475 points danielstocks | 38 comments
1. ThePhysicist No.27301428
Their German counterpart, Sofortüberweisung, didn't properly blacklist test credentials given out by banks e.g. to developers in the beginning, so people could simply use those and pay for goods and services with fake accounts.

For me there are so many red flags with all these services, as they basically "steal" your credentials to log into your online banking. And while they claim that they only use the credentials to make transfers they could as well look at all my other account data. I really wonder how such a scheme can be legal and how banks can allow this, as they normally tell people to never give their credentials to anyone. The situation of course recently improved with the mandated 2FA for logins and transfers, but still there are so many attack vectors in this model that it boggles my mind how it can still exist.

replies(11): >>27301463 #>>27301488 #>>27301493 #>>27301564 #>>27301577 #>>27301579 #>>27301648 #>>27301752 #>>27302175 #>>27302632 #>>27307067 #
2. toxik No.27301463
Hear hear, I used Klarna (not by choice) and it surprised me they would feign being me in interactions with my bank. Exactly the type of behavior techies are trying to teach the older generations to NOT fall for.

With this, we know that Klarna's software quality is papier-mâché level. I am happy I refused to let Klarna have my account authorization.

3. tapland No.27301488
There have been some weird legal cases in Sweden where businesses and scammers have been freed after having signed in using other people's "BankID" to change retirement savings around or send cash.

It's the ID method I use for credits, pharmacies, health care, taxes, but was apparently not an ID so it's not ID hijacking.

Klarna has man-in-the-middled my bank account before and performed a purchase, and I've been boycotting any company having them as the only payment option since.

OH, now I also remember Klarna adding credit in my name since they only needed my tax registered address. I lived in a dorm so someone just used our public information to take out credits to order sneakers and could break into the crappy entry mailbox.

replies(2): >>27301598 #>>27302164 #
4. corroclaro No.27301493
Klarna is actually its own bank these days so that doesn't really happen anymore. I think however many other payment providers operate this way still which is ridiculous.

Then again, PSD2 API roll-out has been very ???

replies(2): >>27301569 #>>27302172 #
5. danpalmer No.27301564
Can you explain more about the credentials and online banking?

I've used (and integrated with) Klarna in the UK and from what I've seen it's only really a payment method with merchants who you pay back by card later.

replies(2): >>27301617 #>>27302156 #
6. tapland No.27301569
It's happened wayyy into them being their own bank (at least until 2019 when I started boycotting them)

They signed into users' bank accounts, in other banks, to set up transfers (which also gives you all account statements).

replies(1): >>27301574 #
7. corroclaro No.27301574{3}
Did not know! Guess being scummy doesn't stop because you get a license.
8. jstummbillig No.27301577
What could a competitively convenient way to do this better look like?
replies(3): >>27301626 #>>27301668 #>>27301790 #
9. spurgu No.27301579
Yeah I once had to make a ~20k transfer with Klarna and was shocked to see that they essentially hijacked my credentials. I only went through with it because there is additional 2FA (on my bank) so they wouldn't have been able to repeat it. But still a super shady practice. I was sweating for days until I got a confirmation that the transfer went through successfully. 1/5 experience.
10. flemhans No.27301598
In Denmark, you're forced to use the state-run "NemID" for credit card payments, making for some weird situations where you authenticate with NemID inside iframes on shady URLs.

The same NemID is also used to file your taxes, look at all your health info, get married, everything basically.

Credit card payments are much lower security level, and they're basically forcing sharing credentials amongst all the sites you pay on.

replies(3): >>27301650 #>>27301702 #>>27301818 #
11. tapland No.27301617
In Sweden most people have an electronic way to identify themselves to their bank (BankID) and it is used by many services to verify your identity.

It's extremely useful for any ID verification, but Klarna asks you to verify your identity towards them but when you open the app they have instead sent a request to identify with your bank, using your credentials.

12. ThePhysicist No.27301626
I think PSD2 is supposed to solve these problems with a less insane approach, but the rollout seems to be quite sluggish.
replies(1): >>27302657 #
13. rbmks No.27301648
I cancel every online order if I find out that it is handled by PayPal, Klarna, Mollie or other data collecting entities.

The situation in Europe is so bad that you are sometimes tricked into a prepaid order only to find out that the invoice comes from one of those.

The appropriate penalty is immediate cancellation and multiple GDPR requests.

replies(1): >>27308290 #
14. cra No.27301650{3}
Yeah, same way they have it in Sweden, it's called "BankID" and only a few banks are allowed to issue that
replies(2): >>27301727 #>>27304028 #
15. jagger27 No.27301668
https://plaid.com/ does it well.
replies(1): >>27302273 #
16. aenin No.27301702{3}
However it also forces everybody to use two factor authentication. On a whole population level I'd bet that's overall a positive tradeoff.

And I believe you can also use sms + password for online transactions.

replies(2): >>27302013 #>>27309007 #
17. tapland No.27301727{4}
I've worked on BankID implementation and it was super smooth, good tools for testing and well documented.

We didn't need to scam anyone though, just have them verify that they were a Swedish resident (had a valid Swedish SSN and were the ones ordering) :D

18. bierjunge No.27301752
I have the same sketchy feeling about Sofortüberweisung/Klarna. If they want to make transactions on my behalf, why should I give them full access to my account?

Most banks have a paragraph in their contracts/ToS forbidding sharing the account with third parties, but they are rarely enforcing it. Still, they could close the account due to contract/ToS violation.

replies(1): >>27302127 #
19. tialaramex No.27301790
You can generically solve the problem of Alice giving David access to Bob's service on her behalf without giving Alice's credentials for Bob's service to David using stuff like OAuth2, this is already how lots of things work today.

In OAuth2 David only ends up with some token showing Alice authorised David to use this service on her behalf. Bob can tell David and Alice apart, and choose to restrict what David can do appropriately.

If Bob is particularly tired of this nonsense, and his customers like Alice keep giving David their credentials and then are surprised that doing so means Bob can't tell Alice and David apart, WebAuthn reifies it so that most users in Alice's position can now see where the problem is. When David tells Alice he needs her Yubikey to access Bob's service, it should occur to Alice that giving the Yubikey to David isn't a good idea because then she won't have it any more. Good.
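
The delegation model described in this comment, as an added example that is not part of the original thread: a toy bank in Python that accepts both a password login (the Sofort/Klarna-style flow, where the bank cannot tell Alice from David) and an OAuth2-style scoped, signed, expiring token that Alice obtains from the bank and hands to David. The bank, the users (alice, pisp-david), the scope names, the token format and the audit log are all constructed for illustration; this is not any real bank's or PSD2 API, and `authorize()` taking the password directly stands in for Alice authenticating on the bank's own site during a redirect (David never sees it).

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed example: a toy bank with two ways for a third party (David, a
# payment initiator) to act on Alice's account. Names, scopes and the token
# format are assumptions for illustration, not any real bank's API.

class Bank:
    def __init__(self):
        self._passwords = {"alice": "correct horse battery staple"}  # constructed
        self.statements = {"alice": ["-12.00 coffee", "+2500.00 salary"]}
        self.balance = {"alice": 2500.00}
        self._key = secrets.token_bytes(32)   # bank-side key that signs tokens
        self.audit = []                       # (actor, on_behalf_of, action)

    # --- Credential sharing: the bank cannot tell Alice from David ---------
    def login(self, user, password):
        if not hmac.compare_digest(self._passwords.get(user, ""), password):
            raise PermissionError("bad credentials")
        return {"kind": "session", "sub": user}   # full access, no scope

    # --- OAuth2-style delegation: Alice authorizes a named client ----------
    def authorize(self, user, password, client_id, scopes, ttl=300):
        self.login(user, password)   # Alice authenticates to the bank, not to David
        claims = {"sub": user, "client": client_id, "scope": sorted(scopes),
                  "exp": int(time.time()) + ttl}
        body = json.dumps(claims, separators=(",", ":")).encode()
        tag = hmac.new(self._key, body, hashlib.sha256).hexdigest()
        return body.hex() + "." + tag

    def _check(self, auth, needed_scope):
        """Return (actor, subject) if auth grants needed_scope, else raise."""
        if isinstance(auth, dict) and auth.get("kind") == "session":
            return auth["sub"], auth["sub"]      # whoever holds the password IS alice
        body_hex, tag = auth.split(".")
        body = bytes.fromhex(body_hex)
        expected = hmac.new(self._key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            raise PermissionError("forged token")
        claims = json.loads(body)
        if claims["exp"] < time.time():
            raise PermissionError("expired token")
        if needed_scope not in claims["scope"]:
            raise PermissionError(f"scope {needed_scope} not granted")
        return claims["client"], claims["sub"]   # bank knows David acted for Alice

    def read_statements(self, auth):
        actor, sub = self._check(auth, "account:read")
        self.audit.append((actor, sub, "read_statements"))
        return list(self.statements[sub])

    def transfer(self, auth, to, amount):
        actor, sub = self._check(auth, "payment:initiate")
        if amount > self.balance[sub]:
            raise ValueError("insufficient funds")
        self.balance[sub] -= amount
        self.audit.append((actor, sub, f"transfer {amount} to {to}"))
        return self.balance[sub]


def credential_sharing_flow():
    """David logs in with Alice's password: nothing limits what he can see."""
    bank = Bank()
    session = bank.login("alice", "correct horse battery staple")
    seen = bank.read_statements(session)          # full history is readable
    bank.transfer(session, "merchant", 20.0)
    return seen, bank.audit                       # audit blames 'alice' for all of it


def delegated_flow():
    """Alice hands David a token scoped to payment initiation only."""
    bank = Bank()
    token = bank.authorize("alice", "correct horse battery staple",
                           client_id="pisp-david", scopes=["payment:initiate"])
    try:
        bank.read_statements(token)               # out of scope: refused
        leaked = True
    except PermissionError:
        leaked = False
    bank.transfer(token, "merchant", 20.0)        # in scope: allowed
    forged = token[:-1] + ("0" if token[-1] != "0" else "1")  # tamper with the tag
    try:
        bank.transfer(forged, "attacker", 20.0)
        forgery_ok = True
    except PermissionError:
        forgery_ok = False
    return leaked, forgery_ok, bank.audit
```

Running `credential_sharing_flow()` shows the point made above: the statements come back, and every audit entry reads as Alice. With `delegated_flow()` the read is refused, the transfer goes through, a bit-flipped token is rejected, and the audit entry names `pisp-david` acting for `alice`, which is exactly what lets Bob restrict David and tell the two apart.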

20. No.27301818{3}
21. legulere No.27302013{4}
2FA is already mandatory by the PSD2 directive of the EU. I use my debit card as the second factor to access my bank account here in Germany via ChipTAN
22. chopin No.27302127
Worse, you're on the hook if your account is drained.
23. lxgr No.27302156
Klarna provides many different financial services.

They provide "pay by bank account" (which involves the mentioned MITMing of users' online banking accounts, unless Klarna is integrated with your bank via OAuth/PSD2, which is still not ubiquitous), but also installment payments/factoring and others.

24. ekvilibrist No.27302164
> There have been some weird legal cases in Sweden where businesses and scammers have been freed after having signed in using other people's "BankID" to change retirement savings around or send cash.

As far as I know most, if not all, of these scams have been perpetrated against the elderly. All operations (authentication, signing) can be initiated remotely with just a personal ID number, so the typical scam meant calling up someone and claiming that "an authentication must be performed", and simultaneously initiating a bank login session. If you can keep the victim on the phone and using the BankID app when you tell them, you could basically login and empty their bank accounts. This has been largely fixed using QR codes to initiate login requests for major internet banks (which means you have to be in front of the same screen now) and other clever workarounds. But it has also always been a fact that there will be a description saying what you are signing, in the app, so being careful you could easily avoid being scammed.

I think it's largely a great asset (BankID) but it's never gonna be 100% tamper-proof without being seriously neutered.
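
The remote-initiation scam and the QR fix described in this comment, as an added example that is not part of the original thread and not BankID's actual protocol: a simplified Python model of a phone-app identity provider. In the legacy start, anyone who knows a personal number can open an order addressed to it and the order then appears in the victim's app; in the QR start, the order carries a start secret that only exists on the relying party's screen, so the app can complete it only by scanning that screen. The personal number, PIN, relying-party name, order fields and the `start_remote`/`start_qr`/`app_complete` API are all constructed for illustration.

```python
import secrets

# Constructed, simplified model of a phone-app identity scheme. It is NOT
# BankID's real protocol; the personal number, PIN, relying party and the
# order/QR fields are assumptions made for illustration only.

class IdP:
    def __init__(self, pins):
        self._pins = pins          # personal number -> app PIN (constructed)
        self.orders = {}           # order_ref -> order state

    # Relying-party side -------------------------------------------------
    def start_remote(self, rp, pnr, text):
        """Legacy start: anyone who knows a personal number can open an
        order for it; the victim then only needs to approve it in the app."""
        ref = secrets.token_hex(8)
        self.orders[ref] = {"rp": rp, "pnr": pnr, "text": text,
                            "qr": None, "done_by": None}
        return ref

    def start_qr(self, rp, text):
        """QR start: the identity is unknown until the app scans the start
        secret that the relying party renders on its own screen."""
        ref, qr = secrets.token_hex(8), secrets.token_hex(16)
        self.orders[ref] = {"rp": rp, "pnr": None, "text": text,
                            "qr": qr, "done_by": None}
        return ref, qr

    def collect(self, rp, ref):
        """Relying party asks who completed the order (None if nobody)."""
        o = self.orders[ref]
        return o["done_by"] if o["rp"] == rp else None

    # App side -----------------------------------------------------------
    def app_pending(self, pnr):
        """What the app shows: pending remote orders addressed to this
        personal number, with the text saying what is being approved."""
        return [(ref, o["rp"], o["text"]) for ref, o in self.orders.items()
                if o["pnr"] == pnr and o["done_by"] is None]

    def app_complete(self, pnr, pin, ref, scanned_qr=None):
        o = self.orders[ref]
        if self._pins.get(pnr) != pin:
            raise PermissionError("wrong PIN")
        if o["qr"] is not None and scanned_qr != o["qr"]:
            raise PermissionError("start secret must be scanned from the screen")
        if o["pnr"] is not None and o["pnr"] != pnr:
            raise PermissionError("order addressed to someone else")
        o["done_by"] = pnr
        return o["text"]          # the description the user is shown


VICTIM, PIN = "19500101-1234", "123456"   # constructed values


def remote_scam():
    """Scammer phones the victim, opens an order for the victim's personal
    number at the victim's bank and talks them into approving 'the
    authentication' that pops up in their app."""
    idp = IdP({VICTIM: PIN})
    ref = idp.start_remote("victim-bank", VICTIM, "Log in to victim-bank")
    pending = idp.app_pending(VICTIM)               # order shows up on victim's phone
    shown = idp.app_complete(VICTIM, PIN, pending[0][0])   # victim taps OK
    return idp.collect("victim-bank", ref), shown   # scammer's session is now the victim


def qr_scam():
    """Same scammer, but the bank now starts by QR. The secret is on the
    scammer's screen, nothing appears in the victim's app, and reading the
    order reference out over the phone is not enough to complete it."""
    idp = IdP({VICTIM: PIN})
    ref, _qr = idp.start_qr("victim-bank", "Log in to victim-bank")
    pending = idp.app_pending(VICTIM)               # empty: order has no pnr yet
    try:
        idp.app_complete(VICTIM, PIN, ref)          # no scanned secret
    except PermissionError:
        pass
    return idp.collect("victim-bank", ref), pending


def qr_legit():
    """Honest flow: the user scans the QR from the screen in front of them."""
    idp = IdP({VICTIM: PIN})
    ref, qr = idp.start_qr("victim-bank", "Log in to victim-bank")
    idp.app_complete(VICTIM, PIN, ref, scanned_qr=qr)
    return idp.collect("victim-bank", ref)
```

`remote_scam()` returns the victim's personal number to the scammer's relying-party session; `qr_scam()` returns `None` and an empty pending list, while `qr_legit()` still works. The binding only forces the scanning phone to be in front of the relying party's screen: a scammer who persuades the victim to scan a relayed picture of the QR code is not stopped by this model, which is why the text the app shows (what `app_complete` returns here) still matters, as the comment above says.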

25. lxgr No.27302172
Is that true for all European banks though? I think they all need to have an API available at this point, but is Klarna using that in every instance (instead of their legacy creepy MITM scheme) already?
26. gpvos No.27302175
I understand that Sofort was allowed to continue despite using the user's bank credentials because disallowing them would be anticompetitive.[0] I have no idea how that could justify such an insecure practice, but there you have it.

[0] https://knowledge.fintecsystems.com/en/blog/the-history-of-o... , under "Legal Action by Giropay"

27. lxgr No.27302273{3}
Don't they effectively do the exact same thing? As far as I know, they use screenscraping for most US banks rather than something OAuth-based.
replies(1): >>27302441 #
28. jagger27 No.27302441{4}
I think it depends on the bank. It's really up to the banks to provide a proper API.
29. 74d-fe6-2c6 No.27302632
Have been using SÜ for years until I learned that they not just facilitate the transfer but abuse their role to dump bank transfer data worth several months. I don't use that service anymore.
replies(1): >>27303540 #
30. mping No.27302657{3}
Surprisingly, there are already integrations in my home country; I took a look at tink [1] some time ago (no affiliation whatsoever) and they look legit. I'm sure there are more SaaS like them.

[1] https://docs.tink.com/market-capabilities/aggregation

31. bschne No.27303540
That sounds pretty bad! I always thought the login flow was super sketchy, but wasn't aware of this part — has this been covered/analyzed somewhere or is it evident from their terms or something?
replies(2): >>27305257 #>>27310267 #
32. 3np No.27304028{4}
Major distinction being that BankID is privately owned and operated, as opposed to state-run.
33. 74d-fe6-2c6 No.27305257{3}
I cannot answer this question satisfyingly. I read it somewhere and found tangential information by google search - but nothing very specific.
34. tgsovlerkhgsel No.27307067
Sofortüberweisung specifically got caught looking at 30 days of transaction data.

> how banks can allow this

A court decided that blocking this "business model" would be anticompetitive.

replies(1): >>27310185 #
35. thomasikzelf No.27308290
I looked through the terms of use and the privacy policy for Mollie and I don't think they are selling data. Do you have different information than I have?
36. flemhans No.27309007{4}
SMS + password works for some Mastercards still but not Visa.

I don't think it's good that users are taught to accept their primary citizen 2FA on any random website and app where the URL doesn't even show.

37. horstmeyer No.27310185
Do you have sources on them looking at transaction data please? That is clearly not necessary for processing the payment.

Edit: Found an article in German - https://www.sueddeutsche.de/geld/zahlung-per-sofortueberweis...

They claim they need to do this to make sure there is sufficient money in the account, even with transactions that might not be reflected in the balance, and they also check for other "Sofortüberweisungen" to detect fraud. Makes sense in a way but still quite shady. If there wasn't enough money in my account, or other transfers pending would my bank even allow their transfer?

38. horstmeyer No.27310267{3}
Here is an article in German : https://www.sueddeutsche.de/geld/zahlung-per-sofortueberweis...