Evaluating Banking Apps’ Security Against Mobile Theft: A Monzo Case Study

Intro & Motivation

Every 10 minutes, someone steals a mobile phone in London, making phone security a critical concern for all of us. A recent Financial Times article highlights this surge in thefts, revealing that our personal and financial information is at significant risk. As I learned from discussions with 2 of my neighbors who had their phones stolen by bikers, securing our phones is essential, not just advisable. In this post, we will first evaluate the security features of iOS and Android, focusing on theft prevention. We will then present a detailed attack scenario targeting the Monzo banking app in the event of device theft, assuming that jailbreaking a brand-new device is not possible.

Theft Scenarios

The article in FT mentions 2 theft scenarios that thieves consider successful:

  1. The attacker steals the phone while it is unlocked at that moment. They then try to gain access to sensitive functionalities such as: password manager(s), wallet(s), banking apps, social apps, shopping apps, photos, or any app that does not require any form of authentication such as PIN/FaceID/TouchID/password.
  2. The attacker gains knowledge of the phone’s passcode (through shoulder surfing, CCTV camera recordings, covertly filming targets, or other ways), then pickpockets the phone and tries to get access to the victim’s Apple account, wallet(s) and different financial applications using this passcode. In FT’s article, such a method was suspected to have been used in the case of a tech executive whose phone was pickpocketed in a bar; the next day thousands of pounds were missing from his bank accounts. Moreover, the FT article later mentions research by Nuke From Orbit, which found that nearly 50% of people use the same PIN for their phone, apps, services, and bank cards, making it easier for criminals.

Regarding scenario #2, where the attacker possesses knowledge of the phone’s passcode, we will investigate which phone security features can effectively limit the impact of theft restricted to the device itself. Additionally, we will identify which banking apps are vulnerable, particularly those that utilize the phone’s passcode for authentication (e.g., Monzo). We assume that the device is modern, up-to-date, and jailbreaking is not an option. Our approach is to simulate the actions of a thief for a day. But first, let’s have a look at the iOS & Android security features related to theft prevention.

iOS Security Features

There are 3 key iOS security features to secure our phone & banking apps and limit the theft impact:

  1. Stolen Device Protection
  2. Use FaceID for sensitive apps
  3. Erase data

Stolen Device Protection

Firstly, we can enable the ‘Stolen Device Protection’ security feature. This performs 2 helpful actions in the case where someone has stolen your iPhone and the attacker knows your passcode:

  1. Face ID or Touch ID biometric authentication: some actions, such as accessing stored passwords and credit cards, require a single biometric authentication with Face ID or Touch ID – with no passcode alternative or fallback option – so that only you can access these features.
  2. Security Delay: some security actions, such as changing your Apple ID password, also require you to wait for an hour and then perform a second Face ID or Touch ID authentication. This is useful in case the attacker wants to change the password and block your access to your own Apple ID so that you cannot erase your phone or track it.

This security feature is located in: Settings – FaceID & Passcode – Stolen Device Protection. I enabled it and set it to ‘Always’.

Use FaceID for other apps

Secondly, iPhone users can enable ‘Use FaceID for other apps’. This allows the selected apps you consider sensitive to use FaceID for authentication (if the app supports it too). The good part here is that once allowed, some banking apps (such as Lloyds Bank, Starling, Revolut, PayPal) use this feature by default for authentication. But the sad part is that other apps like Monzo require you to activate it manually in the app. I have set this feature to ‘allow’ for all the apps, especially the banking apps.
We can enable this for each application in: ‘Settings – FaceID & Passcode – Other apps’.

Erase data

Thirdly, another security feature on the iPhone is ‘Erase Data’. This erases all data on the iPhone after 10 failed passcode attempts. It is useful for when the attacker does not know the passcode. This is located in the same menu as the above 2 security features.
Beware of the following apparent ‘protection’ feature: ‘Turn Passcode Off’. We initially thought this would disable the passcode and only allow FaceID. This was a huge mistake because it actually disabled both the ‘Passcode’ AND ‘FaceID’. So now your phone is without any authentication protection and everyone can lock it and unlock it. Apple, why is this even considered a ‘Security Feature’?

