
Site requests bank logins for online purchases - technion
https://lolware.net/2016/11/17/requesting_bank_login.html
======
1ris
This is common practice in Germany. The whole payment method
"Sofortüberweisung" or "Sofort" is based on this. You give your login
information and a single-use password to Sofort, they initiate a wire transfer
and instantly guarantee the money will arrive. (It will arrive 24h later, as
banks are allowed to delay it this long and they use it as additional
liquidity.) Of course this is a security nightmare and of course the ToS of the
banks prohibit you from sharing your login details. But unfortunately they
don't enforce their ToS. Recently the cartel office called for making this
part of the banks' ToS void, as it would "hinder the adoption of innovative
FinTech".

But it illustrates how deeply flawed the whole banking sector is that people
are willing to give up passwords to third parties or pay insane fees to
PayPal. IMHO we urgently need a law that makes wire transfers instant, or
these dangerous and incredibly expensive layers will grow to the disadvantage of
everybody (except PayPal and Sofort).

~~~
Rafert
This is a solved problem in the Netherlands with iDEAL. Go to checkout, select
your bank, authenticate at your bank's website with your credentials and 2FA
(SMS/EMV CAP reader/QR code), confirm the transaction details and you'll be
redirected back to the web store. The wire transfer is not instant but it is
guaranteed, so the merchant can start shipping immediately.

See [https://www.ideal.nl/demo/en/](https://www.ideal.nl/demo/en/) for a demo.

~~~
rbag
In France we have 3D Secure: when you make the payment you are redirected to
a page that belongs to the bank, you receive an SMS with a one-time code to
validate the payment and are redirected to the merchant with the validation.

Quite efficient, but I think there's fees for the merchant in this case.

~~~
makmanalp
I've seen some horrific UI on some 3D secure implementations. Also, I've seen
some websites refresh to a "loading 3D secure ..." page, only to somehow skip
it and go further. If the merchant can just skip it and charge your card like
a regular credit card, then what's even the point of having it?

~~~
vladvasiliu
The merchant can choose whether and when to use 3D Secure (at least in France).
I work for a company that uses Paybox for online payments. We can set an
amount above which 3D Secure is used, e.g. 20 EUR. I'm guessing the bank has to
support 3D Secure, but they can't, or at least don't, impose it.

~~~
mack73
I work with fraud detection at an online travel agency. If you use 3D Secure
and there is a fraud, your insurance will cover the cost of that transaction.
As a merchant you may bypass (not use) that security feature at your
discretion. 3D Secure is a Mastercard feature, no?

~~~
vladvasiliu
3D Secure works with Visa too. I don't know about AmEx, although I do know that
for Point Of Sale payments we have to have a special bank contract (one for
Visa / Mastercard and one for AmEx).

I suppose the merchant decides whether to use this or not by trying to find a
balance between user experience and fraud risk.

In our case I think the limit is set right above the usual purchase amount (we
sell movie tickets). It's low enough that a fraud wouldn't hurt us too badly
and there's not much incentive for it either. Also, most of the clients don't
have to fiddle with 3D Secure (in my case I would have to carry a fob around,
which I never do), so it's a better experience for them.

If someone tries to buy a lot of tickets at once, they are more likely to be
doing something fishy, so we use 3D Secure.

------
ThrustVectoring
>Yes, I've spoken to them. They don't see an issue.

This is exactly why the PCI Security Standards Council is a thing. They need
to have someone straight up tell them something at least as serious as "fix
this, or we will no longer take your credit card payments". Honestly, it's
better off being "we aren't taking your credit card payments, you should know
better. Fix this and go through a security audit and we might reinstate you".

~~~
daurnimator
But this _isn't_ a credit card payment. This is for direct debit.

I've sadly seen all sorts of stuff spring up around this in Australia, like
[https://polipayments.com/Buy](https://polipayments.com/Buy) (which e.g. is
one of the only ways a normal person can pay for a Jetstar flight without a
credit card surcharge).

~~~
PostOnce
What's wrong with just sending money from your acct# to their acct# with a
reference number/code to identify that transaction as you? Other businesses
work this way (such as my power and phone bills from different companies), but the
NZTA for example requires me to use either a credit card (which is fine) or
POLi, which is garbage.

