by cameronh90 1535 days ago
Not Monzo but I can tell you SOME ways we deal with this kind of risk.

* Work laptops are all using trusted computing, tamper detection and remote attestation which, while imperfect, do provide some verification that the hardware isn't being tampered with.

* Additionally it means if you try to access any service from a non-work laptop (or a work laptop failing remote attestation), it doesn't let you in. Even if you have all the credentials.

* Passwordless authentication means capturing PIN codes with a keylogger is of very limited value unless you also steal the laptop. Even then, an additional factor is required such as mobile push or biometric.

* No developer should have access to any AWS keys that would grant access to production data. But in any case, we use AWS SSO which only returns temporary AWS keys.

* There are lots of systems that monitor for anomalous activity. For example, if a user account suddenly starts hitting lots of access denied errors or accessing things they don't normally access, that's a hint they've been compromised.
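
The anomaly signal in the last bullet, as an added example (not part of the original comment, and not the commenter's own system): a per-user baseline compared against a recent window of audit events. The `user` field, the `ev` helper, the thresholds and the sample events are assumptions made for illustration; `eventSource` and `errorCode` follow CloudTrail's field names.

```python
from collections import defaultdict

DENIED = {"AccessDenied", "UnauthorizedOperation"}  # AWS authorization error codes

def ev(user, svc, err=None):  # hypothetical helper that builds a simplified audit record
    return {"user": user, "eventSource": svc + ".amazonaws.com", "errorCode": err}

def build_baseline(events):
    """Per user: the services normally touched and the historical denied rate."""
    seen, total, denied = defaultdict(set), defaultdict(int), defaultdict(int)
    for e in events:
        u = e["user"]
        seen[u].add(e["eventSource"])
        total[u] += 1
        denied[u] += e.get("errorCode") in DENIED
    return {u: {"services": seen[u], "denied_rate": denied[u] / total[u]} for u in total}

def score_window(events, baseline, min_denied=3, rate_factor=5.0, min_new=2):
    """Return {user: [reasons]} for users whose recent activity deviates from baseline."""
    stats = defaultdict(lambda: {"n": 0, "denied": 0, "services": set()})
    for e in events:
        s = stats[e["user"]]
        s["n"] += 1
        s["denied"] += e.get("errorCode") in DENIED
        s["services"].add(e["eventSource"])
    alerts = {}
    for user, s in stats.items():
        base = baseline.get(user, {"services": set(), "denied_rate": 0.0})
        reasons, rate = [], s["denied"] / s["n"]
        # Floor the baseline rate so users with no past denials still get a finite threshold.
        if s["denied"] >= min_denied and rate > rate_factor * max(base["denied_rate"], 0.02):
            reasons.append(f"denied_spike:{s['denied']}/{s['n']}")
        new = sorted(s["services"] - base["services"])
        if len(new) >= min_new:
            reasons.append("new_services:" + ",".join(new))
        if reasons:
            alerts[user] = reasons
    return alerts

# Constructed sample data, not real logs.
HISTORY = ([ev("alice", "s3")] * 40 + [ev("alice", "s3", "AccessDenied")]
           + [ev("bob", "ec2")] * 30 + [ev("bob", "s3")] * 10)
WINDOW = ([ev("alice", "s3")] * 5 + [ev("bob", "ec2")] * 2 + [ev("bob", "iam", "AccessDenied")] * 4
          + [ev("bob", "kms", "AccessDenied")] * 2 + [ev("bob", "secretsmanager", "AccessDenied")])

if __name__ == "__main__":
    print(score_window(WINDOW, build_baseline(HISTORY)))
```

Requiring both an absolute count and a multiple of the user's own baseline keeps a single mistyped request from alerting while still catching an account that starts probing services it has never used.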