You can read in the announcement the need to update the app, meaning it was the app that logged the PIN and this led to internal logging.<p>I love Monzo, but one thing that does concern me greatly is banking apps (or any apps that touch highly sensitive pieces of information) that include third party components or make any communication to third parties.<p>In the case of Monzo: <a href="https://reports.exodus-privacy.eu.org/en/reports/88809/" rel="nofollow">https://reports.exodus-privacy.eu.org/en/reports/88809/</a><p>+ Facebook Analytics<p>+ Facebook Login<p>+ Google Ads<p>+ Google CrashLytics<p>+ Google DoubleClick<p>+ Google Firebase Analytics<p>And according to NetGuard locally:<p><pre><code> ws-eu.pusher.com
graph.facebook.com
e.crashlytics.com
app.adjust.com
graph.accountkit.com
</code></pre>
Of those, aside from generally "Why?", I'm most concerned by crashlytics.com. Is this like Sentry? Does it send a stack on a crash? If I'm paying someone and entered my PIN and it crashes, did my PIN go to a third party?<p>I saw an app recently that gave me the option in the settings to opt out of crashlytics - more of that please!<p>I'd be much happier seeing nothing third party in apps that deal with sensitive information.<p>And I'd be happy to memorise a 2nd, less important software PIN for app transaction authorisation that wasn't the same as the ATM and hardware PIN.
Seems like credentials being stored in logs is something that happens at pretty much every tech company - see e.g. Facebook[1] and Google[2]. Perhaps client <i>and</i> server-side hashing should be standard - at least then the actual credentials wouldn't be leaked, and the salt could be rolled the next time the user inputted it.<p>[1] <a href="https://krebsonsecurity.com/2019/03/facebook-stored-hundreds-of-millions-of-user-passwords-in-plain-text-for-years/" rel="nofollow">https://krebsonsecurity.com/2019/03/facebook-stored-hundreds...</a><p>[2] <a href="https://www.theverge.com/2019/5/21/18634842/google-passwords-plain-text-g-suite-fourteen-years" rel="nofollow">https://www.theverge.com/2019/5/21/18634842/google-passwords...</a>
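The client-and-server-side hashing suggested in the comment above, as an added Python example that is not from the thread: the salts, user id and log lines are constructed, and the log redaction helper is an extra defence the comment does not mention.

```python
import hashlib
import hmac
import re

# Constructed sample salts (not from the thread); real per-user salts would be
# generated with secrets.token_bytes(16) at enrolment and rolled on re-entry.
CLIENT_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
SERVER_SALT = bytes.fromhex("ffeeddccbbaa99887766554433221100")


def client_hash(pin: str, user_id: str, client_salt: bytes) -> str:
    """Client-side step: stretch the PIN on the device so the value that leaves
    the app (and may end up in a request log or crash report) is a salted
    digest rather than the PIN itself."""
    return hashlib.pbkdf2_hmac(
        "sha256", pin.encode(), client_salt + user_id.encode(), 100_000
    ).hex()


def server_store(client_digest: str, server_salt: bytes) -> str:
    """Server-side step: hash the received digest again under a server-held
    salt before storing it, so a leaked database row does not reveal what the
    client sends. A logged client digest is still replayable until the client
    salt is rolled, which is why the redaction below matters as well."""
    return hmac.new(server_salt, bytes.fromhex(client_digest), "sha256").hexdigest()


def server_verify(client_digest: str, server_salt: bytes, stored: str) -> bool:
    """Constant-time comparison of the recomputed server digest."""
    return hmac.compare_digest(server_store(client_digest, server_salt), stored)


# Defence in depth: strip credential-looking fields before a line reaches any
# log sink, whether the value is a raw PIN or a client digest.
_SENSITIVE = re.compile(
    r'("?(pin|password|passcode|otp)"?\s*[:=]\s*"?)[^",&\s]+', re.I
)


def redact(line: str) -> str:
    """Replace the value of pin/password/passcode/otp fields in a log line."""
    return _SENSITIVE.sub(r"\1[REDACTED]", line)


if __name__ == "__main__":
    digest = client_hash("1234", "user-42", CLIENT_SALT)
    stored = server_store(digest, SERVER_SALT)
    print(server_verify(digest, SERVER_SALT, stored))
    print(redact('POST /pay {"amount": 5, "pin": "1234"}'))
```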
As someone who is fully drunk on Monzo kool-aid, well done to them on (a) identifying the problem and (b) immediately telling customers what to do.<p>Imagine how long this would have been an issue if it had happened at Barclays or TSB.
I remember we worked for a well established (not a startup) EU bank on a completely new mobile banking app (which later won several awards) and I always kind of wondered why they didn't want any 3rd party services like Google Analytics or Fabric. Well, now I completely understand. Also, the PIN (which was a "password" to enter into the app) never left the app and the bank didn't know the PIN. An SRP (Secure Remote Password) protocol was used so that the passwords never left the device and actually even the communication could be done over HTTP (instead of SSL) and the attack would not gain the passwords/keys. I became a customer after working onsite for them and seeing the code and working with the devs at the bank :-).