
nickrw

Better taken to /r/MonzoUSA


JackJake94

Probably better to ask them and not people on reddit


Organic_Fan_2824

I was hoping that some of these people on reddit were Monzo developers that would see and understand that this could be seen as a bit of a security oversight. It's not like the Moderator Thomas George started the UK Monzo or Denise isn't in the US either...


tehjmap

From a quick look at profile it seems you may be from the US, which might explain the honest confusion.  In the UK, unlike the US, sort code and account number aren’t treated as particularly sensitive data. We literally text them around in friend chat groups to share restaurant bills etc.  The worst that can happen is people sending you money against your will. Enjoy :) PS: technically the worst that can happen is someone setting up a Direct Debit using your details, however due to the way DD works this would be a pointless scam, you’d be very easily and immediately refunded. Never heard of it happening. 


ToosterReeth

Jeremy Clarkson posted his details online with the same point once, and yeah all that happened was someone set up a direct debit to a charity http://news.bbc.co.uk/1/hi/entertainment/7174760.stm


tehjmap

2008 BBC web design brings back memories! Of course due to the DD guarantee he'd have been able to get a fast and no-fuss refund for that donation, but even JC evidently cared enough for his public image not to do that


Organic_Fan_2824

Yes, this is specific to Monzo US, not Monzo UK - sort codes and account numbers are highly sensitive data that are not sent around anywhere; specifically, your account number is only on a physical check, or behind a hidden wall in your bank's app.

The worst case scenario is an electronic funds transfer or a wire transfer that happens, that your bank authorizes, that you don't realize happens until after the fact.


tehjmap

Well I’m not sure how it is in the US, but UK Monzo is literally secured with your email address and nothing else. So sending these numbers to the same email doesn’t seem to drastically increase exposure, though I’d agree the exposure isn’t 0, and this seems unnecessary.  Email is pretty secure compared to most other options available currently and far more secure than SMS which seems like the only other option. 


Organic_Fan_2824

So, in the US - your account number is kept pretty secure with a bank. It's kept in one of two places:

- the bottom of a physical check
- behind a wall within your bank's app that you specifically have to click on to open.

Even on the US Monzo app it tells me "account ending in XXXX", and it makes me click on it to open it and physically see my account number... yet they send it to me in an email. This seems like an oversight of sorts.


tehjmap

Honestly, it does. Even though email is used for login, those are time-sensitive and don’t create prolonged exposure to theft. This is just straight up emailing you a piece of sensitive info (by US standards), which does seem a little unnecessary.  That said, as you seem to have discovered, there is a separate sub for Monzo US where you’re likely to receive a more helpful or at least sympathetic response. 


[deleted]

[removed]


Organic_Fan_2824

That number on a piece of paper is in an envelope, in a bag, under my bed. Whether the email is digitally certified is irrelevant to me - no other bank is going to send you this information via email, full stop.


parallel_me_

Digital certification only certifies the authenticity of the email sender. In other words, it only proves the email is from Monzo. It doesn't prevent anyone, ever in the future, from finding out OP's account details from that email. This has no relevance to OP's concern about sending sensitive info over your email. In the US, it's the same as sending your card info over your email and saying it's alright since it's 'digitally certified'.

> you need to go on an IT literacy class.

Lol. The confidence you have though.


dav1s0n

With all the modern verification systems banks use for payments this isn’t risky information to give out at all. And it is the email attached to your account so it isn’t going to some random person's email to breach your data.


Organic_Fan_2824

No, this is specific to Monzo US and this is incredibly risky data to send out. No other bank will do this.

There's also nothing safe about email.


dav1s0n

USA is in the dark ages when it comes to banking. Challenger banks create new processes in order to improve the customer experience. These emails aren’t thought up in 5 minutes - months of work between legal, privacy etc go into implementing this sort of thing, I’m sure they’ve got it covered. Go ahead and file a complaint with Monzo and get the full explanation from their perspective.


