back to article PIN the blame on us, says Monzo in mondo security blunder: Bank card codes stored in log files as plain text

Trendy online-only Brit bank Monzo is telling hundreds of thousands of its customers to pick a new PIN – after it discovered it was storing their codes effectively as plain-text in log files. As a result, 480,000 folks, a fifth of the bank's customers, now have to go to a cash machine, and reset their PINs. The bank said the …

  1. Anonymous Coward
    Anonymous Coward

    And BigBank?

    If this had happened at BigBank we'd never get to hear about it. And why anonymous? Because I work for BigBank.

    1. streaky Silver badge

      Re: And BigBank?

      Not a Monzo customer, and probably never will but you have to give them huge respect for being transparent about it. Probably happens every day at larger banks and they bury it all down a big hole I'm guessing.

      1. anothercynic Silver badge

        Re: And BigBank?

        I use Monzo and am very happy with their transparence.

      2. Dave314159ggggdffsdds

        Re: And BigBank?

        It's worth opening an account and using it when convenient. If my experience is typical, you'll end up using it regularly.

        They're trying to grow fast, which is often when it all falls apart, but so far they're unbelievably good compared to normal banks.

  2. Anonymous Coward
    Anonymous Coward

    Not concerned...

    Have been a Monzo customer since the beta trials. Obviously it’s not great to log this sort of data, but they’ve corrected the issue quickly.

    And from my point of view, an employee having my PIN is pretty much useless without having physical access to the card - which is the only time the PIN is used. That, plus the fact that any spend appears within 2-3 seconds as a notification on the app, means I’m confident this is a minor issue from an end-user perspective.

    Disclosure of 16-digit numbers, CVV codes and expiry dates would be more concerning.

    1. Ben Tasker Silver badge

      Re: Not concerned...

      > which is the only time the PIN is used.

      Erm... you've been a Monzo customer since beta, but have you actually been *using* them?

      The PIN is used quite frequently, with no access to the card required, the first 2 that spring to mind are:

      - Create a new payment/SO - enter PIN into app to confirm

      - Confirm/authorise an online transaction - enter PIN into app to confirm

      That's not to say this issue is a major one, they've handled it very well by all accounts, it just surprised me to see you say that you only need the PIN when you're physically using the card, given just how much Monzo rely on that PIN for auth purposes

      1. Anonymous Coward
        Anonymous Coward

        Re: Not concerned...

        My mistake (@Ben) - I have had FaceID enabled, which seems to reduce the number of PIN entries needed within the app. Point taken that the attack surface is slightly higher than my original post stated.

        Obviously the other concern is more about other services that users might use the same PIN for - but that’s more general security hygiene.

      2. Anonymous Coward
        Anonymous Coward

        Re: Not concerned...

        I do believe there's a difference between the app pin and the card pin, no?

        1. Anonymous Coward
          Anonymous Coward

          Re: Not concerned...

          They are the same on Monzo.

        2. Ben Tasker Silver badge

          Re: Not concerned...

          Nope.

          Monzo uses your card's pin (and even prompts for it as a card pin)

  3. Warm Braw Silver badge

    So does this cock-up make it...

    ... The Monzo Dog Doo-doo Bank?

    1. Fruit and Nutcase Silver badge

      Re: So does this cock-up make it...

      Could have easily been Bedtime for BonzoMonzo

  4. EnviableOne Bronze badge

    Should have gone to Starling

    they dont spend money on flashy adverts and do the security right.

    1. Ben Tasker Silver badge

      Re: Should have gone to Starling

      Erm, did you miss this - https://www.fintechfutures.com/2019/01/starling-bank-gets-passport-to-security-issue-hell/

      Some PINS available to staff they shouldn't be, in encrypted storage versus we'll publish copies of your verification documents onto the internet for anyone to grab.

      And don't even talk about the response. Monzo seem to have gone with "Oh shit.. fuck fuck fuck... right, that's been addressed within 24 hours". Whereas Starling's response was " We don’t regard it as a breach or an issue for the ICO"

      I know which one seems to be doing security right, and it aint Starling.

    2. Michael H

      Re: Should have gone to Starling

      I gather you haven't been near any London public transportation for the last 2 years?

    3. Fruit and Nutcase Silver badge
      Alert

      Re: Should have gone to Starling

      They may do their "security right", but then it all gets hosted in the cloud...

      "With Capital One now facing lawsuits and the possibility of Congressional hearings for its mishandling of records on 106 million people, a few mishandled PINs won't get much play in the news cycle."

      https://www.theregister.co.uk/2019/08/06/wyden_amazon_letter/

  5. TimMaher Bronze badge
    Meh

    “Not much play in the news cycle.”

    The Independent have run it.

    Just sayin’.

  6. macjules Silver badge

    credit due ...

