I was creating a new bank account here in the US at HSBC's popular online bank...

You know the step where you have to verify the account you're sending from, by receiving two small test payments?

I was astounded to see HSBC have a new system:

You give them the login for your current online bank.

(screenshot of the account-linking form; image not available)

Below that is a user/pass field, which they apparently use at your online bank, spoofing a browser.

I actually TRIED IT, cleaning up afterwards.

Incredibly, in the next step they echo to you the two-factor questions ("by text, email ..." etc.). You read that right.

Then they echo through to you the code ask!

(screenshot of the relayed one-time-code prompt; image not available)

648315 was the code actually texted to me by my credit union; I typed it in there.

(Note the reassuring message: "Your login details won't be saved in our system"!)

So,

  1. Is this common now?! Conversely, is it brand new?

  2. Would it actually be illegal in some way?

  3. It seems incredible that other banks wouldn't block them once they heard of the practice, or at least complain bitterly.

I cannot fathom this happened. But there it is.

If you want to try it, seeing the screens, go ahead and pretend to open an account there. You're not actually obligated (even for marketing garbage) until a few steps after that step, so really it's harmless to get to the point of seeing that screen.

Funnily enough it didn't work in my case: the end result was "Sorry, you'll have to use the 'small test deposits' method ...".

The process did clearly work technically through all steps: incredibly, I saw the raw HTML (handled a bit badly) from my credit union asking "text? email?", and I literally got the SMS etc. from my bank. (Perhaps it failed in the end due to IP, or their scraper failed, or whatever; who knows.)

(Unfortunately, looks like my bank does not list recent IP attempts.)

Is it just me or is this totally wrong ?!?

schroeder • 123,438 • 55 • 284 • 319
Fattie • 263 • 2 • 10

5 Answers

6

Disclaimer: IANAL

1 is this common now?! conversely is it brand new?

First time I have read of it, but I know that many online banking systems propose to aggregate your other bank accounts on their site. Mine proposed to, but I declined, so I cannot tell exactly how they prove to the third-party bank that the client allows them to gather account elements. The account number is certain; I do not know about other credentials. The goal is to collect all of your banking information, because this has value for advertisers.

2 would it actually be illegal in some way?

As already said, IANAL. But I cannot imagine why it could be illegal: they ask you for some information, saying how they will use it. You are the information owner and can choose to share it with them or not. The only point that could be illegal would be if they declare that they do not store an element and actually store it. Being professionals, they also have to protect your sensitive data, but provided it is not transmitted in clear text nor stored, I assume that is enough.

3 it seems incredible that other banks wouldn't block them once they heard of the practice, or at least complain bitterly.

Not that simple. The other bank has a contract with you allowing you a number of operations, provided you can prove that you have an account, a password and a unique code sent to a device or mail address. You are responsible for securing those elements and implicitly ask them to honour any request presenting them. They would probably be happier if you used their own system to connect to your other bank accounts, but I cannot imagine a legal point for preventing you from using any third-party added-value system.

Now for my opinion. From a security point of view, a secret should never be shared by more than two entities. So I would never post my credentials for a site on the site of a third-party company, whatever the reason. I know that this will prevent me from using some sexy added-value aggregators, and I accept it. At least I will try to keep that security policy for as long as I am able to...

Serge Ballesta • 25,636 • 4 • 42 • 84
5

There are some answers to this but I'll add a unique perspective:

Is this common now?! Conversely, is it brand new?

It is relatively new, but will be commonplace. Consumer-facing financial institutions in the US have had an awful time dealing with updating their infrastructure and understanding what role they play in the evolving internet-based financial and payment infrastructure.

One thing they understand now, after many false starts, is that each of them is an identity provider, frankly to a far greater degree than any email or social media platform.

This understanding is why they are consuming and utilizing customer credentials with each other, and not introducing some other delegated auth scheme. Who could they delegate to? Facebook?

This is also the model that aggregators (https://plaid.com is one of the more aggressive in this space) are taking, obviously with the full cooperation of the banks.

Would it actually be illegal in some way?

No. As crazy as it might seem, this approach most accurately solves for the trust domain and threat model.

It seems incredible that other banks wouldn't block them once they heard of the practice, or at least complain bitterly.

No, quite the opposite. Banks have decades, sometimes centuries, of shared trust and mutual responsibility, and innumerable layers of technical and administrative integration.

Again, think of a bank as the original identity provider, even more so than a government, because credit and accounting systems long predate governments.

It's a separate issue whether banks are technically equipped to play this role, and whether consumers and banks mutually understand all of the impersonation and confused deputy risks.

From a structural perspective, they have no choice but to approach it this way.

Script47 • 217 • 1 • 11
Jonah Benton • 3,359 • 12 • 20
4

Yes, this is now a thing.

Over here, Germany has a new online payment provider that will allow you to pay instantly online any bill by logging into your bank account and doing the money transfer for you. How convenient, no mistyping any account numbers and you only need to give them your login details - see the similarity?

I have absolutely no idea how this service came into existence, who thought it was an idea worth funding and who actually uses it.

So yes, this is a thing now; your bank is not the only one doing it. It must be, by a very, very long stretch, the dumbest idea anyone came up with this century, and that large banks have signed up to it is one of those things you can only explain with a strong conviction that the end times are near, so who cares?

Is it just me or is this totally wrong ?!?

It is just you and me, unfortunately. Because yes, this is so totally wrong that there ought to be a separate word to express just how wrong it is.

schroeder • 123,438 • 55 • 284 • 319
Tom • 10,124 • 18 • 51
  • Let's keep the language at a SFW level please. – schroeder Jun 12 '18 at 19:03
  • What's the big deal if you immediately change your password after entering it in? And furthermore, with 2FA enabled you don't even have to do it "immediately"... – TTT Jun 12 '18 at 21:14
  • The big deal is that **you gave someone else your password**. We security experts have been trying to hammer into people's heads for two decades and counting **not to f&%!%g do that**. Most people's job is not to run a risk analysis on various scenarios. If they see a big bank supporting such schemes, they may well assume that it is an acceptable practice and their CISO is just a paranoid dude not to be taken too seriously. – Tom Jun 12 '18 at 21:49
  • @Tom I think we need to distinguish between "someone" and "something". Surely you aren't arguing that no one should log in to this site with their Google account? – TTT Jun 13 '18 at 03:51
  • @TTT please read up on OAuth. tl;dr: When you log in to this site using your Google account, you are **not** giving your Google account password to Stack Exchange. – Tom Jun 13 '18 at 06:11
  • @Tom you missed my point. You're arguing that an average non-technical person needs to have consistency or else they'll be untrained to blindly give out their password. They aren't going to know how OAuth works, so you should be complaining about OAuth too if this bothers you for *that* reason. – TTT Jun 13 '18 at 08:34
  • @TTT, using social cross-login on this site is totally, completely, utterly unrelated to what I describe in the question. (What I describe in the question is so, to me, amazingly bizarre that you may have actually misunderstood the question on first reading!) – Fattie Jun 17 '18 at 12:34
  • This has no connection, at all, to OAuth. In the example, **astoundingly - beyond all belief -** the HSBC servers use a crawler to literally log in to your bank account, i.e. they use a simulated web browser, literally go to yourbank.com/login, and type in your user/pass. It's kind of ......... beyond belief! (As I explain in the question, you can literally see the crawler making mistakes, copying the actual text/HTML from yourbank.com, and so on. Try it!) – Fattie Jun 17 '18 at 12:36
  • (I do appreciate though that the typical civilian **wouldn't have the slightest clue** about the (total, categorical) difference between those two things. 99% of humans would just describe it as "you log in using the other site - like on Snapchat! How do I post a picture?!") – Fattie Jun 17 '18 at 12:39
  • @Fattie - exactly. OAuth is completely different. However, in a comment Tom stated the problem is that for decades we've been trying to train lay people to never give someone else your password. I was just pointing out that a lay person wouldn't know the difference between entering their Google password on a non-Google site vs entering their bank password on another bank's site. So, I'm not saying there is a problem with OAuth, only that if you're upset about the bank asking for another bank's password *for that particular reason*, then you should also be upset about OAuth. – TTT Jun 17 '18 at 12:50
  • You actually do not enter your Google password on another site. It will open a popup window with Google branding and you enter your password there. Yes, the lay person may not be aware of all the differences, but with just a tiny bit of effort they can understand it. – Tom Jun 17 '18 at 13:28
  • BTW, 40 years of computing history has proven, absolutely, that the lay person cannot make that tiny effort :-) – Fattie Jun 18 '18 at 19:17
  • That's ok. You can continue calling people lusers and PEBCAK and pretend something like good UI design doesn't exist. It'll make me more money solving the problems you create. These lay people pay very nicely for someone who doesn't treat them like idiots and explains things in terms they can understand and designs systems usable by regular people. :-) – Tom Jun 19 '18 at 03:37
2

I have seen this same thing offered by two different banks in the last year. One time I opted for the two deposits, and the other time I actually used the login form because I preferred my linked account to be verified instantly, and it worked. I remember the first time I saw this I had a similar reaction to you, but it does make sense in the situation where you desire instant verification (like when you are making your first mortgage payment with a new servicer on the due date!) I did opt to change my password shortly after doing this, probably more out of paranoia than necessity.

As for the legality of it, my bank also stated it would not retain any of my credentials, and the only way I could see this being illegal is if they actually did retain them (whether intentionally or accidentally). But even then they'd probably have to be hacked and have it proven that they saved the credentials in order for legality to come into play. (Like the AM hack proving deleted accounts weren't actually deleted even though users paid extra for that service.)

So, it's a trade-off. It's certainly a generally bad practice to enter a bank password on a site outside of that bank; however, if your goal is instant verification, and given that you can simply change your password immediately afterward, I don't personally see a problem with offering it as an option. That being said, if it were the only option, then I think I'd have a big problem with it.

TTT • 9,122 • 4 • 19 • 31
1

This is a security fail. If the bank wants to allow you to set up a second read-only account with its own credentials, that's fine. But using your main credentials to give a third party access to your bank account is crazy sauce.
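The distinction drawn in Tom's answer and its comment thread (handing a third party your password versus OAuth-style delegation), and the "second read-only account with its own credentials" suggested in the answer just above, can be made concrete in code. What follows is an added illustration written for this page, not code from the thread, from HSBC or from any aggregator. It models a toy bank in Python with a password plus a texted one-time code, then runs two third-party verifiers against it: one that holds the user's password and relays the code prompt, as the question describes, and one that is handed only a scoped, revocable token the account holder minted at her own bank. Every name here (`Bank`, `scraping_verify`, `delegated_verify`, the user "alice" and her password, the scope strings) is constructed for the example; no real bank's API or login page is modeled.

```python
import hashlib
import hmac
import secrets
from collections import namedtuple

Session = namedtuple("Session", "user scopes")  # scopes == {"full"} after an interactive login


class Forbidden(Exception):
    """Bad login, missing scope, or revoked token."""


class Bank:
    """Constructed toy 'other bank': password + texted one-time code, plus scoped delegated tokens."""
    def __init__(self):
        self._pw, self._pending, self._tokens = {}, {}, {}
        self.sms = {}  # user -> last code "texted"; in reality only the account holder's phone sees it
    @staticmethod
    def _kdf(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    def register(self, user, password):
        salt = secrets.token_bytes(16)
        self._pw[user] = (salt, self._kdf(password, salt))
    def login_step1(self, user, password):
        """Check the password, then text a six-digit code to the account holder."""
        salt, digest = self._pw[user]
        if not hmac.compare_digest(digest, self._kdf(password, salt)):
            raise Forbidden("bad password")
        self._pending[user] = self.sms[user] = f"{secrets.randbelow(10**6):06d}"
    def login_step2(self, user, code):
        """Whoever presents password + code gets a FULL session; the bank cannot tell who typed them."""
        if not hmac.compare_digest(self._pending.pop(user, ""), code):
            raise Forbidden("bad code")
        return Session(user, frozenset({"full"}))
    def _require(self, session, scope):
        if "full" not in session.scopes and scope not in session.scopes:
            raise Forbidden(f"scope {scope!r} not granted")
    def balance(self, session):
        self._require(session, "balance:read")
        return 1000
    def transfer(self, session, amount):
        self._require(session, "transfer")
        return True
    def issue_token(self, session, scopes):
        """Account holder, logged in at THIS bank, mints a narrow, revocable token for a third party."""
        self._require(session, "full")
        token = secrets.token_urlsafe(32)
        self._tokens[token] = Session(session.user, frozenset(scopes))
        return token
    def resolve_token(self, token):
        if token not in self._tokens:
            raise Forbidden("unknown or revoked token")
        return self._tokens[token]
    def revoke_token(self, token):
        self._tokens.pop(token, None)


def scraping_verify(bank, user, password, ask_user_for_code):
    """The flow in the question: the third party replays the password and relays the code prompt.
    Returns (verified, what the third party now holds)."""
    held = {"password": password}  # the secret is now in a third party's hands, whatever the UI says
    bank.login_step1(user, password)
    held["session"] = bank.login_step2(user, ask_user_for_code())  # a full session, not a read-only one
    return bank.balance(held["session"]) >= 0, held


def delegated_verify(bank, token):
    """Delegated flow: the third party only ever sees a scoped token the user minted at their own bank."""
    return bank.balance(bank.resolve_token(token)) >= 0, {"token": token}


def can(bank, action, subject, *args):
    """True if `action` succeeds for `subject` (a session or token), False if the bank refuses it."""
    try:
        getattr(bank, action)(subject, *args)
        return True
    except Forbidden:
        return False


def demo():
    """Both flows against one toy bank: what does each third party end up holding and able to do?"""
    bank = Bank()
    bank.register("alice", "correct horse battery staple")
    # 1. Credential sharing: alice types her password and the relayed SMS code into the third party.
    ok1, held1 = scraping_verify(bank, "alice", "correct horse battery staple", lambda: bank.sms["alice"])
    # 2. Delegation: alice logs in at HER bank and grants the third party balance:read only.
    bank.login_step1("alice", "correct horse battery staple")
    token = bank.issue_token(bank.login_step2("alice", bank.sms["alice"]), ["balance:read"])
    ok2, held2 = delegated_verify(bank, token)
    token_session = bank.resolve_token(token)
    bank.revoke_token(token)  # alice changes her mind; the scraper's session has no such switch
    return {
        "scraper_verified": ok1, "scraper_holds_password": "password" in held1,
        "scraper_can_transfer": can(bank, "transfer", held1["session"], 500),
        "delegate_verified": ok2, "delegate_holds_password": "password" in held2,
        "delegate_can_transfer": can(bank, "transfer", token_session, 500),
        "delegate_after_revoke": can(bank, "resolve_token", token),
    }
```

Both verifiers answer the question the new bank actually cares about ("is this alice's account?") equally well. The difference is what is left over afterwards: the scraping verifier ends up holding alice's password and a full interactive session that can move money, and the only remedy is the one TTT describes, changing the password; the delegated verifier holds a token whose scope the bank enforces on every call and which alice can revoke at her own bank without touching her password. That is the gap the comment thread is arguing about.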