Mobile-only bank Monzo has apologised for a gaffe which left the PINs of a subset of its customers exposed to its internal engineers.
The company says that on Friday 2 August it discovered that some users’ PINs had been stored in an internal system in encrypted log files, and these log files were accessible to Monzo engineers.
According to the digital bank, around a fifth of Monzo’s UK customers had their PIN stored for up to six months in the log files after they made a request via the app to be reminded of their card number, or cancel a standing order.
By 5:25am the following morning, Monzo had released updates to its iOS and Android apps fixing the issue, and by Monday morning had permanently deleted the incorrectly stored data.
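To make the failure mode concrete, here is an added example in Python (my own illustration, not Monzo's code; the article does not describe how its logging was written). It shows a request handler that dumps the whole request payload into its log, beside two fixes: a handler that logs only the fields needed to trace the request, and a logging filter that scrubs PIN-like fields as a backstop for code paths nobody remembered to audit. The request payloads, field names and the `[REDACTED]` marker are constructed for the demo.

```python
import io
import json
import logging
import re

# Constructed request payloads (hypothetical; not real Monzo data) for the two
# flows the article names. Each carries the card PIN the user typed to confirm.
SAMPLE_REQUESTS = [
    {"action": "remind_card_number", "user_id": "u-1001", "pin": "4821"},
    {"action": "cancel_standing_order", "user_id": "u-2002", "pin": "1990",
     "order_id": "so-77"},
]

SENSITIVE_KEYS = {"pin", "cvv", "password", "card_number"}
# Matches the same keys inside text that was already stringified, e.g. a
# json.dumps() of the request: "pin": "4821", pin=4821, PIN: 4821
SENSITIVE_RE = re.compile(
    r'(?i)\b(pin|cvv|password|card_number)\b(["\']?\s*[:=]\s*["\']?)(\d{3,16})')


def redact_value(data):
    """Recursively replace sensitive fields (and in-string key=value pairs) with a marker."""
    if isinstance(data, dict):
        return {k: ("[REDACTED]" if k.lower() in SENSITIVE_KEYS else redact_value(v))
                for k, v in data.items()}
    if isinstance(data, list):
        return [redact_value(v) for v in data]
    if isinstance(data, str):
        return SENSITIVE_RE.sub(lambda m: m.group(1) + m.group(2) + "[REDACTED]", data)
    return data


class RedactingFilter(logging.Filter):
    """Backstop: scrub message and args of every record before any handler formats it."""

    def filter(self, record):
        record.msg = redact_value(record.msg)
        if isinstance(record.args, tuple):
            record.args = tuple(redact_value(a) for a in record.args)
        elif record.args:  # a single mapping argument
            record.args = redact_value(record.args)
        return True


def handle_request_unsafe(req, log):
    # The mistake: the whole payload, PIN included, goes to the log "for debugging".
    log.info("request received: %s", json.dumps(req))
    return "ok"


def handle_request_safe(req, log):
    # Log only the fields needed to trace the request; the PIN never reaches the logger.
    log.info("request received: action=%s user=%s", req["action"], req["user_id"])
    return "ok"


def capture_logs(handler_fn, requests, with_filter):
    """Run requests through handler_fn with an isolated logger; return the log lines."""
    logger = logging.getLogger("demo.%s.%s" % (handler_fn.__name__, with_filter))
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(message)s"))
    logger.addHandler(handler)
    if with_filter:
        logger.addFilter(RedactingFilter())
    for req in requests:
        handler_fn(req, logger)
    handler.flush()
    return buf.getvalue().splitlines()


def pins_leaked(lines, requests):
    """Return the PINs from `requests` that appear verbatim in the captured log lines."""
    return [r["pin"] for r in requests if any(r["pin"] in line for line in lines)]


if __name__ == "__main__":
    for fn, filt in [(handle_request_unsafe, False), (handle_request_unsafe, True),
                     (handle_request_safe, False)]:
        lines = capture_logs(fn, SAMPLE_REQUESTS, filt)
        print(fn.__name__, "filter" if filt else "no filter",
              "-> leaked:", pins_leaked(lines, SAMPLE_REQUESTS))
        for line in lines:
            print("   ", line)
```

Note that encrypting the log files at rest, as the article says Monzo's were, does not help when the people who can read the logs are the engineers who hold the keys. The robust control is that the secret never reaches the logger at all; the filter is a safety net for the call sites you did not find, not a substitute for the safe handler.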
Although there’s undoubtedly concern that a breach like this could have occurred, some credit has to be given to Monzo for addressing the issue so rapidly and its transparency in informing customers about the problem.
By now many customers will already have updated their smartphone’s Monzo app, and affected users should have received an email notification regarding the issue.
Although some users have mentioned that an in-app notification might have reassured them that the email wasn’t fraudulent, I get the impression that Monzo is trying hard to fix a problem here and be seen to be taking the incident seriously. That’s at odds with how many companies respond to a breach, where they wring their hands claiming they “take security seriously” but don’t leave the impression that lasting lessons have been learnt.
What’s important to recognise is that there is no suggestion that Monzo has been hacked. Furthermore Monzo says that it has examined affected accounts and not seen any evidence of fraudulent activity.
In short, it’s perfectly possible that none of Monzo’s engineers who had access to the log files containing customers’ PINs did actually access them, let alone exploit the information maliciously.
With that in mind, should you change your Monzo PIN if you are one of those 500,000-or-so customers who was affected? Undoubtedly.
Even if there is only a slender chance that a criminal might have managed to get their claws on your PIN, you should assume the worst and visit an ATM to change it.
And, just like passwords, you should be careful to ensure that you are not reusing the same PIN in multiple places.
Back in 2011, iOS app developer Daniel Amitay published his alarming research into the most common four-digit passcodes used by iPhone users after anonymously collecting and recording 204,508 PINs.
Naturally, 1234 is the most common passcode: mimicking the most common internet passwords. To put this into perspective, these 10 codes represent 15% of all passcodes in use. Most of the top passcodes follow typical formulas, such as four identical digits, moving in a line up/down the pad, repetition. 5683 is the passcode with the least obvious pattern, but it turns out that it is the number representation of LOVE (5683), once again mimicking a very common internet password: “iloveyou.”
Interestingly, 1990-2000 are all in the top 50, and 1980-1989 are all in the top 100. I would interpret this occurrence as a subset of users that set their passcodes to the year of their birth or graduation.
I have no reason to believe that human behaviour regarding choice of PINs has changed much in the intervening eight years.
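The patterns Amitay describes (four identical digits, a run up or down, a straight line on the keypad, a repeated pair, a birth or graduation year, and 5683 for LOVE) are easy to turn into a checker. Here is an added example in Python, my own code and not Amitay's or Monzo's, that flags a PIN against those patterns and audits a list of PINs the way his study did: the share of PINs hitting any pattern and the share covered by the ten most common values. The sample PIN list is constructed for the demo and is not data from either source.

```python
from collections import Counter

# Straight four-key lines on a phone keypad (1-2-3 / 4-5-6 / 7-8-9 / 0 under 8):
# only the middle column reaches four keys once 0 is included.
KEYPAD_LINES = {"2580", "0852"}
YEAR_RANGE = range(1980, 2001)      # the years Amitay found in the top 100
KEYPAD_WORDS = {"5683": "LOVE"}     # 5-6-8-3 spells LOVE on the letters of a phone pad


def weak_pin_reasons(pin):
    """Return the list of Amitay-style patterns a 4-digit PIN matches (empty = none)."""
    if len(pin) != 4 or not pin.isdigit():
        raise ValueError("expected a 4-digit PIN string")
    digits = [int(c) for c in pin]
    reasons = []
    if len(set(digits)) == 1:
        reasons.append("all digits identical")
    steps = {digits[i + 1] - digits[i] for i in range(3)}
    if steps == {1} or steps == {-1}:
        reasons.append("ascending/descending run")
    if pin in KEYPAD_LINES:
        reasons.append("straight line on keypad")
    if pin[:2] == pin[2:]:
        reasons.append("repeated pair")
    if int(pin) in YEAR_RANGE:
        reasons.append("looks like a birth/graduation year")
    if pin in KEYPAD_WORDS:
        reasons.append("spells %s on keypad" % KEYPAD_WORDS[pin])
    return reasons


def audit(pins):
    """Share of PINs flagged by at least one pattern, plus a Counter of the patterns hit."""
    reasons = Counter()
    weak = 0
    for pin in pins:
        hits = weak_pin_reasons(pin)
        if hits:
            weak += 1
            reasons.update(hits)
    return (weak / len(pins) if pins else 0.0), reasons


def top_share(pins, n=10):
    """Fraction of all PINs covered by the n most common values (Amitay: 15% for n=10)."""
    counts = Counter(pins)
    return sum(c for _, c in counts.most_common(n)) / len(pins)


# Constructed sample (hypothetical; not Amitay's data or Monzo's): a skew towards the
# patterns above plus sixteen PINs with no obvious structure.
SAMPLE_PINS = (
    ["1234"] * 8 + ["1111"] * 4 + ["0000"] * 3 + ["1212"] * 2 + ["5683"] * 2
    + ["1990"] * 2 + ["2580"] * 2 + ["1998"]
    + ["4723", "8391", "6072", "3958", "7146", "0457", "9614", "2839",
       "5107", "6390", "1476", "8205", "3761", "4098", "7315", "2648"]
)

if __name__ == "__main__":
    share, reasons = audit(SAMPLE_PINS)
    print("flagged as weak: %.0f%%" % (100 * share))
    print("top-10 PINs cover: %.0f%%" % (100 * top_share(SAMPLE_PINS)))
    for reason, count in reasons.most_common():
        print("  %-36s %d" % (reason, count))
```

A bank or app that wants to steer customers away from these choices can run `weak_pin_reasons` at PIN-selection time and reject or warn; the audit functions are what you would run over a real distribution to see how far it matches Amitay's 2011 figures.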
It might be interesting to compare with the contents of Monzo’s log file of 500,000 PINs, but somehow I doubt they’re very keen on that idea… (and have, quite rightly, deleted the data anyway)
Hear more about the Monzo incident, and Daniel Amitay’s passcode research from 2011, in this episode of the “Smashing Security” podcast:
Smashing Security #140: 'Love, PINs, and 8chan'
How can they provide password usage statistics? Are the passwords visible to them, or is it through a survey?
I think you're referring to Daniel Amitay's research from back in 2011, right?
He wrote an iOS app that took a photo of people as they attempted to "unlock" an iPhone using his own bogus passcode lock screen. The passcodes were sent on to Amitay, who then examined them and sorted them by popularity. (This later caused Apple to chuck him out of the iOS App Store).
It's explained in greater detail in Amitay's blog (linked to in the article above) or in "Smashing Security" podcast episode 140: https://www.smashingsecurity.com/140