    ""No one outside Monzo had access to these PINs," Monzo said in its attempt to reassure customers."

    ©2018 British Airways. All Rights Reserved.

    1. John Brown (no body) Silver badge
      Thumb Up

      Re: credit due ...

      "©2018 British Airways. All RFlights (of fancy) Reserved."

      FTFY :-)

  7. clocKwize

    People who consider this evidence that Monzo isn't (as) secure as other banks are living in a dream world. Incidents like this slip through the net sometimes, and get noticed and fixed, at every company, everywhere - Humans aren't perfect. Monzo is being transparent about it and resolved it really quickly. Other banks, it is kept quiet. The only time it wouldn't be kept quiet is if someone external noticed, at which point they'd have to own up to it, but they'll do that in a way that diverts blame from the company.

    1. Fruit and Nutcase Silver badge

      In terms of banks keeping quiet, here's an interesting read

      https://www.theregister.co.uk/2005/10/21/phantoms_and_rogues/

      Persevere until page 2 - it gets better... ref: "Rogue Bank"

  8. Anonymous Coward
    Anonymous Coward

    So who pay for the trip to the cashpoint ?

    Which would not have been needed if they hadn't ****ed up.

    1. Dave 126 Silver badge

      Re: So who pay for the trip to the cashpoint ?

      You can freeze your card until you happen to be near a cash point. If you choose not to and there is any activity on your card you will receive an instant notification. If this activity is not authorised by you, it should be a straight forward case of having Monzo refund you, unless they tried to claim your failure to change the PIN was negligence on your part (which I can't see them doing).

      Still, it's an excuse to walk into town and pop into the pub.

  9. andy 103
    Mushroom

    All the no's

    Various people told me to get a Monzo card.

    There was something about their marketing that just said - these people don't have a fucking clue what they're doing. So I didn't.

    To use a line from The Mighty Boosh, "I hate you trendy modern wankers and everything you stand for".

    I'll stick with a proper bank thanks.

    1. joewilliamsebs

      Re: All the no's

      The difference between this and a "proper" bank is that there is no way a proper bank would disclose that this had happened.

      1. hoola Bronze badge

        Re: All the no's

        I am unclear why so many comments are confident that all the "proper" banks would have buried this? They all have to adhere to the same regulation and the impact if they get caught is the same.

        The only possible exclusion to this could be the Lloyds TSB group. They really are the worst of the worst but for totally different reasons.

    2. Dr Who

      Re: All the no's

      Monzo provides a great current account service. Opened an account for the sole purpose of a two week train trip with the family through Europe last month because there's no transaction fee or pumped up exchange rate for card payments abroad. Now thinking of switching permanently - it's brilliant. Like someone said transactions, even abroad, ping immediately into the app so you can see whether some dodgy trader has ripped you off while you're still staring them in the face. No more ten day waits until things appear on your account. This is a current account as it should be.

      Not too happy about the logging bug, but in the grand scheme of things it's not catastrophic and they've owned up and cleaned up.

      The entire holiday was done with booking.com, airbnb, the trainline and heavy use of google maps and translate en route and what could have been a disaster was a triumph. We only pre-booked some of the stuff in advance and did the rest on the fly. We all moan about the cloud on the Reg, but if you just step back and think what's possible now that was either impossible, or at the very least unbearably more complicated, just a few years ago it's pretty amazing really.

      OK, so I may have told some Italian waiter that his mother had the face of a pig and he himself was of dubious parenthood, but you know, Google's not perfect - and I probably would have got some instant offline feedback from the waiter.

      1. andy 103

        Re: All the no's

        "if you just step back and think what's possible now...or at the very least unbearably more complicated"

        Ah, that old chestnut. You see this is part of the problem. Everyone wants convenience and speed, and it seems that these things trump all other things. There's a reason that some things were "complicated" before and took a bit of time. I'm waiting for the day when some hipster wanktard brings out an app which lets you buy a house in 1 hour...and then for everyone to go... oh shit, there might be a downside to this.

        This mentality of "everyone can have everything they want and have it immediately" is the fucking problem.

        1. BuckeyeB

          Re: All the no's

          I have bought a house in an hour(well just about). It was an online auction and I bought it sight unseen(mostly). Couldn't go in the house, nor knock on the door. The previous owner was still in there and this was a foreclosure auction. I did drive to it and park. Walked the sidewalk and looked at the house from the outside. I did knock on the neighbor's door and asked what he knew about the house and looked over the fence from his yard. While it did take a few weeks to get the title work done after the winning bid, it wasn't the normal process and was pretty quick.

      2. Dog Eatdog

        Re: All the no's

        "We only pre-booked some of the stuff in advance"

        I downvoted you for "pre-booked".

        1. Loyal Commenter Silver badge

          Tautology Club

          The first rule of tautology club is the first rule of tautology club.