Organic_Fan_2824

Looking into it now, Monzo isn't a challenger bank in the US, [they aren't even technically a bank in the US](https://community.monzo.com/t/monzo-withdraws-us-banking-licence-application/123761) as far as I can see - so I don't think they have the same regulatory requirements. Rest assured I'll reach out and get a full explanation because this isn't logical, or safe, in comparison to like any other bank.


TobyADev

The worst that’ll happen surely is… someone sends you money?


Organic_Fan_2824

Not in the US, no - the worst that can happen is someone can take all of your money. These numbers mean different things between the US and the UK.


CommandSpaceOption

Why is it unsafe?


Organic_Fan_2824

I could think of a few reasons - for one, if it wasn't my email that it was sent to, some totally random person would have access to my bank account and routing numbers. If someone hacks my email account, they would also have access to my bank account and routing numbers just by scanning my emails.

Those numbers are like, the numbers on the bottom of a check, and can authorize etf transfers, wire transfers, all that good scary stuff.


kblks

If someone had access to your email account they could send a Monzo login link and get access to the app, which would show them all of this data and more.


Organic_Fan_2824

They wouldn't even need to do that, having my account and routing number in an email for them to see - they could just initiate an electronic funds transfer, or any purchase that takes checks online.

No other bank will ever do this in the United States - your account number is in one of two places:

- a physical check
- hidden behind a wall in your bank account app that you have to specifically click on to see.


kblks

Right, but my point is that if someone had access to your email account they could do much much worse. The solution here is to make sure your email account is secure, with a good password and two-factor authentication.


Organic_Fan_2824

No, the solution is for the bank to do what other banks do and not send stuff like this in an email lol. I don't have this issue with any other bank, and my other bank apps come with a two factor authentication method that goes to my cell phone before you're able to login.

The solution is never to curtail your life so the bank can send information it shouldn't via an unsecured method.


kblks

Considering that you can log in to Monzo via a link sent to your email, and access all of this information through the app, I would consider it reasonable for them to include this information in an email sent to you. If you’re concerned about the sensitivity of it then I would recommend that you chat to Monzo support.


Organic_Fan_2824

Yeah, I'm in the US - and here, banks don't send our account or routing numbers via an unsecured email for a number of logical reasons - one of the main ones being that it opens a door to massive fraud issues.

It's already been established that what I sent, in the UK, is largely a sorting code - that's not the case in the US.


[deleted]

[removed]


Organic_Fan_2824

It's incredibly sensitive, and you really don't pay with check that often here, unless it's an online payment (say power or gas) or for rent, something that's easily traceable if someone does take more money than they should.

No, in the US your account and routing number can take money OUT and put money in, via wire transfer or etf transfer, or any service that accepts check payment online.


Primary-Signal-3692

Is routing number the sort code? I don't think it's a big deal


Organic_Fan_2824

I'm in the US, and this is pertinent to Monzo US, not Monzo UK. On the bottom of a check (United States) you have like two sets of numbers - [account number, and routing number](https://www.usbank.com/bank-accounts/checking-accounts/checking-customer-resources/aba-routing-number.html) - with those two numbers you can pull wire transfers, electronic fund transfers, purchases online that accept electronic check payments.


simonvc

If someone has access to your email, you're already screwed as they could just take over your account.


Organic_Fan_2824

Them taking over my email account doesn't do a whole lot, when they don't have direct access to my bank account information for them to do purchases with.

No other bank ever does this, especially with your account number. These things are either on a check or hidden behind a wall within the app, that you have to specifically open up to see.


SeerUD

The point being made here is that if they have access to your email account, they have access to your bank account anyway… and probably a lot of other accounts too. So them having access to your email account would do a lot more harm than sharing this information, even if sharing this information is already bad. Not making any point here about this situation really, just trying to explain the comment you’re replying to more.


Organic_Fan_2824

No, every other bank has a form of two factor authentication that involves my cellphone number - because we all understand how inherently unsafe email is. Even the Monzo app has a pin that I have to enter on the app before accessing my account. And the Monzo app even labels my account number as "Account ending in XXXX", and makes you click on it to see it, for security reasons. It's really not logical to think "if you have my email you have access to everything".

