Banking PINs exposed in Monzo secure storage slip-up

When is a secure PIN not a secure PIN? When you accidentally store it in your log files.

That’s what happened to digital-native bank Monzo, which was left grovelling to customers over the weekend after its security blunder.

Monzo is one of the new breed of ‘challenger banks’ that uses financial technology (fintech) systems to subvert older, more established banks. One way of doing that is to abandon boring old brick-and-mortar branches in favour of shiny new smartphone apps. This lets them provide online-only services that can adapt quickly to meet customer demands.

UK-based Monzo, started in 2015 through a crowdfunding campaign, serves its customers with an iOS and Android app, along with a debit card that is still usable at ATMs. Unfortunately, its sophisticated software-driven business model let it down last week. On Sunday, it admitted that it hadn’t been as careful as it could have been with the PINs that customers use to access their accounts.

Engineers had access to customers’ PINs

The bank explained that it stored these PINs in a secure part of its infrastructure. Unfortunately that wasn’t the only place where it was storing them. An oversight meant that it had also been storing the PINs in the log files that its software engineers use to understand what’s happening in its systems.

Although the log files were encrypted, they were still insecure: encryption at rest keeps outsiders out, but it does nothing against people who are authorised to read the logs. The company explained:

Engineers at Monzo have access to these log files as part of their job.

Up to 100 engineers had the right to access those log files, meaning that one bad apple could have stolen them and used them to commit fraud.
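The failure described here is a classic one: a value that lives correctly in a secure store is also serialised into an engineering log by a code path that echoes request data. The snippet below is an added example, not Monzo’s code, showing two defences a practitioner would want: a `logging.Filter` that scrubs sensitive fields from structured events before any handler writes them, and an audit function that scans already-written JSON log lines for a PIN-shaped value sitting under a sensitive key. The field names (`pin`, `card_number`, and so on), the logger name and the sample log lines are all assumptions constructed for the example.

```python
import json
import logging
import re
from typing import Any, Iterator

# Field names that must never reach a log record. Assumed for this example;
# they are not Monzo's actual schema.
SENSITIVE_KEYS = {"pin", "old_pin", "new_pin", "card_number", "pan", "cvv"}

# Shape of a card PIN: four to six digits and nothing else.
PIN_RE = re.compile(r"^\d{4,6}$")


def redact(event: dict[str, Any]) -> dict[str, Any]:
    """Copy a structured log event with sensitive fields masked.

    Recurses into nested dicts so a request body echoed into the event
    (the usual way a PIN ends up in a log) is cleaned too.
    """
    clean: dict[str, Any] = {}
    for key, value in event.items():
        if key.lower() in SENSITIVE_KEYS:
            clean[key] = "[REDACTED]"
        elif isinstance(value, dict):
            clean[key] = redact(value)
        else:
            clean[key] = value
    return clean


class RedactingFilter(logging.Filter):
    """Scrub the 'event' dict on a LogRecord before any handler sees it."""

    def filter(self, record: logging.LogRecord) -> bool:
        event = getattr(record, "event", None)
        if isinstance(event, dict):
            record.event = redact(event)
            record.msg = json.dumps(record.event, sort_keys=True)
            record.args = ()  # drop the unredacted positional args as well
        return True


def log_event(logger: logging.Logger, event: dict[str, Any]) -> None:
    """Emit a structured event; the logger's filter does the scrubbing."""
    logger.info("%s", json.dumps(event, sort_keys=True), extra={"event": event})


class _ListHandler(logging.Handler):
    """Handler that keeps formatted lines in memory (stands in for a file)."""

    def __init__(self) -> None:
        super().__init__()
        self.lines: list[str] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


def logged_line(event: dict[str, Any]) -> str:
    """Route one event through a logger fitted with RedactingFilter and return
    the single line a handler would have written."""
    logger = logging.getLogger("pin_redaction_example")  # name is an assumption
    logger.handlers.clear()
    logger.filters.clear()
    logger.setLevel(logging.INFO)
    logger.propagate = False
    handler = _ListHandler()
    logger.addHandler(handler)
    logger.addFilter(RedactingFilter())
    log_event(logger, event)
    return handler.lines[0]


def _walk(event: dict[str, Any], prefix: str = "") -> Iterator[tuple[str, Any]]:
    """Yield (dotted.path, value) for every leaf in a nested dict."""
    for key, value in event.items():
        path = f"{prefix}{key}"
        if isinstance(value, dict):
            yield from _walk(value, path + ".")
        else:
            yield path, value


def find_pin_leaks(log_lines: list[str]) -> list[tuple[int, str]]:
    """Audit JSON log lines for a sensitive key carrying a PIN-shaped value.

    Returns (line_number, dotted_key) pairs so the leaky call site can be
    traced. Non-JSON lines are skipped rather than aborting the scan.
    """
    leaks: list[tuple[int, str]] = []
    for lineno, line in enumerate(log_lines, start=1):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not isinstance(event, dict):
            continue
        for path, value in _walk(event):
            leaf = path.rsplit(".", 1)[-1].lower()
            if leaf in SENSITIVE_KEYS and PIN_RE.match(str(value)):
                leaks.append((lineno, path))
    return leaks


# Constructed sample log lines; account ids and PINs are invented.
SAMPLE_LOG = [
    '{"action": "card_number_reminder", "account": "acc_0001", "request": {"pin": "4821"}}',
    '{"action": "cancel_standing_order", "account": "acc_0002", "pin": "9034", "order": "so_77"}',
    '{"action": "balance", "account": "acc_0003"}',
    "not json at all",
]

if __name__ == "__main__":
    print("leaks in existing log:", find_pin_leaks(SAMPLE_LOG))
    print("line as written with filter:", logged_line(json.loads(SAMPLE_LOG[0])))
```

The filter is attached to the logger rather than to a handler so that every destination (file, stdout, shipping agent) receives the same scrubbed record; the audit function is what you would run over historical logs to size an incident like this one, where the question is not only "is it still leaking?" but "how many records already contain it?".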

That didn’t happen, according to Monzo, which said that it had checked:

No one outside Monzo had access to these PINs. We’ve checked all the accounts that have been affected by this bug thoroughly, and confirmed the information hasn’t been used to commit fraud.

Monzo found the problem on Friday evening, and rushed to solve it. According to the blog post, it updated its mobile apps by 5:25am UK time the following morning. It had deleted all of the erroneously stored PIN data by the time it posted its announcement on Sunday.

PINs for around 20% of customers – that’s around 480,000 – made their way into the log files, according to the bank. Anyone who had asked for a reminder of their card number or cancelled a standing order would have been affected.

Monzo has already informed the affected customers, and said that they should change their PINs at an ATM. Monzo explains how:

You can do this by putting your Monzo card into the cash machine, entering your old PIN and choosing ‘PIN services’. Then choose ‘Select a new PIN’ and change it to a new number.

As with any data breach involving your bank details, you should monitor your statements closely, and inform your bank if you notice anything unusual. Monzo says you can do that through its in-app chat or by ringing the phone number listed on your debit card.

It also emphasises that customers should take precautions, even if they’ve not been told by Monzo that they’ve been directly affected:

If we haven’t emailed you, you haven’t been affected. But you should still update your app to the latest version.