20

Brussels Airlines allows several payment types, only two of which are free: Maestro and Sofort Banking:

Brussels Airlines payment methods

The second option was new to me, but direct debit is usually a free and practical way to pay: The request is forwarded to the bank web site, I fill in my details as if I were logging in, and the bank returns me to the vendor site with confirmation. However, in this case sofort.com wanted me to put my bank login details on their site! Username, password, one-time pad, everything!

After all of us effectively signed a "don't ever disclose your login details to anybody else under any circumstances, or else" agreement with our banks, how is this possible? And is there anything end-users can do except voting with their wallets? In this case, Brussels Airlines tickets can be had from for example Skyscanner, which does not use sofort.com and has free payments for many more card types, but what if it becomes standard?

For the record, the site is using a verified, valid, "strong encryption" (at least according to Firefox) certificate.

Another write-up about Austrian Airlines also using sofort.com.

l0b0
  • 2,981
  • 20
  • 29

4 Answers4

10

After all of us effectively signed a "don't ever disclose your login details to anybody else under any circumstances, or else" agreement with our banks, how is this possible?

Sofort AG is a german company, so I'll focus on Germany: There was an antitrust proceeding, and as a result of it, most banks changed their terms and conditions to allow this (at least according to Wikipedia). It doesn't seem that the proceeding actually resulted in new laws though.

The european Payment Services Directive is currently being updated, and would then also cover third party payment providers (TPPs), so as I understand it, it would then also regulate Sofortüberweisung (the correct name for a service like this seems to be Payment Initiation Services). See also this interpretation here in English.

is there anything end-users can do except voting with their wallets?

Well, you can lobby politicians, write news articles, search for and expose security flaws, etc. Or you can hope that there are valid alternatives and use them instead.

Security

The implied question here seems to be if this is secure or not.

  • it adds an additional company which can screw up, and thus reduces security (for no or few benefits).
  • you have to trust the company (in this case Sofort AG), as they could also just take all your money if they wanted to (but this is the case with a lot of payment options, paypal for example allows any shop to withdraw a random amount of money).
  • it might increase inexperienced users willingness to enter their password ("I did this so many times, and never did something bad happen before") and thus increase the success and amount of phishing attacks.
tim
  • 29,018
  • 7
  • 95
  • 119
  • 1
    In addition to adding an additional company, it also lowers responsibility - if something does go wrong, and there are now N parties involved, the amount of blaming X and delays will also increase exponentially - and related, it also introduced the chance for the liability of a certain company to be lowered (how do we know Sofort has the same liability as a traditional bank?) – user2813274 Nov 02 '14 at 15:10
  • 1
    Laws, regulations or audits simply cannot change the fact that this is a MITM site. Should you trust an unknown third party? Nope. – Eric Duminil Nov 13 '17 at 22:21
5

The answer by Tim is super, and still relevant in 2017, but omits one important thing: PRIVACY.

you have to trust the company (in this case Sofort AG), as they could also just take all your money if they wanted to

Risk exists, but is probably low - or their whole business model would collapse. The risk provides a serious incentive to take security seriously.

I actually asked my bank (BNP Fortis Paribas) about Sofort (now Klarna) with the same comments as OP, and they did not discourage me from using Sofort, nor scorn me for sharing my login details... instead encouraging me to contact Sofort with my question instead (much like the reply this customer received). Tim's statements explain well enough why.

But you also have to trust Sofort to take your PRIVACY seriously.

Sofort effectively have access to your bank balances on all your accounts, all transactions that you made - the same ones that are visibile in your bank's online portal. This appears to be depending on the setup they have with the various banks; if there is no API from the bank, then their Data Protection policy states:

"Alternatively, our system will automatically call up the data via the user interface of your online banking service, much in the same way as if you logged on yourself".

I.e. they [can] know what you earn, where you spend your money, what your cash burn rate is, what your savings or investments are.

I'm sure that information is HUGELY valuable.

If you perform 1 Sofort transaction every 6 months, for my bank at least, they could assemble a continuous transaction history for every customer.

The only thing going for them IMHO is German privacy laws are among the strictest in the world...

Their Privacy Policy, does not mention data they are collecting or what they do with it; however the more interesting Data Protection UK/EN policy is more specific and appears to exclude the usage I described above.

We will not store any personal data beyond that, in particular, no account balance, transaction data, overdraft limits, account lists, online banking login passwords (such as personal identification number) or confirmation codes such as transaction authentication number.

Thing is though, it's easy enough to audit whether your money has been stolen. It's quite something else to verify whether the company is complying with its promise not to collect this data. So it's all about trust. Don't trust them? Spend a few €€€ more, and use another payment provider.

Geehan
  • 51
  • 1
  • 2
5

The biggest problem with services like Sofort is that because YOU have entered your banking details THEY are indemnified against chargebacks and indeed any kind of claim that the transaction was fraudulent. Which lowers their business cost because they have zero fraud (that they are responsible to pay for). However the responsibility for fraud lands on YOU the customer. By using Sofort you are giving up the rights you would have if you used any other traditional payment method.

Do the math. Decide if you're willing to run the risk. If its online and it feels wrong... it is wrong.

Bob Shaw
  • 61
  • 1
  • 1
4

Sofort has caused a lot of concerns and controversies across Europe due to its requirement to supply user login details. in 2013 Polish Financial Oversight Commission has issued a warning (in Polish) about supplying customer payment details to third-parties such as Sofort or Trustly but the picture seems to be more nuanced.

Sofort has a presentation where they respond to most of the accusations - firstly, they take all responsibility for any possible fraud related to its services (they claim there was none), secondly, they claim they don't store any of the credentials but rather use them in real-time.

In my opinion, their business model and arguments make a lot of sense but taking user credentials just to check account balances and order a payment is an overkill by an order of magnitude. This model is simply violating need-to-know and least privilege principles, two of the most fundamental principles of information security. It's a work around the business limitation of consumer banking sector that now rarely offers third-party APIs and authorization protocols that would allow to perform the same functionality in a proper way.

The PSD2 EU directive should remove the need for such workarounds since it introduces mandatory APIs for consumer banking sector and prohibits storage of user credentials (something Sofort says they don't do, but still).

kravietz
  • 412
  • 2
  • 7