"No one can see your bank details," it says on
[https://www.polipayments.com/security](https://www.polipayments.com/security),
which is a fraudulent claim. Yeah, the hell you can; it's being sent to your
server, not my bank. This is crazy. It also says they don't cache anything --
all kinds of criminals claim they're up to no harm. POLi says they're up to no
harm; why should I believe them? There is NO EXCUSE for using POLi vs. just
paying with your bank. If a business offers POLi and not bank transfer
directly or a credit card, I would never even remotely entertain doing
business with them. NZTA is not a business though, it's a government agency.
You can do it in person though (transfer ownership of a car, for example), or
by CC, so whatever. I don't understand who would ever use POLi, the naive?
Hopefully they go bankrupt in the near future.

~~~
petitmiam
> There is NO EXCUSE for using POLi vs. just paying with your bank

POLi is instant. Bank transfer is anywhere from 1 - 3 days. Until banks
finally implement instant transfers, POLi will still be useful to some.

~~~
flukus
POLi uses bank transfers underneath. It just takes control of the browser and
makes sure you input the correct values, like Selenium.

------
captncraig
I'm confused. They think this is easiest? Either they have someone manually
going into bank accounts and making transfers, or somebody actually programmed
something to log in via the webpage and do stuff. Neither of those are "quick
and easy".

Is a paypal button really so hard?

Also, how are they not shut down? It seems a single user sending that
screenshot to Amex should be more than sufficient to close any merchant
account they have.

~~~
madeofpalk
There are services that give you programmatic access to bank accounts from
multiple providers. Plaid and Yodlee are examples of these.

Not sure exactly how these services work under the hood, but it wouldn't be too
dissimilar to just screen scraping.

------
polemic
There is a similar system in use in New Zealand and Australia called POLi:

[https://en.wikipedia.org/wiki/POLi_Payments](https://en.wikipedia.org/wiki/POLi_Payments)

It's discouraged by banks and you don't see it as much as you used to (in NZ
anyway).

~~~
elemenopy
It's still around for some things, eg Jetstar. You used to be able to do a
manual online transfer to pay for flights but now POLi is the only way you can
avoid the $5 credit card surcharge. Grinds on me every time I buy a flight.

------
celerrimus
There was a similar attempt here in Poland a few years ago; I believe it was
Sofort, used by a few online shops owned by German parent companies.

This ended very soon, because people here are quite sensitive to such
practices and the Financial Supervision Authority began an informative action, as this
was against the law.

But what was more important, people quickly realized that they could abuse
this process. After such a payment, they logged in again to their bank account and
cancelled the wire transfer (in most banks we can cancel a wire transfer until it
actually leaves your account a few hours later), and then changed their bank
password. From the point of view of the shop, the payment was successful, so they processed the
order, but never got the cash for it. This was the reason such payment systems
ended very soon.

Like kybernetyk and others wrote, in Poland we have a very modern banking system;
there's no problem making a fast wire (up to 15 min) using official banking
systems or reliable payment systems - you authorize each transaction directly
in your bank's system without revealing your login details to the middleman.

~~~
expertentipp
Stay away from German payment "inventions" like Sofort, direct debit by
default, "cash is king" bollocks. Many German retailers and "startups"
entering the Polish market are trying to introduce their (low) standards and this
can deteriorate banking culture in Poland. Retail banking in Poland is
working really well and is customer friendly - keep it this way.

------
technion
Author here. The post was put together in a bit of a rush - I've updated it
based on a number of the queries I've seen.

Overall, if attention to this issue can stop one other company doing this,
I'll be pretty happy.

------
voycey
I don't think PCI compliance is a factor here (unfortunately) - they literally
only deal with the taking of cards. I would think banks should be looking at
this pretty skeptically! Although here in Australia there seems to be a lot
more "access" available to your bank account than in many other countries
(including my native UK). It makes things like integrations nicer, but I do
wonder just when it's all going to come crashing down!

~~~
joatmon-snoo
According to the PCI-DSS website, "[i]t is important to note that the payment
brands and acquirers are responsible for enforcing compliance, not the PCI
council." [1] No idea what the state of actual legally-enforceable penalties
is.

In the meantime I've tweeted @AmericanExpress about this.

