38

Paypal has a new payment option called "Bank Account" which says:

Enter your online banking ID + password

Paypal: Enter your online banking ID + password

QUESTION: To me it sounds unsafe (i.e., it sends my password to a third-party organization like Paypal), but does there actually exist any security mechanism/protocol that they could be using to make this operation safe?

Notes: Seen from Japan, on Firefox 32.0 Ubuntu 2014.04, URL starts with https://www.paypal.com/
The warning symbol in the URL says "Connection Partially Encrypted".

Nicolas Raoul
  • 4
    Remember, when you are in doubt with anything concerning your Bank Account security, like here, always call your bank! Especially if you see sites asking for your Bank details – Lighty Sep 24 '14 at 09:42
  • 53
    That's the most creative form of image censoring I've ever seen. – Polynomial Sep 24 '14 at 12:23
  • 19
    I really hope he's buying $120's worth of peppers. – TMH Sep 24 '14 at 13:24
  • *Is my password sent to Paypal?* Yes, but by way of Russian hackers, so it's guaranteed safe. ;) – Hot Licks Sep 24 '14 at 17:41
  • 10
    Imagine if all government documents were redacted with bell peppers instead of black lines. – Keavon Sep 25 '14 at 00:55
  • 2
    Upvoted for the bell peppers. – Keavon Sep 25 '14 at 01:00
  • 2
    First good use of that senseless GIMP brush :D – print x div 0 Sep 25 '14 at 07:08
  • I wouldn't go near this. – Ben Sep 25 '14 at 10:10
  • 1
    BTW, there are other, similar services, where you supply your banking credentials and they do the banking for you. For example, in Germany "Sofortüberweisung" ("immediate money transfer") is moderately popular - https://www.sofort.com/ . They claim to be secure, but banks forbid their use as it violates their T&C. – sleske Sep 25 '14 at 10:18

5 Answers

22

Once you submit that form, the information clearly goes to PayPal. So, yes, your password is definitely sent to PayPal. However, PayPal is saying that it only uses your bank account credentials to confirm/verify your account.

What seems to happen is that PayPal takes your information then sends it to your online banking provider for verification. What PayPal does with your credentials after that is unknown. They might store it for future payments, or they discard it after the verification process.

In one line: Yes, your bank password goes to PayPal. Is it bad? Well, it depends on how much you trust PayPal.

By comparison, in Finland we have a completely different system with PayPal. When PayPal needs to verify the bank account or withdraw from the bank account, you get redirected directly to the bank's online banking page. You log in there, and then you get redirected back to PayPal. They only get a verification token from the bank. The system is called TUPAS.

Adi
  • 11
    "it depends on how much you trust PayPal" - I don't know what's typical in the US, but here in the UK my bank tells me not to give my online banking password *to their own employees*, never mind to an unrelated organization. As well as how much you trust PayPal, it also depends how much your bank trusts PayPal. If you trust them with your password, but your bank doesn't, and your bank finds out what you did (e.g. because they detect logins from PayPal's servers), then I imagine you're in their bad books ;-) – Steve Jessop Sep 24 '14 at 23:48
  • 1
    @SteveJessop here in the US it varies a lot. I bet there are some banks who offer the same advice, but many people probably ignore it - and those who don't are usually the ones who would never share a password anyway. But your other point about the bank finding out is a good one. In many cases it is written into the terms of service of a website (banking, or other) that you must never share your password with anyone. – David Z Sep 25 '14 at 04:02
  • 3
    By the way TUPAS sounds a lot like OAuth... – David Z Sep 25 '14 at 04:03
  • @SteveJessop While I certainly agree that sending your bank's creds to PayPal will probably break your bank's T&C (much like using Mint.com), I still think it's irrelevant in this context. Breaking your bank's T&C is a legal issue, while the question whether the creds are sent to PayPal is a technical security-related one. In all cases, I'm happy that you mentioned it. – Adi Sep 25 '14 at 07:38
  • @DavidZ Indeed it is. It also implements two-factor authentication with OTPs. – Adi Sep 25 '14 at 07:40
  • What??? Safe???? Shouldn't anyone mention the mixed content warning? On a page where you enter reusable login information. Could be prone to a MITM attack by DNS-spoofing, routing the HTTPS blindly through, but injecting cross-site scripting via the unencrypted parts of the page. – Falco Sep 25 '14 at 12:22
  • @Falco Ha?! That triangle information sign isn't a mixed-content warning. It's telling the user that the server isn't supplying full identity information in the certificate. Not a big problem at all. – Adi Sep 25 '14 at 12:31
  • @Adnan according to the Paypal Community-Forum the page is mixed content: https://www.paypal-community.com/t5/How-to-use-PayPal-Archive/Connection-Encrypted/td-p/25597 Which is exactly what the Firefox warning "Partially Encrypted" means - and actually what it says in plain English too "just parts of this page are encrypted, some images or other resources are loaded via plain http" – Falco Sep 25 '14 at 12:47
  • Wouldn't it be possible (in theory) to implement sending the password in a safe way by generating a hash by a local script on the user's computer and sending only this to PayPal? For verification purposes, this would be sufficient and still safe - or am I wrong? – schnaader Sep 25 '14 at 13:05
  • @Falco Apologies, you're right about **one** thing. It is indeed a mixed content warning triggered by the merchant logo (which is the only thing transmitted via plain HTTP). In this case, it's also not a problem at all. It's an image. The worst that can happen is that a MiTM might change the image to another image, no big deal. Also, browsers don't supply referrer information from HTTPS to HTTP, so that's also covered. All in all, you're wrong, you're overreacting, and yes it's safe. – Adi Sep 25 '14 at 13:09
  • 1
    @Adnan Again: If the user asks "Is it generally safe to enter critical banking-login information on a page, if my browser displays a mixed content warning" - the answer is NO!!! Even if it is just an Image at the moment, this might change in the future and you will not recognize, if unsecure JS is loaded over HTTP, since you are ignoring your browser-warning! Mixed content is a possible security hazard and you should not ignore it! – Falco Sep 25 '14 at 13:32
  • And there could be an attack vector via image-injection, possibly with a wrong mime-type, buffer-overflow or some svg-scripting... Although there are none that I know of at the moment on current browsers – Falco Sep 25 '14 at 13:37
  • @Falco Umm.. no? Because the insecure JS/CSS and insecure image warnings are completely different. The insecure image warning is a small warning and you don't have to do anything about it (defaults to allow), but the insecure JS/CSS is a warning that specifically tells you that it's a script and you need to do some actions to load it (defaults to deny). – Adi Sep 25 '14 at 13:44
  • 1
    @schnaader, that wouldn't be safe. In that case the hash itself would become the password. If you got your hands on the hash (whether through DB leaks or something else), you could send that through and it would be verified, no need to break the hash. This type of attack has been called [pass-the-hash](https://en.wikipedia.org/wiki/Pass_the_hash) and famously affected Windows accounts. – Chris Murray Sep 25 '14 at 16:01
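
The redirect flow described in the answer above (the user logs in at the bank, and the third party receives only a verification token), sketched as an added example that is not part of the original answer and is not TUPAS's actual message format. The field names, the shared MAC key and every function name here are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: bank and merchant share a MAC key agreed out of band.
SHARED_KEY = secrets.token_bytes(32)

def _mac(key: bytes, *fields: str) -> str:
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
    msg = b"".join(len(f.encode()).to_bytes(4, "big") + f.encode() for f in fields)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def make_account(password: str):
    """Bank-side enrolment: store a salted, stretched hash, never the password."""
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def merchant_start() -> str:
    """Merchant creates a one-time request id, then redirects the user to the bank."""
    return secrets.token_hex(16)

def bank_authenticate(request_id, user, password, accounts, key):
    """Runs at the bank: the password is checked here and never leaves."""
    record = accounts.get(user)
    if record is None:
        return None
    salt, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    if not hmac.compare_digest(candidate, stored):
        return None
    # The assertion carries an opaque customer reference, not the credentials.
    customer_ref = hashlib.sha256(salt + user.encode()).hexdigest()[:16]
    return {"request_id": request_id, "customer_ref": customer_ref,
            "mac": _mac(key, request_id, customer_ref)}

def merchant_verify(assertion: dict, pending: set, key: bytes) -> bool:
    """Merchant accepts an assertion once, and only for a request it started."""
    rid = assertion.get("request_id", "")
    expected = _mac(key, rid, assertion.get("customer_ref", ""))
    if not hmac.compare_digest(expected, assertion.get("mac", "")):
        return False           # forged or altered in transit
    if rid not in pending:
        return False           # replayed, or never requested by this merchant
    pending.discard(rid)       # single use
    return True
```

Because the MAC covers the merchant's one-time request id, a captured assertion cannot be replayed the way a static client-side hash of the password could.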
17

Is my password sent to Paypal?

Yep. Giving your password to PayPal may be a breach of your bank's Terms and Conditions and/or make you personally liable for any fraud that takes place through that system. Also PayPal can see the personal information and transaction history associated with that account. Hope you trust PayPal real good now!

Or is there a kind of protocol involving the bank's server, which makes this actually safe?

PayPal is most probably running automated screen-scraping scripts attempting to log in to the normal online banking site on your behalf and doing the transfer. This is obviously pretty fragile and risks breaking when banks update their web sites. It is likely that some banks may be co-operating with PayPal to reduce this risk.

This approach has been done a number of times before, e.g. by Germany's sofort.com. I am disappointed to see PayPal jump on this payment model too. Whilst the rest of the web is working on federated authentication/authorisation schemes that let you approve particular transactions without having to hand over the keys to the kingdom to other participants (OAuth, SAML etc), the financial world is once again plumping for convenience and legacy compatibility over security.

bobince
  • What's with banks using simple password authentication though? In Sweden, all (afaik) banks use some kind of PIN-protected physical token (sometimes this token is your credit card chip) for authentication. – You Sep 24 '14 at 16:36
  • 2
    When Sofort did it for German banks that had TANs, they required you to enter a TAN separately to use in the login; I believe they also man-in-the-middle the CAP process (chip+PIN home signer thingy). I don't know if PayPal are doing the same or whether the supported US banks use similar 2FA methods. Encouraging users to type banking passwords and 2FA tokens into a third party site (encouraging phishing) seems super-irresponsible to me. – bobince Sep 24 '14 at 18:20
  • 3
    Excuse me but your answer is just pure speculation!! "..running screen-scraping scripts.." "..pretty fragile.. risks breaking.." What?? Yes, it *may* be implemented this way, it probably isn't (considering how big PayPal is) but the fact is that you don't know and I don't know. So please don't just start making up things – Andreas Bonini Sep 24 '14 at 19:36
  • Yes, until we have an actual PayPal developer here to definitely describe how it works, all any of us can do is speculate. I speculate that it works similarly to the existing services that provide the same user experience. – bobince Sep 24 '14 at 20:44
9

Your information does go to PayPal, who will likely use it to log in to your bank account. That way they can verify your information is valid.

However - technically - they can also see other information. Anything you see after logging in (your account balance, the various deposits / withdrawals) is visible to them, and they may or may not store that. Technically they are also able to invoke any other function you don't need another form of authentication for.

So, risk is one matter. The other matter is if your bank actually allows you to do that. A lot of banks will require that you keep your access information confidential. By using this function you will violate that agreement, by giving your access information to a third party.

Aaa
  • 3
    +1 for "banks will require that you keep your access information confidential". Ask your bank if this is allowed! Probably it is as it looks like they only support a small number of large banks, so they have probably got an agreement with them. But I still wouldn't go near it. – Ben Sep 25 '14 at 10:12
  • So sad we live in a world where a business that makes money off your money, still gets to at the end of the day tell you what you are and aren't allowed to do with that money you've so kindly let them 'hold onto'. – Mike Sep 25 '14 at 14:25
  • True, but to a point you have to understand them - you are essentially giving them the keys to your bank account. I have an account at a pretty big bank in Central US, and someone could literally empty it with the correct username and password. Even if you trust PayPal, services like these make users more prone to letting their guard down, and thinking that it's okay to give away their passwords. It's a bad habit to start. – Aaa Sep 25 '14 at 14:34
  • @Mike, the bank isn't dictating what you do with your money, where did you get that idea from? All the bank is saying is, "If you give your access to another, we are no longer responsible for protection of your funds". Which makes perfect sense, how can the bank protect your money if you give access to anyone and everyone? – Chris Murray Sep 25 '14 at 16:06
  • @ChrisMurray I must have misunderstood his meaning by saying that 'violate that agreement'. I suppose this means they'll take no responsibility for anything negative happening, which makes sense but I wouldn't worry about it in the case of a reputable company like Paypal. – Mike Sep 25 '14 at 16:09
0

I think other answers explain the risks of giving your password to PayPal well. I think the bigger issue here is that users are taught in this way that they can sometimes provide a password to somebody. This is IMO extremely bad and stupid and I'm highly disappointed by PayPal for doing so.

akostadinov
0

I have a login and password that is read-only access. That is the login I use when sites such as PayPal ask for it. I also use the read-only account for my Quicken software. If you are curious what PayPal does with the login data, read the user agreement or contact support for more details.

Sun