Klarna users are being signed in to random accounts

(twitter.com)

475 points danielstocks | 1 comments | 27 May 21 10:28 UTC | HN request time: 0s | source

Show context

hundchenkatze ◴[27 May 21 14:58 UTC] No.27303915[source]▶

>>27301219 (OP) #

Klarna has posted a statement here https://www.klarna.com/uk/blog/written-statement-on-app-bug/

replies(4): >>27304303 #>>27304317 #>>27304383 #>>27305164 #

dvaun ◴[27 May 21 15:33 UTC] No.27304303[source]▶

>>27303915 #

In their statement they deny accessing bank details:

> The bug led to random user data being exposed to the wrong user when accessing our user interfaces. It is important to note that the access to data has been entirely random and not showing any data containing card or bank details (obfuscated data was visible). This means that it has been impossible to access a specific user’s data.

This is not the experience of the user in the OP: https://twitter.com/esraefe/status/1397843949985931265

replies(1): >>27304472 #

hbosch ◴[27 May 21 15:47 UTC] No.27304472[source]▶

>>27304303 #

I believe it is the case, that when you see your stored payment method is is obfuscated such that it only reveals the last 4-5 digits. Same with bank details as far as I know.

However, showing the card issuer/bank + the final 4 or 5 digits of an account or card number is still extremely distressing. There are some services and vectors out there that can be engineered with just that information for sure.

Combine that with possibly exposed address, telephone number, and you are in very dangerous territory.

replies(1): >>27304998 #

1. shkkmo ◴[27 May 21 16:34 UTC] No.27304998[source]▶

>>27304472 #

It might be accurate if you are internally discussing PCI compliance.

However, to the layperson, "bank details" definitely includes name of bank and last 4 digits of account number. It does come across as deceptive to use that terminology to respond to customer complaints.

↑