[1] [https://www.pcicomplianceguide.org/pci-faqs-2/#1](https://www.pcicomplianceguide.org/pci-faqs-2/#1)

~~~
brazzledazzle
I think legally-enforceable penalties in a regulatory sense vary depending on
where you and your customer are. But the contracts between you and your credit
processing merchants are civilly enforceable and in my experience they don't
mess around. They will fine you and raise your transaction costs when out of
compliance and will ultimately cut you off if necessary. They also know their
competitors will do the same thing because they bear the brunt of the costs
incurred by fraud.

------
codedokode
Is that even legal? What is the difference between this company and phishers
collecting bank logins?

And doesn't it look suspicious if the logins into different accounts are made
from the same IP belonging to the online shop? Some banks in my country even
require SMS verification if you are logging in from new IP address.

------
smaili
_Why do I need to provide my bank login information (username, password,
security questions)?_

 _Mwave has identified online banking access as the quickest and easiest
method to get access to your banking information. In order to access this
information, it is required that you provide your username, password, and any
security questions associated with your online banking account._

~~~
mikestew
_Mwave has identified online banking access as the quickest and easiest method
to get access to your banking information._

Well, one can't argue that they're wrong in making that statement. However,
that's the reason we don't give random websites the credentials for our
"online banking access". :-)

------
cyberferret
I am wondering about the legalities of them doing this. I remember back when
we had a merchant account for a retail style business, we were repeatedly
warned by the bank that we were legally on the hook if we took a customer's
credit card information and it got somehow compromised or leaked.

This was back in the pre-EFTPOS days when a store would have to keep a carbon
copy of the customer card imprint (as well as their signature). We were told
to guard those slips like gold, and dispose of them properly when not needed
any longer, because with that information, we could in effect impersonate the
customer elsewhere.

I would say that things have changed markedly these days, but I wonder if the
legislation, especially here in Australia, has kept up with that, seeing as a
customer's login credentials are effectively the same as having their
signature which can be copied?

------
CGamesPlay
> Mwave has identified online banking access as the quickest and easiest
> method to get access to your banking information.

Well, that's certainly true...

[https://www.mwave.com.au/help/faq/view/76](https://www.mwave.com.au/help/faq/view/76)

------
russdill
Is this the Verified by Visa thing? [https://usa.visa.com/pay-with-visa/featured-technologies/verified-by-visa.html](https://usa.visa.com/pay-with-visa/featured-technologies/verified-by-visa.html)

Bank passwords alone wouldn't work on any of my accounts because it would
detect a different computer and request secondary authorization. It does this
by looking at the information the browser sent...and...oh...oh. Geez I hate
security theater. Is there anything less secure than the information sent by
your browser?

~~~
464192002d7fe1c
It looks like their own ghetto implementation of Verified by Visa.

Verified by Visa is secure because it uses a shared secret (not terribly
unlike how JWT works) for the merchant to redirect you to the bank (with
information on what card you used), who verifies your username and password
and that that is your card, who then redirects you back to the merchant with
something that says "Yep, we verified them".

~~~
0x0
A big problem with VbV is that the VbV step is usually embedded as an iframe,
making it near impossible to verify its authenticity in normal browsers.

~~~
innocenat
My bank (Thailand) has VbV that requires me to set up a personal phrase with the
bank, and that phrase is shown on the VbV page. Also it sends an SMS OTP to a
preregistered mobile number, so I doubt any sites could fake that.

~~~
0x0
I've seen that phrase thing, but what would prevent a fake page from fetching
your phrase from the real VbV website?

------
ian0
Typically the payment process is managed by a dedicated payment gateway
through an iframe and not the merchant, so it should in principle be slightly
more secure than it looks. Someone mentioned POLi, one such gateway in Oz.

As being shut down is a genuine business risk they strive for legitimacy - I'd
be surprised if it was in-country and operating without at least tacit
agreement of banks. Even slow-moving banks could counter this type of
browser automation technically - not to mention legal action. No large
merchant would fancy negative security-related PR either.

Honestly speaking - the payments industry is full of hacks like this. Look at
US p2p systems built on ACH refunds. Or using 3D Secure for identity
verification. Or processing pre-auths of 1 cent and rolling them back to add a
card to a wallet.

