[BreachExchange] Monzo admits to storing payment card PINs in internal logs
destry at riskbasedsecurity.com
Wed Aug 7 10:04:24 EDT 2019
Monzo, a mobile-only bank operating in the UK, admitted today to
storing payment card PINs inside internal logs.
The company is now notifying all impacted customers and urging users
to change card PINs the next time they use a cash machine.
Monzo described the issue as a "bug" that occurred when Monzo
customers used two specific features of their Monzo mobile apps --
namely the feature that reminds users of their card number and the
feature for canceling standing orders.
When Monzo customers used one of these two features, they'd be asked
to enter their account PIN, for authorization purposes, but unbeknownst
to them, the PIN would also be logged inside Monzo's internal logs.
Monzo said these logs were encrypted and that only a few employees had
access to the data stored inside.
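The defect described above is a generic one: a request payload containing a secret field reaches the logging layer unchanged. As an added illustration (this is not Monzo's code and does not come from the article), the Python below masks sensitive fields by key name before any log handler sees them, and separately scans existing log lines for values that already leaked, the kind of check that precedes a purge. The field names, log format and sample lines are constructed for the example.

```python
"""Keep PINs out of application logs: redact on write, then scan what is already stored.

Added example, not from the article or from Monzo. Field names, the log line
format and all sample values are constructed assumptions.
"""
import json
import logging
import re
from typing import Any, List, Tuple

# Keys whose values must never be written to a log (constructed list).
SENSITIVE_KEYS = {"pin", "password", "passcode", "cvv", "pan", "card_number"}
REDACTED = "[REDACTED]"


def redact(value: Any) -> Any:
    """Return a copy of a JSON-like structure with sensitive field values masked.

    Redaction is decided by the key name, not by the value's shape, so a
    4-digit PIN and a 16-digit card number are handled identically and nothing
    depends on guessing formats.
    """
    if isinstance(value, dict):
        return {
            k: REDACTED if str(k).lower() in SENSITIVE_KEYS else redact(v)
            for k, v in value.items()
        }
    if isinstance(value, list):
        return [redact(v) for v in value]
    return value


class RedactingFilter(logging.Filter):
    """logging.Filter that scrubs record arguments before any handler sees them.

    Attach it to the logger itself rather than to one handler, so that handlers
    added later (a debug file, a remote shipper) also receive only redacted data.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        if isinstance(record.args, dict):
            record.args = redact(record.args)
        elif isinstance(record.args, tuple):
            record.args = tuple(redact(a) for a in record.args)
        return True  # never drop the record, only its secrets


def filtered_message(msg: str, args: dict) -> str:
    """Render a log message through RedactingFilter (helper for demonstration)."""
    record = logging.LogRecord("app", logging.INFO, "app.py", 0, msg, (args,), None)
    RedactingFilter().filter(record)
    return record.getMessage()


def request_log_line(event: str, payload: dict) -> str:
    """Build the structured line an API handler would emit for one request."""
    return json.dumps({"event": event, "request": redact(payload)}, sort_keys=True)


# Retrospective check over an existing archive: a sensitive key followed by a
# literal value, in JSON ("pin": "1234") or key=value (pin=1234) form. No word
# boundary is used on purpose; over-matching is the safer failure for a purge.
LEAK_RE = re.compile(
    r'"?(?P<key>pin|password|passcode|cvv)"?\s*[:=]\s*"?(?P<val>[^",\s}]+)',
    re.IGNORECASE,
)


def find_leaks(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_number, key) for each line carrying an unredacted sensitive value."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for match in LEAK_RE.finditer(line):
            if match.group("val") != REDACTED:
                hits.append((number, match.group("key").lower()))
    return hits


if __name__ == "__main__":
    # Constructed request resembling the "cancel standing order" flow.
    print(request_log_line("cancel_standing_order", {"order_id": "so-42", "pin": "1234"}))
    print(filtered_message("verify pin=%(pin)s user=%(user)s", {"pin": "1234", "user": "u1"}))
    archive = ['{"event": "card_reveal", "pin": "1234"}', "pin=[REDACTED]", "ok"]
    print(find_leaks(archive))
```

The two halves address the two steps in the article: the filter is the fix that stops new PINs arriving at the log, and `find_leaks` is the audit that tells you which stored lines must be purged and which customers to notify.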
MONZO WORKED OVER THE WEEKEND TO PURGE LOGS OF CUSTOMER PINS
The company said it discovered the bug on Friday, August 2, and spent
all weekend removing PINs from its internal logs.
As soon as it finished this operation, Monzo published a statement on
its site on Monday morning, August 5.
The company also published an update for its mobile app on Saturday,
August 3, so the apps won't send the account PIN code to Monzo servers.
The company said that all users should update their mobile apps. Users
who had their PINs recorded in Monzo's logs received email
notifications. Users who didn't receive an email were not impacted,
the bank said. The number of affected users is around 480,000.
Monzo is a so-called "mobile bank" that launched in the UK in 2015,
under the name Mondo. It doesn't have any branches and operates solely
via its mobile apps.
The company said it passed over the one million users mark in October
2018. On its website, Monzo claims that over 55,000 people open an
account every week. In June 2019, the company announced plans to
launch in the US.
THE "STORE PASSWORDS IN CLEARTEXT" CLUB
Monzo's mistake isn't an isolated snafu. Bigger names have made the
same error in the past two years.
For example, just last month, one of Silicon Valley's latest tech
unicorns, Robinhood, a web service for trading market stocks and
cryptocurrency, also admitted to storing some users' passwords in
cleartext in its logs.
Before that, Facebook admitted in March to storing passwords in
cleartext for hundreds of millions of Facebook Lite users and tens of
millions of Facebook users.
Facebook then admitted again in April to storing passwords in
cleartext for millions of Instagram users.
Not to be outdone, Google admitted in May to also storing an
unspecified number of passwords in cleartext for G Suite users for
nearly 14 years.
And, a year before, in 2018, both Twitter and GitHub admitted to
accidentally storing user plaintext passwords in internal logs.