
475 points danielstocks | 5 comments
vesinisa ◴[] No.27301780[source]
Klarna is no stranger to a criminally lax attitude towards data privacy and security. In Finland, they implemented a checkout flow based only on your SSN (personal ID number). By simply entering someone else's SSN (which is not hard to guess/pry) you can reveal anyone's official home address.

Further, they enable a "pay later by invoice" checkout flow, again by just knowing someone's SSN. Scammers use this to order items from web stores to automated pick-up lockers with someone else's SSN for payment info. The victim usually only becomes aware of this activity when they start getting debt collection notices for unpaid invoices from multiple stores for thousands and thousands of euros. The debt collection process in Finland is famously unfair and harsh towards the supposed "debtor" (here: victim of fraud).

Unless the "debtor" (victim) actively opposes each and every individual collection, the cases will eventually end up in court with summary judgement. This will ruin the victim's credit rating, which has devastating results for just about all aspects of life. People are known to have collapsed under the burden of all this and ended up taking their own life.

Klarna's response to all this is that they want a convenient checkout experience and some fraud is unavoidable. Although there are excellent technical means available to strongly identify users in Finland, they add a minor layer of inconvenience compared to just typing in your SSN. This is OK for Klarna since they give exactly zero fucks about security as long as they can make a little buck from it.

replies(6): >>27303311 #>>27309354 #>>27309767 #>>27309989 #>>27310306 #>>27310511 #
pylon ◴[] No.27310511[source]
This is one of the reasons I wish governments in the world would implement proper digital authentication instead of relying on static identifiers like name, address, or SSN.
replies(3): >>27311220 #>>27312307 #>>27313864 #
1. rjzzleep ◴[] No.27311220[source]
The Baltic states have had proper digital authentication for years. Priv/pub key pair on the Xth iteration digital identity card that is checked against your passport physically. The problem isn't that governments don't have proper digital authentication. It's that most countries want to reinvent it every time. The German version is a clusterfuck that they then had to force into existence by mandating it by law and yet normal citizen services can't be done with it.
replies(2): >>27312566 #>>27319532 #
2. ChuckNorris89 ◴[] No.27312566[source]
>The German version is a clusterfuck ...

These gigantic government IT projects are also a good way to funnel taxpayer money to the right pockets, that's why they're always behind schedule and over budget (just like all government physical infrastructure projects) and if you look closely it's always the same 2-3 companies getting all the contracts.

replies(2): >>27312900 #>>27319669 #
3. rorykoehler ◴[] No.27312900[source]
In Singapore they have world class public IT infrastructure and they do it all in house.
4. ◴[] No.27319532[source]
5. anoncake ◴[] No.27319669[source]
Bullshit. The German electronic ID card wasn't a huge project and it was developed in-house. By all accounts, it works pretty well if you actually have the opportunity to use it. The problem is that nobody supports it. In part because of federalism: You rarely interact with the federal bureaucracy directly and the states for some reason aren't interested in supporting it.