  10. Hans Neeson-Bumpsadese Silver badge

    Monzo says anyone whose PIN was exposed in the logs will be given a message instructing them to change their codes

    A message from a bank asking you to reset your details because of a security issue? Well, that certainly won't look like a phishing message which people will be inclined to ignore

    1. Dave 126 Silver badge

      The notification will come from the Monzo app itself, displaying the the Monzo 'M' notificatiin, not via SMS or email.

      I haven't heard of a malicious email or text being able to spoof the notification icon of a different app.

      Of course there's nothing to stop a bad actor sending out emails purporting to be from Monzo, but they're not likely to fool many users, since they are used to interacting through the Monzo app.

    2. Anonymous Coward
      Anonymous Coward

      Hans - how *would* you suggest they communicate then, or are you suggesting they shouldn't??

      Confused of Monzoland

      1. Hans Neeson-Bumpsadese Silver badge

        Don't get me wrong, I'm all for them communicating with their customers....I was just idly making the observation that phishing messages masquerading as this type of notification have become so prevalent that it's pretty much a reflex action to bin them. That's got to make life harder for banks when they genuinely need to get a message through.

        1. BuckeyeB

          The difference is probably this. The legitimate will probably be an in-app message saying something like, "Your pin has been compromised. Please use the change password option from the account settings screen". A phishing attempt will be an email or SMS that says, "Your account pin has been compromised. Please click here to fix."

  11. Anonymous Coward
    Anonymous Coward

    "On Monday, the last of the logged data had been deleted."

    So that sounds like 2 sets for daily backups plus a single set for weekly backups... why waste space taking so many backups, you're never going to need them...

  12. Anonymous Coward
    Anonymous Coward

    I bank with Monzo... As in actively, it's my main bank account for day to day use. This isn't great, but even so, I still have far much trust for them than any of the traditional banks and the way they handled this only reinforces this to me.

    I have a feeling based on what friends in the traditional banking business have said, in other banks, this sort of stuff happens alot ... We just never hear about it.

  13. scrubber
    Childcatcher

    vs traditional banks

    Did they sign me up for an expensive product I didn't ask for?

    Did they get me to take out useless insurance for financial products?

    Did they launder money for terrorists and drug cartels?

    Did they wreck the economy a decade ago?

    Do they overcharge me when using my card abroad?

    Do they lobby politicians to give them tax breaks and stifle competition?

    Do they view fines from regulators as simply a cost of doing business?

    Do they hire politicians into well paid fake roles in order to encourage current politicians to treat them nice?

    Do they hire regulators and place staff into regulators?

    Did they take people's homes fraudulently after the financial crisis?

    1. Anonymous Coward
      Anonymous Coward

      Re: vs traditional banks

      Is the answer "yes" or "no" for Monzo?

  14. Loyal Commenter Silver badge
    Holmes

    Log files as a security risk

    This is what happens when you get managers telling developers to log everything for troubleshooting purposes, but not highlight that this shouldn't include unredacted sensitive information.

    I wonder how many bits of software there are out there that start spewing out detailed log files if you stick an nlog.config or similar in their program directory (or somewhere in their path).

    1. andy 103

      Re: Log files as a security risk

      telling developers to log everything for troubleshooting purposes

      Logging stuff isn't an issue. It's where you put logs and who has access to them. Good developers know this.

      1. Loyal Commenter Silver badge

        Re: Log files as a security risk

        Logging stuff isn't an issue. It's where you put logs and who has access to them.

        Well, yes and no. If your logs contain sensitive information (such as PID), then you need to be able to know what is in them, where they are, and manage that data, to be compliant with GDPR. You have the potential problem of PID proliferation, where you need, under elgislation, to be able to tell a data subject exactly what data you hold on then, and, if requested, remove all of that information. That includes the data, if it is in a human-readable form in a log file (or can be converted to such).

        There's a world of differnece between loggin that patient ID 12345 was brought into surgery with item 522 inserted into their 89347, and replacing those IDs with things that are human-readable. For example, if patient 12345 has their record expunged under GDPR, the log file wouldn't tell you their name, it would just point to a deleted, or redacted record in your database.

        Logging authentication requests is another area where you would want to not include certain things in the log files as a matter of course, such as user names and passwords, unless you were trying to trouble-shoot a specific issue that required them, and then you would be careful to remove such logging after you were done with it and delete the log files if they contained real credentials. It's akin to people uploading their AWS keys to github and then being surprised when they get a bill for £2k worth of compute time because someone has used them to mine Bitcoins.

        Things like NLog can be a minefield, especially since they tend to search quite a wide path for config files. If you can manage to inject a config file with settings that output the logs at a trace level to somewhere under your control, it represents an attack vector for data extraction. Such vulnerabilites tend to be expolited in conjunction with others, so a user may be able to place such a file in a place where they do have access, without having access to the more sensitive locations that may read it and act on it.

