Tembo account security

Joe901

I've recently transferred my old ISA into Tembo and am concerned at a possible account security flaw. Like most folk today, I used my phone/Google email to register a new Tembo account. I'm then used to systems where I select a fixed password as the password field, and then set up my phone number as a 2FA (additional verification step/code sent to phone). This means that while someone might get hold of my phone, they will never know the password for the Tembo account.
 
Concerningly, Tembo's account verification system is all tied to your email, where you enter your email then a simple code ('magic number') is sent to that same email that you then enter in. And that's it. Full access to my account. Effectively all you need is my phone for full access to my ISA - no separate, unconnected password required.

Does anyone else think this is serious step backwards in account security? I really don't like this. Is there any way I can change this to an unconnected password? I also can't see how to activate and force the use of my phone's fingerprint scanning for this Tembo app as an additional security layer. 

nottsphil

I've recently transferred my old ISA into Tembo and am concerned at a possible account security flaw. Like most folk today, I used my phone/Google email to register a new Tembo account. I'm then used to systems where I select a fixed password as the password field, and then set up my phone number as a 2FA (additional verification step/code sent to phone). This means that while someone might get hold of my phone, they will never know the password for the Tembo account.
 
Concerningly, Tembo's account verification system is all tied to your email, where you enter your email then a simple code ('magic number') is sent to that same email that you then enter in. And that's it. Full access to my account. Effectively all you need is my phone for full access to my ISA - no separate, unconnected password required.

Does anyone else think this is serious step backwards in account security? I really don't like this. Is there any way I can change this to an unconnected password? I also can't see how to activate and force the use of my phone's fingerprint scanning for this Tembo app as an additional security layer. 

Yes, I think it's lax too, even if funds are only accessible from the nominated account. That's presuming there is no Tembo password, which contradicts the last sentence in your first paragraph; maybe you meant for non-Tembo accounts?

I'm presuming your email is on an app and you don't log in, like I don't with the Yahoo app. Can you not set up the email to be only accessible via fingerprint? If not, perhaps somebody could suggest a fingerprint secured email that you could use just for this login.

Eyeful

You can:
1. Contact Tembo directly, state your concerns & see if they can  put your mind at rest.
2. Move your ISA to a provider that does security the way you like.
3. See if Tembo allows Yubikey for 2FA. If it does buy one & use it.

MeteredOut

Valid concerns, but other than withdraw your funds to your nominated account, could they do anything else with your money?

Even with FaceId in place, its possible to override it and allow login with the email code.

Joe901

Thanks for your replies.

Like pretty much all of us, for every other money/other account, I have the (what was) standard separate password that I created (under the respective pw rules set). For financial/important accounts that would be supplemented by a mandatory 2FA, normally a code sent to my phone. The main thing is, one of the login elements is completely separated from the rest.

With Tembo, if you have access to the 'username' (email) then you also have access to the password. That just seems very, very wrong. I generally try to keep my passwords in a local/non-online password manager on my home PC. Tembo (and other's, no doubt) practice changes that, meaning I'm even more concerned if someone gets hold of my phone.

I'll contact Tembo and ask them about other methods of login validation.

friolento

Joe901 said:

With Tembo, if you have access to the 'username' (email) then you also have access to the password. That just seems very, very wrong.  

I don’t understand what you mean. To get at the code sent by email, you need to have access to the email account, which presumably you have secured with 2FA? If not, why not?

booneruk

I'm not sure how gaining access to your email account will also hand over your Tembo password.

The risk would be if the 'magic number/link' sent in email allows the person using it to set the password to something of their choosing without having to enter the old password to do so. Then they have a new password, not your old one.

friolento

booneruk said:

I'm not sure how gaining access to your email account will also hand over your Tembo password.

The risk would be if the 'magic number/link' sent in email allows the person using it to set the password to something of their choosing without having to enter the old password to do so. Then they have a new password, not your old one.

It won’t reveal the password to you but it gives you access to the Tembo account.

Once in there, you can then withdraw from Tembo to a linked current account in your name. I don’t know whether the password is required to confirm the withdrawal but whoever withdraws needs to have access to the (2FA secured?) current account before they can take it further.

This security arrangement is perfectly fine for me.

wmb194

Does Tembo only allow withdrawals to a nominated account e.g., a current account? If so, there wouldn't be much someone could do except withdraw your money to an account belonging to you and secured by other means.

Usually with nominated account systems to change it requires some checks e.g., a bank statement showing your name and address and/or these days a COP check.

To answer my own question:

"Nominated Account: The account you nominate to made (sic) payments into your Account, and to receive payments out of your Account. Unless we agree otherwise, this must be a UK bank or building society in your name, which we will verify when you open an Account. We will not accept your account as a Nominated Account until we have completed our checks."

https://www.datocms-assets.com/15134/1739874437-complete-tembo-savings-customer-agreement-t-cs-v2-1-jan-25.pdf

Joe901

friolento said:

Joe901 said:

With Tembo, if you have access to the 'username' (email) then you also have access to the password. That just seems very, very wrong.  

I don’t understand what you mean. To get at the code sent by email, you need to have access to the email account, which presumably you have secured with 2FA? If not, why not?

The Tembo account only works through a phone/tablet app - you can't log in outside the app (I suppose a PC android emulator, for example, might be made to work). If someone got hold of your phone and unlocked it (or it was unlocked) then the phone's own email is the 'username', which most phone's will auto-populate to make it even easier, though viewing the Google email on your phone is simple. The password/'magic number' is then auto sent to you by Tembo - using this same email - every time you log in, thus, it will pop up automatically as a new email notification. But I'm needlessly overcomplicating this - don't overthink -->

The whole point I'm trying to get across is that Tembo is using ONLY an email address as a (traditional) username...and then sending the password to that SAME email address. Focussing only on that and comparing it to a 'traditional' Username/Password where the Username is NOT hard-connected to the Username - thus, it is not delivered to you on a plate - and hopefully you see the backward step.

booneruk

I've just had a quick read of Tembo's page (I don't have an account myself so am not familiar). It appears they don't use passwords: https://help.tembomoney.com/en/articles/5454427-how-do-i-log-in-to-my-tembo-account

The magic links they email should only be usable once - if not, that's a security concern for sure.

Don't allow your email account to be taken over by someone else if you want to avoid your ISA money being withdrawn to your own linked account.

There are bigger problems with having your email account taken over in the first place!