←back to thread

Klarna users are being signed in to random accounts

(twitter.com)
475 points danielstocks | 1 comments | 27 May 21 10:28 UTC | HN request time: 0.001s | source
Show context
vesinisa ◴[27 May 21 11:37 UTC] No.27301780[source]
Klarna is no stranger to criminally lax attitude towards data privacy and security. In Finland, they implemented a checkout flow based only on your SSN (personal ID number). By simply entering someone else's SSN (which is not hard to guess/pry) you can reveal anyone's official home address.

Further, they enable a "pay later by invoice" checkout flow, again by just knowing someone's SSN. Scammers use this to order items from web stores to automated pick-up lockers with someone's else's SSN for payment info. The victim usually only becomes aware about this activity when they start getting debt collection notices for unpaid invoices from multiple stores for thousands and thousands of euros. The debt collection process in Finland is famously unfair and harsh towards the supposed "debtor" (here: victim of fraud).

Unless the "debtor" (victim) actively opposes each and every individual collection, the cases will eventually end up in court with summary judgement. This will ruin the victim's credit rating, which has devastating results for just about all aspects of life. People are known to have collapsed under the burden of all this and ended up taking their own life.

Klarna's response to all this is that they want convenient checkout experience and some fraud is unavoidable. Although there are excellent technical means available to strongly identify users in Finland, they add a minor layer of inconvenience compared to just typing in your SSN. This is OK for Klarna since they give exactly zero fucks about security as long as they can make a little buck from it.

replies(6): >>27303311 #>>27309354 #>>27309767 #>>27309989 #>>27310306 #>>27310511 #
pylon ◴[28 May 21 00:49 UTC] No.27310511[source]
This is one of the reasons I wish governments in the world implement proper digital authentication instead of relying on static identifiers like name, address, or SSN.
replies(3): >>27311220 #>>27312307 #>>27313864 #
vesinisa ◴[28 May 21 10:55 UTC] No.27313864[source]
Finland offers a state of the art digital authentication system. It's just that Klarna doesn't want to use it because it adds an auhtentication step to their checkout process. It's just easier for them to take the random internet user's word for who they are (!!).

I am not sure how this is even legal under the PSD2 in EU. It might not be. But Klarna does not seem to care, and I really hope someone will take them to court over this.

replies(1): >>27315083 #
tmk1108 ◴[28 May 21 13:29 UTC] No.27315083{3}[source]
Is there any pressure in Finland to make this illegal? If your transaction didn't go through the digital authentication to verify identity, then it's worthless and the money can't be collected?
replies(1): >>27315620 #
1. vesinisa ◴[28 May 21 14:21 UTC] No.27315620{4}[source]
Yes, PSD2 (Payment Services Directive vol 2) should require strong customer authentication for online payments throughout EU. How Klarna is able to skirt this regulation is beyond me. Either they've found a loophole in the law or they are already in breach but the financial regulators are holding back from enforcing it.

https://en.wikipedia.org/wiki/Payment_Services_Directive#Rev...