8

In South Africa there's this payment method called SiD which may be used to pay for things like flights. SiD is an assisted method where you fill in a third party form with your internet banking login details and they aid you in the online banking payment process by filling in certain numbers for you (amount, reference, etc).

Here's what it looks like:

enter image description here

These are the login fields for my internet banking in a 3rd party form. The page in the background (the red) is recognised as my internet banking page.

On the help page, it says they don't store details but may store bank account number for refund purposes.

SID may store your bank account number for refund purposes. However, no third party can access or operate your Internet Banking facilities based on this information, or any other information retained by SID.

This is getting used in a number of places here as a payment option and my understanding is that to give my login details to a 3rd party is a very bad idea. They could easily store the numbers I put in their form and use them later.

Since this is becoming popular, is it possible that I'm just being paranoid. Is this method - supplying my login information to a 3rd party form - secure?

  • 5
    I personally wouldn't do it, but it all depends upon whether you trust the third party or not. – Luke Feb 10 '17 at 14:46
  • 10
    I'd rather travel 2 hours to a bank, stand in line 40 minutes, and travel 2 hours back, than fill my bank password and PIN on a third-party form. It sounds **extremely** insecure. That's the kind of thing I'd expect from phishing attacks, not legitimate solutions. – That Brazilian Guy Feb 10 '17 at 14:49
  • 7
    Have you asked your bank if they have approved the use of this payment processor? – DavidPostill Feb 10 '17 at 15:18
  • 3
    Any reputable service would transfer the payment part directly to a page from your bank. [There is a system in NL to do exactly that](https://www.ideal.nl/en/). You choose your bank and get transferred to the banks payment system to complete the payment. No details are transferred apart from the amount and the target account. (cont) – DavidPostill Feb 10 '17 at 15:21
  • "iDEAL is a method of payment that enables consumers to pay online through their own bank. In addition to webshops, other online organisations that are not part of the e-commerce market also offer iDEAL. iDEAL is increasingly used to pay energy bills, make donations to charities, buy mobile credits, pay local taxes, traffic fines, etc… – DavidPostill Feb 10 '17 at 15:25
  • iDEAL is not a centralised electronic payment system but a collection of technical agreements between banks and transaction processors. Thanks to these technical agreements, iDEAL is seamlessly integrated with the online banking offered by banks. " – DavidPostill Feb 10 '17 at 15:26
  • I used it in NL for 8 years or so and never had any problems ... – DavidPostill Feb 10 '17 at 15:27
  • 1
    That depends if you trust the payment processor. Unfortunately banking system varies from country to country so I cannot say anything about South Africa but in Germany the SOFOR worked by entering credentials on their page IIRC, in US all you need is the account number and sort code to withdraw money by ACH but everyone uses cards, in UK there is direct deposit system but cards are popular etc. – Maciej Piechotka Feb 10 '17 at 19:22
  • Similar question: [What to do about “approved” direct banking MITM sites like sofort.com?](https://security.stackexchange.com/questions/70509/what-to-do-about-approved-direct-banking-mitm-sites-like-sofort-com) – l0b0 Feb 10 '17 at 22:13
  • 1
    @DavidPostill: Have you heard of https://mint.com? Guess how it works? And guess whether it's reputable? Your view seems a little divorced from reality. – user541686 Feb 11 '17 at 08:59
  • 1
    https://transferwise.com/ uses a system evidently developed by Paydirect Billing where you can send from a Canadian bank by logging into your account inside the transferwise page. Same concerns as sofort or the OP apparently. – chx Feb 11 '17 at 12:12

4 Answers4

21

We can't determine whether or not it's secure without doing a full audit (not just of SiD, but your bank). Is it any less secure than not using it? Hard to say, since we don't know how secure the system is without it.

However, what we can say is that you're introducing another entity you need to trust. If you're passing your bank data into SiD, then they have the possibility to use it for fraud. You are trusting them to not.

This isn't unprecedented; I store this information in my password manager, which means I trust it to not intentionally or unintentionally allow bad things to happen to those secrets.

You will have to determine for yourself what level of trust is necessary for you to feel comfortable with SiD.

Xiong Chiamiov
  • 9,384
  • 2
  • 34
  • 76
  • This to me is the answer and always has been - it comes down to trust. SID Instant EFT has been around for 10+ years now with hundreds of merchants active on the platform. It abides by industry standard security processes (and would be silly not to). SID however is not overly different from a large number of systems available today, such as password managers, or things such as Mint.com, 22Seven, Citadel, Yodlee etc. Disclaimer - I work for the company. – Kyle Rosendo Feb 12 '17 at 06:51
8

Yes, it's reasonably safe

Yes, it should be secure if implemented properly. That being said, there is nothing preventing a merchant from implementing it improperly or maliciously, so you should double check a couple things.

How it works

I reviewed the SID implementation guide (intended for software engineers working at a merchant site) and this is essentially how it works:

  1. You click a button on the merchant web site
  2. The merchant concatenates a series of values (including the amount and currency code) and encrypts it.
  3. The merchant sends the encrypted data to a SID web service, which responds with information telling the merchant where to redirect your browser.
  4. Your browser is redirected to your actual online banking web site. Presumably there is a list of these that are registered with SID (including Nedbank, ABSA, Standard Bank, and First National Bank), so it knows where to send you. It probably adds some junk at the end of the querystring to tell your bank that you are trying to do a SID EFT payment.
  5. You sign into your online banking web site. Directly. The data are secured by your bank's SSL certificate and SID has no way of getting it. (It sounds like the UX may be tailored for SID, but it should be your bank's actual web site, which you can verify using the steps I list below).
  6. The banking site sends you a one-time password via SMS or push notifications. You have to enter that to complete the payment.
  7. The banking web site processes the payment and redirects you back to the merchant site
  8. The merchant site displays a confirmation. It sounds like it may store your bank name or account number in order to process refunds, but it does not store your login credentials or PIN.

