475 points danielstocks | 10 comments
ThePhysicist ◴[] No.27301428[source]
Their German counterpart, Sofortüberweisung, didn't properly blacklist test credentials given out by banks e.g. to developers in the beginning, so people could simply use those and pay for goods and services with fake accounts.

For me there are so many red flags with all these services, as they basically "steal" your credentials to log into your online banking. And while they claim that they only use the credentials to make transfers they could as well look at all my other account data. I really wonder how such a scheme can be legal and how banks can allow this, as they normally tell people to never give their credentials to anyone. The situation of course recently improved with the mandated 2FA for logins and transfers, but still there are so many attack vectors in this model that it boggles my mind how it can still exist.

replies(11): >>27301463 #>>27301488 #>>27301493 #>>27301564 #>>27301577 #>>27301579 #>>27301648 #>>27301752 #>>27302175 #>>27302632 #>>27307067 #
1. tapland ◴[] No.27301488[source]
There have been some weird legal cases in Sweden where businesses and scammers have been freed after having signed in using other people's "BankID" to change retirement savings around or send cash.

It's the ID method I use for credits, pharmacies, health care, taxes, but was apparently not an ID so it's not ID-hijacking.

Klarna has man-in-the-middled my bank account before and performed a purchase, and I've been boycotting any company having them as the only payment option since.

OH, now I also remember Klarna adding credit in my name since they only needed my tax-registered address. I lived in a dorm so someone just used our public information to take out credits to order sneakers and could break into the crappy entry mailbox.

replies(2): >>27301598 #>>27302164 #
2. flemhans ◴[] No.27301598[source]
In Denmark, you're forced to use the state-run "NemID" for credit card payments, making for some weird situations where you authenticate with NemID inside iframes on shady URLs.

The same NemID is also used to file your taxes, look at all your health info, get married, everything basically.

Credit card payments are much lower security level, and they're basically forcing sharing credentials amongst all the sites you pay on.

replies(3): >>27301650 #>>27301702 #>>27301818 #
3. cra ◴[] No.27301650[source]
Yeah, same way they have it in Sweden, it's called "BankID" and only a few banks are allowed to issue that
replies(2): >>27301727 #>>27304028 #
4. aenin ◴[] No.27301702[source]
However it also forces everybody to use two factor authentication. On a whole population level I'd bet that's overall a positive tradeoff.

And I believe you can also use sms + password for online transactions.

replies(2): >>27302013 #>>27309007 #
5. tapland ◴[] No.27301727{3}[source]
I've worked on a BankID implementation and it was super smooth, good tools for testing and well documented.

We didn't need to scam anyone though, just have them verify that they were a Swedish resident (had a valid Swedish SSN and were the ones ordering) :D

6. ◴[] No.27301818[source]
7. legulere ◴[] No.27302013{3}[source]
2FA is already mandatory by the PSD2 directive of the EU. I use my debit card as the second factor to access my bank account here in Germany via ChipTAN
8. ekvilibrist ◴[] No.27302164[source]
> There have been some weird legal cases in Sweden where businesses and scammers have been freed after having signed in using other people's "BankID" to change retirement savings around or send cash.

As far as I know most, if not all, of these scams have been perpetrated against the elderly. All operations (authentication, signing) can be initiated remotely with just a personal ID number, so the typical scam meant calling up someone and claiming that "an authentication must be performed", and simultaneously initiating a bank login session. If you can keep the victim on the phone and using the BankID app when you tell them, you could basically log in and empty their bank accounts. This has been largely fixed using QR codes to initiate login requests for major internet banks (which means you have to be in front of the same screen now) and other clever workarounds. But it has also always been a fact that there will be a description saying what you are signing, in the app, so being careful you could easily avoid being scammed.

I think it's largely a great asset (BankID) but it's never gonna be 100% tamper-proof without being seriously neutered.
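
The remote-initiation scam and the QR-code fix described in the comment above, as an added example that is not part of the original thread and is not BankID's actual protocol or code: a toy Python model in which an identity provider accepts login requests by personal number, and the approving phone app either approves whatever is pending for its number (push) or must scan a rotating code that only the initiating screen displays (QR). The class names, the placeholder personal number and the HMAC-based rotating code are assumptions made for the demonstration; the "do as told" step models the victim following the caller's instructions.

```python
import hashlib
import hmac
import secrets
import time

# Added example, not BankID code. Class names, the placeholder personal number
# and the HMAC rotating code are constructed for this demonstration.

PERSONAL_NUMBER = "PN-EXAMPLE-0001"  # constructed placeholder, not a real number


class Screen:
    """A browser window. Whoever started the session sees its QR code here."""

    def __init__(self):
        self.content = None

    def show(self, content):
        self.content = content


class IdP:
    """Identity provider. mode="push": the app approves any request for its number;
    mode="qr": the approval must carry the code shown on the initiating screen."""

    def __init__(self, mode):
        assert mode in ("push", "qr")
        self.mode = mode
        self.sessions = {}

    def start(self, personal_number, screen, description):
        """Anyone who knows the personal number can start a session (the
        remote-initiation property the comment describes)."""
        sid = secrets.token_hex(8)
        self.sessions[sid] = {"pn": personal_number, "secret": secrets.token_bytes(16),
                              "description": description, "done": False}
        if self.mode == "qr":
            # Only the initiating screen learns the code, so the approving
            # device must physically see that screen to scan it.
            screen.show(self.qr_code(sid))
        return sid

    def qr_code(self, sid, counter=None):
        """Time-rotating code derived from the session secret (TOTP-style HMAC)."""
        counter = int(time.time()) if counter is None else counter
        mac = hmac.new(self.sessions[sid]["secret"], f"{sid}:{counter}".encode(), hashlib.sha256)
        return f"{sid}:{counter}:{mac.hexdigest()[:16]}"

    def pending_for(self, personal_number):
        """Push mode: the app asks whether anything is waiting for its number."""
        return [sid for sid, s in self.sessions.items()
                if s["pn"] == personal_number and not s["done"]]

    def approve(self, sid, personal_number, scanned=None):
        """Mark a session approved; returns True only if the approval is accepted."""
        s = self.sessions.get(sid)
        if s is None or s["pn"] != personal_number or s["done"]:
            return False
        if self.mode == "qr":
            now = int(time.time())
            # Accept the current or previous second's code to tolerate the scan delay.
            if scanned not in {self.qr_code(sid, now), self.qr_code(sid, now - 1)}:
                return False
        s["done"] = True
        return True


class App:
    """The user's phone app. It can only scan screens physically in front of it."""

    def __init__(self, personal_number, visible_screens):
        self.pn = personal_number
        self.visible_screens = visible_screens
        self.prompts = []  # the "what you are signing" text shown before each approval

    def do_as_told(self, idp):
        """Social-engineering step: the caller says 'an authentication must be
        performed' and the user approves whatever the app offers."""
        if idp.mode == "push":
            for sid in idp.pending_for(self.pn):
                self.prompts.append(idp.sessions[sid]["description"])
                return idp.approve(sid, self.pn)
            return False
        for screen in self.visible_screens:
            if screen.content:
                sid = screen.content.split(":")[0]
                self.prompts.append(idp.sessions[sid]["description"])
                return idp.approve(sid, self.pn, scanned=screen.content)
        return False


def run_scam(mode):
    """Attacker who knows the victim's personal number starts a bank login on
    the attacker's own screen while keeping the victim on the phone."""
    idp = IdP(mode)
    attacker_screen, victim_screen = Screen(), Screen()
    victim = App(PERSONAL_NUMBER, [victim_screen])
    sid = idp.start(PERSONAL_NUMBER, attacker_screen, "Log in to Internet bank")
    victim.do_as_told(idp)
    return idp.sessions[sid]["done"]


def run_legit(mode):
    """The user starts the login on their own screen and approves it."""
    idp = IdP(mode)
    own_screen = Screen()
    user = App(PERSONAL_NUMBER, [own_screen])
    sid = idp.start(PERSONAL_NUMBER, own_screen, "Log in to Internet bank")
    user.do_as_told(idp)
    return idp.sessions[sid]["done"]


if __name__ == "__main__":
    for mode in ("push", "qr"):
        print(f"{mode}: scam succeeds={run_scam(mode)}, legit login succeeds={run_legit(mode)}")
```

In push mode the attacker's remotely started session is the one the victim approves, which is the scam the comment describes; in QR mode the victim's phone never sees the attacker's screen, so there is nothing to scan and the attacker's session stays unapproved while a legitimate login still works. The app also records the description it showed, which is the text a careful user would read before approving.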

9. 3np ◴[] No.27304028{3}[source]
Major distinction being that BankID is privately owned and operated, as opposed to state-run.
10. flemhans ◴[] No.27309007{3}[source]
SMS + password works for some Mastercards still but not Visa.

I don't think it's good that users are taught to accept their primary citizen 2FA on any random website and app where the URL doesn't even show.