Stories
Slash Boxes
Comments

SoylentNews is people

Monzo Admits to Storing Payment Card PINs in Internal Logs

posted by martyb on Wednesday August 07 2019, @02:57PM   Printer-friendly
from the YAO-(Yet-Another-Oops) dept.

"upstart" writes in with a submission, via IRC, for SoyCow7671

Monzo admits to storing payment card PINs in internal logs

Monzo, a mobile-only bank operating in the UK, admitted today to storing payment card PINs inside internal logs.

The company is now notifying all impacted customers and urging users to change card PINs the next time they use a cash machine.

Monzo described the issue as a "bug" that occurred when Monzo customers used two specific features of their Monzo mobile apps -- namely the feature that reminds users of their card number and the feature for canceling standing orders.

When Monzo customers used one of these two features, they'd be asked to enter their account PIN, for authorization purposes, but unbeknowst to them, the PIN would also be logged inside Monzo's internal logs.

Monzo said these logs were encrypted and that only a few employees had access to the data stored inside.

Monzo worked over the weekend to purge logs of customer PINs

The company said it discovered the bug on Friday, August 2, and spent all weekend removing PIN numbers[*] from its internal logs.

As soon as it finished this operation, Monzo published a statement on its site on Monday morning, August 5.

The company also published an update for its mobile app on Saturday, August 3, so the apps won't send the account PIN code to Monzo servers anymore.

The company said that all users should update their mobile apps. Users who had their PINs recorded in Monzo's logs received email notifications. Users who didn't receive an email, were not impacted, the bank said. The number of affected users is around 480,000.

[*] PIN number: Personal Identification Number number. =)

See also: ZDnet.

Original Submission

 
This discussion has been archived. No new comments can be posted.
Monzo Admits to Storing Payment Card PINs in Internal Logs | Log In/Create an Account | Top | 9 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 2, Disagree) by AthanasiusKircher on Thursday August 08 2019, @03:39AM (3 children)

    by AthanasiusKircher (5291) on Thursday August 08 2019, @03:39AM (#877327) Journal

    Yes, precisely. OP's gripe is "kinda stupid" as it presumes that the word "pin" is unambiguous. "I forgot my pin today" could mean "I forgot my tie pin" or "I forgot my bowling pin" or "I forgot to make a certain chess move" or (when spoken in a Southern accent) "I forgot my writing implement that outputs ink" or many other things. Somehow, we still mostly understand each other in most common situations.

    Starting Score:    1  point
    Moderation   0  
       Disagree=1, Total=1
    Extra 'Disagree' Modifier   0  
    Karma-Bonus Modifier   +1  
    Total Score:   2  

  • (Score: 2) by acid andy on Thursday August 08 2019, @09:25AM (2 children)

    by acid andy (1683) on Thursday August 08 2019, @09:25AM (#877379) Homepage Journal

    Not really. I dislike ambiguity. I only "mostly understand" other people when they provide sufficient context in cases where they use such ambiguous terms. The Southern "pin" for pen would really have me baffled and asking for them to elaborate.

    If you accept that some context is needed to remove the potential for misunderstanding then do you not also accept that explicitly clarifying that the PIN is a number is reasonable and appropriate?

    The reason it's stupid is that the term has clearly introduced controversy as well as the ambiguity, hence our disagreement.

    --
    If a cat has kittens, does a rat have rittens, a bat bittens and a mat mittens?

    • (Score: 2) by AthanasiusKircher on Friday August 09 2019, @07:22AM

      by AthanasiusKircher (5291) on Friday August 09 2019, @07:22AM (#877804) Journal

      A huge number of common English words have multiple divergent meanings. It's just how most languages work.

      I don't think anything is "clearly introduced" about the supposed controversy or ambiguity. I have no problem with "PIN number" as an utterance. English is full of redundancies. Only pedants tend to worry about them; most of us actual people just use the language.

      And I have never encountered a situation where anyone has used the term PIN but I thought they were referring to a pin. Maybe you have. But the word "pin" doesn't tend to come up in normal conversation that much for me, and when it does, it's usually in a specific context where the meaning is clear (referring to an item on clothing, referring to something being prepared for sewing, referring to bowling, referring to wrestling, etc.).

      I mean, in a broad sense, I agree with you that it's better to introduce a new word rather than to tack on an unrelated meaning to a previously existing one. Sure, I'll agree with that as a vague general principle. But we have so many words with divergent meanings and the chances of ambiguity in this specific case seem so utterly remote that I'm not putting this on my list of linguistic problems to worry about.

    • (Score: 2) by AthanasiusKircher on Friday August 09 2019, @07:40AM

      by AthanasiusKircher (5291) on Friday August 09 2019, @07:40AM (#877808) Journal

      Oh, and by the way, I don't think of adding "number" to PIN is clarifying -- it's just a common phrase. When people don't realize what acronyms mean (or even that they are acronyms), they add words on that are theoretically unnecessary. Here's a list [nanday.com]. In most cases, there's no reason for the redundancy based on potential ambiguity. English speakers just naturally add these words to abbreviations in many situations, generally to clarify the general type of thing we're talking about for those who don't spend their lives memorizing the meaning of acronyms.