
SoylentNews is people

posted by martyb on Wednesday August 07 2019, @02:57PM
from the YAO-(Yet-Another-Oops) dept.

Monzo admits to storing payment card PINs in internal logs

Monzo, a mobile-only bank operating in the UK, admitted today to storing payment card PINs inside internal logs.

The company is now notifying all impacted customers and urging users to change card PINs the next time they use a cash machine.

Monzo described the issue as a "bug" that occurred when Monzo customers used two specific features of their Monzo mobile apps -- namely the feature that reminds users of their card number and the feature for canceling standing orders.

When Monzo customers used one of these two features, they'd be asked to enter their account PIN, for authorization purposes, but unbeknownst to them, the PIN would also be logged inside Monzo's internal logs.

Monzo said these logs were encrypted and that only a few employees had access to the data stored inside.

Monzo worked over the weekend to purge logs of customer PINs

The company said it discovered the bug on Friday, August 2, and spent all weekend removing PIN numbers[*] from its internal logs.

As soon as it finished this operation, Monzo published a statement on its site on Monday morning, August 5.

The company also published an update for its mobile app on Saturday, August 3, so the apps won't send the account PIN code to Monzo servers anymore.

The company said that all users should update their mobile apps. Users who had their PINs recorded in Monzo's logs received email notifications. Users who didn't receive an email were not impacted, the bank said. The number of affected users is around 480,000.

[*] PIN number: Personal Identification Number number. =)

See also: ZDnet.


  • (Score: 4, Interesting) by rigrig (5129) <soylentnews@tubul.net> on Wednesday August 07 2019, @03:39PM (#877114)

    We've come a long way from "storing cleartext passwords", through "storing weakly-hashed passwords" and "storing unsalted passwords", all the way to "logging cleartext passwords".

    --
    No one remembers the singer.