What to verify

Given the above design, you only need to confirm that when you are entering your PIN you are actually posting it to your online banking web site and not somewhere else. Check the address bar of your browser to ensure (1) that it is green, and (2) the domain name is the correct domain name of your online banking web site. If there is even a small error (e.g. MyBankc.om instead of MyBank.com) then close your browser and forget about using that merchant, as this indicates the merchant is either malicious or has been hacked.

It is possible I suppose to set up the banking web page so that there is one URL shown in the address bar and a different address that the form will post to. This sort of cross-domain request, unfortunately, is not blocked by same origin policy. If you are concerned about this, you can try entering the wrong PIN while watching the network traffic (e.g. using Chrome developer tools) and make sure that it goes where you want it to go. The request will be declined but you can see the traffic. If the only traffic is going to your bank's web site, then the page is safe and you can enter the correct PIN.

John Wu
  • 9,101
  • 1
  • 28
  • 39
3

No!

You're giving another party the keys to your bank account, up to and including any one-time transaction codes. They are a literal man-in-the-middle.

Even when they say they don't store them, what is keeping this party honest? Does this party provide security against misuse, coding errors, fraud, internal or external hacking like your bank does? Do you have a written agreement with this party, and with your bank stating this? What happens when a transaction is made to a wrong account because someone made a coding error (or worse)?

Apart from that, i don't understand why you would wan't to use this kind of 'service'. Since it inherently relies on the bank providing online transaction functionality, what's the use of this service? pretty pictures?

oɔɯǝɹ
  • 528
  • 2
  • 6
  • 18
  • Exactly. The whole system is flawed, even if everything is implemented correctly and the 3rd party is honest. The process simply shouldn't rely on a third party. If anything goes wrong, the bank can hold you accountable : you've been stupid enough to give your bank credentials to someone else, they won't do anything to help you get your money back. – Eric Duminil Nov 13 '17 at 22:13
2

Quoting the site help page you linked to (emphasis is mine):

SID uses the most advanced security features available on the Internet and although SID invokes your Internet Banking service, it does not access or store your Internet Banking identifier or password. These are entered directly into your Internet Banking log on screen using the usual security provided by your bank.

a little down:

Your session occurs directly between your PC and your bank in the same way as if you had logged into your bank’s Internet Banking system separately from any SID transaction.

and in troubleshooting (mainly basic SMS reception problems):

If all else fails, please escalate to your bank by contacting their internet banking help desk for assistance.

Sounds like the usual process, they fill for you common field (amount, account to credit) and then you're directed to your bank page to fill the personal information (PIN/card number), they keep your bank account to know where to send money (which doesn't need authentication as it add to your account).

Addendum after comments:

The process is debatable, specially the point 3.:

  1. Select the SID payment option on the merchant’s checkout page.
  2. Select your bank.
  3. Login to your existing, secure Internet banking.
  4. Select the bank account you wish to pay from (If you have more than one account linked to your internet banking profile).
  5. Enter the OTP received from your bank or respond to a push message received from your bank to complete the payment.

The point 3 where you need to log in to your bank account through a page they provide is indeed a risky thing. You have to trust them, which is ... weird.
You should contact your bank to know if they really allow this kind of login 'on behalf' or not or just don't use this system.

Tensibai
  • 513
  • 2
  • 10
  • 1
    I'm not sure I understand. If I were directed to fill in my own login details onto my own banking page, that would be fine. My issue is that I fill in my login details on *their* form, which then get inserted on the bank login page. –  Feb 10 '17 at 16:20
  • As far as they describe the system, the PIN is assumed to be a one time code sent to you by your bank, not your usual password. I'll edit with the process. – Tensibai Feb 10 '17 at 16:23
  • That's the thing - the PIN is my bank login pin that I use usually, not a one time pin. and the Account no is my bank account no. The fields on this form are identical to the fields I fill in with my online banking. –  Feb 10 '17 at 16:24
  • See here: https://ib.absa.co.za/absa-online/login.jsp This is my login page. the fields are identical. It even has the user number. –  Feb 10 '17 at 16:26
  • @stanri edited, indeed I missed the point of the login into your bank system, through an overlay page. Main question is (need to test) do they just 'rebrand' the page with CSS or do they get the information and repost it. (I've to find a linnk to test and verify this point) – Tensibai Feb 10 '17 at 16:31
  • Even if they did rebrand the page, which I suppose is better than not, I would also be concerned that they had access to the page itself - they give you the option to choose your bank account, which means they have access to everything on that page, like account numbers, balances, etc. I would be concerned about them scraping my internet banking. At best, it's letting a company look over your shoulder while you make the payment. –  Feb 10 '17 at 16:34
  • @stanri that's a valid concern, I'm a little lazy to register in any of the sites listed to 'try it' to know if your browser access the bank page directly or through a redirection. – Tensibai Feb 10 '17 at 16:36
  • @stanri You can observe what traffic the page sends back to which servers yourself. IE, Firefox, and Chrome all include "development tools" out of the box that monitor network traffic. That said, you do have to pretty much go through the whole process and actually look at the data in every request to determine whether your information is going to a third party. – jpmc26 Feb 10 '17 at 23:07