UK-based Mobile-Only Bank Monzo Admits To Storing Payment Card PINs in Internal Logs (zdnet.com)
Monzo, a mobile-only bank operating in the UK, admitted today to storing payment card PINs inside internal logs. From a report: The company is now notifying all impacted customers and urging users to change card PINs the next time they use a cash machine. Monzo described the issue as a "bug" that occurred when Monzo customers used two specific features of their Monzo mobile apps -- namely the feature that reminds users of their card number and the feature for canceling standing orders. When Monzo customers used one of these two features, they'd be asked to enter their account PIN, for authorization purposes, but unbeknownst to them, the PIN would also be logged inside Monzo's internal logs. Monzo said these logs were encrypted and that only a few employees had access to the data stored inside. The company said it discovered the bug on Friday, August 2, and spent all weekend removing PIN numbers from its internal logs.
It really wouldn't take much more time (Score:2)
to do a TFA on your phone to authorize purchases than signing or putting in a PIN...
Re: (Score:2)
If users are sending their PIN over text message, it's going to be in more than just logs..
In some countries you enter your PIN into an app on your phone, rather than into the merchant's device (or website).
The PIN is NOT transmitted to the merchant. They only receive a one-time transaction validation number. It is absolutely not based on SMS text messages. That would make no sense at all.
So to make a transaction a criminal would need:
1. Your phone
2. Your phone login
3. Your payment PIN
In America, a criminal would need:
1. Your credit card number, expiration date, and CCV, all of which are pr
A "bug"? (Score:1)
Damn! The planet is run by a bunch of liars! And everybody says, *No biggie*...
Re: (Score:1)
Skimmed through it and you keep lying - I see you don't know that the minimum retirement age in Quebec is 60, with a reduced pension, as I've always said. Of course, if you could read French, you'd have found that out easily enough.
You're just pissed off that I pointed out that someone else now owns what you tried to make your personal brand - that anyone searching APK Hosts File on Google, Bing, Yahoo, or DuckDuckGo ends up at your competition, who unlike you have a website and offer free download for
This is a compliance issue (Score:3)
Regulations do not permit this. Book 'em, Dano.
Re: This is a compliance issue (Score:2)
No, they could use a pattern matcher that doesn't disclose password. That's fairly trivial to build.
Of course they could be reading passwords...
Re: (Score:2)
In other news recently, 7eleven launched a mobile payment app last month in Japan. Within 3 days, they had half a million dollars worth of fraudulent charges due to an insecure password reset mechanism that allowed attackers to send password reset links to their own email address if they knew the birthdate, phone number and email address used to register the account (birthdate defaulted to 1 Jan 2019 and many users did not s
Re: This is a compliance issue (Score:2)
"A pattern matcher still requires the password to be stored somewhere in plaintext."
That's ludicrous. It's not at all difficult to encrypt passwords, decrypt them internally. They would possibly be in plaintext in RAM... Or not. Please, just because some companies fail at this, don't assume all do.
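The log-scrubbing pattern matcher proposed in the comments above, and the plaintext objection to it, as an added example that is not code from this thread or from Monzo: a logging filter masks the values of sensitive keys (key names and log lines are assumed, constructed for illustration) before a record reaches any handler, so the PIN is dropped at the point of logging rather than being stored and later cleaned out of an encrypted log.

```python
import logging
import re

# Field names whose values must never reach a log sink (assumed for illustration).
SENSITIVE_KEYS = ("pin", "password", "cvv", "card_number")

# Matches key=value, key: value and "key": "value" forms so the mask applies
# to free-text and JSON-style log lines alike. Values are unquoted tokens.
_KV_RE = re.compile(
    r'(?P<key>\b(?:' + '|'.join(SENSITIVE_KEYS) + r')\b)'
    r'(?P<sep>"?\s*[:=]\s*"?)'
    r'(?P<val>[^",}\s]+)',
    re.IGNORECASE,
)


def redact(text: str) -> str:
    """Replace the value of every sensitive key with a fixed mask."""
    return _KV_RE.sub(lambda m: f"{m['key']}{m['sep']}[REDACTED]", text)


class RedactingFilter(logging.Filter):
    """Render the message once, scrub it, and drop the raw args so no
    handler or formatter can reconstruct the original value."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = None
        return True


class ListHandler(logging.Handler):
    """Captures what a real sink (file, SIEM) would have received."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(self.format(record))


def scrub_demo(events):
    """Log constructed events through the filter; return what the sink stored."""
    logger = logging.getLogger("card_service_example")
    logger.handlers.clear()
    logger.filters.clear()
    logger.setLevel(logging.INFO)
    logger.propagate = False
    sink = ListHandler()
    logger.addHandler(sink)
    logger.addFilter(RedactingFilter())
    for msg, args in events:
        logger.info(msg, *args)
    return sink.lines


# Constructed sample events mirroring the two app features named in the story.
SAMPLE_EVENTS = [
    ("cancel_standing_order user=%s pin=%s", ("u123", "4321")),
    ('show_card_number {"user": "u123", "pin": "9876", "ok": true}', ()),
    ("login user=%s result=%s", ("u123", "ok")),
]
```

Attaching the filter at the logger (or on every handler) is the point: scrubbing at the sink after the fact, as in the story, means the value has already been written.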
Re: (Score:2)
So you persist in the fantasy that everyone, everyone ELSE, is so incompetent that they would do that.
Sure, you can. So many assumptions. Even I assume they would handle the keys correctly, but that's really just me hoping they would do it right. Not me assuming they are of such incompetence they would keep it all in a manila folder on their desk.
And yes, we are inundated with examples of even worse errors.
Re: (Score:2)
Banks know the rules.
Re: (Score:2)
Regulations do not permit this. Book 'em, Dano.
If we have draconian punishments for self-reported breaches, we will have less self-reporting and more breaches.
Re: This is a compliance issue (Score:2)
Doubt you'll have more breaches. But fewer and less forthcoming disclosures, yup... And not a good reason to minimize the penalties.
Re: (Score:2)
The EU has regulations for a lot. Indeed, the ERPB invited the EPC to design the SCT back in 2015... all standards with the force of legislation behind them...
And you know nothing about the GDPR and its impact on payments?