475 points danielstocks | 32 comments
1. vesinisa ◴[] No.27301780[source]
Klarna is no stranger to a criminally lax attitude towards data privacy and security. In Finland, they implemented a checkout flow based only on your SSN (personal ID number). By simply entering someone else's SSN (which is not hard to guess/pry) you can reveal anyone's official home address.

Further, they enable a "pay later by invoice" checkout flow, again by just knowing someone's SSN. Scammers use this to order items from web stores to automated pick-up lockers with someone else's SSN for payment info. The victim usually only becomes aware of this activity when they start getting debt collection notices for unpaid invoices from multiple stores for thousands and thousands of euros. The debt collection process in Finland is famously unfair and harsh towards the supposed "debtor" (here: victim of fraud).

Unless the "debtor" (victim) actively opposes each and every individual collection, the cases will eventually end up in court with summary judgement. This will ruin the victim's credit rating, which has devastating results for just about all aspects of life. People are known to have collapsed under the burden of all this and ended up taking their own life.

Klarna's response to all this is that they want convenient checkout experience and some fraud is unavoidable. Although there are excellent technical means available to strongly identify users in Finland, they add a minor layer of inconvenience compared to just typing in your SSN. This is OK for Klarna since they give exactly zero fucks about security as long as they can make a little buck from it.

replies(6): >>27303311 #>>27309354 #>>27309767 #>>27309989 #>>27310306 #>>27310511 #
2. 2rsf ◴[] No.27303311[source]
In Sweden you can ask them to require Mobilt BankID confirmation to every buy, their competitors (like qliro) don't have that yet so Klarna are only half bastards. But they did get a lot of criticism from the Swedish government about the same things you have presented.
replies(3): >>27309357 #>>27310416 #>>27313882 #
3. sly010 ◴[] No.27309354[source]
I am not sure this makes sense. Shouldn't Klarna provide proof of the transaction to the court? Won't the court look at it and throw it out as baseless? If Klarna were actually on the hook for their own money, it would only have to happen a few times before they realize it's not worth it. edit: definitely not a Finnish lawyer
replies(2): >>27310880 #>>27313515 #
4. simon1573 ◴[] No.27309357[source]
Qliro has that too, which I know since somebody bought shoes with my SSN. I don't know if it's a general feature or if you have to contact them, but the functionality is implemented at least.
replies(1): >>27314932 #
5. dpatterson2008 ◴[] No.27309767[source]
This reminds me of this BBC article I came across: https://www.bbc.co.uk/news/business-55829879

> To use Klarna's pay later service, which defers payments for up to 30 days, shoppers only have to provide a name, email, date of birth, mobile number and billing address.

It’s mind blowing that’s all the information you need to process a payment via Klarna.

replies(1): >>27310293 #
6. avereveard ◴[] No.27309989[source]
Good to hear, I failed an interview with them at the sixth step or so because I make a point not to remember easily googleable trivia, bet their engineers are traversing rb trees on paper off memory like crazy right now trying to find a solution
7. sneak ◴[] No.27310293[source]
The benefits of reduced friction in high-trust societies are incredible sometimes. The failure modes are predictable.
8. sneak ◴[] No.27310306[source]
The actual victim of the fraud is the creditor who was defrauded by the criminal; they are just leveraging the unfair legal system to push the liability onto someone who was not party to the fraud in any way (the person whose name was used in the fraud by the criminal against Klarna).

This is the lie of "identity theft". It's not identity theft, it's money/goods fraud, from a bank that didn't do proper authentication.

replies(1): >>27310421 #
9. tapland ◴[] No.27310416[source]
Yeah. Klarna has BankID but it doesn't make them half bastards as they log in to users banks as the user, where they can see all account balances and purchases.

That makes them double bastard.

replies(2): >>27312652 #>>27313887 #
10. tapland ◴[] No.27310421[source]
And guess who's their own bank?

Klarna \o/

11. pylon ◴[] No.27310511[source]
This is one of the reasons I wish governments in the world implement proper digital authentication instead of relying on static identifiers like name, address, or SSN.
replies(3): >>27311220 #>>27312307 #>>27313864 #
12. AdamJacobMuller ◴[] No.27310880[source]
> If Klarna were actually on the hook for their own money

Aren't they?

> it would only have to happen a few times before they realize it's not worth it

That's an assumption. Someone did some A/B testing and said this payment flow results in X% increased sales, resulting in Y% more revenue for Klarna, it results in Z% more fraud. I don't even object to this per-se.

If Y is greater than Z, they will do it.

If they are especially awful they will consider that of the Z% of fraud it will result in A% still being paid for and B% being recovered in debt collection. That is awful.

replies(1): >>27317092 #
13. rjzzleep ◴[] No.27311220[source]
The Baltic states have had proper digital authentication for years. Priv/pub key pair on the Xth iteration digital identity card that is checked against your passport physically. The problem isn't that governments don't have proper digital authentication. It's that most countries want to reinvent it every time. The German version is a clusterfuck that they then had to force into existence by mandating it by law and yet normal citizen services can't be done with it.
replies(2): >>27312566 #>>27319532 #
14. grishka ◴[] No.27312307[source]
I'm somewhat happy that my country is so much behind on all this digital stuff. You usually have to physically present your ID to do something serious, or at least provide a picture of it. We do also have an official "government services" website, and it implements a proper OAuth flow that many other government sites use, and uses SSN + password for login.
15. ChuckNorris89 ◴[] No.27312566{3}[source]
>The German version is a clusterfuck ...

