Which? ranks Monzo last for app security

But you can’t sanction anything without the customer’s PIN number :man_shrugging:

3 Likes

Without?

1 Like

I don’t know what you mean :see_no_evil:

3 Likes

Besides altering payee details, sure. But it’s a pre-existing auth factor that can be easy to social engineer or even guess. It’s -1 factor. Which? are right in suggesting a separate app-specific passcode would be a more secure option.

Edit: because I feel I need to reiterate this. No one is saying Monzo is not secure, or not secure enough. It is secure. Just less so than banks that adopt multiple other factors and steps in favour of usability. It’s not a bad thing at all.

2 Likes

Agreed. The overbearing security is what made me leave First Direct, it was ridiculous!

3 Likes

NatWest have got a new ‘facial recognition’ feature for sending payments, where you have to blink to prove the video is live. Of course, it barely works.

2 Likes

Is that how it’s supposed to work? I just had to take a photo to enroll so wasn’t sure how that was supposed to be secure

It’s like a video selfie, but you just have to blink to prove it’s live, I guess. That’s what the instructions say

1 Like

I don’t know why they wasted their time, when they could authenticate the payment through, oh, I don’t know, FaceID built into iPhones, TouchID built into older iPhones, or a fingerprint reader built into Android phones.

1 Like

Sounds like it works like Atom’s. It’s a good second factor for more important stuff that can’t be overridden by a device passcode. That’s why they do it over the usual Face ID. They support on device Face ID too, but that’s for logging in.

It’s not like a video selfie at all. The blink triggers a capture, to prove you’re a live human rather than say a photograph. They’re stored and processed as an algorithm, and that is what gets compared, by a machine, not a human.

Security theatre? No. Easy to spoof? Maybe. The point is it’s another factor independent from pins, passcodes, and passwords, and is easy to remember. Good to have in situations that benefit from a third factor of authentication the most.

1 Like

That’s a good point, but it sometimes doesn’t detect my blink as the reflection of my glasses (that I have to wear to see) gets in the way - granted, I’ve not used the feature a lot as the account is just used for paying in cash

1 Like

I guess with these someone could access your phone and authenticate payments whilst you’re asleep?

1 Like

Unless you’ve turned it off, FaceID requires “attention detection” so you need your eyes open and looking at it.

The fingering (snigger) would work though

7 Likes

With FaceID, technically no. Touch ID, yes

Which? lost credibility a long time ago.

Adding additional complexity often makes things less secure. For instance, my Mum who has a notepad file on her desktop named ‘Natwest and Halifax passwords’… :roll_eyes: Worryingly, she’s probably not in the minority either…

6 Likes

Still only mid-Jan and this post is already 2022’s innuendo winner :trophy:
Bravo :clap:

1 Like

Lloyds, Nationwide, Santander, and TSB also dropped points because online and mobile banking require the same login credentials.

Dear god, separate details for both… that would lead to far, far worse security practices for many out there, with notes and password reuse. Next you will lose points if the bank doesn’t require a 32-character password changed daily with a different password for each action.

Security needs to be considered for all, not just those who know how to do IT properly.

10 Likes

That can’t be judging criteria I’m afraid, as there’s often a maximum password length of 10 - 12 characters :joy:

1 Like

:rofl: But it would be a boon for Post-it notepad sales.

How is password reuse worse than using the same password for both? :joy:

1 Like