If this had happened at BigBank we'd never get to hear about it. And why anonymous? Because I work for BigBank.
Trendy online-only Brit bank Monzo is telling hundreds of thousands of its customers to pick a new PIN – after it discovered it was storing their codes effectively as plain-text in log files. As a result, 480,000 folks, a fifth of the bank's customers, now have to go to a cash machine, and reset their PINs. The bank said the …
Have been a Monzo customer since the beta trials. Obviously it’s not great to log this sort of data, but they’ve corrected the issue quickly.
And from my point of view, an employee having my PIN is pretty much useless without having physical access to the card - which is the only time the PIN is used. That, plus the fact that any spend appears within 2-3 seconds as a notification on the app, means I’m confident this is a minor issue from an end-user perspective.
Disclosure of 16-digit numbers, CVV codes and expiry dates would be more concerning.
> which is the only time the PIN is used.
Erm... you've been a Monzo customer since beta, but have you actually been *using* them?
The PIN is used quite frequently, with no access to the card required, the first 2 that spring to mind are:
- Create a new payment/SO - enter PIN into app to confirm
- Confirm/authorise an online transaction - enter PIN into app to confirm
That's not to say this issue is a major one, they've handled it very well by all accounts, it just surprised me to see you say that you only need the PIN when you're physically using the card, given just how much Monzo rely on that PIN for auth purposes
My mistake (@Ben) - I have had FaceID enabled, which seems to reduce the number of PIN entries needed within the app. Point taken that the attack surface is slightly higher than my original post stated.
Obviously the other concern is more about other services that users might use the same PIN for - but that’s more general security hygiene.
Erm, did you miss this - https://www.fintechfutures.com/2019/01/starling-bank-gets-passport-to-security-issue-hell/
Some PINS available to staff they shouldn't be, in encrypted storage versus we'll publish copies of your verification documents onto the internet for anyone to grab.
And don't even talk about the response. Monzo seem to have gone with "Oh shit.. fuck fuck fuck... right, that's been addressed within 24 hours". Whereas Starling's response was " We don’t regard it as a breach or an issue for the ICO"
I know which one seems to be doing security right, and it aint Starling.
They may do their "security right", but then it all gets hosted in the cloud...
"With Capital One now facing lawsuits and the possibility of Congressional hearings for its mishandling of records on 106 million people, a few mishandled PINs won't get much play in the news cycle."
People who consider this evidence that Monzo isn't (as) secure as other banks are living in a dream world. Incidents like this slip through the net sometimes, and get noticed and fixed, at every company, everywhere - Humans aren't perfect. Monzo is being transparent about it and resolved it really quickly. Other banks, it is kept quiet. The only time it wouldn't be kept quiet is if someone external noticed, at which point they'd have to own up to it, but they'll do that in a way that diverts blame from the company.
You can freeze your card until you happen to be near a cash point. If you choose not to and there is any activity on your card you will receive an instant notification. If this activity is not authorised by you, it should be a straight forward case of having Monzo refund you, unless they tried to claim your failure to change the PIN was negligence on your part (which I can't see them doing).
Still, it's an excuse to walk into town and pop into the pub.
Various people told me to get a Monzo card.
There was something about their marketing that just said - these people don't have a fucking clue what they're doing. So I didn't.
To use a line from The Mighty Boosh, "I hate you trendy modern wankers and everything you stand for".
I'll stick with a proper bank thanks.
I am unclear why so many comments are confident that all the "proper" banks would have buried this? They all have to adhere to the same regulation and the impact if they get caught is the same.
The only possible exclusion to this could be the Lloyds TSB group. They really are the worst of the worst but for totally different reasons.
Monzo provides a great current account service. Opened an account for the sole purpose of a two week train trip with the family through Europe last month because there's no transaction fee or pumped up exchange rate for card payments abroad. Now thinking of switching permanently - it's brilliant. Like someone said transactions, even abroad, ping immediately into the app so you can see whether some dodgy trader has ripped you off while you're still staring them in the face. No more ten day waits until things appear on your account. This is a current account as it should be.
Not too happy about the logging bug, but in the grand scheme of things it's not catastrophic and they've owned up and cleaned up.
