475 points danielstocks | 1 comments
ThePhysicist No.27301428
Their German counterpart, Sofortüberweisung, didn't properly blacklist test credentials given out by banks e.g. to developers in the beginning, so people could simply use those and pay for goods and services with fake accounts.

For me there are so many red flags with all these services, as they basically "steal" your credentials to log into your online banking. And while they claim that they only use the credentials to make transfers, they could as well look at all my other account data. I really wonder how such a scheme can be legal and how banks can allow this, as they normally tell people to never give their credentials to anyone. The situation of course recently improved with the mandated 2FA for logins and transfers, but still there are so many attack vectors in this model that it boggles my mind how it can still exist.

tgsovlerkhgsel No.27307067
Sofortüberweisung specifically got caught looking at 30 days of transaction data.

> how banks can allow this

A court decided that blocking this "business model" would be anticompetitive.

1. horstmeyer No.27310185
Do you have sources on them looking at transaction data, please? That is clearly not necessary for processing the payment.

Edit: Found an article in German - https://www.sueddeutsche.de/geld/zahlung-per-sofortueberweis...

They claim they need to do this to make sure there is sufficient money in the account, even with transactions that might not be reflected in the balance, and they also check for other "Sofortüberweisungen" to detect fraud. Makes sense in a way but still quite shady. If there wasn't enough money in my account, or other transfers pending, would my bank even allow their transfer?