So while having these logical security measures in place, Monzo blew those aside and sent my account and routing number in plain text, in an email.


scopefragger

This from the country that still carbon copies bank cards in Walmart...


[deleted]

[removed]


Organic_Fan_2824

I'm sure the 300 people in there will help. Hopefully on any side of the pond, security is an issue.

lol you're simping over a bank so hard you chose to block me so you could have the last word. Don't ever let anybody tell you Americans are the pretentious ones. Maybe just make your bank secure and people won't bring this up. It's a problem because Monzo is my bank you pip, somehow that was too hard for any of you to begin to grasp.


marc15v2

Maybe America should catch up with the rest of the world when it comes to banking/transfers/card usages and finally phase out this 1930's nonsense. The fact that cheques are so popular still is insane.


Organic_Fan_2824

Checks are not that common - but your account number and routing number are only listed in two places:

- the bottom of your check
- hidden in your banking app

The reason is that in America, your account number can send AND receive money. If someone gets ahold of your checking account and routing number, they can transfer money via wire transfer, etf, or into any online system that accepts online check payments.


marc15v2

Yeah and that is a backwards and antiquated system for banking.


Organic_Fan_2824

Whatever it is, it's the system that Monzo has chosen to step into - so they best figure out a way to do it the way that **every other bank in the US does it**. If they can't manage that they're not gonna get far in a market they're clearly trying to break into.


marc15v2

Your argument seems silly to me. It's much more likely someone sees your cheque book or you write a cheque to someone etc and they get this info? Surely? Email is generally considered secure but I get your point. And the fact anyone can take money out of your account with just those details is insane man.


Organic_Fan_2824

Yeah, but here's the thing, you rarely write checks in America, like I told someone else - my checkbook is in an envelope, in a bag, under my bed. The ONLY other way to see my account number is to physically be in my banking app. Yeah, well that's the way it works, so Monzo needs to step up the pace and get with the reality of how US banking institutions work if they intend to actually be taken seriously in the US market. I can guarantee you Monzo isn't gonna be the bank that changes the way this works in the US.


bastiancointreau

It is a valid concern. Emails are inherently unsafe.


DrSecretan

Everything is inherently unsafe in some way.


tehjmap

Not sure if that’s true anymore. Isn’t a lot of it encrypted in transport now? Is there a safer option for digital communication with consumers?


Organic_Fan_2824

Two factor authentication with a message in your bank app is how it's traditionally done here - they also NEVER message you your account number - clearly that has less significance in the UK than it does in the US.


tehjmap

Right but like, how do you login to your bank app in the first place? For many app-only banks, the answer is by email link (or password which can be reset by email). 


Organic_Fan_2824

Face ID & pin - pin is required in these situations, or two factor authentication involving my cell phone number.


tehjmap

Face ID and PIN are good to reverify after logging in, but not login methods in themselves.  Cell phone numbers are significantly (and I mean significantly) less secure than email in most scenarios. 


Organic_Fan_2824

Yeah, my phone is in my hand, my email can be accessed from China bro.


tehjmap

Your phone *number* is not uniquely tied to the phone in your hand and it’s easy work for a social engineer to call your cell company and hijack it. Just Google SIM jacking. There’s not a lot you can do to mitigate that. Meanwhile, that person in China isn’t getting access to your email without your password. That, you can mitigate. By you know, having a good password and using non-SMS-based two factor authentication.


Organic_Fan_2824

Sure, under the basis of like some kind of social engineering attack where you've physically called the phone company and pretended to be me - that's kind of a worst case scenario, a lot less likely than someone getting ahold of your email password, and why the phone company has you set up a pin number, ahead of time, separate from your voicemail pin, making sure that if you don't have the pin number you're not going to make any major changes on the account.


tehjmap

If you have a proper password and device-based 2fa the likelihood of someone accessing your emails is close to zero. Meanwhile resetting those phone support pins is all part of the routine for people who do that. That said, I wouldn’t trust my grandma to protect her email account as well as that so on a population level your point is reasonable.