These gigantic government IT projects are also a good way to funnel taxpayer money to the right pockets, that's why they're always behind schedule and over budget (just like all government physical infrastructure projects) and if you look closely it's always the same 2-3 companies getting all the contracts.

replies(2): >>27312900 #>>27319669 #
16. 2rsf ◴[] No.27312652{3}[source]
They do what? How is that even possible? Even if I never coupled my account to them?
replies(1): >>27323918 #
17. rorykoehler ◴[] No.27312900{4}[source]
In Singapore they have world class public IT infrastructure and they do it all in house.
18. vesinisa ◴[] No.27313515[source]
Problem is the invoice itself is real. You have to contest it actively to the debt collector and give at least some evidence as to why the debt is invalid. If you do not actively contest the collection, it will soon end up in court. This is a very routine case for a district judge where they will give a default judgement in favor of the plaintiff.

The problem is that the law in Finland is written so that even if the collection is baseless the supposed debtor needs to actively manage it or end up in legal jeopardy. Which is rather unfair if you are a victim of identity theft.

replies(1): >>27317387 #
19. vesinisa ◴[] No.27313864[source]
Finland offers a state of the art digital authentication system. It's just that Klarna doesn't want to use it because it adds an authentication step to their checkout process. It's just easier for them to take the random internet user's word for who they are (!!).

I am not sure how this is even legal under the PSD2 in EU. It might not be. But Klarna does not seem to care, and I really hope someone will take them to court over this.

replies(1): >>27315083 #
20. vesinisa ◴[] No.27313882[source]
Wait, so you have to explicitly ask Klarna to not sell stuff under your payment info to random internet strangers? That's not too good either - I think ordering without BankID should be opt-in rather than opt-out.
replies(1): >>27344730 #
21. mlonkibjuyhv ◴[] No.27313887{3}[source]
They what now? That has to be illegal.
22. 2rsf ◴[] No.27314932{3}[source]
I contacted them and they said no, but they have other "smart" ways to prevent fraud.
23. tmk1108 ◴[] No.27315083{3}[source]
Is there any pressure in Finland to make this illegal? If your transaction didn't go through the digital authentication to verify identity, then it's worthless and the money can't be collected?
replies(1): >>27315620 #
24. vesinisa ◴[] No.27315620{4}[source]
Yes, PSD2 (Payment Services Directive vol 2) should require strong customer authentication for online payments throughout EU. How Klarna is able to skirt this regulation is beyond me. Either they've found a loophole in the law or they are already in breach but the financial regulators are holding back from enforcing it.

https://en.wikipedia.org/wiki/Payment_Services_Directive#Rev...

25. heavenlyblue ◴[] No.27317092{3}[source]
> results in Z% more fraud

They would probably not measure fraud but just losses directly.

26. beagle3 ◴[] No.27317387{3}[source]
This was probably already common fraud in Finland before Klarna if that’s what the law says - but Klarna would be a crazy force multiplier for the fraudsters and no help for the defrauded, so it becomes a much more pressing issue.

(No knowledge of the details, just speculation based on the discussion here)

replies(1): >>27323926 #
27. ◴[] No.27319532{3}[source]
28. anoncake ◴[] No.27319669{4}[source]
Bullshit. The German electronic ID card wasn't a huge project and it was developed in-house. By all accounts, it works pretty well if you actually have the opportunity to use it. The problem is that nobody supports it. In part because of federalism: You rarely interact with the federal bureaucracy directly and the states for some reason aren't interested in supporting it.
29. tappio ◴[] No.27323918{4}[source]
It is called open banking. Banks are 'anti-competitive' so some people managed to lobby in a directive that forces banks to provide APIs for companies like Klarna to access their bank accounts. All you have to do is accept the ToS.
30. tappio ◴[] No.27323926{4}[source]
Nordics have really poor laws around this. We have these payday loan companies that work under the same principle. Klarna just found a way to conveniently do the same. It is easier to capture buyers at the counter rather than before the counter. Effectively Klarna is a payday loan company in the Nordics and has nothing to do with easy checkout. In fact, they used to offer kickbacks to merchants, so every time someone chose Klarna invoice they would pay the merchant instead of charging for it, because they get so good profit from the individuals due to poor laws.
replies(1): >>27324661 #
31. beagle3 ◴[] No.27324661{5}[source]
... and as always, trust works really well, despite the occasional fraud, until someone finds a way to exploit it at industrial scale. And then it fails spectacularly.
32. carlhjerpe ◴[] No.27344730{3}[source]
I can't remember ever opting in to the Klarna BankID requirement, but when I checked it was enabled on my account.