We’ve fixed an issue that meant we weren’t storing some customers’ PINs correctly

Must have missed all of that somehow as this thread mainly seems to be a flaming bin fire of discontent (understandably)

5 Likes

I don’t have a clue to be honest.
I think the installation package can generate a key while the app is being installed, and a key index will then tell the HSM which key was used.
That or a different doodah, the point is that the PIN isn’t stored anywhere in clear.

PCI guidelines explain how the PIN should be handled, but the security implementation is managed by the hardware/software vendor and the development team.

1 Like

Except on the developer’s screen when it’s in a log. It said it was encrypted but it must have been decrypted at some point or they would have never noticed. The fact it was encrypted was irrelevant then.

Maybe the technical arguments with acronyms nobody can understand should go into a separate thread?

1 Like

Right, but that isn’t what I’m saying. I’m saying that clearly this isn’t the primary way they are storing the PINs; this is an aside from that, a mistake. This is not them going, ‘Oh whoops, we’ve been doing everything wrong all along, aren’t we silly’.

It doesn’t change anything. The point of full encryption is that those things shouldn’t be logically possible in a live system.
Developers should only be able to store these things when test data is used, but the production system should be fully isolated.

2 Likes

Except that it shouldn’t be technically possible for it to be in a log. Having a backdoor means someone can exploit it, it doesn’t matter if only developers or the Pope know about it at a given moment in time.

1 Like

I’ve done neither but got the email.

I have set up a standing order recently.

Are you sure those two events are the only ones to worry about?

1 Like

Was this reported to the ICO as an incident?

The Financial Times wrote that it was reported to them as a ‘precaution’.

It has been now, I’ve reported it myself.

1 Like

Banks are not currently legally obliged to tell customers when they log their own data into their own internal-only logs.

As an enterprise software developer of more than a decade, I have no idea what you’re talking about.

Anything a system can get hold of, it can log. You’ve acknowledged what others have said that even a basic cashier at a normal high-street bank can see your PIN number if they want to and somehow you think that’s less of a threat than a few high-privileged software developers being able to?

6 Likes

Part of the problem is that this mistake was allowed to happen in the first place. It points to processes that aren’t robust enough. I’ve said it many times, this type of error just shouldn’t be possible for a bank.

But cashiers and call handlers are logged into the system with their own credentials, and they can only access a customer’s file with permission of that customer, which is then verified by the security details you confirm with that member of staff. The member of staff will have been vetted and checked under FCA rules, and they leave their footprint on your account when they access it and see your sensitive data. So if they were to start using your PIN, or transfer money or anything like that, the bank will know who to go to.

Software engineers can log in, do what they like, then clear the logs. I’d trust a cashier over a random software engineer any day.

2 Likes

Surely they would need something else in addition to the PIN? (Like access to the App on the phone etc)

Hi all! I’ve been collating answers to your questions from the relevant staff members.

Concerns about the email / how it’s been communicated

Thanks for everyone who had feedback about how we communicated the issue - we’re taking it seriously. We’ve sent out an email for now, but of course it’s important to us that everyone who’s been affected receives the information. We’re keeping an eye on things to make sure people have seen our message, and we’ll review soon if we need to get in touch with anyone through a different channel.

What’s the risk of not changing my PIN?

If somebody got access to your PIN and wanted to use it, they’d either have to steal your Monzo card, get access to your unlocked phone, or they would need to have access to your email account (to log into the app).

We keep strict records, and after reviewing them, we’re confident your data hasn’t been used for anything inappropriate. But we’re recommending you change your PIN number as a precaution.

If you think you can see anything suspicious on your account, please get in touch with us straight away through in-app chat or by calling the number on the back of your debit card.

As @kolok reported earlier from their conversation with Customer Support, it’s very unlikely that you’ll experience any fraud because of this issue. But if you do, Monzo will cover that loss (unless our investigation finds that you made the transactions or failed to protect your information, which is always the case when we investigate reports of fraud).

Has this been communicated to regulators?

We’ve told the ICO, the FCA and the PRA, and told them about our plans to fix the issue immediately and communicate what happened to customers.

How was the issue discovered, and how long had it been going on? How can I know for sure that the issue has been resolved?

One of our security engineers found the issue while working on something else. This has been happening for the last six months – we discovered the issue on Friday 2nd August. The information was stored in records we don’t need to check for other reasons, which meant we didn’t spot the issue sooner.

We’ve checked all the accounts that have been affected by this bug thoroughly, and confirmed the information hasn’t been used to commit fraud. But as you know, we’re also recommending people change their PINs. We know it’s not convenient and we’re sorry about that, but the safety of your account is our priority.

Does this affect personal accounts only, or joint accounts as well?

It’s affected less than a fifth of UK customers across all types of accounts. If you’ve received an email, you should change all your Monzo PIN codes.

What happens if there’s no option to update the app?

This is probably because you’re already on the latest version, which is iOS 2.59.0 and Android 2.59.1.

Why did I receive an email if I haven’t used the two affected features?

We’re sure that these are the only two features affected – so if you received an email, it’s perhaps that you don’t remember using them in the last six months.

20 Likes

The software engineers will also be logged into the system with their own credentials and they likely don’t have any ability to clear said logs.

I’d personally trust 5-10 highly paid professionals who are passionate about the company they’re working for and who already have access to tonnes of your data and have been shown to not abuse it but have accidentally stumbled onto a bit more of it over 10,000 people who earn an average wage and could have taken the job specifically in order to commit fraud. I’d also trust a software engineer to keep their credentials secure over someone outside of IT. It wouldn’t surprise me at all if half of the people in a bank branch knew each other’s credentials and even had to often login as each other to get round limitations in their systems.

I can assure you that this sort of thing happens quite regularly at regular high-street banks and probably wouldn’t even bother being flagged up in the first place. I know quite a few people who have contracted with UK banks and some of the stories they tell…

20 Likes

The breach allowed private messages exchanged between the customer and the bank to be seen. That issue has been reported to the ICO and is now fixed by the bank.

2 Likes

A cashier is not a risk factor as they can’t do anything with the PIN. If you say they can clone the card data and then use the PIN I’ll wet my trousers laughing 🙂

As for logging, I disagree since Monzo clearly admitted to logging sensitive production data rendering the encryption useless. There is no reason to log the PIN using encryption known to individuals as that makes the encryption useless.

They can clone the card data and then use the PIN

12 Likes