All of these types of "hey, give us your password to this other system" are just training users to get phished.
IMO the worst offender in this is Plaid, which has created a service where millions of people are giving their banking credentials so some random startup can mine your transaction data. And people think FB has privacy implications...
Swedish payment processor Klarna does something similar to this as well. If buying something through the platform by direct bank transfer you are asked to sign in to your bank to accept the payment using BankID [0], which is normal.
What is not normal is that they grab your personal identification number and send a login request using BankID before you open your app. When authenticating the login you authorize one of Klarna's third parties to log into your bank account as you, allowing them to pull records of all your financial transactions, account statements etc. Most users just authenticate the login without reading where the request is coming from on the login prompt.
I don't understand how that can be legal, but they are relying on recent court cases where scammers would call old people asking them to log on to check their retirement accounts. The scammers would then send a login request before the user sent theirs, log on to the accounts and change what funds received the victims pension payments. The scammers were ruled in the wrong, but the logins themselves were ruled to be an ok way of doing business.
POLi in Australia also asks for your bank username and password, logs into your bank's online portal, and performs a bank transfer on your behalf; which is of course in violation of the bank's policies.
It's truly insane. If I see any company accepting payment via POLi it's instant verification that the company in question is clueless and that I should avoid using their services whenever possible, because they have zero idea about security.
According to POLi[1][2], the list includes:
Qantas, Jetstar, Virgin Australia, Microsoft (?), Sportsbet, Emirates, BetEasy, CoinSpot, Australia Post, TigerAir, Facebook (?)
The list goes on. It's pure madness.
I really wish there was more awareness of this, I can't believe these massive companies can't comprehend how they're being implicated when they encourage users to hand over their banking password to a third party.
> if I see any company accepting payment via POLi it's instant verification the company in question is clueless and that I should avoid using their services whenever possible, because they have zero idea about security.
They just don't care; if something happens, people (including the press) won't really blame Microsoft or Qantas, so they don't have an incentive to vet those payment systems.
Thanks for this comment. I had no idea - other than regularly seeing POLi as an option (that my bank didn't support) when visiting some of the websites you mentioned.
I will certainly steer clear of this process in the future.
Which is amusing / horrifying because Australia already has good ways to transfer money between bank accounts. BSB/Acct# for normal transfers and BPay for bills.
Klarna tried to ask for people's bank access codes in Finland until Finland's Financial Supervisory Authority ruled it illegal. Seems like a shady business to me.
>The scammers were ruled in the wrong, but the logins themselves were ruled to be an ok way of doing business.
This seems like something that the Riksdagen should step in on. BankId was meant as validating a legal entity (I am who I say I am) and a third party presenting that they are that legal entity (in this case, the person in question) would certainly seem to circumvent the intention behind that.
I tried to find more information about this statement:
"When authenticating the login you authorize one of Klarna's third parties to log into your bank account as you, allowing them to pull records of all your financial transactions, account statements etc."
Do you have any source to verify this claim? That they can and do pull down this information. I would like to know if they really have all that information or not, if so it's a surprise to me, did not know that.
I don't know if they do have it, but it is absolutely possible after the login. I saw it reported in an IT-security Facebook group and made my own purchase from a site that uses them (gottebiten.se), paying directly from a bank account. The login was indeed done by a Klarna 3rd party using my ID number, and not from my device.
You have to confirm once more for the payment to be sent.
I just paid using their direct payment method two times the last week or so. Will be more on the lookout in the future and try to keep an eye on these things.
Where it says you can email this address "dataskydd@klarna.se" if you either want them to delete your data (except data they are required to store as a bank) or if you want a print out of your personal information they store.
I've been asking them since GDPR took effect to provide me with all details they have about me, and to delete my account.
Not even a response.
They claim "financial institutions" are exempt due to money laundering laws.
That I understand, financial transactions they can keep, but I know a friend who works there, and they don't only keep financial transactions, they keep data of every website/shop I visited where they have an "integration with".
Have you sent a complaint to the regulator? At least the Portuguese data protection commission is quite responsive, a clear email containing all the information I could gather was enough to trigger investigations, which resulted in warnings and even a couple of fines.
Wait, what? I use Klarna quite regularly and I assumed they were redirecting to my bank's website (in an iframe) where I would enter my credentials. I mean, the web form is even branded with my bank's logo and color scheme.
If it's really the case that I was just giving my credentials to Klarna who then logged into my bank account on my behalf, I have been phished, there's no sugar coating this.
BankID generally has quite strict rules about how you use their authentication, or so I've heard from their customers. If it is as deceptive as you say, I really don't understand how/why BankID is allowing it.
It's not really BankID's fault. It was discussed when it was discovered that Allra had misused BankID in this way. The BankID will say who/where is trying to log on, and the hijackers trust that users don't read the BankID login screen.
It's a great service and I can't believe shady things like this are allowed.
The way I saw this done is through an iframe, I suppose it's something similar to 3DS/VbV (while ridiculously misguided, this iframe thing was done correctly)
This is going to contain errors, one would have to be a professional to get this right, but the gist is that formally, no, but in practice it kind of does.
If the decision was made by one of the higher courts, a precedent will be created, which while not formally binding is essentially treated as such. In general the precedents can't create new law, only interpret. However this turns out to sometimes be a difference without significance, as effectively new law is created due to how heavy lower courts are leaning on some such cases.
One I have some knowledge of regards agency of company representatives where the interpretation made it essentially legal for a company to use third party sellers to act as representatives for the company write and sign contracts, which then the original party could renege on at any time, with no penalties by simply stating that their agent had overstepped their bounds. This was a case of a house builder backing out because the agent had given a price that the house builder deemed a little too low. This is described in the relevant literature as a clear precedent for all manners of company agency, while if you read the actual judgement it was clearly marginal. But it has effectively created new law. You now have to make sure to write contracts with an employee of whomever you are dealing with if you are to be able to trust in your contract.
All courts also have a right to judicial review, thus in theory a single local court can nullify any law if it doesn't follow the constituting laws, either completely, or for a specific case. If this happens, then that case becomes a precedent. This is however somewhat rare as far as I understand it, as it's somewhat of a joke that the best way to lose a case is to refer to the constituting laws, as they are essentially completely ignored.
Yeah, I'm amazed it works at all.
At least on the surface it seems our judicial system really has some deep flaws that nobody has really dared to address.
Too little real oversight, no binding checks on the constitutionality of new laws - although the advisory committee tends to be respected - and no formal way afaik to revoke precedents that turn out to have bad consequences.
It seems to work a lot based on some form of "gentlemen's agreement", and tradition. By now I guess we all know how quickly those can crumble.
During demonetisation in India (2016), mobile wallet startups threw privacy out of the window.
Paytm (India's largest e-Wallet), asked customers to enter their credit card details on their app on merchant's smartphone. I reported the security risk to them with a POC to their bounty hunting[1], they asked me to wait, removed the feature & the CEO told media that I was lying, there was never a security risk.
MobiKwik read customers' SMS of bank transactions to inform its users which ATMs had cash.
Mint legitimized that authorization flow years before Plaid came around and the banks decided that was the best way to move forward instead of adopting something like an oauth2 flow.
I remember when Mint first came around, and a coworker was telling me about how cool it was. I started completing the signup process, but I stopped cold once I realized they needed to be provided account credentials from my bank. Never completed it, and never went back to it. I never thought it would last as long as it had. I guess I gave the public too much credit.
Counterpoint: Many people of the "general public" are at least vaguely aware of the fact that they're making risky decisions, but proceed regardless in order to reap the short-term rewards that you mention, calculating that the benefits are worth the hypothetical costs, and many of them will live and die having been right about making that tradeoff.
Counterpoint to your counterpoint: Living in flyover country surrounded by people with at best a high school education has taught me MANY things about how the public consumes tech.
They have no idea what is possible with technology. They literally do not and cannot comprehend what can be done with their information online. To the folks I interact with, it's almost magical how it works.
They trust, as another comment points out here, that someone is taking care of whatever trail they leave (if they even understand that's a thing). They trust that tech companies are acting in their best interests.
Maybe that's just anecdotal data from my experience, but it's my experience.
I use mint even now. I'm generally technically paranoid, and have just concluded mint is not actually that risky.
Here's why:
1. Most banking companies seem to have a much better security landscape than other places, including tracking where you're logging in from. Even with a password it won't be easy for a hacker to do stuff with my accounts. Almost any change or transaction triggers an email and sms alert too.
2. The main bank I have my money in, doesn't let you do transactions larger than 2000 in a day online, and even that is insured against fraud.
3. For credit card accounts, I have noticed that you actually can't do much with just an online account, except to pay the bill.
4. Mint is owned by Intuit and they know my tax details, most of which are far more important and guard-worthy anyways.
5. Also till now I've been a fairly poor guy with not much in my bank accounts. So I didn't worry too much about losing my cash since I didn't have much. If you have a lot of it, perhaps you need to be careful with such services.
Mint's privacy policy includes this language: "we may prepare and share information about our customers with third parties, such as advertisers or partners, for research, academic, marketing and/or promotional purposes." - where any usage of "may" can be substituted with "will".
They say they will anonymize data, but advertisers have no interest in data if they can't action on it -- i.e. use the data they buy for targeted advertising.
To some of us (me) the service Mint provides is well worth letting some marketer know I spent $50 at Walmart yesterday, that's not sensitive information to me, and if it were I'd be paying in cash.
I even gave the transaction history of all my credit cards directly to Drop (https://www.earnwithdrop.com) in exchange for a few dollars, that's how little it means to me. (So far around $30)
I've been using mint for years, it's been very useful for me. Adopting other mechanisms like OAuth will be slow; they wouldn't be able to support that many financial institutions.
That's the problem now though. We've made it so apps have to be approved by gatekeepers, and are highly discouraged by the gatekeepers from sharing state with other apps on the same device.
Then the recommendation if that's a problem for you is to use the web. But sometimes the web doesn't work, as is the case here, because it requires the user to trust third party code in real time and give sensitive data to third party servers they don't control.
So we have everything pushing the user to put their most sensitive information into some third party service that should be an app, but isn't, because cloud.
I'm not talking about sharing state with your webserver, I'm talking about two apps on your phone sharing state directly with each other without ever leaving the device or becoming accessible to a third party.
Desktop operating systems have a slew of ways to facilitate this, and the mobile gatekeepers keep eroding them. They're also terrible at dependency management (a completely solved problem in real package managers), which discourages creating apps that depend on other apps.
There are still ways to do any given thing, but if you make it harder then you make it rarer.
> My understanding is the app permission model never asks for network access, so all "apps" are effectively web clients with a fancy UI.
At least for Android, not exactly: they still have to require network access (android.permission.INTERNET), and you can check if they have done that in the Play Store (description → Read More → App permissions). What changed is that the Store won't explicitly ask you to confirm you're OK with it when installing.
In any case, typical native applications didn't have to ask for network access either, that didn't make them all effectively web clients. Many of the mobile apps I have installed don't rely on a central service.
Monzo in the UK recently added a beta ("labs") feature in their app to check your Barclaycard balance from within the app. Sounded ideal as the Monzo app is the best banking app I've ever used. I figured they'd be using Open Banking (the new OAuth style authentication system rolling out across banks here).
I went to turn it on only to find that they use a third party who ask for all of your Barclaycard credentials (including your full "secret word", which you normally only enter a few characters from at login time). I've no idea why they'd go this route, but exactly as you say - it just trains users to get phished.
It also wasn't clear what this third party would do with the transaction information they scrape from your account. Overall a terrible idea.
Degiro, an investment platform, does the same for your initial £100 deposit: you enter your bank's auth info and they do the wire transfer for you. It uses a 3rd party system called "SOFORT". Thereby training the public that passwords to a bank account should be given to random third parties, undoing years of painstaking training efforts.
If they asked for your PIN code, people would clearly balk. But somehow, passwords to a bank account are fair game. It's exasperating.
> Thereby training the public that passwords to a bank account should be given to random third parties, undoing years of painstaking training efforts.
Account details are relatively fine to enter on other sites, just entering 2FA tokens should be limited to transactions that you really want to confirm.
1. You train end users that entering banking credentials on 3rd party sites is Okay. This makes educating against phishing an impossible task.
2. Many banks require (a form of) 2FA to log in. Perhaps it’s a “2 letters from a secret code” system (see sibling post). You’re now educating users that entering 2FA on 3rd party sites is ok. This is the end of educating users about any security at all, really.
3. This 3rd party gets access to my full transaction history, everything I ever spent on anything, using this account. That is an unconscionable overreach in personal data access. “But we don’t use it / read it / store it / we only send it to trusted partners / .....” I’ve heard that song too many times.
If someone asked for email account passwords and 2FA login, people would scream bloody murder. What makes this different?
Note that none of this is about money. If someone defrauds me, the bank will refund me. It’s the least of my worries, really. Sure, rather not. But the bank can’t refund my privacy if someone exfiltrates purchase history. Based on any data leak ever, I think we all know what’s the most valuable thing in my bank account .. it’s not the money. It’s the data.
Plaid might be my least favorite company ever. It's such a privacy nightmare and they do not even tell you basic information about what you are sharing (or how to revoke sharing rights) going through their typical flow on some random fintech app. If you look at their website, you could be giving away just the bank and routing number, or potentially your entire bank transaction history, balance, identity information, etc. and have no idea. It's terrible and I could never recommend ever using an app that forced you through that flow.
Except that like all no-longer-a-startup companies who can make your life a living nightmare if they are not spot-on perfect with their security, Plaid has slapped a mandatory, binding arbitration clause in their user agreement.
Thus, if they do drop the ball in some catastrophic way, your ability to recover anything beyond a firm handshake and maybe an "oops, our bad" on the way to an "Our Incredible Journey" blog post is on the same level of probability as my winning a gold medal in curling at the Olympics: it statistically could happen, but very likely won't.
I alluded to this in my other comment, but I don't blame Plaid. Blame the banks - Plaid isn't doing this behind their banks, but with their blessings. Again, Mint was doing this for years.
When it comes to Credit Card Fraud, the banks are buying all sorts of AI based solutions - after all it's their money. When it comes to customer cash, then it's the wild west. I recently found out that my Wells Fargo password isn't even case sensitive.
There is clearly a market need for easier information exchange. Authorizing ACH withdrawals shouldn't require me depositing 2 random values in your account. The Banks could have done the work here, but they didn't and then Plaid came along and did the work for them. I hope they take data security more seriously than Wells Fargo.
Plaid's value is providing the SDK that developers can plug into their app to connect user bank accounts with their app. They have purposefully decided not to show a very common step in the user-facing bank link/onboarding flow of displaying exactly what information you are providing the developer with (e.g. think about FB Connect, Twitter, and Google and how each requires developers to show exactly what permission is being asked of the user).
Plaid has several endpoints you can hit. It could be as little as the bank number/routing number (to pull/push funds), but it can be years of bank transaction history and/or all identifying information about you from your bank (e.g. names, emails, phone numbers, addresses) and/or your current bank balance as well. An app that doesn't even provide mint-like functionality (e.g. showing your spending habits) could be pulling years of bank transaction history and you would not even know. That's horrifying.
Again, Plaid can and should take responsibility for not showing a simple permissions page. There is no way this is just an "oversight" on their part. It's a deliberate decision because they know it would be a conversion killer if people actually consciously understood how much information they are granting to random apps.
Users are generally dumb. I don't disagree that users are granting permission to these apps, but I'm saying that Plaid is making it purposely opaque in a way that common auth flows like FB/Twitter/Google do not do or get away with.
Not case sensitive, huh? How about not even distinguishing between letters and numbers?
When I called a prominent bank* recently, I was asked to enter my password via the phone. As in, the digit-equivalent of my password. At least I finally figured out why their password length is capped so low - user experience!
*I began this post with the bank name, and then wondered if given their approach to security, even that might be a bad idea.
> I hope they take data security more seriously than Wells Fargo.
But it doesn't really matter how seriously Plaid takes data security, as their whole business is around providing your account data (including your transaction data) to other companies. What matters is if the thousands of business customers of Plaid take data security seriously.
In Australia, there’s POLi Payments, now owned by Australia Post, which gets you to enter your bank username and password, then impersonates you (https://www.polipayments.com/Security is their statement about it, and a substantial fraction of the text on that page is just flat-out lies). Naturally, doing so is entirely against the ToS of all the banks (including you now being liable for literally anything), and a few banks have publicly said “don’t use that” or similar, but they evidently tacitly support it, because I don’t imagine it would be hard for them to block.
I was incredulous when I first tried to use POLi Payments and realised how it worked—I ran away screaming, naturally. That entire business should be shut down with prejudice.
Yes. Mint also does this. From what I've heard, there are a lot of banks without APIs, so the next best approach is to login on behalf of users and scrape the data.
The data is encrypted with a key that you have not one that the server has which is much much better. If someone breaks in to the server they are not able to very quickly grab all the data. They have to be able to deploy some malware on the server and allow it to run for a while to collect passwords.
If the on-line component goes anywhere beyond the ability to sync an opaque binary blob that only your local machines can decrypt and reencrypt, there's a problem there.
The devices could exchange their keys through a secure connection - be it direct (Bluetooth, LAN) or routed by a third-party service. It could also be transferred physically (through removable storage, or through retyping a bunch of numbers shown on one device into another device).
They do this because banks refuse to implement a properly-secured read-only API for granting access to transaction data. (I think maybe Chase now finally has one)
Maybe if the banks realize their customers are handing over their credentials in large numbers, it will light a fire under them to build a real solution.
> Maybe if the banks realize their customers are handing over their credentials in large numbers
Or they might pop a bottle of Champagne over that, in jurisdictions where the bank is by default responsible for all the account abuse risk unless they can prove that the user has shared credentials.
Probably not, because liability for non-credit accounts is up to the customer, not the bank. If people give up access credentials then they only have themselves to blame.
I haven't heard any reports of Plaid doing bad stuff with user transaction data, so I suspect there's a bit of paranoia in the comments here.
On the other hand, there's an underlying (and valid) concern that handing over bank credentials to a third party is risky and, even assuming good faith from Plaid, they have to store passwords on their servers somehow (probably encrypted).
Since they make money from integrations with startups/big banks, there is definitely a conflict of interest between keeping user credentials safe and growing their revenue.
I think as a whole, relying on a modern company which specializes in authentication is better than trusting that thousands of app developers, some of which might be big legacy banks with woefully understaffed IT departments, will keep your credentials safe. I'm aware that I'm more optimistic than most people in this thread (and on HN) though.
Here's a stackexchange question with some good discussion about Plaid security:
Arguably, giving up your email login is worse than giving up your banking login, since attackers could use your email to reset the password on other accounts, possibly including bank accounts.
For banking, a better system would allow you to generate some kind of token in your banking site which would allow the kinds of permissions you want to grant to a third party, and which you could unilaterally revoke at any time.
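As an added illustration of the scoped, revocable token the commenter describes (example code written for this page, not from the thread, any bank or any vendor; the token format, the scope names and the in-memory revocation list are assumptions), the sketch below shows the three properties that a shared password lacks: the grant names exactly which data may be read, it is bound to one third party and expires, and the customer can revoke it without touching their own credentials.

```python
"""Scoped, revocable access tokens for third-party read access to bank data.

Added example, not from the thread. A bank issues a token that names exactly
which data a third party may read; the customer can revoke it at any time
without changing their password. Token format, scope names and the
revocation list are assumptions for illustration only.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple, List, Set

# Constructed: the bank's signing key. In production this would live in an HSM/KMS.
BANK_SIGNING_KEY = secrets.token_bytes(32)

# Hypothetical scope names a customer can grant.
KNOWN_SCOPES = {"balance:read", "transactions:read", "account_number:read"}

# Revocation list: ids of tokens the customer has unilaterally revoked.
_revoked_token_ids: Set[str] = set()


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(customer_id: str, third_party: str, scopes: Set[str],
                ttl_seconds: int, now: Optional[float] = None) -> str:
    """Bank side: mint a token bound to one third party with an explicit scope list and expiry."""
    unknown = scopes - KNOWN_SCOPES
    if unknown:
        raise ValueError(f"unknown scopes: {sorted(unknown)}")
    now = time.time() if now is None else now
    payload = {
        "jti": secrets.token_hex(16),  # unique id, referenced by the revocation list
        "sub": customer_id,
        "aud": third_party,            # the only party allowed to present this token
        "scope": sorted(scopes),
        "exp": int(now + ttl_seconds),
    }
    body = _b64(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    sig = _b64(hmac.new(BANK_SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def revoke_token(token: str) -> None:
    """Customer action: put the token id on the revocation list. No password change needed."""
    body, _ = token.split(".", 1)
    _revoked_token_ids.add(json.loads(_unb64(body))["jti"])


def authorize(token: str, presenting_party: str, required_scope: str,
              now: Optional[float] = None) -> Tuple[bool, str]:
    """Bank API gate: signature, audience, expiry, revocation and scope must all check out."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        return False, "malformed"
    expected = _b64(hmac.new(BANK_SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    payload = json.loads(_unb64(body))
    if payload["aud"] != presenting_party:
        return False, "wrong audience"
    if payload["exp"] < now:
        return False, "expired"
    if payload["jti"] in _revoked_token_ids:
        return False, "revoked"
    if required_scope not in payload["scope"]:
        return False, f"scope {required_scope} not granted"
    return True, "ok"


def demo() -> List[str]:
    """Walk through grant, scope enforcement and revocation; returns the gate's decisions."""
    t0 = 1_700_000_000.0  # constructed fixed clock so the run is deterministic
    token = issue_token("cust-42", "budget-app", {"balance:read"}, ttl_seconds=3600, now=t0)
    results = [
        authorize(token, "budget-app", "balance:read", now=t0)[1],         # granted scope
        authorize(token, "budget-app", "transactions:read", now=t0)[1],    # never granted
        authorize(token, "other-app", "balance:read", now=t0)[1],          # stolen by another party
        authorize(token + "x", "budget-app", "balance:read", now=t0)[1],   # tampered
        authorize(token, "budget-app", "balance:read", now=t0 + 7200)[1],  # past expiry
    ]
    revoke_token(token)  # customer pulls the plug without changing their password
    results.append(authorize(token, "budget-app", "balance:read", now=t0)[1])
    return results


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The contrast with the credential-sharing flows discussed above is the point: a leaked token here yields at most the one named scope for one named party until expiry or revocation, while a leaked bank password yields everything the customer can do, with no way to cancel it short of a password change.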
Yeah back when ING still had a retail presence in the US they were notorious for not working well with Mint… because they required a mint specific access key and not your master credentials.
Yeah, but the difference (at least I think so, as I'm not a mint user) is that Plaid is building an API for other startups to use. It's somewhat amazing to me how little is needed for folks to gleefully hand over their bank passwords to anyone who asks for it.
> a service where millions of people are giving their banking credentials so some random startup can mine your transaction data
Wow, that's insane. I didn't think I'd ever be happy that all banks here in Brazil require you to install an invasive piece of software to validate your computer before allowing you to use online banking, which as far as I can see makes that sort of business model non-viable here.
This is by far my biggest concern with the new PSD2 system that's about to be launched. Even though I can understand why it might help break up monopolies, I still worry that easier access to banking details is going to end disastrously for people's privacy.
Transfund does this now. I tried complaining to their support and they just don't get it. Account/routing number should be enough, they don't need access to my transactions, etc.
Add that on top of increasing fees and I'm seeking alternatives.