Monzo's PIN security breach, explained

Nearly half a million of the challenger bank's customers have been asked to reset their PIN after the information was left in an insecure file accessible to Monzo employees
WIRED

Half a million customers of Monzo, one of the UK’s digital challenger banks, have been advised to change their PINs after they were left in a vulnerable file accessible by the company’s engineers for more than half a year.

Monzo, which announced the issue in a blog post on August 5, 2019, admitted that 480,000 customers’ PINs were theoretically accessible to rank-and-file employees for months. So what does that really mean for you if you’ve got one of the company's bright pink bank cards?

“The Monzo data security breach is an internal one,” explains Guy Warren, chief executive of ITRS Group, a supplier of technology to 190 banks worldwide. “Monzo software engineers wouldn’t normally expect to be able to see sensitive data like this, but the design flaw meant they could.”

The PINs were erroneously held in encrypted log files, written whenever customers used one of two services from the digital bank: receiving a reminder of their card number, or cancelling a standing order. Around one in five of Monzo’s customers had used one or both of the services, and their PINs were therefore held in an insecure way.

At the same time, Monzo has rolled out a new version of its app to fix the “bug” in their system. The company has insisted the PINs were encrypted, but Marios Kyriacou, founder of cybersecurity consultancy The Security Bureau, says that “at this point, we do not know what ‘encrypted’ means. Given that PINs are made up of four digits, it wouldn’t be difficult to decrypt these and find out what the real PINs were.” It is also estimated that 110 engineers had access to this data, which, adds Kyriacou, makes one wonder why so many Monzo staff would need such access and whether their internal security procedures are up to scratch.

“This is pretty embarrassing because they are a financial institution, one of these new digital banks,” says cybersecurity expert Graham Cluley. “This isn’t the kind of thing you want to have to tell your customers – to change their PIN numbers.”

Warren says that the fundamental issue is providing too much access to a particular file to too many people. “It was a design flaw when building the application. That data shouldn’t have been stored in a log file. Design review should have caught that before building.” And Monzo might not even have been aware that something in the company's network permissions or access control had gone wrong and given far too many people access to sensitive data.
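The failure mode described above, a secret that should never have been written at all landing in a log file that many engineers could read, is usually prevented with a redaction layer that sits between the application and every log handler. The following is an added example, not Monzo's code: it scrubs known sensitive keys from structured events, scrubs PIN-looking values out of free-text messages, and renders lazily formatted messages before checking them, since a template such as "pin=%s" carries the PIN in its arguments, not in the template. The field names, the "card_reminder" service name and the sample event are constructed assumptions for illustration.

```python
import io
import json
import logging
import re

# Field names that must never reach a log file. These are assumptions for the
# example, not Monzo's actual schema.
SENSITIVE_KEYS = frozenset({"pin", "card_pin", "new_pin", "cvv", "password"})
REDACTED = "[REDACTED]"

# Catches PIN values interpolated into free text, e.g. "pin=1234", "PIN: 123456",
# "pin 1234" or "card_pin=1234" (4 to 6 digits). No leading word boundary, so
# it errs toward over-redaction, which is the safe direction for a log.
PIN_IN_TEXT = re.compile(r"(?i)(pin)\b\s*[:=]?\s*(\d{4,6})\b")


def scrub_text(text):
    """Replace PIN-looking values in free text, keeping the label so the log
    line still shows that a PIN field was present."""
    return PIN_IN_TEXT.sub(lambda m: f"{m.group(1)}={REDACTED}", text)


def sanitize_event(event):
    """Return a copy of a structured event with sensitive values replaced.
    Recurses into nested dicts and lists so a PIN inside a request body is
    caught too; strings are additionally run through scrub_text."""
    if isinstance(event, dict):
        return {
            key: REDACTED if str(key).lower() in SENSITIVE_KEYS else sanitize_event(value)
            for key, value in event.items()
        }
    if isinstance(event, list):
        return [sanitize_event(item) for item in event]
    if isinstance(event, str):
        return scrub_text(event)
    return event


class RedactingFilter(logging.Filter):
    """Scrubs every record before any handler formats or writes it.

    The message is rendered first (record.getMessage()) so that values passed
    lazily as %-style arguments are scrubbed as well; checking only the
    template "pin=%s" would let the PIN in record.args through."""

    def filter(self, record):
        if isinstance(record.msg, dict) and not record.args:
            # Structured event: redact by key, then serialise deterministically.
            record.msg = json.dumps(sanitize_event(record.msg), sort_keys=True)
        else:
            record.msg = scrub_text(record.getMessage())
        record.args = ()
        return True


def write_event(event, redact=True):
    """Log a structured event plus a free-text line and return exactly what
    the handler wrote, so the effect of the filter can be checked.

    redact=False reproduces the failure mode from the article: the PIN lands
    verbatim in the log output."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger = logging.getLogger("example.card_reminder")  # hypothetical name
    logger.setLevel(logging.INFO)
    logger.propagate = False
    logger.handlers = [handler]
    logger.filters = [RedactingFilter()] if redact else []

    logger.info(event)  # structured event logged as a dict
    logger.info("reminder sent user=%s pin=%s", event["user_id"], event["pin"])
    handler.flush()
    return stream.getvalue()


# Constructed sample event for a hypothetical card-number reminder request.
SAMPLE_EVENT = {
    "service": "card_reminder",
    "user_id": "u-0042",
    "pin": "1234",
    "request": {"card_last4": "9876", "new_pin": "5678"},
}

if __name__ == "__main__":
    print("--- without redaction ---")
    print(write_event(SAMPLE_EVENT, redact=False), end="")
    print("--- with redaction ---")
    print(write_event(SAMPLE_EVENT, redact=True), end="")
```

Attaching the filter to the logger rather than to one handler matters: a handler-level filter protects only that handler, while a new file or shipping handler added later would bypass it. Redaction by key also keeps the non-sensitive context (service, user id, last four digits) intact, so the log stays useful for the incident response the article says Monzo is now doing.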

Customers who are affected will have to visit an ATM to change their PIN, and the bank is assuring customers that there has been no fraudulent action on their accounts. The company has been clear that – to the best of its knowledge – no one outside Monzo had access to the PINs and no one has lost money from their account. They haven’t been hacked, and the data appears not to have spread beyond Monzo. Because of that, there’s little reason for people to worry based on current evidence.

While the bank hasn’t explained how the issue occurred, every process in an electronic banking system needs to be coded at some point – and it appears this is a simple human error. “We’re all capable of making mistakes,” says Cluley. “You can patch an operating system but you can’t patch people’s brains. IT people will make mistakes setting up systems. You only have to click the wrong button or forget to deselect something and too many people may have access to a particular piece of data.”

Though the company has been at pains to say it has not seen any fraudulent behaviour, asking users to change their PINs is still the right thing to do, says Cluley. That’s not because the accounts are at a higher risk of fraud per se, but in case the erroneous file containing the PINs accidentally made it outside of Monzo headquarters. That would be an issue not necessarily because the Monzo bank accounts would be at risk – the company is likely to be keeping a watchful eye over movements in and out of affected customers’ accounts – but because other accounts held by the same customers with other banks could be.

The reason for that is our willingness to duplicate PINs across accounts. “You find there’s a high preponderance of PINs starting with '19' and the reason is people will use their birth year,” says Cluley. That’s bad information security practice. “You should be just as random in your choice of PIN as in your choice of password.”


This article was originally published by WIRED UK