Too much security — Revolut’s case
The human factor in security needs to be balanced: never removed, but also not overused. In this article we'll look closer at the Revolut app.
Human Factor — intro
This is just part one of a series tackling the problem of security balance when users are involved. How much security is enough, and when is it just too much?
Humans are both the strongest and the weakest links in a security chain. They are unique and quite often recognise suspicious patterns pretty well, something technology, especially AI, still needs to learn (that's by the way why we launched our Cybersec start-up).
Because I'm travelling quite a lot between countries with different currencies, I'm using the Revolut app as my daily driver most of the month. For both online payments and in-store purchases (although I praise cash and use it more often than plastic) it's a great solution, unless you are a security freak.
Revolut’s case
What's Revolut? It's a bank in your phone, one of many fin-tech start-ups established in the last few years. What's great about this type of solution is that you have plenty of currencies and interbank conversion rates.
You can have a regular bank account within the app, managed by Lloyds in the UK (not sure how it works in other countries), which means you get all the benefits of having a bank account. As a digital nomad who runs businesses from the UK, Sweden, Czechia and Poland, you can imagine how convenient it is.
Revolut’s authentication system
For a power user, which all of us regular folks become during vacations, Revolut and all its convenience also exposes the app to thieves who can exploit its best advantage: being mobile only. And it's not protected well enough by an authentication system that requires only your phone.
Once they have your device and PIN, they can do everything with your funds, and in some cases even take money from your other bank accounts. Your credit score, your savings and your investment portfolio are all exposed, with no extra layer of security beyond the device.
And the PIN is very easy to steal because of poor UX. Why?
The process you go through
What I blame is this silly UX process, which recently was improved only slightly. It's the overuse of the PIN: at some point it is entered so often throughout the day that you are exposed to all sorts of third-party visual spying (shoulder surfing). Someone can simply watch your PIN if you type it several times within one session, and it adds up to several dozen entries throughout the day.
Scenario (shown in the infographic above):
Every time you want to make an online purchase using the disposable cards generated in the system (great, by the way), you have to type the PIN multiple times. Sometimes up to four times within a single minute.
How to fix it:
1. Reduce the use of the PIN. When you travel and make purchases you quite often check your phone to see how much you are actually spending. Removing or reducing PIN entry for simple operations would greatly limit the number of occasions on which someone can see your PIN.
2. Introduce another layer of security for more sensitive operations like topping up your balance or adding new recipients. Something that is not easily accessible from the phone (no, not an email), such as security questions or the separate PIN generator other banks offer (e.g. for premium users).
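One way to turn the two recommendations above into a concrete policy, written here as an added example (it is not Revolut's code and not part of the original article): operations are placed in risk tiers, a PIN entry is remembered for a short freshness window so a burst of purchases prompts once instead of four times, and high-risk operations always demand a second factor that does not live on the phone. The operation names, the tier mapping, the ten-minute window and the constructed "shopping day" are all assumptions.

```python
"""Tiered authentication policy for a mobile banking app.

Added example (not Revolut's code): the PIN is asked for once per
freshness window for medium-risk actions, never for low-risk ones, and
high-risk actions additionally require a factor that does not live on
the phone. All operation names, tiers and timings are assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class Tier(Enum):
    LOW = "low"        # checking how much you have spent
    MEDIUM = "medium"  # paying with a (disposable) card
    HIGH = "high"      # moving money in, or adding where it can go


class Factor(Enum):
    PIN = "pin"                      # typed on the phone, can be shoulder-surfed
    SECOND_FACTOR = "second_factor"  # e.g. a separate code generator, never cached


# Hypothetical mapping of app operations to risk tiers (assumption).
OPERATION_TIER: Dict[str, Tier] = {
    "view_balance": Tier.LOW,
    "list_transactions": Tier.LOW,
    "generate_disposable_card": Tier.MEDIUM,
    "card_payment": Tier.MEDIUM,
    "top_up": Tier.HIGH,
    "add_recipient": Tier.HIGH,
}

PIN_FRESHNESS_SECONDS = 600.0  # one PIN entry covers medium-risk actions for 10 minutes


@dataclass
class Session:
    last_pin_at: Optional[float] = None
    prompts: Dict[Factor, int] = field(
        default_factory=lambda: {Factor.PIN: 0, Factor.SECOND_FACTOR: 0})


def pin_is_fresh(session: Session, now: float) -> bool:
    return (session.last_pin_at is not None
            and now - session.last_pin_at <= PIN_FRESHNESS_SECONDS)


def required_factors(op: str, session: Session, now: float) -> List[Factor]:
    """Which prompts this operation needs right now, in the order they are shown."""
    tier = OPERATION_TIER[op]
    if tier is Tier.LOW:
        return []
    factors: List[Factor] = []
    if not pin_is_fresh(session, now):
        factors.append(Factor.PIN)
    if tier is Tier.HIGH:
        factors.append(Factor.SECOND_FACTOR)  # always asked, never remembered
    return factors


def authorize(op: str, session: Session, now: float,
              prompt: Callable[[Factor], bool]) -> bool:
    """Run the prompts for `op`; `prompt` simulates the user answering each one."""
    for factor in required_factors(op, session, now):
        session.prompts[factor] += 1
        if not prompt(factor):
            return False
        if factor is Factor.PIN:
            session.last_pin_at = now
    return True


# Constructed day (not real data): four card payments within one minute, as in
# the scenario above, a balance check, then two high-risk actions.
SHOPPING_DAY: List[Tuple[float, str]] = [
    (0.0, "card_payment"), (15.0, "card_payment"),
    (30.0, "card_payment"), (45.0, "card_payment"),
    (50.0, "view_balance"),
    (100.0, "add_recipient"),
    (700.0, "top_up"),  # the PIN has gone stale by now, so it is asked again
]


def naive_pin_prompts(events: List[Tuple[float, str]]) -> int:
    """Baseline the article complains about: a PIN for every non-trivial action."""
    return sum(1 for _, op in events if OPERATION_TIER[op] is not Tier.LOW)


def run_shopping_session(events: List[Tuple[float, str]] = SHOPPING_DAY) -> Session:
    session = Session()
    for now, op in events:
        authorize(op, session, now, prompt=lambda factor: True)  # user approves everything
    return session


if __name__ == "__main__":
    s = run_shopping_session()
    print("naive PIN prompts:", naive_pin_prompts(SHOPPING_DAY))      # 6
    print("tiered PIN prompts:", s.prompts[Factor.PIN])                # 2
    print("second-factor prompts:", s.prompts[Factor.SECOND_FACTOR])   # 2
```

The freshness window is the knob that trades convenience against exposure: it should be short, and in a real app it would also be cleared when the app is backgrounded or the device locks, so a remembered PIN never outlives the session in which it was typed. The second factor is deliberately never cached, because the whole point of that layer is that stealing the phone and watching the PIN is not enough.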
One PIN away (from being hacked)
This constant chain of typing PIN codes makes you vulnerable to social engineering and theft. And it's quite serious, as it's your bank and sometimes your only source of cash while you travel.
A system where the app plus your phone is the whole of the security is equivalent to making backups on the same hard drive: in case of a failure you lose both.
Imagine travelling
As I mentioned, while you travel you are monitored constantly by CCTV, whether at airports, on buses and trams, or in the city, in restaurants and in public spaces.
Even an accidental recording by someone else can expose your PIN on social media, when high-definition video is posted with you in the frame.
All factors combined
The fact that our smartphone is our bank is fantastic. Nevertheless, when you combine all the factors it's just too much power for a single device. There is no perfect solution for cybersecurity involving users. Users should definitely be a line of defence, but not one that is too thick or overused.
Solutions
As I mentioned above, changing the UX patterns could prevent the problem from happening. Adding a layer of security that does not rely on the phone could also solve more than one problem for Revolut. After all, it's a whole bank within the app, one that can even take money from your other bank accounts easily.
In A-Irene.com we believe cybersec can be simple and effective. Simplicity can create a strong layer of security that makes hacking less profitable.
If you are curious what we are brewing, visit us on A-Irene.com or share your thoughts in the article.
About Me
Marcin Rybicki, former game developer, algorithm enthusiast.
I'm working with my co-founder Rafał on an ambitious project called A-Irene: unsupervised and easy-to-operate anomaly detection based on machine learning.