In addition, you should check that all your banking apps require FaceId or TouchID to secure access.

Secure banking apps access – Banking apps default behaviour

We checked a total of 8 banking apps, and found that only the Monzo banking app did not have the FaceID/TouchID authentication feature enabled by default. This allows a phone thief with or without knowledge of the phone’s passcode to access the app. You can enable it in the Monzo app in: ‘Settings’ – ‘Privacy & Security’ – ‘App Lock – Require iOS passcode or FaceID to access Monzo’. Unfortunately, even after you enable this security feature in Monzo, the fallback after 1 failed FaceID attempt on accessing the app is the iPhone’s passcode. Thus, you’re vulnerable again to scenario #2.

| Banking App | Default Auth method | Fallback Auth method | Application behavior | Tips to their users |
|---|---|---|---|---|
| Lloyds | FaceID | 3 random characters from ‘Memorable Information’ | After 2 failed FaceID attempts it asks for 3 random characters from your secret ‘Memorable Information’ | – |
| HSBC | FaceID | No fallback option | After 5 failed FaceID attempts I was blocked for 5 minutes; then it unlocked automatically | – |
| PayPal | FaceID | User’s PayPal account password | After 2 failed FaceID attempts falls back to the user’s PayPal account password | – |
| Natwest | FaceID | Application’s 5 digit passcode | After 2 failed FaceID attempts falls back to the app’s passcode | – |
| Starling | FaceID | Application’s 4 digit passcode | After 2 failed FaceID attempts falls back to the app’s passcode | – |
| Revolut | FaceID | Application’s 6 digit passcode (vulnerable if identical with phone’s passcode and the thief knows it) | After 2 failed FaceID attempts falls back to the app’s passcode | 1. Use a different app passcode than phone’s 6 digit passcode |
| Metro | FaceID | Application’s 6 digit passcode (vulnerable if identical with phone’s passcode and the thief knows it) | After 2 failed FaceID attempts falls back to the app’s passcode | 1. Use a different app passcode than phone’s 6 digit passcode |
| Monzo (default, no AppLock) | None – in our tests (Monzo: Auth is done every 3 months, nearly equivalent to no Auth at all) | N/A | You are authenticated into victim’s account for max 90 days | 1. Enable authentication with FaceID from the Monzo app: ‘Privacy & Security’ – ‘App Lock’. 2. Use a different app passcode than phone’s passcode, if app allows it – currently it does not. |
| Monzo (AppLock enabled) | FaceID | Phone’s passcode (vulnerable to scenario #2 if the thief knows it) | After 1 failed FaceID attempt it asks for phone’s passcode | 1. Use a different app passcode than phone’s passcode, if app allows it – currently it does not. |

Table showing the banking apps that provide secure authentication by default and their fallback method.

Android Security Features

On Android, currently we have no equivalent of the iOS ‘Stolen Device Protection’ to secure the phone. However, we can use the App Lock security feature if the phone supports it. If not, then we can install a third-party ‘App Lock’ app. These apps can set up FaceID, TouchID, or a security PIN for added protection of the sensitive apps. Ideally, choose a different PIN than your phone’s.

Wanted security features

  • Google, please create the equivalent of ‘Stolen Device Protection’ security feature for your users.

Case Study: Monzo banking app attack – What’s the worst that could happen?

There are 3 main vulnerabilities here:

  1. Unauthenticated access to the app by default: authentication is done only every 90 days. It seems Monzo already knows about this issue and, based on our conversations, they are working on changing this.
  2. Impersonation on “Record a short video of yourself to Recover Card PIN” – this functionality is vulnerable to impersonation compared to FaceID authentication.
  3. The fallback for FaceId authentication is the iPhone’s passcode when AppLock is enabled (this requires FaceID or passcode for accessing the app).

In the Monzo app case, you install the app and upon logging in for the first time you select ‘Use FaceID next time’ and ‘Turn on FaceID’, as seen below. However, once logged in, the app does not ask you to authenticate again for another 90 days, which makes the authentication useless; it is like having no authentication at all. Whoever snatched your phone has access to your Monzo bank account.

iOS security features - FaceID
I activated the above ‘Use FaceID next time’.
iOS security features - Turn on FaceID
I activated ‘FaceID’ here too.

