8

I am from the UK but I'm living in Poland. I have two British bank accounts and a Polish account. The two British accounts are linked to a PayPal account registered from the UK and the Polish one is linked to an account made in Poland. Today I could not add instant funds to my Polish PayPal without using a third party (Trustly) who requested my internet banking credentials in order to verify my transaction. I have not been asked this with my British accounts. There is no information on PayPal (English or Polish) nor from my banks about this procedure being added. I was definitely on Paypal.pl and not a phishing site.

This got me wondering a few things:

  • Why does the PayPal process suddenly require my bank credentials and why have their customers not been informed of this change? To reiterate, nowhere on Paypal's English or Polish language site does it mention this change, nor does anyone from my bank know about it. They encouraged me to sever all ties with PayPal over this, as technically a financial organisation requesting your bank details is illegal under a certain EU law. Couldn't find that online, though, so take that with a pinch of salt.

  • Is such a system secure? Everything we learn about internet security and indeed everything I've learned in life is to trust as little people as possible. I went with the bank I'm using in Poland because they offer a higher level of verification for internet banking than the others.

  • As a developer myself, I'm guessing they'll scrape the online bank site to verify the credentials I provided are correct as a sort of verification system. The thing is, PayPal did this in the form of a small deposit that we enter the amount for. Why is the third party asking for a more trusting approach than PayPal themselves? Doesn't this seem odd? PayPal are essentially asking us to trust a third party more than themselves, which makes me quite uncomfortable.

What are your thoughts on this? Is it secret? Is it safe? Why have PayPal been quiet about it? Why not Britain as well? I wouldn't trust PayPal with my bank details, so why would I trust a third party I've never heard of before? There is so much about this that seems very suspicious to me. I was quite convinced I'd found my way onto a phishing site because it was hard to believe they wanted my credentials.

-- Edit with additional information:

The certificate on Paypal.com is indeed PayPals, verified by Symantec, etc. The website PayPal directs to when trying to add Instant Funds is Paypal-Doladowania.pl. In Polish, Doladowania means "Adding Funds" in this context. The HTTPS certificate is registered Paypal PTE Ltd, verified by DigiCert, registered in Singapore. No EV on either sites.

Here's a picture of the Trustly page asking for my credentials. In English it says "Please enter the identification credentials for your online banking."

A screenshot of the page asking for bank details

If I enter some numbers (I just mashed the keys) they then ask me to do this:

enter image description here

Which is the partial password system this particular bank is using. So login to your bank account through a third party... I don't think so.

Woody Payne
  • 193
  • 1
  • 1
  • 6
  • PayPal would never request your banking credentials. This is definitely a scam. – John Apr 27 '16 at 17:16
  • It's not PayPal asking for it. It's the third party that PayPal have "verified" and that I'm being sent to when trying to add instant funds. That PayPal is even using a third party makes me really uncomfortable in the first place. PayPal have given me many problems in my online career, but I've always trusted them with my money. – Woody Payne Apr 27 '16 at 17:24
  • What was the adress to the site that asked for your banking credentials? It was not paypal.pl? – Anders Apr 27 '16 at 17:27
  • 2
    By "credentials" do you mean the bank account number, along with a number that identifies the bank, or do you mean username/password? – Steve Sether Apr 27 '16 at 17:31
  • @WoodyPayne still not any less fishy. I also doubt that the actual PayPal would cooperate with such criminal third party. Does the PayPal website use https for the redirect or just for the login? – John Apr 27 '16 at 18:49
  • Adi's answer has given some more information on Trustly, but indeed, it doesn't make me trust this, nor will I ever give them my bank details. I'll try logging in now to see if the redirect is certified. – Woody Payne Apr 27 '16 at 19:50
  • Yes, the login is certified. – Woody Payne Apr 27 '16 at 19:56
  • I think that I have invented a way to use PayPal securely. [Here it is](https://money.stackexchange.com/questions/74665). [Here is a copy](http://valjok.blogspot.com.ee/2017/01/working-with-popular-electronic.html) because stackexchange is moderated by criminals, you cannot post the bypass or analyze Paypal security here. In short, you tie you credit card to another banking account with restriction that it is impossible to wthdraw more money that you have there. You can expose this credit card to the paypal without the risk to lose all the money. Do not expose the passowrd. – Little Alien Jan 11 '17 at 23:19

1 Answers1

11

PayPal is NOT asking for your bank details. It is Trustly that is asking for your bank details.

Trustly is a Swedish company. It operates in Sweden, Finland, Poland, and a few other companies. They have an agreements with Paypal to provide options to top up your Paypal account (similar agreements are made with Skrill/Moneybookers). This is not a scam.

Now here's where it gets complicated. Trustly does indeed ask you for a full access to your bank account using your bank credentials. They promise you that they won't misuse the access and they'll only use that access, in your case, to transfer money from your bank account to your PayPal account. Trusting them and believing that promise is completely up to you. Keep in mind that since Trustly is a Swedish company that handles financial information, it falls under the strict Swedish Finansinspektionen's (Financial Supervisory Authority) regulations, which means the company is legally liable if misuse/abuse of your data occurs because of them.

If you decide that you don't trust Trustly, then you can revert back to using the non-instant top-up option by sending the money manually from your bank account to your PayPal account using the top-up information copied from your PayPal account.

In short:

  • Trustly has an agreement with PayPal, so it's not a scam.
  • Trustly asks you for full access to your bank account through your credentials.
  • It's up to you trust them not to abuse this access.
  • If you don't trust them, use the traditional PayPal account top-up.
Adi
  • 43,808
  • 16
  • 135
  • 167
  • I didn't want to put this in my answer, so here it is as a comment. PayPal Poland verified Facebook account made a comment on the matter in Polish. Since OP is Polish, you can read more about the contraversy here https://www.facebook.com/PayPalPolska/photos/a.246027618848355.53861.244706038980513/961677540616689/?type=3&comment_id=963195677131542&comment_tracking=%7B%22tn%22%3A%22R9%22%7D – Adi Apr 27 '16 at 19:00
  • In my question, let's say that "Paypal" refers to the whole Paypal process, which this falls under. I'm aware that Paypal themselves aren't asking, but the Paypal process is, which is definitely something new. Thank you for your answer, and especially for more information on Trustly. It's easy to see how I missed the Facebook post as I'm not following the UK Paypal, let alone Poland, lol. I'll check it out. It still doesn't change how uncomfortable I am being asked for my bank details, even if it's a "legitimate" source... In my opinion, there is no such thing. – Woody Payne Apr 27 '16 at 19:47
  • eBay asks you both credit card details and bank password. Do not try to tell that Trustly is not their service. If they wanted, they could expose a banking account for the user to make the bank transfers themselves, without Trustly. Trustly just mimics my bank web iterface. If Paypal wanted, they could tell me the banking account to send money to. Do not tell me that they force me to Trustly for good and this forcing was not a PayPal idea. It should be trustly that uses paypal for dirty purposes. – Little Alien Jan 11 '17 at 17:16
  • There is no need to refer the Polish Paypal facebook since Trustly has nothing to do with Paypal. Paypal does not ask you for your credentials. This is trustly to blame. Why do you refer to Paypal's facebook? – Little Alien Jan 11 '17 at 17:18
  • 1
    @LittleAlien Because that's what Trustly paid me to do. – Adi Jan 11 '17 at 18:25
  • I'm seeing more and more payment services ask for bank credentials. This seems crazy to me... why aren't they using oath2 for trustless authentication? Is there a name for this new scheme/protocol? – Joe Coder Dec 17 '21 at 07:51