Monzo customer? Check if you need to change your PIN after security error - MSE News

Around 480,000 Monzo users need to update their app and change their PIN, after numbers were stored in files in a part of the bank's internal systems that could be accessed by some of its staff...
Read the full story:
'Monzo customer? Check if you need to change your PIN after security error'

Comments

  • londoninvestor
    londoninvestor Posts: 1,351 Forumite
    It says if you haven't been emailed, you haven't been affected – so you don't need to change your PIN. But it is asking all of its customers to update their app to iOS 2.59.0 or Android 2.59.1 by going to the Apple Store or Play Store, as it has released updates after finding the problem.

    It doesn't seem architecturally great if a problem like this requires a client-side fix (i.e. an app update) rather than being fixable on the server side by Monzo.

    Tech coverage in the media isn't always great though - perhaps the article is confusing fixes for separate issues.
  • Uxb1
    Uxb1 Posts: 732 Forumite
    So from the scant details provided it seems PIN numbers were stored in an ?plain text? file or possibly a file of some "non-one way only hashing encryption" that could be decrypted by staff.

    ...and these people are running a BANK?
  • 18cc
    18cc Posts: 2,120 Forumite
    I'm sure I don't have to say this, but if you are with Monzo and you do receive an email from them about this then make sure it really is Monzo before you click on any links and enter any personal information.
  • Chino
    Chino Posts: 2,031 Forumite
    Uxb1 wrote: »
    ...and these people are running a BANK?
    If you click on the following link where there's what is presumably a representative photograph of Monzo employees, most of the staff look barely out of nappies and so are unlikely to have much relevant experience in developing secure banking systems:
    https://monzo.com/careers/
  • Catplan
    Catplan Posts: 448 Forumite
    18cc wrote: »
    I'm sure I don't have to say this, but if you are with Monzo and you do receive an email from them about this then make sure it really is Monzo before you click on any links and enter any personal information.

    No links to click in the email, it asks you to visit an ATM to change the pin on the debit card. It also states the file containing this pin was encrypted but accessible by engineers via these encrypted logs. My take is the engineers have no need to know your pin.

    It also asks to update the app via your App Store, my iOS device already had.

    Not great though and the communication hasn’t really addressed concerns. But they are sorry.
  • jonnygee2
    jonnygee2 Posts: 2,086 Forumite
    Uxb1 wrote: »
    So from the scant details provided it seems PIN numbers were stored in an ?plain text? file or possibly a file of some "non-one way only hashing encryption" that could be decrypted by staff.

    ...and these people are running a BANK?

    They were in an encrypted log file, as a result of a bug which recorded them during certain events in the app such as cancelling a standing order, according to the original press release. Essentially the pins were being held in a less secure part of their system, but still somewhere relatively secure.

    I work for a high street bank and for a long time lots of members of staff could access pins, even in-branch staff could bring them up on screen. They can't anymore - it's post reminders only, but I understand at some high street banks customer service still can.
  • Grandad2b
    Grandad2b Posts: 352 Forumite
    MSE_Callum wrote: »
    Around 480,000 Monzo users need to update their app and change their PIN, after numbers were stored in files in a part of the bank's internal systems that could be accessed by some of its staff...

    If I had a Monzo account I'd be changing my PIN anyway. Are Monzo sure they know no other accounts have been compromised?
  • badger09
    badger09 Posts: 11,742 Forumite
    Hmmmm

    I read an article in one of the Sunday supplements yesterday

    (same article here)

    Scroll down to 4th from last paragraph about what keeps the CEO awake @ 3am

    https://www.theguardian.com/money/2019/aug/11/the-bank-manager-will-see-you-now-is-monzo-ready-to-grow-up
This discussion has been closed.