Banks are slow and competitive, schemes are just slow, central banks often
take a wait-and-see approach. When they get their act together systems like
this tend to be replaced or evolved into more sensible and durable solutions -
but that can take awhile.

And in the meantime everyone tries every avenue possible to reduce fees or
provide a better UX (in this case at the expense of consumer protection).

------
yashwanthcp
This page has a good explanation of why -
[https://www.mwave.com.au/help/faq/view/24](https://www.mwave.com.au/help/faq/view/24)

~~~
cyberferret
That link explains other security measures, but doesn't actually say that they
need your bank/credit card login details though?!? (unless I missed it
somewhere)

"Please note: Due to the rise of credit card fraud and for your security all
credit card orders will be subject to detailed security checks requiring
further documentation; that may include Driver Licence, CreditCard or bank
statements. If your order does not meet our security check requirements, you
will be contacted and further credit card security procedures will be
implemented.

As part of our verification process we will utilise various procedures to
ensure ultimate protection to the Credit Card holder. These processes may
include but not limited to charging a small amount randomly under $2 requiring
confirmation prior to approval; verbal verification via phone or a request for
written Authorization, photo identification including valid Driver Licence,
Utilities bill or the copy of the credit card or a request for your bank
statement displaying the debit entry.

Mwave may also use a verification service powered by BankStatements.com.au,
the Australian leader in automated bank statement data retrieval. Since 2013
BankStatements.com.au has provided secure, automated data retrieval services
to over a quarter of a million Australians as part of their credit
applications. "

------
BrandiATMuhkuh
I've talked with a friend working in the IT department of one of Austria's
biggest banks (black + yellow colour ;) ) about it. Apparently, banks want to
become the identification services of the future. The idea is that you can
only (not sure if that is true) open a bank account with a valid ID, therefore
the bank login can identify whether a person is real or not. Example: creating a
Twitter/FB account with your bank credentials would make your account
automatically an approved account (you are you).

~~~
boredpudding
This is true. However, they will not let you enter the details on the page
itself.

In the Netherlands they are launching 'iDIN', which is a bit like OAuth 2.0,
so it only provides the webshops with the things they need (and a bit more,
like age. So yay, privacy issues).

~~~
BrandiATMuhkuh
One of the problems is when this is done by companies instead of states. A
company might remove your access for some non-obvious reasons. Just see the
currently trending HN link
[http://www.dansdeals.com/archives/98444](http://www.dansdeals.com/archives/98444)
where Google suspended an account and with that the person could not use the
Google login anymore, even for non-Google pages. That is scary. A protocol
like the EDUROAM system would be nice. In that case, credentials include a
domain (usually a uni name), and with that domain the home uni (bank) can be
used as an authentication authority.

------
wolframhempel
As the son of an otherwise amazing woman who falls for every credit card scam
to ever hit her inbox I think this is another great reminder of the mindset
disparity between techies and the wider public. While we obsess over end-to-
end encryption and distributed ledgers the vast majority of people are
perfectly happy typing online banking credentials and uploading pins to random
websites.

------
SwellJoe
I used to love MWave, many years ago. They were just a fantastic vendor back
then. They shipped faster than anyone, handled returns fast and with zero
hassle.

But, I had a couple of mildly negative experiences (slow to ship, items listed
as in stock weren't, etc.) and I stopped buying from them.

This, though, is just crazy. I can't believe their merchant bank even allows
them to do this.

------
barbs
Wow. And that's an Australian company, based in Sydney no less, not far from
where I live... how embarrassing.

------
plantain
This is very normal in Australia. All the major airlines do it via POLi [1].

[1][https://en.wikipedia.org/wiki/POLi_Payments](https://en.wikipedia.org/wiki/POLi_Payments)

~~~
abrookewood
I wouldn't say it is common - I've never seen it.

~~~
_kyran
It's usually the only option to avoid a $5-$70 credit card surcharge. Have you
ever paid for a flight online with Jetstar, Tiger or Air Asia?

With Jetstar, up until a few months ago, you could do your own bank transfer,
but now POLi is the only option.

~~~
fineline
Tiger used to not charge for Mastercard debit. It has changed recently, but
still only a matter of cents.

------
jaaames
There are a few places doing this now.

I've met the CEO of bankstatements.com.au at a trade conference. Currently
it's hard to get data feeds from banks - these guys are logging in, scraping
bank statements and then providing them as digestible feeds.

