←back to thread

Klarna users are being signed in to random accounts

(twitter.com)
475 points danielstocks | 10 comments | 27 May 21 10:28 UTC | HN request time: 0.001s | source | bottom
Show context
vesinisa ◴[27 May 21 11:37 UTC] No.27301780[source]
Klarna is no stranger to criminally lax attitude towards data privacy and security. In Finland, they implemented a checkout flow based only on your SSN (personal ID number). By simply entering someone else's SSN (which is not hard to guess/pry) you can reveal anyone's official home address.

Further, they enable a "pay later by invoice" checkout flow, again by just knowing someone's SSN. Scammers use this to order items from web stores to automated pick-up lockers with someone's else's SSN for payment info. The victim usually only becomes aware about this activity when they start getting debt collection notices for unpaid invoices from multiple stores for thousands and thousands of euros. The debt collection process in Finland is famously unfair and harsh towards the supposed "debtor" (here: victim of fraud).

Unless the "debtor" (victim) actively opposes each and every individual collection, the cases will eventually end up in court with summary judgement. This will ruin the victim's credit rating, which has devastating results for just about all aspects of life. People are known to have collapsed under the burden of all this and ended up taking their own life.

Klarna's response to all this is that they want convenient checkout experience and some fraud is unavoidable. Although there are excellent technical means available to strongly identify users in Finland, they add a minor layer of inconvenience compared to just typing in your SSN. This is OK for Klarna since they give exactly zero fucks about security as long as they can make a little buck from it.

replies(6): >>27303311 #>>27309354 #>>27309767 #>>27309989 #>>27310306 #>>27310511 #
1. pylon ◴[28 May 21 00:49 UTC] No.27310511[source]
This is one of the reasons I wish governments in the world implement proper digital authentication instead of relying on static identifiers like name, address, or SSN.
replies(3): >>27311220 #>>27312307 #>>27313864 #
2. rjzzleep ◴[28 May 21 02:50 UTC] No.27311220[source]
The Baltic states have had proper digital authentication for years. Priv/pub key pair on the Xth iteration digital identity card that is checked against your passport physically. The problem isn't that governments don't have proper digital authentication. It's that most countries want to reinvent it every time. The German version is a clusterfuck that they then had to force into existence by mandating it by law and yet normal citizen services can't be done with it.
replies(2): >>27312566 #>>27319532 #
3. grishka ◴[28 May 21 06:21 UTC] No.27312307[source]
I'm somewhat happy that my country is so much behind on all this digital stuff. You usually have to physically present your ID to do something serious, or at least provide a picture of it. We do also have an official "government services" website, and it implements a proper oauth flow that many other government sites use and uses SSN + password for login.
4. ChuckNorris89 ◴[28 May 21 07:12 UTC] No.27312566[source]
>The German version is a clusterfuck ...

These gigantic government IT projects are also a good way to funnel taxpayer money to the right pockets, that's why they're always behind schedule and over budget (just like all government physical infrastructure projects) and if you look closely it's always the same 2-3 companies getting all the contracts.

replies(2): >>27312900 #>>27319669 #
5. rorykoehler ◴[28 May 21 08:10 UTC] No.27312900{3}[source]
In Singapore they have world class public IT infrastructure and they do it all in house.
6. vesinisa ◴[28 May 21 10:55 UTC] No.27313864[source]
Finland offers a state of the art digital authentication system. It's just that Klarna doesn't want to use it because it adds an auhtentication step to their checkout process. It's just easier for them to take the random internet user's word for who they are (!!).

I am not sure how this is even legal under the PSD2 in EU. It might not be. But Klarna does not seem to care, and I really hope someone will take them to court over this.

replies(1): >>27315083 #
7. tmk1108 ◴[28 May 21 13:29 UTC] No.27315083[source]
Is there any pressure in Finland to make this illegal? If your transaction didn't go through the digital authentication to verify identity, then it's worthless and the money can't be collected?
replies(1): >>27315620 #
8. vesinisa ◴[28 May 21 14:21 UTC] No.27315620{3}[source]
Yes, PSD2 (Payment Services Directive vol 2) should require strong customer authentication for online payments throughout EU. How Klarna is able to skirt this regulation is beyond me. Either they've found a loophole in the law or they are already in breach but the financial regulators are holding back from enforcing it.

https://en.wikipedia.org/wiki/Payment_Services_Directive#Rev...

9. ◴[28 May 21 19:30 UTC] No.27319532[source]
10. anoncake ◴[28 May 21 19:46 UTC] No.27319669{3}[source]
Bullshit. The German electronic ID card wasn't a huge project and it was developed in-house. By all accounts, it works pretty well if you actually have the opportunity to use it. The problem is that nobody supports it. In part because of federalism: You rarely interact with the federal bureaucracy directly and the states for some reason aren't interested in supporting it.