The instructions asked me to provide account, card number and OTP login code... then it's just a matter of scraping all my past 10 years' transactions and keeping the session alive to snoop on exactly how many condoms I buy...
The idea behind the thing seems to be to initiate a wire transfer (which cannot be refunded as easily as a direct withdrawal) and provide the merchant with an immediate confirmation of the same. I've never used Sofort for pretty much that reason: they want your online banking credentials and then automate stuff behind your back.
I've sometimes used giropay, though, which does the same, only directly through your bank's online banking interface. So you're interacting with your bank, not a third party; but that third party gets confirmation about the transfer. Still more of a hassle than direct withdrawal ...
This is ridiculous. In Poland, everyone implements online wire transfer with immediate confirmations by either:
- using a service like PayU or Przelewy24 that have accounts in every major bank (in-bank transfers are immediate), use bank API to initiate the transfer and provide a confirmation to the merchant when the money arrives on their account (they often allow manual or post-office transfer as a fallback, and Blik too)
- using a service like Blik, which is directly integrated with the bank
- using bank APIs directly
The first option is basically as wide-spread as credit card support; direct withdrawals pretty much don't exist there. A service that would ask for your banking login data and OTPs is unthinkable for me.
It's ridiculous how much of finance works on trust in some countries. It is mind-boggling how easy it is for someone in the UK to steal someone's identity for the purposes of applying for credit cards and loans, and people happily give away their names, addresses, dates of birth, anything for random stuff like winning an iPhone or whatever.
No way anyone's ever getting my bank credentials, even though anything important is approved by phone. It's like giving someone the keys to your home and cash safe, and telling them to be careful with it please :)
The Netherlands mostly uses a system called iDEAL; I don’t know the details but it reminds me of Kerberos or Oauth2. Both parties establish trust with the intermediate server that guarantees confidential handover of transaction secrets without requiring more access than necessary.
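The Polish PayU/Przelewy24 flow above and the iDEAL comparison here both come down to the same thing from the merchant's side: an intermediary confirms a transfer, and the merchant must verify that confirmation rather than trust whatever lands on its callback URL. The following is an added example, not code from the original thread or from any of the named payment services; the signing scheme (HMAC-SHA256 over a canonical JSON body), the field names, the shared secret and the sample notifications are all constructed assumptions for illustration.

```python
import hashlib
import hmac
import json

# Hypothetical shared secret between merchant and payment intermediary (constructed).
MERCHANT_SECRET = b"constructed-demo-secret-do-not-reuse"

# Constructed merchant-side order book: order_id -> (amount in minor units, currency).
ORDERS = {"ORD-1001": (4999, "PLN")}


def canonical(body: dict) -> bytes:
    """Deterministic encoding of the signed fields (assumed scheme, not any real PSP's)."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign(body: dict, secret: bytes) -> str:
    return hmac.new(secret, canonical(body), hashlib.sha256).hexdigest()


def verify_notification(message: dict, secret: bytes, orders: dict, seen: set):
    """Return (ok, reason). `seen` holds notification ids already credited (replay guard)."""
    sig = message.get("signature", "")
    body = {k: v for k, v in message.items() if k != "signature"}

    # 1. Authenticate first: nothing else in the message is trustworthy before this.
    if not hmac.compare_digest(sign(body, secret), sig):
        return False, "bad signature"

    # 2. Replay: the same (genuinely signed) notification must not credit an order twice.
    nid = body.get("notification_id")
    if nid in seen:
        return False, "replayed notification"

    # 3. Compare against what the merchant asked for, not against what the message claims.
    order = orders.get(body.get("order_id"))
    if order is None:
        return False, "unknown order"
    if (body.get("amount"), body.get("currency")) != order:
        return False, "amount/currency mismatch"
    if body.get("status") != "paid":
        return False, "not paid"

    seen.add(nid)
    return True, "ok"


def make_sample(**overrides) -> dict:
    """Constructed notification as the intermediary would send it, signed with the shared secret."""
    body = {"notification_id": "ntf-1", "order_id": "ORD-1001",
            "amount": 4999, "currency": "PLN", "status": "paid"}
    body.update(overrides)
    msg = dict(body)
    msg["signature"] = sign(body, MERCHANT_SECRET)
    return msg


def demo() -> dict:
    """Run the verifier over four constructed cases and return each (ok, reason)."""
    seen = set()
    results = {}
    results["genuine"] = verify_notification(make_sample(), MERCHANT_SECRET, ORDERS, seen)
    # Same notification delivered again: signature is fine, but it was already credited.
    results["replay"] = verify_notification(make_sample(), MERCHANT_SECRET, ORDERS, seen)
    # Amount edited after signing: the signature no longer matches.
    tampered = make_sample()
    tampered["amount"] = 1
    results["tampered"] = verify_notification(tampered, MERCHANT_SECRET, ORDERS, seen)
    # Correctly signed, but the intermediary reports less than the order requires.
    underpaid = make_sample(notification_id="ntf-3", amount=1)
    results["underpaid"] = verify_notification(underpaid, MERCHANT_SECRET, ORDERS, seen)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:10s} ok={ok} reason={reason}")
```

The order of checks matters: the signature is verified before any field is read, the replay guard keys on the intermediary's notification id rather than the order id (an order may legitimately get a failed notification followed by a paid one), and the amount and currency are taken from the merchant's own records so a valid-but-underpaid confirmation cannot release goods.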
German law at least forces them to declare that they do so if they were doing that. Otherwise they would break a lot of laws. IANAL, but I believe that might actually get some people in jail.
I remember that banks were very much opposed to that service when they started out, warning people off (against the banks' ToS, grounds for account termination etc.) and trying to block Sofort from their servers. I honestly don't know how the banks were placated in the end.
I am not sure how much information they get from your account. Could be just the balance and transaction confirmation. Also, you need a separate transaction authorization. The log-in information is not enough to initiate a transaction.
Criminals