The entire holiday was done with booking.com, airbnb, the trainline and heavy use of google maps and translate en route and what could have been a disaster was a triumph. We only pre-booked some of the stuff in advance and did the rest on the fly. We all moan about the cloud on the Reg, but if you just step back and think what's possible now that was either impossible, or at the very least unbearably more complicated, just a few years ago it's pretty amazing really.
OK, so I may have told some Italian waiter that his mother had the face of a pig and he himself was of dubious parenthood, but you know, Google's not perfect - and I probably would have got some instant offline feedback from the waiter.
"if you just step back and think what's possible now...or at the very least unbearably more complicated"
Ah, that old chestnut. You see this is part of the problem. Everyone wants convenience and speed, and it seems that these things trump all other things. There's a reason that some things were "complicated" before and took a bit of time. I'm waiting for the day when some hipster wanktard brings out an app which lets you buy a house in 1 hour...and then for everyone to go... oh shit, there might be a downside to this.
This mentality of "everyone can have everything they want and have it immediately" is the fucking problem.
I have bought a house in an hour(well just about). It was an online auction and I bought it sight unseen(mostly). Couldn't go in the house, nor knock on the door. The previous owner was still in there and this was a foreclosure auction. I did drive to it and park. Walked the sidewalk and looked at the house from the outside. I did knock on the neighbor's door and asked what he knew about the house and looked over the fence from his yard. While it did take a few weeks to get the title work done after the winning bid, it wasn't the normal process and was pretty quick.
Monzo says anyone whose PIN was exposed in the logs will be given a message instructing them to change their codes
A message from a bank asking you to reset your details because of a security issue? Well, that certainly won't look like a phishing message which people will be inclined to ignore
The notification will come from the Monzo app itself, displaying the the Monzo 'M' notificatiin, not via SMS or email.
I haven't heard of a malicious email or text being able to spoof the notification icon of a different app.
Of course there's nothing to stop a bad actor sending out emails purporting to be from Monzo, but they're not likely to fool many users, since they are used to interacting through the Monzo app.
Don't get me wrong, I'm all for them communicating with their customers....I was just idly making the observation that phishing messages masquerading as this type of notification have become so prevalent that it's pretty much a reflex action to bin them. That's got to make life harder for banks when they genuinely need to get a message through.
The difference is probably this. The legitimate will probably be an in-app message saying something like, "Your pin has been compromised. Please use the change password option from the account settings screen". A phishing attempt will be an email or SMS that says, "Your account pin has been compromised. Please click here to fix."
I bank with Monzo... As in actively, it's my main bank account for day to day use. This isn't great, but even so, I still have far much trust for them than any of the traditional banks and the way they handled this only reinforces this to me.
I have a feeling based on what friends in the traditional banking business have said, in other banks, this sort of stuff happens alot ... We just never hear about it.
Did they sign me up for an expensive product I didn't ask for?
Did they get me to take out useless insurance for financial products?
Did they launder money for terrorists and drug cartels?
Did they wreck the economy a decade ago?
Do they overcharge me when using my card abroad?
Do they lobby politicians to give them tax breaks and stifle competition?
Do they view fines from regulators as simply a cost of doing business?
Do they hire politicians into well paid fake roles in order to encourage current politicians to treat them nice?
Do they hire regulators and place staff into regulators?
Did they take people's homes fraudulently after the financial crisis?
This is what happens when you get managers telling developers to log everything for troubleshooting purposes, but not highlight that this shouldn't include unredacted sensitive information.
I wonder how many bits of software there are out there that start spewing out detailed log files if you stick an nlog.config or similar in their program directory (or somewhere in their path).
Logging stuff isn't an issue. It's where you put logs and who has access to them.
Well, yes and no. If your logs contain sensitive information (such as PID), then you need to be able to know what is in them, where they are, and manage that data, to be compliant with GDPR. You have the potential problem of PID proliferation, where you need, under elgislation, to be able to tell a data subject exactly what data you hold on then, and, if requested, remove all of that information. That includes the data, if it is in a human-readable form in a log file (or can be converted to such).
