We’ve fixed an issue that meant we weren’t storing some customers’ PINs correctly

They clearly don’t just store everyone’s PIN in a text file on their server :woman_facepalming:

This is only a recent issue due to PINs being included in data that shouldn’t have had the PINs with it, from my understanding.

3 Likes

Why are you storing clear PIN data anywhere, including the CDE?
The PIN, once created should be passed to the HSM which will then respond with an encrypted block that’s created using the HSM local master key

Do you have an HSM? If so, do you use it? Do you also use it to encrypt the PAN, the CVVs and other card security data?
If not, how in the world did you pass certification?

1 Like

You have MASSIVELY misunderstood the issue. I suggest re-reading the post.

1 Like

Where do you get these ideas? They’re legally obliged to tell us. They do tell people when things like this happen.

It’s not Monzo being heroic here, it’s standard industry practice now.

7 Likes

There’s no such thing as data including PINs when it shouldn’t :slight_smile: The whole point of encryption is to avoid that.

HSM = Hardware Security Module
PCI = Payment Card Industry

I got to here and new acronyms came along!

2 Likes

I suggest you do some reading on card security data before making assumptions.
My statements were factually correct, because banks never store the PIN in clear anywhere and under any circumstances.

I worked for a big bank in a customer service role and had access to customers’ PIN numbers, so yeah… they do.

2 Likes

You’ve confused me now.

Why did you ask why Monzo did something they aren’t allowed to do, after they said they didn’t do it?

4 Likes

Hi

Noob question: how would I see the PIN in plaintext in my app if the HSM sends the encrypted block? At what point is it decrypted?

No they don’t Harry. Your GUI accessed the HSM through a one-time command. The HSM returns the clear PIN because it knows what the value is; no one else does (or should know).
The data was not stored in clear, unless the bank was not following security guidelines.

The HSM alone can decrypt it, and send it back to whatever service the app uses to access the HSM command.
It’s likely the HSM encrypts the PIN under a key known to the app, then the app can decrypt it… I hope

1 Like

Is there a list of email domains that Monzo use?

I was suspicious of the email asking me to change my PIN at first as it came from monzoemail.com whereas normal log-on emails come from monzomail.com (no e).

Would be useful to have a full list of valid email domains somewhere for the future.

Well done for being up front with this and informing customers. I suspect similar things happen in other organisations and never get publicised.

3 Likes

They said they stored the PIN in a file that was encrypted, which the developers had access to.
If the developer can decrypt the file and see the PIN in clear, then the PIN is not stored securely.

Where would the app get that key from if I install the app on a new phone (not the phone that I chose my PIN on originally)?

1 Like

Phishing emails can use your real name too. It’s bad practice to teach people that an email is genuine if it uses your real name.

4 Likes

Very true - my name is my email address so it’s somewhat obvious anyway.

I’m pretty sure John.Smith@something.com belongs to a John Smith…

Do understand where people are coming from though with the email address - I wonder what the reason is for not just using the @monzo.com domain.

1 Like

Oh I don’t disagree - but it is one of the first things that people are told to look for.

Must have missed all of that somehow as this thread mainly seems to be a flaming bin fire of discontent (understandably)

5 Likes

I don’t have a clue to be honest.
I think the installation package can generate a key during the app being installed and a key index will then tell the HSM which key was used.
That or a different doodah, the point is that the PIN isn’t stored anywhere in clear.

PCI guidelines explain how the PIN should be handled, but the security implementation is managed by the hardware/software vendor and the development team.

1 Like
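The thread keeps returning to the same mechanism without showing it: the PIN is turned into a PIN block, encrypted under the HSM’s local master key (LMK) and only that ciphertext is ever stored; when a client needs to show the PIN, the HSM translates the block to a key that client holds, and the clear PIN never leaves the HSM. The Go program below is an added illustration of that flow, written for this page; it is not Monzo’s code and not a real HSM. It assumes ISO 9564-1 format 0 PIN blocks, uses Go’s standard-library Triple DES as a stand-in for the HSM’s cipher, and follows the per-app key design guessed at in the posts above rather than any documented product. The PAN and keys are constructed demo values, not real ones.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// PINBlock is an ISO 9564-1 format 0 PIN block: 8 bytes, PIN field XOR PAN field.
type PINBlock [8]byte

func isDigits(s string) bool { return s != "" && strings.Trim(s, "0123456789") == "" }

// panField is "0000" followed by the rightmost 12 PAN digits, excluding the Luhn check digit.
func panField(pan string) ([]byte, error) {
	if !isDigits(pan) || len(pan) < 13 {
		return nil, errors.New("PAN must be at least 13 digits")
	}
	noCheck := pan[:len(pan)-1]
	return hex.DecodeString("0000" + noCheck[len(noCheck)-12:])
}

// BuildPINBlock formats a clear PIN as a format 0 block. In production this happens
// inside the PIN pad or HSM, never in application code.
func BuildPINBlock(pin, pan string) (blk PINBlock, err error) {
	af, err := panField(pan)
	if err != nil || !isDigits(pin) || len(pin) < 4 || len(pin) > 12 {
		return blk, errors.New("PIN must be 4-12 digits and PAN at least 13")
	}
	// PIN field: control nibble 0, length nibble in hex, PIN digits, 'F' padding to 16 nibbles.
	pinHex := fmt.Sprintf("0%X%s", len(pin), pin)
	pf, _ := hex.DecodeString(pinHex + strings.Repeat("F", 16-len(pinHex)))
	for i := range blk {
		blk[i] = pf[i] ^ af[i]
	}
	return blk, nil
}

// ExtractPIN recovers the PIN from a clear block, validating the layout so that a
// wrong key or wrong PAN is rejected instead of yielding garbage digits.
func ExtractPIN(blk PINBlock, pan string) (string, error) {
	af, err := panField(pan)
	if err != nil {
		return "", err
	}
	var pf PINBlock
	for i := range pf {
		pf[i] = blk[i] ^ af[i]
	}
	h, n := strings.ToUpper(hex.EncodeToString(pf[:])), int(pf[0]&0x0F)
	if h[0] != '0' || n < 4 || n > 12 || !isDigits(h[2:2+n]) || strings.Trim(h[2+n:], "F") != "" {
		return "", errors.New("not a valid format 0 PIN block")
	}
	return h[2 : 2+n], nil
}

// HSM stands in for the hardware module: its keys never leave it, and the clear PIN
// exists only transiently inside its methods. Format 0 blocks are 8 bytes, so TDES fits.
type HSM struct {
	lmk, appKey cipher.Block // local master key; per-install client key (the thread's guess)
}

func NewHSM(lmkKey, appKey []byte) (*HSM, error) {
	lmk, err1 := des.NewTripleDESCipher(lmkKey)
	app, err2 := des.NewTripleDESCipher(appKey)
	if err1 != nil || err2 != nil {
		return nil, errors.New("TDES keys must be 24 bytes")
	}
	return &HSM{lmk, app}, nil
}

func encryptBlock(b cipher.Block, in PINBlock) (out PINBlock) { b.Encrypt(out[:], in[:]); return }
func decryptBlock(b cipher.Block, in PINBlock) (out PINBlock) { b.Decrypt(out[:], in[:]); return }

// EncryptUnderLMK runs once at PIN creation; its output is the only form ever stored.
func (h *HSM) EncryptUnderLMK(clear PINBlock) PINBlock { return encryptBlock(h.lmk, clear) }

// VerifyPIN checks a candidate PIN without the stored PIN leaving the HSM.
func (h *HSM) VerifyPIN(stored PINBlock, pan, candidate string) bool {
	want, err := ExtractPIN(decryptBlock(h.lmk, stored), pan)
	return err == nil && subtle.ConstantTimeCompare([]byte(want), []byte(candidate)) == 1
}

// TranslateToApp re-encrypts the stored block under the client's key; the clear
// block exists only inside this call.
func (h *HSM) TranslateToApp(stored PINBlock) PINBlock {
	return encryptBlock(h.appKey, decryptBlock(h.lmk, stored))
}

// AppDecryptPIN is the client side: it holds the app key only, never the LMK.
func AppDecryptPIN(appKey []byte, translated PINBlock, pan string) (string, error) {
	b, err := des.NewTripleDESCipher(appKey)
	if err != nil {
		return "", err
	}
	return ExtractPIN(decryptBlock(b, translated), pan)
}

func main() {
	// Constructed demo values: not a real card, not real keys.
	pan, lmk, app := "4000001234567899", []byte("24-byte-demo-lmk-key-abc"), []byte("24-byte-demo-app-key-xyz")
	h, _ := NewHSM(lmk, app)
	clear, _ := BuildPINBlock("1234", pan)
	stored := h.EncryptUnderLMK(clear) // all that a developer with access to the file would see
	pin, _ := AppDecryptPIN(app, h.TranslateToApp(stored), pan)
	fmt.Printf("stored %x verify(1234)=%v verify(0000)=%v app sees %s\n",
		stored, h.VerifyPIN(stored, pan, "1234"), h.VerifyPIN(stored, pan, "0000"), pin)
}
```

The point the program makes is the one argued back and forth above: what sits in the bank’s storage is `stored`, an LMK-encrypted block that reveals nothing without the HSM, and a developer who can read the file but cannot call the HSM learns no PIN. The ciphertext can be verified against a candidate PIN, or translated to a client key, only by going through the HSM. A real HSM additionally binds PIN translation and verification to strict command permissions and key usage types, which this stand-in does not model.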