Pocketbook is another Australian fintech, recently acquired, that does
the same thing with credentials.

The banks know they're doing it, it's against terms of service, but seem to
turn a blind eye.

POLi seems to have more reputation but I still feel dirty the few times I've
been strongarmed into using it.

------
Karupan
There is something similar in India called netbanking. Typically, the site
redirects you to a payment gateway, which then redirects you to the bank's
site. You enter your username/password only on the bank's site and complete
the transaction. It is used quite frequently due to convenience and security.

When I moved to Oz and tried to buy something online, I was quite taken aback
that I was being asked to enter bank login details on 3rd party sites
directly. Felt completely unsafe, so haven't used it yet.

------
netfreak111
The way I handle this is, I have a dumb checking account which I transfer
money to when I do such transactions. This is more akin to giving a throwaway
email address to websites you don't care about.

~~~
bathory
If only banks had a special login for these one-time transactions. One where
the history isn't enabled either. In the Netherlands such a system exists;
it's called iDEAL.

------
biafra
> It's that they apply the charge to your card a day before giving you this
> prompt, leaving you begging for refunds when you refuse.

That is strange. I never begged for a chargeback with any of my credit cards.
When I say the transaction is fraudulent or not authorized by me, I get my
money back. Always.

The merchant can then sue me if he thinks differently. Is that not what happens
with all credit cards in all countries?

------
jaunkst
No. Just no. Not necessary. It's amazing that this is successful by any means.

------
ctpide
So, technically, everyone who does this (provides their login info) violates
their terms with the bank I assume, as they probably told you not to share
your password with any third party?

------
sathackr
Paypal does the same thing. I added a bank account, and Paypal requested my
username and password to automatically verify the two test deposits they made.

~~~
theobon
Is that new? When I signed up, admittedly a number of years ago, they just
asked me to tell them the amounts of the two test deposits. No login creds
provided.

~~~
sathackr
At first I thought so, as the first time I saw it was a couple of months ago
when I added a new account, but then I googled and found [1].

So I guess it's based on your routing number and whether your bank's online
system has the proper framework to allow it.

[1]
[http://www.ecommercebytes.com/C/abblog/blog.pl?/pl/2009/2/12...](http://www.ecommercebytes.com/C/abblog/blog.pl?/pl/2009/2/1235839118.html)

------
late2part
Newegg recently did this when I used my American Express. It was a valid
referral to Amex's website so I see how folks would fall for this.

~~~
wmf
Newegg redirected you to the Amex site, which asked you to enter your password
(this is 3D Secure aka SafeKey), or Newegg asked you to enter your Amex
password on Newegg's site?

~~~
464192002d7fe1c
NewEgg does the former, for sure, with my corporate Amex. Oddly they don't do
it with my personal one.

------
maerF0x0
Pretty sure Expensify and Mint did/do this, no?

~~~
kjbflsudfb
Yea, but those are different services that utilize the history of your
transactions. What reason does an online retailer have to access that level of
detail? Shouldn't they simply be able to accept the information on the credit
card for the sale?

~~~
jpalomaki
They can reduce their risk by doing this. For an online retailer there are always
risks in accepting card payments. (Not saying this is a good idea, just trying
to find reasons.)

~~~
kjbflsudfb
Whose risk is reduced? The retailer or the bank? Certainly not the cardholder.

~~~
464192002d7fe1c
The retailer and only the retailer.

It probably reduces fraud chargebacks to nearly 0.

------
Biganon
It wouldn't work for me (UBS, Switzerland); I need to punch a code into a
special calculator thing in order to log in.

------
rajington
This is how Venmo does it so they don't have to make you do the "verify two
microdeposits" process, and it's getting more popular. I think because when
you give your login you're giving over complete access, so the bank is not liable
for fraud.

~~~
andrewguenther
I never had to do this for Venmo. Is this a recent change?

~~~
JadeNB
I had to do it when I signed up. That's why the history of my interaction with
Venmo was (1) change bank password, (2) accept the money from the person who
would only pay using Venmo, (3) change bank password back so that Venmo / later
hackers into Venmo databases don't get any ideas.

------
daurnimator
Mwave can be pretty shady... I know that their user email list has been either
stolen or sold.
