PIN the blame on us, says Monzo in mondo security blunder: Bank card codes stored in log files as plain text
Trendy online-only Brit bank Monzo is telling hundreds of thousands of its customers to pick a new PIN – after it discovered it was storing their codes as plain-text in log files.
As a result, 480,000 folks, a fifth of the bank's customers, now have to go to a cash machine and reset their PINs.
The bank said the numbers, normally tightly secured with extremely limited access, had accidentally been kept in an encrypted-at-rest log file. The content of those logs was, however, accessible to roughly 100 Monzo engineers who normally would not have the clearance nor any need to see customer PINs.
The PINs were logged for punters who had used the "card number reminder" and "cancel a standing order" features.
To hear Monzo tell it, the misconfigured logs, along with the PINs, were discovered on Friday evening. By Saturday morning, the UK bank updated its mobile app so that no new PINs were sent to the log collector. On Monday, the last of the logged data had been deleted.
"No one outside Monzo had access to these PINs," Monzo said in its attempt to reassure customers.
"We’ve checked all the accounts that have been affected by this bug thoroughly, and confirmed the information hasn’t been used to commit fraud."
Monzo says anyone whose PIN was exposed in the logs will be given a message instructing them to change their codes. To do that, the customer will need to go to a cash machine (app-happy Monzo has no brick-and-mortar branches) and select a new number via the PIN Services menu.
While Monzo maintains that nobody outside of the bank was able to see the codes, it would not be a bad idea to keep an eye on your account activity in case anything suspicious is spotted.
Additionally, everyone with an account at the bank is being advised to update their Android and iOS apps to make sure they have the latest versions, via which PINs are no longer fed into the log files.
The blunder is a setback for the upstart UK banking service, but fortunately for Monzo, it happened to come along in the wake of a much bigger banking privacy foul-up. With Capital One now facing lawsuits and the possibility of Congressional hearings for its mishandling of records on 106 million people, a few mishandled PINs won't get much play in the news cycle.
source theregister
Industry: Cyber Security
Latest Jobs
-
- Contact 12 month- Security Operations- Crowdstrike Falcon Insight EDR / Analyst.
- United Kingdom
- Dependent on experience
-
Security Operations engineer / Analyst with Crowdstrike Falcon Insight EDR experience for a 12 month contract. Experienced Contractor with Crowdstrike Falcon Insight: Endpoint detection and Response (EDR) experience needed - 12 month rolling project. Implementation, configuration and Analyst experience needed with Crowdstrike Falcon Insight: (EDR) Migration project- relocating capability internationally. technically implementing, configuration of that that migration and then transition to BAU role monitoring. DCL Search exclusive associate Project.
-
- SailPoint Consultant
- London
- Upto £75,000 plus benefits
-
SailPoint Consultant is needed for an expanding Financial Service business, this is an exciting time to join the Business as they are in the Process of deploying both IAM and PAM solutions and this consultant will form a key part of the IAM team Location can be flexible but would require the individual to come into the London office a couple of times a month for team meetings and face to face project reviews Duties include · Engage in the Identity & Access Management project to deliver SailPoint IdentityNow and Privileged Access Management · On-board applications and users into IAM tools and customise or configure integrations as required · Regularly review, secure and recertify privileged roles in applications, databases and operating systems · Implement least privilege, just-in-time access, password rotation and vaulting wherever possible · Migrate application authentication to Single Sign-On through the use of SAML and OAuth · Implement and enforce the use of MFA where possible, focusing on critical applications and risky sign-ins · Provide technical support to Centrify and SailPoint users Key experience required: Previous experience with SailPoint, including integrating and deploying into a business, onboarding users and applications, supporting users and performing manual administration tasks. Experience with SAML and OAuth to migrate applications to Single Sign-on. If you are interested in hearing more please reach out to me for more information
-
- Centrify Consultant
- London
- Upto £75,000 plus benefits
-
A Privileged Access Management Consultant is needed for an expanding Financial Service business, this is an exciting time to join the Business as they are in the Process of deploying a Centrify PAM solution,, this consultant will form a key part of the team Location can be flexible but would require the individual to come into the London office a couple of times a month for team meetings and face to face project reviews Duties include · On-board applications and users into PAM tools and customise or configure integrations as required · Regularly review, secure and recertify privileged roles in applications, databases and operating systems · Implement least privilege, just-in-time access, password rotation and vaulting wherever possible · Migrate application authentication to Single Sign-On through the use of SAML and OAuth · Implement and enforce the use of MFA where possible, focusing on critical applications and risky sign-ins · Provide technical support to Centrify users You would also gain expsoure with the IAM toolset as part of an Identity Access deployment. Key experience required: Previous experience with a PAM tool (Centrify would be an added bonus but not essential) including integrating and deploying into a business, onboarding users and applications, supporting users and performing manual administration tasks. Experience with SAML and OAuth to migrate applications to Single Sign-on. If you are interested in hearing more please reach out to me for more information
-
- SOC team lead- Deputy SOC manager - Managed Security Services, Bradford. Exclusive
- Bradford
- £70,000 +
-
SOC team lead- Deputy SOC Manager - Managed Cyber Security Services, Bradford. Exclusive Identifier project. Technical team lead needed to join a Managed Cyber Security Services business. The role will be a hands on lead role and technical escalation point for the team. You will also be responsible for leading, mentoring, growing and developing the team. You will be the deputy SOC manager and be involved in the strategic growth of the capability. A managed security services background is essential, specifically within a managed security operations capability. Current hands on support experience across Firewall, SIEM, Incident Response is essential.