There's a world of differnece between loggin that patient ID 12345 was brought into surgery with item 522 inserted into their 89347, and replacing those IDs with things that are human-readable. For example, if patient 12345 has their record expunged under GDPR, the log file wouldn't tell you their name, it would just point to a deleted, or redacted record in your database.
Logging authentication requests is another area where you would want to not include certain things in the log files as a matter of course, such as user names and passwords, unless you were trying to trouble-shoot a specific issue that required them, and then you would be careful to remove such logging after you were done with it and delete the log files if they contained real credentials. It's akin to people uploading their AWS keys to github and then being surprised when they get a bill for £2k worth of compute time because someone has used them to mine Bitcoins.
Things like NLog can be a minefield, especially since they tend to search quite a wide path for config files. If you can manage to inject a config file with settings that output the logs at a trace level to somewhere under your control, it represents an attack vector for data extraction. Such vulnerabilites tend to be expolited in conjunction with others, so a user may be able to place such a file in a place where they do have access, without having access to the more sensitive locations that may read it and act on it.
What is more, a user with legitimate access to a program's location may be able to craft a config file that will cause software to log things that otherwise would remain secret to them. This could range from trivial information about the structure of the software, to priveliged information about other users' accounts, encyption keys, et al. Best practice suggests that they really shouldn't be able to do so, but I bet you there's plenty of leaky software out there.
Good developers know this - I've met plenty of good developers in my time. I can categorically state that I've also met more of the other type.
That's not entirely true. If someone gets hold of the item list it quickly becomes more possible to personally identify the person and derive other data. This is especially true if the item is unusual.
In a GDPR deletion procedure I've developed, it only logs the identifying id of the person it deletes, and the date it did so. Even that is personally identifying, because deletion occurs based on data being aged out, so you could derive some very limited information if you knew the identifying id of the person and knew the retention period.
The deletions do really need to be logged in case a mistake is made by a customer and someone's data accidentally removed, so after a month the date the deletion occurred is removed.
In reality no-one would bother to try to find this information, because social engineering would be far more effective, but that's not really the point.
 Lookup list : item 3242 : Cyberdyne industries morpho brain, location 2432 : metal casing. Quick, put out an APB for anyone that looks like a young Arnold Schwarzenegger.
No, this is what happens when you let over-sharing millennials, a generation utterly baffled by privacy and deep thinking, write banking software. God knows what other agile horrors are lurking in the Monzo codebase.
Even their full disclosure sounded like it should've been on Instagram. Perhaps it was.
I switched fully to Monzo about 3 months ago and haven’t looked back.
I got their email at the weekend and changed my PIN tonight - literally as the ATM was changing my PIN my iPhone notified me of this event, and the App showed me on a map exactly where it happened.
As others have said, I admire their transparency. I know for a fact that all of the major banks would not have been this forthcoming with the truth, they’d either never mention it or be forced to admit it if it was somehow leaked.
Monzo is a great bank IMO.
How long has this bank been in business?
The UK banking sector needs some diversity.
The way the Big Four bi**hed about credit unions opening up their membership restrictions before wholesale branch closures left sub post offices holding the baby for physical access to depositing (not getting) cash into peoples accounts.
Worryingly, I can’t believe that Monzo are actually logging the PIN itself in clear. Normally, you only ever transmit an encrypted PIN block and the PIN (or PIN offset) itself is only ever constructed and checked within a HSM.
That’s a significant failing and seems to indicate that their solution isn’t Payment Cards Industry (PCI) compliant.
More worryingly, if they are transmitting the customer PIN in clear then they are at real danger and I wouldn’t bank with them.
I work in the industry and we have to play by PCI rules.
We also get audited by independent third parties, who actually know what they are doing so sniff logs and network traffic looking for any signs of sensitive information.
There should have been no way for any developer outside of an HSM/low level kernel dev to have even been able to log a PIN or PAN, much less actually made it available, while the low level devs should have peer review and security training and be aware of the rules. If this was an app developer, then even worse; the client app should never see a raw PIN.
So yeah, if they are not playing by PCI rules then don't trust them.
If they are PCI certified (and can't be bothered looking them up) then they can expect some audits coming along with hot-pokers.. the sort of thing that if I was the developers or security officer, would make me want to look for another job.
Biting the hand that feeds IT © 1998–2019