        What is more, a user with legitimate access to a program's location may be able to craft a config file that will cause software to log things that otherwise would remain secret to them. This could range from trivial information about the structure of the software, to priveliged information about other users' accounts, encyption keys, et al. Best practice suggests that they really shouldn't be able to do so, but I bet you there's plenty of leaky software out there.

        Good developers know this - I've met plenty of good developers in my time. I can categorically state that I've also met more of the other type.

        1. Anonymous Coward
          Anonymous Coward

          Re: Log files as a security risk

          That's not entirely true. If someone gets hold of the item list it quickly becomes more possible to personally identify the person and derive other data. This is especially true if the item is unusual[1].

          In a GDPR deletion procedure I've developed, it only logs the identifying id of the person it deletes, and the date it did so. Even that is personally identifying, because deletion occurs based on data being aged out, so you could derive some very limited information if you knew the identifying id of the person and knew the retention period.

          The deletions do really need to be logged in case a mistake is made by a customer and someone's data accidentally removed, so after a month the date the deletion occurred is removed.

          In reality no-one would bother to try to find this information, because social engineering would be far more effective, but that's not really the point.

          [1] Lookup list : item 3242 : Cyberdyne industries morpho brain, location 2432 : metal casing. Quick, put out an APB for anyone that looks like a young Arnold Schwarzenegger.

    2. Anonymous Coward
      Anonymous Coward

      Re: Log files as a security risk

      No, this is what happens when you let over-sharing millennials, a generation utterly baffled by privacy and deep thinking, write banking software. God knows what other agile horrors are lurking in the Monzo codebase.

      Even their full disclosure sounded like it should've been on Instagram. Perhaps it was.

  15. Mike 137 Bronze badge

    "UK bank updated its mobile app so that no new PINs were sent to the log collector"

    The app decides where the PIN is sent? Client side decision? <sarcasm>Good thnking Batman!</sarcasm>

    1. tellytart

      Re: Backhander

      Actually, from reading the details fully, the app was logging the fact the user viewed either the full card number and/or the PIN from within the app, but was also incorrectly logging the card number/PIN when it should only have logged the fact they were viewed.

  16. popetackler

    Monzo is my main bank. Happy with how they've disclosed this and no issue using them in the future.

  17. manalive

    Monzo are awesome

    I switched fully to Monzo about 3 months ago and haven’t looked back.

    I got their email at the weekend and changed my PIN tonight - literally as the ATM was changing my PIN my iPhone notified me of this event, and the App showed me on a map exactly where it happened.

    As others have said, I admire their transparency. I know for a fact that all of the major banks would not have been this forthcoming with the truth, they’d either never mention it or be forced to admit it if it was somehow leaked.

    Monzo is a great bank IMO.

    1. Anonymous Coward
      Anonymous Coward

      Re: Monzo are awesome

      ...and the pin was logged for safety.

  18. John Smith 19 Gold badge
    Unhappy

    Not good, but then again....

    How long has this bank been in business?

    The UK banking sector needs some diversity.

    The way the Big Four bi**hed about credit unions opening up their membership restrictions before wholesale branch closures left sub post offices holding the baby for physical access to depositing (not getting) cash into peoples accounts.

  19. Anonymous Coward
    Anonymous Coward

    PCI

    Worryingly, I can’t believe that Monzo are actually logging the PIN itself in clear. Normally, you only ever transmit an encrypted PIN block and the PIN (or PIN offset) itself is only ever constructed and checked within a HSM.

    That’s a significant failing and seems to indicate that their solution isn’t Payment Cards Industry (PCI) compliant.

    More worryingly, if they are transmitting the customer PIN in clear then they are at real danger and I wouldn’t bank with them.

    1. Anonymous Coward
      Anonymous Coward

      Re: PCI

      This.

      I work in the industry and we have to play by PCI rules.

      We also get audited by independent third parties, who actually know what they are doing so sniff logs and network traffic looking for any signs of sensitive information.

      There should have been no way for any developer outside of an HSM/low level kernel dev to have even been able to log a PIN or PAN, much less actually made it available, while the low level devs should have peer review and security training and be aware of the rules. If this was an app developer, then even worse; the client app should never see a raw PIN.

      So yeah, if they are not playing by PCI rules then don't trust them.

      If they are PCI certified (and can't be bothered looking them up) then they can expect some audits coming along with hot-pokers.. the sort of thing that if I was the developers or security officer, would make me want to look for another job.

  20. TechieSid

    Whither "Compliance" ...??

    Sorry to be sounding negative but this incident does demonstrate a serious lack of Compliance ...!! - should get reported to the ICO ...??

    1. alun phillips

      Re: Whither "Compliance" ...??

      Thankfully you can rest easy, Monzo have reported the issue to the relevant.authorities.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019