Which? ranks Monzo last for app security

The article doesn’t mention Monzo, but the table shows Monzo as last.

1 Like

Just reading through the which result How safe is online banking? - Which?

It seems their main problems with Monzo were probably over passwords (it doesn’t have any and shouldn’t) and the fact it doesn’t log you out of the app every five minutes (please god no).

Just by not having a desktop interface that allows you to make transfers etc it’s already several times more secure than a bank that does, they don’t mention that I don’t think.

Ultimately the breaking the security of your Monzo account requires access to your device or your email, and your PIN number. If one or much more preferably both of those things are secure there’s nothing to worry about.

They mention things like pro security testing tools, but don’t actually say they found any weaknesses anywhere that would allow account access, almost certainly because they didn’t.

23 Likes

@AlanDoe

Interesting. Monzo have previously claimed - and I have no reason to doubt them - that their fraud losses are lower than many of their counterparts. Maybe the Which? survey is looking at the wrong things?

3 Likes

Again almost all remote fraud I’ve seen and heard of takes place via manipulating web browsers over desktops or installing malware with attacks that can’t really be replicated on mobile devices.

2 Likes

What leads to Starling ranking higher?

(I’ve never used Starling)

1 Like

More than likely. I haven’t seen the linked one yet, but the last time I saw Which? do one of these surveys, they were giving extra marks for features that were, essentially, security theatre. IIRC not having 2FA was an automatic fail, for example.

ETA: looking at the table in the linked article, they give Monzo one star for ‘Navigation and logout’, from which I think it’s safe to assume that their biggest issue is that the app stays logged in (and they’re perhaps not taking into consideration the fact that (a) the user can turn on biometric locks, and (b) even logged in, you still need the PIN to do anything.

3 Likes

Reply rather than editing this time, as I found the Which report:

As I suspected, they had an issue with the ‘always on’ nature of the app:

Monzo was the lowest-scoring app we tested by some margin. It’s the only provider that doesn’t ask you to log in every time. It told us this is a ‘conscious design decision to strike a balance between risk and customer experience’.

They go on to say that while they recognise that a PIN is needed for further actions, they “don’t agree this is the right approach for a bank”. In other words, they’re pretty much saying “Security theatre nao, pls”.

We also marked Monzo down for asking users to enter their debit card Pins to authenticate sensitive changes. While it does block three consecutive incorrect Pin attempts, after which it requires a selfie video and photo ID to proceed, we prefer banks to ask for app-specific passcodes.

(Emphasis mine). This is perhaps a fair point, although I’m sure staff in the past have discussed why they decided against using different PINs - IIRC it was at least in part because a separate app PIN could lead to potential performance/security issues if the app was offline (PIN stored locally, not secure; PIN only held by Monzo, app won’t work if offline).

the TL;DR is, Which? have a picture of how banking security should work, and Monzo have a different picture. It doesn’t actually mean Monzo is any less secure (IMO), just that they’re not doing what Which? want.

(Strikes me as analogous to a maths teacher marking a student’s homework down even though they’ve got the right answer, because their working doesn’t demonstrate the method that was taught in class.)

16 Likes

It would be a lot easier if they just said they don’t understand the difference between privacy and security.

9 Likes

Indeed. I’ll note also that they rank First Direct as best for security, which may be true by their metrics, but it’s f****** annoying; they have so many different passwords and memorable words that I’ve had to reset everything at least three times, due to putting the wrong thing in the wrong place too much and locking myself out.

I’ve had to create an entry in my password app to hold all the First Direct codes for future reference, but you can bet that there will be many people out there who have solved the problem by… writing them down. Probably in a notebook or on a sheet of paper in a desk headed “First Direct passwords”. Something Which? clearly don’t take into account and absolutely makes First Direct, in reality, actually far less secure than they may appear to be.

8 Likes

Like this?

7 Likes

I actually closed my FirstDirect account because I found the security so annoying, there has to be a balance between security and usability.

10 Likes

In fairness, the assessment isn’t necessarily wrong. Just don’t take it as which saying Monzo isn’t secure, because that’s not actually what they’re saying.

I’ve rarely been fond of which?’s methodologies, and I’m not here either, but that doesn’t mean the result is incorrect. Monzo is much less secure than any other bank in the U.K, that’s fact, but that doesn’t mean they’re not secure, they are. The trade off is they’re much easier to use. I don’t think it’s the right balance, but I think they strike the best balance among all the banks.

It’s easy to want to dismiss this and write it off as it’s just because there’s no security theatre. Whilst true to an extent, it’s not that. There’s a lot of security theatre with legacy banks, and there’s even some with Monzo too, but not every component of security is just theatrics. Some of it actually does enhance security, and some theatrics can also weaken it. To Which?’s credit here, theatrics don’t seem to have had much influence at all on their findings.

5 Likes

sorry to repeat myself but I think any bank with a desktop portal is less secure than any existing one that’s app only.

1 Like

Depends on the threat model and the threat actor(s) you’re wanting to defend against.

Which seem to be coming it at it from the angle of someone being able to go on your phone and get into the app and sanction stuff.

If I were a threat actor looking to gain access to peoples accounts and defraud, I’d actually target those with mobile only banks. It’s much easier to pull off a social engineering attack with these.

Monzo used to have a flaw that made it as simple as intercepting the magic link email for instance.

2 Likes

I don’t think you can call someone having their email hacked a ‘Monzo flaw’. :thinking:

4 Likes

Well, that’s sort of wrong imo. The most secure the bank for the average consumer is the one that protects against most of the things criminals commonly try and use and are able to exploit and therefore prevents the most fraud. Reality, not hypotheticals, are what’s important.

Most fraud seems to happen from abroad through a mixture of social engineering and browser manipulation & malware.

4 Likes

I don’t think it is. Security against unauthorised account access is important too. It’s a much easier attack vector to exploit.

Browser vulnerabilities to malware are a bit of a distraction in assessing the security of a bank account imo. In the same way a user not having 2FA on their email account and having that compromised is not a Monzo flaw, a user having their browser compromised is not a flaw with their bank (you’ll note I never said the email account needed to be compromised to intercept the link, because it doesn’t). Android can also have just as many, if not more attack vectors.

Social engineering and unauthorised account access are by far the more common instances of fraud. You just don’t hear about them as much, because they’re individual, and in many cases can be personal, domestic issues that never get reported.

3 Likes

Monzo is not the only app to score strangely on navigation and logout either.

First Direct, which seems to work the same as HSBC, scores much lower than HSBC and appears way down the table as a result.

It seems like a fairly useless criteria to be judging to me, the other categories seem far more important but appear to be weighted equally in the scoring?

They’ve missed the point too, since you can always turn on authentication in Settings, so the app can behave exactly how they want it to.

1 Like

I presume a password, and a new device login requires video verification which I belive is reviewed by one of their team (at least in my experience it’s tended to take a few hours to gain access after changing/resetting devices). Neither of which I agree with as being “more secure”.

2 Likes