
475 points danielstocks | 7 comments
ThePhysicist No.27301428
Their German counterpart, Sofortüberweisung, didn't properly blacklist test credentials given out by banks e.g. to developers in the beginning, so people could simply use those and pay for goods and services with fake accounts.

For me there are so many red flags with all these services, as they basically "steal" your credentials to log into your online banking. And while they claim that they only use the credentials to make transfers they could as well look at all my other account data. I really wonder how such a scheme can be legal and how banks can allow this, as they normally tell people to never give their credentials to anyone. The situation of course recently improved with the mandated 2FA for logins and transfers, but still there are so many attack vectors in this model that it boggles my mind how it can still exist.

replies(11): >>27301463 #>>27301488 #>>27301493 #>>27301564 #>>27301577 #>>27301579 #>>27301648 #>>27301752 #>>27302175 #>>27302632 #>>27307067 #
1. jstummbillig No.27301577
What could a competitively convenient way to do this better look like?
replies(3): >>27301626 #>>27301668 #>>27301790 #
2. ThePhysicist No.27301626
I think PSD2 is supposed to solve these problems with a less insane approach, but the rollout seems to be quite sluggish.
replies(1): >>27302657 #
3. jagger27 No.27301668
https://plaid.com/ does it well.
replies(1): >>27302273 #
4. tialaramex No.27301790
You can generically solve the problem of Alice giving David access to Bob's service on her behalf, without giving Alice's credentials for Bob's service to David, using stuff like OAuth2; this is already how lots of things work today.

In OAuth2 David only ends up with some token showing Alice authorised David to use this service on her behalf. Bob can tell David and Alice apart, and choose to restrict what David can do appropriately.

If Bob is particularly tired of this nonsense, and his customers like Alice keep giving David their credentials and then are surprised that doing so means Bob can't tell Alice and David apart, WebAuthn reifies it so that most users in Alice's position can now see where the problem is. When David tells Alice he needs her Yubikey to access Bob's service, it should occur to Alice that giving the Yubikey to David isn't a good idea because then she won't have it any more. Good.
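The delegation model described in the comment above, as an added example that is not code from any real bank, OAuth2 provider, or from the commenter: Bob's bank mints a token after Alice consents, the token names both the user (sub) and the client acting for her (azp) plus the granted scopes, and Bob's API can therefore refuse David the account-read scope while allowing payment initiation. The password-login path at the end shows the contrast with credential sharing, where Bob cannot tell David from Alice. The HMAC token format, the scope names, the client id "david-pisp" and the sample password are all assumptions made for this illustration.

```python
"""OAuth2-style delegation sketch (added illustration, not a real bank's code).
Bob runs the bank API, Alice is the account holder, David is a third-party
payment service. Token format, scope names and credentials are assumptions."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SERVER_KEY = b"bob-bank-signing-key"  # assumption: Bob's token-signing secret


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def issue_token(subject: str, client_id: str, scopes: set, ttl: int = 600, now=None) -> str:
    """Bob issues a token after Alice consents. It records who the user is (sub),
    which client acts on her behalf (azp), and exactly which scopes she granted."""
    now = int(time.time()) if now is None else now
    payload = {"sub": subject, "azp": client_id, "scope": sorted(scopes), "exp": now + ttl}
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    sig = _b64(hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_token(token: str, now=None) -> Optional[dict]:
    """Check signature and expiry; return the claims or None."""
    if "." not in token:
        return None
    body, sig = token.split(".", 1)
    expected = _b64(hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None
    payload = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    now = int(time.time()) if now is None else now
    if payload["exp"] <= now:
        return None
    return payload


# Bob's resource server: each endpoint demands a specific scope (assumed names).
ENDPOINT_SCOPES = {"POST /payments": "payments:initiate", "GET /accounts": "accounts:read"}


def handle_request(endpoint: str, token: str, now=None) -> dict:
    """Bob can see both the user and the delegated client, and restrict the latter."""
    claims = verify_token(token, now)
    if claims is None:
        return {"status": 401, "reason": "invalid or expired token"}
    needed = ENDPOINT_SCOPES[endpoint]
    if needed not in claims["scope"]:
        return {"status": 403, "reason": f"scope {needed} not granted",
                "caller": claims["azp"], "on_behalf_of": claims["sub"]}
    return {"status": 200, "caller": claims["azp"], "on_behalf_of": claims["sub"]}


# Contrast: the credential-sharing model. Whoever holds Alice's password is Alice.
USERS = {"alice": "correct horse battery staple"}  # constructed sample credential


def password_login(username: str, password: str) -> dict:
    """No azp claim exists here: Bob cannot distinguish David from Alice."""
    if hmac.compare_digest(USERS.get(username, ""), password):
        return {"caller": username, "on_behalf_of": username}
    return {"caller": None, "on_behalf_of": None}


if __name__ == "__main__":
    t = issue_token("alice", "david-pisp", {"payments:initiate"})
    print(handle_request("POST /payments", t))   # allowed, logged as david-pisp for alice
    print(handle_request("GET /accounts", t))    # refused: accounts:read never granted
    print(password_login("alice", "correct horse battery staple"))  # looks like alice
```

The point of the scoped token is visible in the two audit records: the delegated call carries both "caller" and "on_behalf_of", so Bob can limit David to payment initiation and revoke that grant alone, whereas the password path yields a record in which David and Alice are indistinguishable.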

5. lxgr No.27302273
Don't they effectively do the exact same thing? As far as I know, they use screenscraping for most US banks rather than something OAuth-based.
replies(1): >>27302441 #
6. jagger27 No.27302441
I think it depends on the bank. It's really up to the banks to provide a proper API.
7. mping No.27302657
Surprisingly, there are already integrations in my home country; I took a look at tink [1] some time ago (no affiliation whatsoever) and they look legit. I'm sure there are more SaaS like them.

[1] https://docs.tink.com/market-capabilities/aggregation