I was creating a new bank account here in the US at HSBC's popular online bank...
You know the step where you have to verify the account you're sending from, by receiving two small test payments?
I was astounded to see HSBC have a new system:
You give them the login for your current online bank.
Below that is a user/pass field, which they apparently use at your online bank, spoofing a browser.
I actually TRIED IT, cleaning up afterwards.
Incredibly, in the next step they echo to you the two-factor questions ("by text, email..." etc.) - you read that right.
Then they echo through to you the code ask!
648315
was the code actually texted to me by my credit union; I typed it in there.
(Note the reassuring message: "Your login details won't be saved in our system"!)
So,
Is this common now?! Conversely, is it brand new?
Would it actually be illegal in some way?
It seems incredible that other banks wouldn't block them once they heard of the practice, or at least complain bitterly.
I cannot fathom this happened. But there it is.
If you want to try it, seeing the screens, go ahead and pretend to open an account there. You're not actually obligated (even for marketing garbage) until a few steps after that step, so really it's harmless to get to the point of seeing that screen.
Funnily enough it didn't work in my case: the end result was "Sorry, you'll have to use the 'small test deposits' method ...".
The process did clearly work technically through all steps: incredibly, I saw the raw HTML (handled a bit badly) from my credit union asking "text? email?" ... and I literally got the SMS etc. from my bank. (Perhaps it failed in the end due to IP, or their scraper failed or whatever - who knows.)
(Unfortunately, looks like my bank does not list recent IP attempts.)
Is it just me or is this totally wrong?!?