is because ultimately the key to the account is still within the user’s control, as in the email or the device’s access token. When saying I don’t care I was referring to the issue of security questions being in the chat history, which again, I do not care about - if an attacker has made it this far there’s not much to save, my data is already in their hands. I do agree however that third-party access token revocation should be within the app.

1 Like

Interesting that this should come up today.

For reasons that are largely boring, I was looking in the Starling app for permissions that I’d given to third parties (they’ve got a very good implementation of giving control to the user, by the way).

I’d previously played with Yolt for a bit but I ultimately deleted my account, deciding that it wasn’t for me. Surprisingly, it was still present on the list of apps that had access to my Starling account. I tapped to cancel it.

On Monzo, I chatted with support and permissions cancelled.

I’m happy that it’s on the to-do list (although any chance of adding it to the Trello board, @HughWells?) but it’s not something I’m losing sleep over just yet, given I still have control. But, as always, others will have different priorities.

1 Like

I’ll see what can be done :wink: I believe @cookywook manages this!

2 Likes
