←back to thread

Klarna users are being signed in to random accounts

(twitter.com)
475 points danielstocks | 3 comments | 27 May 21 10:28 UTC | HN request time: 0.757s | source
Show context
vesinisa ◴[27 May 21 11:37 UTC] No.27301780[source]
Klarna is no stranger to criminally lax attitude towards data privacy and security. In Finland, they implemented a checkout flow based only on your SSN (personal ID number). By simply entering someone else's SSN (which is not hard to guess/pry) you can reveal anyone's official home address.

Further, they enable a "pay later by invoice" checkout flow, again by just knowing someone's SSN. Scammers use this to order items from web stores to automated pick-up lockers with someone's else's SSN for payment info. The victim usually only becomes aware about this activity when they start getting debt collection notices for unpaid invoices from multiple stores for thousands and thousands of euros. The debt collection process in Finland is famously unfair and harsh towards the supposed "debtor" (here: victim of fraud).

Unless the "debtor" (victim) actively opposes each and every individual collection, the cases will eventually end up in court with summary judgement. This will ruin the victim's credit rating, which has devastating results for just about all aspects of life. People are known to have collapsed under the burden of all this and ended up taking their own life.

Klarna's response to all this is that they want convenient checkout experience and some fraud is unavoidable. Although there are excellent technical means available to strongly identify users in Finland, they add a minor layer of inconvenience compared to just typing in your SSN. This is OK for Klarna since they give exactly zero fucks about security as long as they can make a little buck from it.

replies(6): >>27303311 #>>27309354 #>>27309767 #>>27309989 #>>27310306 #>>27310511 #
sly010 ◴[27 May 21 22:26 UTC] No.27309354[source]
I am not sure this makes sense. Shouldn't Klarna provide proof of the transaction to the court? Won't the court look at it and throw it out as baseless? If Klarna were actually on the hook for their own money, it wold only have to happen a few times before they realize it's not worth it. edit: definitely not a finnish lawyer
replies(2): >>27310880 #>>27313515 #
vesinisa ◴[28 May 21 09:59 UTC] No.27313515[source]
Problem is the invoice itself is real. You have to contest it actively to the debt collector and give at least some evidence as to why the debt is invalid. If you do not actively contest the collection, it will soon end up in court. This is a very routine case for a district judge where they will give a default judgement in favor of the plaintiff.

The problem is that the law in Finland is written so that even if the collection is baseless the supposed debtor needs to actively manage it or end up in legal jeopardy. Which is rather unfair if you are a victim of identity theft.

replies(1): >>27317387 #
1. beagle3 ◴[28 May 21 16:28 UTC] No.27317387[source]
This was probably already common fraud in Finland before Klarna if that’s what the law says - but Klarna would be a crazy force multiplier for the fraudsters and no help for the defrauded, so it becomes a much more pressing issue.

(No knowledge of the details, just speculation based on the discussion here)

replies(1): >>27323926 #
2. tappio ◴[29 May 21 08:54 UTC] No.27323926[source]
Nordics have really poor laws around this. We have these payday loan companies that work under the same principle. Klarna just found a way to conveniently do the same. It is easier to capture buyers at the counter rather than before the counter. Effectively Klarna is a payday loan company in the Nordics and has nothing to do with easy checkout. In fact, they used to offer kickbacks to merchants, so every time someone chose Klarna invoice they would pay the merchant instead of charging for it, because they get so good profit from the individuals due to poor laws.
replies(1): >>27324661 #
3. beagle3 ◴[29 May 21 11:54 UTC] No.27324661[source]
... and as always, trust works really well, despite the occasional fraud, until someone finds a way to exploit it at industrial scale. And then it fails spectacularly.