The critical issue we need to address is the implications of an attacker gaining access to a Monzo account. Specifically, can the attacker initiate money transfers? Transferring funds requires either FaceID or the card’s PIN. So, the pivotal question is: Is it possible to obtain the card’s PIN? Based on our testing, the answer appears to be yes.

Recovering a card’s PIN

In our tests, the following method successfully revealed the card’s PIN:

  1. Navigate to ‘Card’ > ‘Reveal PIN’.
  2. Intentionally fail the FaceID verification twice by misaligning the phone.
  3. The app then prompts to record a video repeating a series of randomly generated numbers.
  4. After submitting the video, a notification with the PIN is sent.

This method proved effective when I impersonated my brother, and similarly, he was able to impersonate me, each of us gaining access to the other’s PIN using our respective phones. This vulnerability suggests that while FaceID generally provides robust authentication, the ‘record a short video’ fallback mechanism compromises security, potentially allowing unauthorized transactions.

Thus, while FaceID may serve as an appropriate authentication method, ‘recording a short video of yourself to recover PIN’ to verify identity does not seem to be a secure authentication method.

Monzo banking app attack - iOS security features - 'video message'
The attacker tries to use the ‘Reveal PIN’ functionality and is asked for FaceID. After failing FaceID, the attacker receives the above message for a short ‘video message’.
Monzo banking app attack - iOS security features - 'video message' bypassed
The attacker (my brother) recorded the ‘video message’ impersonating me. Shortly afterwards, the attacker receives the above successful notification on the stolen phone: ‘Tap to view your PIN’. Now he can start making transfers.

Monzo banking app attack summarized

Considering the theft described in the Financial Times article (where someone stole a user’s phone and saw the mobile PIN beforehand), and based on our research, we conclude that the following scenario is possible with the Monzo iOS Mobile app:

  1. The thief attempts to authenticate to the Monzo iOS app using FaceID (if the ‘App lock’ security feature is enabled).
  2. The authentication falls back to the device PIN, which the attacker has already seen beforehand.
  3. The attacker can record a short video to recover the card’s PIN, as we did, and transfer money out of the victim’s account.

Monzo’s response to the security breach inquiry was somewhat generic and did not provide detailed information about their corrective actions. Due to legal constraints, we will not quote their reply directly, but it generally aligned with standard public relations responses and did not address the core issues. We recommend that pentesters include this face recognition attack in their assessments. We suspect that Monzo might be using a ‘Mechanical Turk’ approach, where tasks such as face recognition verification are outsourced to an on-demand workforce. This method is reminiscent of a strategy once considered by Amazon Fresh, which ultimately decided against it.

Disclosure Timeline – Monzo Banking app

20/05/2024: We disclosed three security issues to Monzo. They acknowledged our report and thanked us on the same day.

30/05/2024: Monzo inquired about the completion of the Identity Verification (IDV) checks.

31/05/2024: We responded to Monzo, confirming the completion and bypass of the IDV checks.

03/06/2024: Update requested on the resolution of the reported issues.

05/06/2024: Monzo confirmed that authentication is done every 90 days and provided feedback on issues 2 and 3, similar to PR statements.

06/06/2024: FORTBRIDGE requested an update from Monzo on issues 2 and 3.

07/06/2024: Monzo stated that they have no further details to offer at this time.

17/06/2024: Blog post published summarizing the situation and our findings.

Explore Our Mobile Application Penetration Testing Services

As we continually advance our tools and techniques for effective mobile app security testing, we invite you to discover our mobile application pentesting services. Tailored to equip security professionals with cutting-edge defenses against evolving threats, our services are designed to fortify your mobile applications. Dive into the latest and most effective security strategies with our expertly crafted solutions. For more detailed information about our offerings or to discuss customized penetration testing strategies with our team, please visit our services page or contact us today.

References

Read more details about the ‘Stolen Device Protection’ security feature from Apple here:
https://support.apple.com/en-gb/HT212510
London police catch e-bike mugger after he steals phones from 24 people during a day-long crime spree.
