This is common practice in Germany. The whole payment method "Sofortüberweisung" or "Sofort" is based on this. You give your login information and a single-use password to Sofort, they initiate a wire transfer and instantly guarantee the money will arrive. (It will arrive 24h later, as banks are allowed to delay it this long and they use it as additional liquidity.) Of course this is a security nightmare and of course the ToS of the banks prohibit you from sharing your login details. But unfortunately they don't enforce their ToS. Recently the cartel office called for making this part of the banks' ToS void, as they would "hinder the adoption of innovative FinTech".
But it illustrates how deeply flawed the whole banking sector is that people are willing to give up passwords to third parties or pay insane fees to PayPal. IMHO we urgently need a law that makes wire transfers instant, or these dangerous and incredibly expensive layers grow to the disadvantage of everybody (except PayPal and Sofort).
This is a solved problem in the Netherlands with iDEAL. Go to checkout, select your bank, authenticate at your bank's website with your credentials and 2FA (SMS/EMV CAP reader/QR code), confirm the transaction details and you'll be redirected back to the web store. The wire transfer is not instant but it is guaranteed, so the merchant can start shipping immediately.
In France we have 3D Secure: when you make the payment you are redirected to a page that belongs to the bank, you receive an SMS with a one-time code to validate the payment and are redirected to the merchant with the validation.
Quite efficient, but I think there are fees for the merchant in this case.
3D Secure is used to authorize credit card payments, while Sofort and iDEAL send wire transfers. Big difference.
With 3D Secure, you provide the normal card data (i.e. card number, expiration, name, CVV/CVC) to the merchant and are then redirected to an authentication form from your card issuer. There, you'll be asked to either provide a password or, as you described, input a confirmation code from a text.
With Sofort, you're entering your login data to your e-banking account on a login page served by Sofort. They, in turn, use it to log in to your e-banking using a simulated browser and send a wire transfer. You lose control, however, of what else they do: once they are logged in to your e-banking, they can check your previous transactions, send other transfers or they might change your mailing address...
As far as I know, 3D secure also works for debit cards. In many countries debit and credit cards use the same system (Visa/Mastercard). Have seen 3D secured payments several times for my UK debit Mastercard.
I've seen some horrific UI on some 3D secure implementations. Also, I've seen some websites refresh to a "loading 3D secure ..." page, only to somehow skip it and go further. If the merchant can just skip it and charge your card like a regular credit card, then what's even the point of having it?
As another comment already pointed out, you are probably seeing your card issuer's risk-based 3D Secure system in action. If your system (IP address, location, user-agent) and/or the transaction (merchant, sector, amount) look familiar enough, some issuers let you skip the password/TAN entry. If they are doing it right, that's a good thing.
The worst I've ever experienced is the RuPay card network's (India) second factor. You pick an image out of a collection of thirty-odd images that you must select again at the time of every transaction. It also forces you to type your PIN via a shuffled numeric clickpad in the browser.
The merchant can choose whether and when to use 3dsecure (at least in France).
I work for a company that uses Paybox for online payments. We can set an amount above which 3dsecure is used, e.g. 20 EUR.
I'm guessing the bank has to support 3dsecure, but they can't or at least don't impose it.
I work with fraud detection at an online travel agency. If you use 3D Secure and there is a fraud, your insurance will cover the cost of that transaction. As a merchant you may bypass (not use) that security feature at your discretion. 3D Secure is a Mastercard feature, no?
3dsecure works with Visa too. I don't know about AmEx, although I do know that for Point Of Sale payments we have to have a special bank contract (one for Visa / Mastercard and one for AmEx).
I suppose the merchant decides whether to use this or not by trying to find a balance between user experience and fraud risk.
In our case I think the limit is set right above the usual purchase amount (we sell movie tickets). It's low enough that a fraud wouldn't hurt us too badly and there's not much incentive for it either. Also, most of the clients don't have to fiddle with 3dsecure (in my case I would have to carry a fob around, which I never do), so it's a better experience for them.
If someone tries to buy a lot of tickets at once, they are more likely to be doing something fishy so we use 3dsecure.
I'm guessing that the page gets skipped when you're on a familiar IP address with a familiar cookie, or there are other factors where the bank decides more authentication is unnecessary.
10 years ago I got a Mastercard that for the first time required me to answer a 3D Secure question each time I did an online purchase. It's been at least seven years since I had to answer that question though. How 3DS figures my card carries no fraud risk I have no idea. Is my card less likely to get stolen? Perhaps they have geography as a metric?
That would suck if anytime I wanted to deal with things back home while travelling I had to remove my local sim and put back in my home sim just so I could receive SMS messages from my bank.
In France they do not have a non SMS option. Also if you change your number you have to wait days while your bank mails a new activation code to your postal address. Actually snail mail. (At least with BNP.)
An incredible pain. I hate it. ApplePay for the web is far superior.
Data point of one here, but my experience is different. I used Crédit Coopératif, and they issued me with a password generator fob (like a small calculator in which you stick your Visa chip-card) which the 3D Secure page would ask for a response from.
I suspect it depends on your bank. Back when I used Crédit Agricole, I was indeed forced to do SMS auth, which is inferior.
3D Secure (at least in India) offers both SMS OTP and Password validation. So you can use your 3D Secure Password (which is different from bank credentials) or use SMS OTP to confirm the transaction.
Have 3d Secure here in Turkey too. Most merchants provide a checkbox to enable 3D secure, if you do so, they redirect to the bank's page and you need to enter a code.
Most of the time, non 3d secure purchases take a little more time to go through and if the amount is higher than your regular spendings or the charge happened to be in the middle of the night, banks ask for confirmation via SMS anyway. If you go with 3D secure, it just works instantly.
All banks provide virtual credit card numbers with predefined limits too though.
Yes, the same system exists in Germany too (confusingly alongside Sofortüberweisung). It's called Giropay and it works the same in that you sign in on your online banking website and the wire transfer is guaranteed by your bank, not a third party.
It's nice and works well. All would be great if it weren't for the fact that it's only offered by some banks (mainly cooperatives I think) and only accepted by some shops. Why the German banks have tried to sue Sofortüberweisung out of existence instead of implementing their own universal system that undercuts Sofortüberweisung's merchant fees (0.9% + €0.25 per transaction) is beyond me.
Oh right, thanks! It seems they're such a strong competitor that I've never even heard of them. And they still support nowhere near as many banks as Sofortüberweisung, although I appreciate that these things take time (and there are a lot of banks in Germany).
I don't consider that a solved problem. Austria has the same "solution". Try paying as a foreigner without a local bank account. Also no support for chargebacks.
However the cost is minimal.
As a foreigner you can pay with credit cards - the merchant might not support it due to the horrendous cut that Visa/MC/Amex take (several percentage points).
This is how most ecommerce works in Lithuania too. Debit cards (vs credit cards) typically didn't allow online transactions until last year, so most ecommerce companies just do this - there are only 3 or 4 major banks, so for the user it's pretty easy. I assume the fees are lower for the business too.
The only downside is if you don't have a local bank account (i.e. as a foreigner) you can't use it.
2FA is done by a) paper code b) passcode generator fob or c) mobile signature, which uses your SIM which holds an RSA key (it doesn't use SMS):
Solved problem in Poland. Actually I usually laugh when I hear about "FinTech" startups struggling to deliver technology that is history here. mBank has been offering "instant" money transfer for purchases for the last 15 years, now there are more than a couple of vendors aggregating almost every bank that there is on the market. Real-time transfers have been available via BlueMedia (private company) for like 7 years and via the central banking transfer hub for over a year. You can pay with your mobile via a couple of providers, including said central banking transfer hub (Blik payments). And standard bank transfers (take around 8h to deliver, depending on incoming and outgoing transfer session timing; there are 3 sessions a day) are free, so many people are used to paying via standard bank transfer and there are many solutions for merchants that do automated account scraping to match incoming transfers. Poland: the land of the FinTech future. Downside: if you are a financial IT provider, you can hardly get anything sold here; everything that comes from outside is history here.
Yeah, I was living in Poland for 4 years some time ago. (2008-2012) and I was astounded how modern banking is compared to Germany.
Here wire transfers still take 1 day minimum (except if you're transferring within the same bank). Doesn't matter if you send the payment in the first or last scheduled transaction window. For the receiver it won't show up till the next day.
Our bank cards won't double as credit/debit cards either. We still have to get an extra card if we want to perform VISA payments. And NFC is still not wide spread. (though that might be a good thing)
I also like how integrated Polish banks are with public services. You could issue a tax or social insurance payment directly from online banking. Granted on the backend it's still just a normal wire transfer but that most banks have an easy to use form for that is great.
I still have my mBank account and feature-wise (and UI wise) it's light years ahead of what my local German bank offers.
I guess here in Germany when it comes to banking we're the victims of early innovation and have to cope with entrenched old standards instead of adopting all the nice new tech.
Germany has a very bad banking system, mostly due to the high market share of very small banks that don't want to or cannot adapt quickly.
Here in the UK transfers also arrive within seconds 24/7 and debit cards can be used for online payments. No idea why transfers in Germany need 1-3 days (depending when you submit it) in a time when there's no manual work involved.
As a Brit I was surprised when I received a reply on Twitter to a blog post I wrote [0] that said:
...in Germany nearly 80% of transactions are still cash - lots of places that simply don't take cards
Reading this thread that now makes more sense. We have it pretty good in the UK with contactless and chip & PIN (although I hear the Dutch have it better). I always feel the US is so backwards when I visit and they do the stripe & sign thing.
However, I still think there are many reasons cash should always be accepted. I won't repeat them here as they're covered in the post.
The standing joke here is that Germany is a "developing" country when it comes to payment. 10 years ago it would even be difficult to pay with an international credit card. In Sweden bank transfers are immediate if I use "Swish" and I use cash maybe once a month.
Here in Norway I use cash only at a loppemarked (literally flea market but generally in support of a charity, the local brass band, or sports club). Even these now have payment terminals more often than not, just not enough to go around so it is still quicker with cash.
I feel we in New Zealand, despite our small size, actually have modern POS systems. I have been using contactless Visa regularly for at least 3 years now and have switched to Apple Pay recently. It is so popular here that the relatively small number of vendors who do not have contactless have stuck a physical label on the POS device saying "No Paywave", so when the customer goes to wave, they know to swipe/insert instead.
I've heard that we are a test bed for some technologies, given that the sample size is small relative to the world. An example of this was Pokemon Go, which was AFAIK released first here in NZ (and Australia).
Actually it is 1 day maximum, which is the legal requirement for transfers within the EWR. If it takes longer at your bank, go sue them. But I can't share your experience. I've lately transferred money between three different banks, on a Sunday, and it all happened in near-real-time (DKB, comdirect and my local Sparkasse were involved).
I think the comedy value of the shock on people's faces when you pay at a place with contactless (some bigger shops have it) with Apple Pay is brilliant, though.
Yeah, the tech side is great, it's just a shame that borrowing costs (for anything in złoty, e.g. a mortgage) are gigantic, savings interest rates are abysmal, and you really have to watch out for bad actors thanks to the close-to-zero consumer protection rights.
For example, a number of online shops show items as being "in stock" despite having an empty warehouse (or no idea if their supplier has anything in stock). It's possible to transfer large sums, and then have to sit around waiting for a month or two while the shop decides what to do, all with close to zero repercussions for the shop themselves.
If you've paid with a credit card instead of a bank transfer, it's simple enough to kick off a chargeback. (well, not as simple as in other nations, but a short form and a quick chat with a moody call centre rep).
As a recent example, I had a ~5,000zł purchase go wrong (to a well-known Apple authorized store) after the payment was successfully taken, but the store's website had an error and failed to process. Trying to get a response out of the payment processor or the shop was like getting blood out of a stone; the only thing that worked inside of a reasonable timeframe (I gave them a week to even reply to me on phone -or- email) was a chargeback.
While I can live with unfavourable rates, give me the UK's consumer protection laws any day of the week!
It's interesting how different people can interpret the same situation in different ways.
I am wondering why you consider borrowing costs for a mortgage in PLN to be gigantic. I just checked and the total annual rate looks to be around 3.3%. Is that what you consider gigantic?
I've lived in Poland for over five years now. It took me some time to get used to operating procedures here. It is different than in the US, which is what I was used to. There are things that are worse than in the US, and there are things that are better. It is not as horrible as you make it seem.
Like everywhere, you have to know how to maneuver. A person having just arrived in the US may not know what to do when faced with bad service. Things that tend to work there are insisting on talking to a manager, and threatening a chargeback. Both will be difficult if you don't speak English.
In Poland, depending on the situation, threatening to report the company to UOKiK (the consumer rights groups) works really well. This will be difficult if you don't speak Polish.
I've had bad experiences in both countries. These were few and far between, both in the US, and in Poland.
Regarding the bad experience you've had... Could the delay in replying have been due to language difficulties, or were you communicating with the store in Polish?
P.S. You're right about many retailers listing stock they don't have. Lots of just-in-time types of stores. It comes down to finding reputable retailers. Not once though have I had a situation where something was not shipped. I've made hundreds of purchases online.
>I just checked and the total annual rate looks to be around 3.3%
Lowest I've seen is 3% plus base rate. If you typed "poland mortgage rates" into Google, you might be seeing the same infobox as I am, which references a US-based credit union. Taking Millenium Bank as an example, the calculator on their site offers 3.6% - base not included - for 25 years on a house value of 1,000,000zł with a loan of 700,000zł. That seems gigantic to me, and over 25 years it's just painful.
In a way, this kinda illustrates my frustration with the country; you really need to read the fine-print.
> threatening to report the company to UOKiK
Which I severely resent having to resort to; the companies should want to offer great service, and not have to be beaten into it.
Thankfully, since I've been here, I've seen a great increase in the quality of customer service. The Polish people I've met seem to fall into two groups though: either they'll complain; or they'll put up with absolute nonsense for months on end. It's such a shame.
>Could the delay in replying been to language difficulties, or were you communicating with the store in Polish?
Entirely in Polish.
>It comes down to finding reputable retailers. Not once though have I had a situation where something was not shipped. I've made hundreds of purchases online.
Five years ago, I would've said exactly the same thing as you. Then I bought a house, needed an oven, fridge, washing machine etc. etc. etc. all of which - from many different shops - had issues one way or another. I also had the same experience buying tires online recently, despite having thought I'd learned my lesson.
I love being here, and the country and people are great. On a practical level, though, it's not always as rosy as it's sometimes made out to be.
Edit: while I'm ranting, an anecdote: tried to buy a new nice-ish hoover online a few weeks ago. Looked up prices, and all the major players have it - Saturn etc. - and I see a small shop that's an authorized retailer for the brand and figure "Sure, I'd much rather give my money to you than the massive companies" went ahead, and hey presto, I receive every automated order received/packed/sent email from them, only to have the owner contact me a few days later and admitted he had a problem in his supply chain. Fine, these things happen, he promises delivery a week later, and I go with it. Of course, their website still listed the same damned thing in stock and, of course, there was another delay after that week. Cancelled the order, gave my money to Saturn mutter mutter grump grump and had the hoover the very next day. GRRRRR.
>"Lowest I've seen is 3% plus base rate. If you typed "poland mortgage rates" into Google, you might be seeing the same infobox as I am, which references a US-based credit union. Taking Millenium Bank as an example, the calculator on their site offers 3.6% - base not included - for 25 years on a house value of 1,000,000zł with a loan of 700,000zł. That seems gigantic to me, and over 25 years it's just painful."
Sitting with a 10.x% mortgage right now in sunny South Africa. It's all about perspective. Then again, we're on-par to paying the thing off within a few years, but plenty of people carry their mortgage around for up to 30 years, or more with re-financing.
This is totally and completely insane. If a site gets hacked and your money is stolen there's no way the bank is going to indemnify you when you willingly turned over your credentials to a third party.
Do they have to have all kinds of specialized fraud detection in place to prevent unknown IPs from transferring more than a certain dollar amount? It also just occurred to me that you probably can't have 2-factor enabled on your bank account.
This same procedure is used in the United States with startup darlings like Coinbase. No debit card or one-time-password required, please give your real bank account password.
I had heard good things about mint, and I liked the 'dashboard' screenshots and such. Then I looked at how it worked, particularly "provide your bank credentials" part.
It didn't take long to realize how incredibly dangerous that was, and leave.
Banks should provide API access for services like this because it mitigates significant security issues.
The second factor is the one time password. You get ~200 by snail mail and need one for each transaction. So you only give up control for one transfer. But yes, indeed, this is insane.
Generally, as the bank also tracks the rate at which your passwords get invalidated (by being used), they will automatically send you a new sheet when there are only ~20 remaining on your current sheet.
There isn't actually anything you can do with the login + password. Sure, you can look at the transactions, so I guess it's a privacy problem.
But any transaction or change usually requires generating a single use pin with your debit card and a small card reader. Some also use your mobile phone.
Some banks don't require a code at all for known contacts.
Some banks don't require a code at all for small amounts (under 50).
Some banks send you a plain SMS with a one-time-password.
Some banks send you an SMS with some additional information (receiver, amount) and a one-time-password.
Some banks ask for a one-time-password from a dongle.
Some banks ask for a one-time-password by entering a challenge code into your dongle and then the dongle generates the new one-time-password.
etc.
What I am trying to say is, there is no real standard. The best method I've come across so far is a device in which you insert your debit card, enter your PIN, then scan a QR code on the computer screen, and the device will actually show you the receiving IBAN + amount. After pressing OK you get a challenge that you have to enter on the website.
Also in the Netherlands the banks have an API they can use called iDEAL which does the same as "SOFORT" but instead of having "SOFORT" log in to your account, your actual bank immediately transfers the funds and sends an OK to the vendor.
It makes me really angry that bank security isn't standardized and that good systems like iDEAL don't find international adoption. Luxembourg is trying to develop its own version of iDEAL, e.g.
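The difference between a plain one-time password (the "plain SMS" case above) and a code that is bound to the receiving IBAN and amount (the card-reader-with-display case) is easiest to see in code. The following is an added illustration, not code from anyone in this thread and not any bank's actual TAN algorithm: it models both styles as HMAC-based six-digit codes over a constructed card secret and constructed IBANs, and shows that a transaction-bound code stops verifying the moment the IBAN or amount submitted to the bank differs from what the device displayed, while a plain code verifies regardless.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Toy model of the two TAN styles discussed above. The secret, IBANs and
// counter used below are constructed for this example, not real card data.

// digits turns an HMAC output into the six-digit code a device would show.
func digits(mac []byte) string {
	return fmt.Sprintf("%06d", binary.BigEndian.Uint32(mac[:4])%1000000)
}

// PlainTAN models an SMS or dongle code that depends only on the shared
// secret and a counter: it says nothing about which transfer it approves.
func PlainTAN(secret []byte, counter uint64) string {
	m := hmac.New(sha256.New, secret)
	var buf [8]byte
	binary.BigEndian.PutUint64(buf[:], counter)
	m.Write(buf[:])
	return digits(m.Sum(nil))
}

// TransactionTAN models a device that shows the receiving IBAN and amount
// and derives the code from them: the code is only valid for that transfer.
func TransactionTAN(secret []byte, iban string, cents int64, counter uint64) string {
	m := hmac.New(sha256.New, secret)
	var buf [8]byte
	binary.BigEndian.PutUint64(buf[:], counter)
	m.Write(buf[:])
	m.Write([]byte(iban))
	m.Write([]byte{0}) // separator so IBAN and amount cannot be re-split
	binary.BigEndian.PutUint64(buf[:], uint64(cents))
	m.Write(buf[:])
	return digits(m.Sum(nil))
}

// The bank side: recompute and compare in constant time so the comparison
// does not leak how many digits matched.
func VerifyPlainTAN(secret []byte, counter uint64, tan string) bool {
	return hmac.Equal([]byte(PlainTAN(secret, counter)), []byte(tan))
}

func VerifyTransactionTAN(secret []byte, iban string, cents int64, counter uint64, tan string) bool {
	return hmac.Equal([]byte(TransactionTAN(secret, iban, cents, counter)), []byte(tan))
}

func main() {
	secret := []byte("constructed-card-secret")
	shown, other := "NL00EXAM0000000001", "DE00EXAM0000000002" // constructed IBANs
	// The user approves a transfer to "shown" on the device display, but the
	// transfer that reaches the bank names "other" (e.g. a compromised PC).
	plain := PlainTAN(secret, 7)
	fmt.Println("plain TAN still valid for any IBAN:  ", VerifyPlainTAN(secret, 7, plain))
	bound := TransactionTAN(secret, shown, 4999, 7)
	fmt.Println("bound TAN valid for displayed IBAN:  ", VerifyTransactionTAN(secret, shown, 4999, 7, bound))
	fmt.Println("bound TAN valid for substituted IBAN:", VerifyTransactionTAN(secret, other, 4999, 7, bound))
}
```

The counter plays the role of the sheet index or device counter, so a code cannot be reused once the bank has moved on; the IBAN and amount inputs are what make the display on the device meaningful, because the bank only accepts the code for exactly what the user saw.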
This is a solved problem. Credit cards work great.
The issue is that lots of merchants (particularly in the EU) simply don't want to deal with the fees associated with credit cards, so they come up with lots of creative ways to externalize the cost of fraud to consumers.
No, they don't. They are completely insane as well. They are like smart cards, but with the secret printed on them, visible to the world. If you want to clone them you don't need a highly advanced lab, you can just remember the number. You also share said "secret" with everybody you do business with.
Of course you constantly get your money stolen. You just don't notice because the loss is distributed evenly. That's why they are so expensive.
I'm surprised people use such a low-tech system. I wouldn't even accept such an authentication system for my throw-away reddit accounts, let alone for money.
Sure, I don't dispute that credit cards are technically very simplistic and basically don't have any security.
The huge benefit of them is that almost all those security risks are externalized. If someone uses my credit card fraudulently, I don't pay any of the costs. Basically every alternative (Verified by Visa, etc.) is about shifting those liabilities back to the consumer.
Which is vastly superior to the alternative, which is taking on the liability myself and facing the possibility of being financially devastated by fraud and/or theft.
The best alternative is a system where the bank still carries the liability but the system is harder to defraud (i.e. because it does push instead of shared secrets authorizing pull).
Yes, but if your credit card gets stolen, it is not your money that is getting stolen. Credit card companies are okay with that. If a CC is convenient, a lot of people will use it. These companies don't care if they have to reimburse let's say 10% of all transactions. In this case convenience > security.
In the UK at least, all our payments in store above £20 require a PIN to be used (payments below £20 you can use the fairly recently introduced touch pay which just requires you to touch the card to the payment machine).
If you are purchasing online, all my credit and debit card payments require me to enter 3 random characters from my (previously set up) password.
Not sure what the system is like elsewhere in Europe/worldwide.
> In the UK at least, all our payments in store above £20 require a PIN to be used...
Not true (notwithstanding that it increased to £30). Some people (myself included) have opted for a chip-and-signature card instead of chip-and-pin, because it is harder for the bank to push the cost of fraud onto me that way.
It's been only seven years (I think?) since chip-and-pin was introduced. It's amazing how quickly all the checkout staff have forgotten what to do when their till tells them to check the card signature. Also almost none of them actually have a pen to hand.
Did not know the limit had been increased, and agree about checkout staff having no clue when the pin does not work (happens a fair amount with foreign cards).
I've seen a lot of people in the US not sign their card and instead write "ask for ID", which seems like a much smarter move!
This works great, but some international merchants (some airlines in my case) don't support it yet. I've gotten my card declined with a relevant error message but no redirect to my bank's 2FA login page.
If they don't want to pay the fees, why don't they just develop some open payment protocol any bank and merchant could use? It would also solve the privacy problem with sending customer data to the USA (Visa and MasterCard are both American companies).
> This is common practice in germany. The whole payment methode "sofortüberweisung" or "sofort" is based on this.
I've never used that and only one person I know did use it ever. And even that person felt rather uncomfortable about it. So I don't think it's very common.
A year ago or so it was also exposed that sofortüberweisung doesn't only do the transfer, they actually retrieve details of all recent transfers.
Well, given that they have all the login information (bank, user/account number, password/pin) they can basically access everything that is read-only and not TAN protected.
For my bank the transfers of the last month would be accessible right away, for example.
Honestly, I (German as well) didn't believe 1ris right off the bat and went to their website to prove someone wrong on the internet. Oh my, was I wrong (apologies, 1ris). Horrible idea.
This is a common method of payment in Finland as well, but, the store always asks you to choose your bank, then redirects you to the online bank where you then authenticate and authorize the transfer on the bank's website. It then redirects you back to the merchant's website.
Basically, banks provide an API (similar to OAuth? I guess) where the merchant only asks the bank for a specific amount of money, and the authentication and authorization of the payment happens only directly between the customer and the bank.
Why would this be so hard to do in other countries?
And note: the same authorization is mandatory also for credit card payments in Finnish web shops.
I.e. when you're ready with your shopping cart and click "pay", and give your credit card number, then next thing is a redirect to the bank's page (where you really should check the URL and SSL certificate...), you give your OTP for bank login, and this authorizes the credit card payment, you get a redirect back to the seller website and complete the transaction.
> where you really should check the URL and SSL certificate...
Yeah, we are really training people to be vulnerable to phishing scams, aren't we.
The advice I give is that if you didn't type the URL of the bank web site into the address bar yourself, it may not be your actual bank you are talking to.
I thought in Germany you used one-time disposable TAN numbers for this purpose?
Australia also has direct person-to-person/business money transfers, but without the one-time-use pins. That this company would even ask for a bank login is terrible and unnecessary.
> I thought in Germany you used one-time disposable TAN numbers for this purpose?
We do, Sofortüberweisung just acts as a man in the middle and passes through all TAN requests from the banking website to the client. They can't transfer money out of your account without your consent, but they can do just about anything else that doesn't require a TAN.
If someone intercepts the traffic (a hack on sofort's server) they could read all transactions and account info without anyone noticing. Guess with that information you could make a lot of money phishing.
>>we urgently need a law that makes wire transferees instant
Not sure about Germany, in the US this is a "technical" issue with the way consumer banking settlement is implemented. The notification of the intent to move the funds is almost instantaneous, the actual clearing takes days in some cases.
In the UK it was solved by making all small transfers instant, while large transfers (direct debits, salaries) are still settled overnight. That way most of the transfers are instant while >90% of the amount transferred is still settled. Avoids issues for the banks' cash management while it's convenient for the user at the same time.
I think the US has the problem that it had to set up that way when clearing was done physically (due to the size of the country) and it's now very costly to change, for very little benefit to the banks.
While that's true, they're still mostly used for rather small amounts. The payment volume is around 5% of all electronic payments [1].
Not saying that Faster Payments are not a good thing, but they would probably cause problems for banks if most money would be moved by it. It works well because the major source of cash management is done due to card payments, direct debits and Bacs. So the normal cash buffer a bank holds throughout the day is sufficient to do fast transactions.
What we need is just a secondary password with limited permissions and some fraud guarantees. There's no reason your bank account can't also act as a payments gateway with the right protections.
Any password that you give out will be stolen; that's why "let's have a special secondary password" doesn't solve much. There are now passwordless ways to authenticate, authorize, prove identity, make payments, etc. so that's what we should be suggesting.
Apple Pay is technically trying to solve this problem by providing one-time authentication keys for a specific transaction at time of payment. This sort of key can not be reused in another transaction... What exactly do you mean with other passwordless ways?
To solve the problem with Sofortüberweisung it would be enough if my bank would just provide a digitally signed statement that I authorized a payment and had enough funds at the time, so they would execute it. I could take this statement, show it to the merchant and he could verify it by using a publicly known public key of that bank. If nothing better is available it could be the key they use on their website.
I wonder who has an interest in not already having this. I can't be the first person with that idea.
From what I understand, this is basically what happens for most online credit card payments. If you enter your credentials, you're redirected to a verification page by the issuer where you have to enter a password or SMS-sent key. On success, this page then passes a signed token (or similar) back to the original online shop as confirmation.
Is that actually true? I remember I used Sofortüberweisung once when I had to and it didn't feel (for a lack of a better term) as if I was sharing my credentials with Sofort.
It was a long time ago but I had the impression that they used some kind of legitimate connection to your bank (with TAN check and my original banking interface) and were only notified about the success (or failure) of the transaction while never receiving the sensitive credentials themselves.
In Estonia it was solved in a somewhat saner way: there is a unified framework with which customers can:
- click on a Pay with Internet bank link
- it directs you to your chosen bank's internet bank
- you log in
- the payment is already pre-filled and
- once it is done the seller gets a signed confirmation from the bank that the transaction has actually happened.
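An added example (editor's code, not from any commenter and not any real bank's protocol) of the signed statement proposed a few comments up, which is also the shape of the signed confirmation in the Estonian flow and of the token the 3D Secure reply describes: the bank signs a short statement binding amount, payee and order reference; the merchant verifies it under the bank's published key, checks it is for this order, and refuses expired or replayed copies. Ed25519, JSON, the field names, the bank-id-to-key map and the nonce-based replay check are all assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Statement is what the bank signs once the customer has authorised the payment
// in the bank's own interface. Field names are this example's own.
type Statement struct {
	Bank      string `json:"bank"`       // issuer id, selects the public key to try
	Merchant  string `json:"merchant"`   // payee the customer approved
	OrderID   string `json:"order_id"`   // merchant reference the customer approved
	Amount    int64  `json:"amount"`     // minor units (cents), never a float
	Currency  string `json:"currency"`
	IssuedAt  int64  `json:"issued_at"`  // unix seconds
	ExpiresAt int64  `json:"expires_at"` // short validity window
	Nonce     string `json:"nonce"`      // unique per statement, so a copy cannot be replayed
}

// SignedStatement carries the exact bytes that were signed; the merchant verifies
// those bytes, never a re-serialisation of the parsed struct.
type SignedStatement struct {
	Payload   []byte
	Signature []byte
}

// Sign is the bank side: serialise once, sign that serialisation.
func Sign(priv ed25519.PrivateKey, st Statement) (SignedStatement, error) {
	payload, err := json.Marshal(st)
	if err != nil {
		return SignedStatement{}, err
	}
	return SignedStatement{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// Verifier is the merchant side. Keys holds each bank's published key, obtained
// out of band (pinned from the bank's own site, as the comment suggests).
type Verifier struct {
	Keys map[string]ed25519.PublicKey
	seen map[string]bool // nonces already accepted
}

const clockSkew = 30 * time.Second // tolerated bank/merchant clock difference

func NewVerifier(keys map[string]ed25519.PublicKey) *Verifier {
	return &Verifier{Keys: keys, seen: map[string]bool{}}
}

// Verify checks signature, binding to this order, validity window and replay, in
// that order. The claimed bank name only selects which key to try; nothing else
// in the payload is trusted until the signature holds.
func (v *Verifier) Verify(ss SignedStatement, merchant, orderID string, amount int64, currency string, now time.Time) error {
	var st Statement
	if err := json.Unmarshal(ss.Payload, &st); err != nil {
		return err
	}
	pub, ok := v.Keys[st.Bank]
	if !ok {
		return errors.New("statement names an unknown bank")
	}
	if !ed25519.Verify(pub, ss.Payload, ss.Signature) {
		return errors.New("signature does not verify under that bank's key")
	}
	if st.Merchant != merchant || st.OrderID != orderID || st.Amount != amount || st.Currency != currency {
		return errors.New("statement is not for this order")
	}
	if now.Unix() > st.ExpiresAt || st.IssuedAt > now.Add(clockSkew).Unix() {
		return errors.New("statement outside its validity window")
	}
	if v.seen[st.Nonce] {
		return errors.New("statement already used")
	}
	v.seen[st.Nonce] = true
	return nil
}

// Demo: one honest statement, the same bytes with the amount edited in transit,
// and a replay of the honest statement. Key and clock are constructed.
func Demo() (accepted, tamperRejected, replayRejected bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	v := NewVerifier(map[string]ed25519.PublicKey{"bank.example": pub})
	now := time.Unix(1700000000, 0) // fixed clock keeps the demo deterministic
	ss, _ := Sign(priv, Statement{Bank: "bank.example", Merchant: "shop.example", OrderID: "A-1001",
		Amount: 1999, Currency: "EUR", IssuedAt: now.Unix(), ExpiresAt: now.Add(5 * time.Minute).Unix(), Nonce: "n-7f3a9c"})

	accepted = v.Verify(ss, "shop.example", "A-1001", 1999, "EUR", now) == nil

	tampered := SignedStatement{ // attacker raises the amount but cannot re-sign
		Payload:   bytes.Replace(ss.Payload, []byte(`"amount":1999`), []byte(`"amount":19990`), 1),
		Signature: ss.Signature,
	}
	tamperRejected = v.Verify(tampered, "shop.example", "A-1001", 19990, "EUR", now) != nil

	replayRejected = v.Verify(ss, "shop.example", "A-1001", 1999, "EUR", now.Add(time.Second)) != nil
	return
}

func main() {
	fmt.Println(Demo()) // true true true
}
```

The order of checks matters: the signature is verified over the received bytes before any field is compared, and the nonce is only recorded after every other check passes, so a rejected statement does not burn a nonce an honest retry would need.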
.nl and .in have similar systems that allow one-time transfers to be made using your online bank account.
In .nl they have iDEAL, as someone already pointed out. In .in, we have to integrate with each bank individually, and there are several aggregators that do this for you, and you don't have to sign an agreement with each bank.
Yes, I have noticed. But thanks for the update again :) I think the future is here, it's just not evenly distributed. But I really laugh when talking to someone who has just heard of this new exciting London or SV Fintech startup and learns that in some countries this is already forgotten history and we moved forward since :) I think Poland is more striking for them than The Netherlands as people are used to thinking about old Comm block countries as a bit backwards ;)
Wire transfers, at least internationally, can't be instant since there is no such thing as an international wire transfer. What there is is a bunch of agreements between banks. So at least globally a law won't change anything.
Not only is there such a thing as a common system for international wire transfers in Europe (SEPA Credit Transfer, which is also used for domestic wires), instant payments are coming soon™ to that (supposedly end of next year): http://www.europeanpaymentscouncil.eu/index.cfm/sepa-instant...
The existence of SEPA shows that it might be viable on a larger scale. While the EU and EEA members already share a common legal framework, the other two SEPA members (San Marino and Monaco) don't (even though they cooperate closely with the EU in certain areas). With enough political will a larger payment area doesn't seem impossible. (But personally I can't imagine this to happen globally.)
In the USA, you give them a number (which is written on each check anyway) that allows anyone to empty your account if so they wish, with absolutely no passwords or anything else.
From the merchant's perspective this works because bank transfers have to be free for both the source and the destination. So banks have an incentive to sabotage this and they will. By contrast bank fees on credit cards can go close to 6% now. That's why you get cashback offers, points, ... on credit card offers.
I think a lot of people (but not banks) would be very keen on having regulated fees for transfers. Of course, not banks.
But you are right about credit cards, it's not that much.
Right now I'm more or less forced to use paypal. They offer a very similar service. I'm paying a tiny bit less than 10% of my income directly to paypal.
Huh? Merchants definitely are the ones who pay card processing fees.
Some small merchants offer cash discounts, but that's comparatively very rare.
Edit: since you mentioned Paypal, I agree that they're horrible to both merchants and consumers. Stay far away if you can. (In fact, I'm curious why you're using Paypal instead of someone friendlier like Stripe.)
In my experience merchants in Australia often add the fee directly at checkout. You can't really pass on the costs any more direct than that. They often do provide PayPal for checkout, which is why I expect people use it. Stripe is simply not present, so how could we use it?
I'm mostly speaking from the US perspective, where credit card surcharges are extremely rare for online transactions (and only slightly less rare for offline ones).
Stripe is meant as a suggestion for merchants, not customers.
The merchants pass on those costs in the form of higher prices. The better your rewards the more someone else is subsidizing your credit card fees, but you're not breaking even either.
Sure, in the same sense that merchants pass on all costs in the form of higher prices.
That being said, if you play it right you can actually make far more in rewards than the merchants paid. There's a whole subculture devoted to it: I routinely earn around 4-5% back, to the point that I prefer to pay my taxes via credit card even with the surcharge.
Yea! Except for providing seamless global payments, distributed credit provisioning, fraud protection, rewards, travel benefits, purchase insurance, what have credit cards ever done for the economy?!
I don't understand why we don't do that here. People like the rewards but that only works because the cost of those rewards is subsidised by a price increase for everyone, even the people paying cash.
I wonder why we do not have cash prices and whenever you want to use a credit card you have to pay the fee on top.
I heard this is in the contracts between merchants and credit card companies. Merchants are not allowed to make prices more transparent to consumers or they will lose the ability to accept credit card payments.
>> Credit card transaction fees are regulated at a much lower level in Europe.
> I don't understand why we don't do that here.
It really comes down to allowing markets to operate efficiently. Such regulation, in order to work as intended, creates a price ceiling for the credit card market. This ceiling produces a deadweight loss (in this case, you would likely see it as either a reduction in the aggregate quantity of credit extended to consumers or the perks associated with using the card like fraud protection, ability to file chargebacks, and customer support). On the whole (producer surplus + consumer surplus), you will observe such a loss.
Now what makes the government more capable of determining appropriate prices than market participants themselves? Allowing a competitive market to determine prices for credit services will drive the cost of the services to an efficient level. Given that governments are tasked with many pressing issues, it's reasonable to believe that they can only afford to put so many resources into assessing price levels for each regulated good or service. However, each market participant is able to focus solely on determining a price for the product offered. Even if the government can determine the optimal price level for the market, there is necessarily a lag time for the regulation to be passed and implemented, reducing the ability of the market to respond to systemic shocks and changing conditions.
Along different lines, if price regulations on credit card fees are acceptable, should the government install price ceilings on housing (causing reduced incentive to build more) and other markets? Should the price of all meals at restaurants be capped at $10 so more people can dine out? In the latter example it's easier to imagine the ramifications of a price ceiling, but the same market forces are at work.
> People like the rewards but that only works because the cost of those rewards is subsidised by a price increase for everyone, even the people paying cash.
That's not true in specific, observable cases, and I suspect it's not true in general either.
To provide concrete examples, many gas stations and vending machines offer discounts for paying with cash instead of card, specifically to avoid the impact of fees on their prices. Additionally, vendors can choose to set minimum thresholds at which they accept credit cards, in order to mitigate the impact on their pricing and profitability.
In general, I assume the rewards are not truly subsidized by merchant fees. From my recollection of previous reading on the subject (I'd appreciate more accurate numbers if someone can provide them), merchants pay 3% to accept the credit card. ~2.5% of the fee is consumed by the cost of fraud. The remainder is split between the payment processor (e.g. Stripe), the issuing bank, and the credit card company. Clearly in a world of 2% rewards cards, a 3% fee does not allow for fraud protection, servicing expenses, and rewards.
My guess is that rewards programs only become feasible when you consider the interest charged on unpaid balances. Somewhere on the order of 50% - 70% of consumers carry debt on their credit cards. At 6% - 30% APR, this expense can reasonably cover the perks conferred by a credit card. If all consumers suddenly stopped carrying debt on credit cards, I suspect rewards programs would disappear rapidly.
To elaborate on this further, a competitive market in payments allows for a great diversity in interchange rates for different payment types.[0] This allows competing payment networks (Visa, Mastercard, AmEx, etc.) to offer the exact most efficient rate for a transaction, based on their actual costs. Under a regulated system, less risky transactions would be subsidizing more risky transactions, because the rates are capped. Our current system allows a major grocery retailer like Costco to have flat rates at $0.30 per transaction.
I found your analysis very interesting but I think one thing is missing from it.
Once a product or service becomes ubiquitous, people will sign on partly due to the social pressure of being left out - e.g. I might get a social media account just in case my friends want to chat to me there, or a credit card because it is the primary method for online payment.
Customers like this are not necessarily as engaged with the product/service as the initial, enthusiastic ones. The difference in engagement creates a pyramid scheme of perverse incentives, where the companies create more and more benefits for their "engaged" customers and offload the costs to everyone else. Companies get really good at evaluating just how much cost to offload without disturbing the largely unengaged customers.
This leads to the creation of a secondary market, where you compete on extra features for the engaged part of your consumer base. Here on HN, we proudly acknowledge this fact when companies cater to geeks and techies - if I like your product, I will convince my relatives to use it.
This practice is not necessarily malicious, but the cost of pleasing your engaged consumers must naturally come from somewhere. When a credit company adds bonuses and incentives, they are not trying to serve the interests of all their consumers.
I don't know if government intervention is appropriate in this case, especially simple and heavy-handed rules like a price ceiling. However, in this case, the incentives of the government are more closely aligned with that of all the consumers, compared to the company.
(I hope this post was coherent, I rarely write on mobile)
The EU cap is 0.2% for debit cards, so for transactions under €150, everyone gets that super Costco rate or less. Alternatively, the cap can be set to €0.05.
The card companies still appear to be making good profits.
The problem with capping the rate for all transactions is that some riskier transactions simply cost more than this to process. Without being able to charge more for them, processors will likely make the decision to just not handle these. Suddenly, entire industries and classes of customer will be shut out of the network, simply because they can't be charged fairly.
For a German it is common to have a "check account". The underlying system is called "girocard". It contains a module for paying in stores (electronic cash) and another one for withdrawing money from cash dispensers ("Deutsches Geldautomaten-System"). In addition to that most banks offer their customers access to "maestro" (some debit card service from Master Card) and V-Pay (same as maestro but from Visa). Credit cards are only popular among the younger population as they need them to buy things online (iTunes, Google Play, etc...).
However the "check accounts" come with a different kind of insurance. You can read quite a lot about that online, my personal experience is the following: If somebody steals (no matter how) 200€ from your credit card the bank will cancel the transaction immediately, if the same happens with your "check account" you need to go to court to get it back.
Having this system you might imagine why our online-banking is overly complex:
You have to log in with a username and a password [=PIN] (for some banks you have a fixed username, at others you can choose one). Afterwards you are allowed to send someone money. For that you require another one-time password [=TAN]. This TAN can be obtained in multiple ways:
1. Snail mail (just a printed TAN list, asking you for a random free TAN)
2. Snail mail (a printed TAN list, asking you for a specific TAN at a given index)
3. Snail mail (a printed TAN list, asking you for a specific TAN at a given index and returning a verification code that is also printed on the list)
4. Mobile TAN (TAN via SMS)
5. Push TAN (TAN via banking app)
6. Photo TAN / QR TAN (optical system which works with pub/priv keys to verify your transaction)
7. Chip TAN (special device that uses the chip in your card to verify your transaction)
After you have verified your transaction it takes up to three days before the receiver's bank notifies the receiver that he got the money. The real joke is that everything regarding payments can be transmitted in real time. However some banks make use of these days to generate more interest.
End of the story: If you want to pay for something online and you want to receive it quickly you need to either use a credit card or some proprietary system that your bank might support (see paydirekt, giropay). As both might not be available for some users they either have to wait for 3 days for their money to arrive at the receiver or use an untrustworthy service like sofortüberweisung (which scans all your transactions and predicts your accountability) [Disclaimer: If I remember correctly, German ref. http://www.pcwelt.de/news/Datenschuetzer-alarmiert-Sofortueb...].
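The TAN variants listed above are not equivalent from a phishing point of view, and an added example (editor's code, not from the commenter or any bank) shows why: a plain TAN list, where the code says nothing about the transfer, beside a transaction-bound TAN in the chipTAN/photoTAN style, where the code is derived from the IBAN and amount the device displayed. The bound variant is modelled here as HMAC-SHA256 over a counter, the IBAN and the amount with HOTP-style truncation; that is an assumption, real chipTAN uses the card's own EMV-based algorithm. IBANs, the card secret and the TAN list are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Transfer holds the fields a TAN ought to protect.
type Transfer struct {
	IBAN        string
	AmountCents int64
}

// Scheme 1: indexed TAN list ("please enter TAN no. 17"). The code is independent
// of the transfer, so a phished code authorises whatever the phisher substitutes.
type TANList struct {
	codes []string
	next  int
}

func (l *TANList) Challenge() int { return l.next } // index the bank asks for

func (l *TANList) Verify(idx int, tan string, _ Transfer) bool {
	if idx != l.next || idx >= len(l.codes) || tan != l.codes[idx] {
		return false
	}
	l.next++ // each code is single use
	return true
}

// Scheme 2: transaction-bound TAN (chipTAN / photoTAN style), modelled as
// HMAC-SHA256 over counter, IBAN and amount, truncated to six digits as HOTP
// (RFC 4226) does. The binding to the displayed transfer is the point, not the primitive.
func boundTAN(secret []byte, counter uint64, t Transfer) string {
	mac := hmac.New(sha256.New, secret)
	var buf [8]byte
	binary.BigEndian.PutUint64(buf[:], counter)
	mac.Write(buf[:])
	mac.Write([]byte(t.IBAN))
	mac.Write([]byte{0}) // separator: IBAN bytes cannot spill into the amount
	binary.BigEndian.PutUint64(buf[:], uint64(t.AmountCents))
	mac.Write(buf[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// Reader is the customer's device: it shows IBAN and amount on its own display
// and derives the code from exactly what it showed.
type Reader struct {
	secret  []byte
	counter uint64
}

func (r *Reader) Generate(t Transfer) string {
	tan := boundTAN(r.secret, r.counter, t)
	r.counter++
	return tan
}

// BoundVerifier is the bank side, holding the same secret and counter.
type BoundVerifier struct {
	secret  []byte
	counter uint64
	window  uint64 // tolerated counter drift (HOTP look-ahead)
}

func (b *BoundVerifier) Verify(tan string, t Transfer) bool {
	for i := uint64(0); i <= b.window; i++ {
		if hmac.Equal([]byte(tan), []byte(boundTAN(b.secret, b.counter+i, t))) {
			b.counter += i + 1 // resync and burn the code
			return true
		}
	}
	return false
}

// Demo: the customer approves `intended`; a phisher sitting in the session swaps
// in `swapped` before the bank sees the transfer. All values are constructed.
func Demo() (listAcceptsSwap, boundAcceptsSwap, boundAcceptsIntended bool) {
	intended := Transfer{IBAN: "DE89370400440532013000", AmountCents: 12345}
	swapped := Transfer{IBAN: "DE02120300000000202051", AmountCents: 999900}

	list := &TANList{codes: []string{"482913", "115674", "903321"}}
	idx := list.Challenge()
	phished := list.codes[idx] // what the customer typed into the phishing page
	listAcceptsSwap = list.Verify(idx, phished, swapped)

	secret := []byte("per-card secret, assumed shared with the bank")
	reader := &Reader{secret: secret}
	bank := &BoundVerifier{secret: secret, window: 3}
	tan := reader.Generate(intended) // derived from what the reader displayed
	boundAcceptsSwap = bank.Verify(tan, swapped)
	boundAcceptsIntended = bank.Verify(tan, intended)
	return
}

func main() {
	fmt.Println(Demo()) // true false true
}
```

Mobile TAN sits between the two: the SMS usually carries the IBAN and amount so the customer can compare, but the code itself is not derived from them, so a customer who does not read the text is back in the first scheme.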
>Yes, I've spoken to them. They don't see an issue.
This is exactly why the PCI Security Standards Council is a thing. They need to have someone straight up tell them something at least as serious as "fix this, or we will no longer take your credit card payments". Honestly, it's better off being "we aren't taking your credit card payments, you should know better. Fix this and go through a security audit and we might reinstate you".
But this isn't a credit card payment. This is for direct debit.
I've sadly seen all sorts of stuff spring up around this in Australia, like https://polipayments.com/Buy (which e.g. is one of the only ways a normal person can pay for a jetstar flight without a credit card surcharge)
What's wrong with just sending money from your acct# to their acct# with a reference number/code to identify that transaction as you? Other businesses work this way (such as my power and phone bills from diff. companies), but the NZTA for example requires me to use either a credit card (which is fine) or POLi, which is garbage.
"no one can see your bank details" it says on https://www.polipayments.com/security which is a fraudulent claim, yeah the hell you can, its being sent to your server, not my bank, this is crazy. It also says they don't cache anything -- all kinds of criminals claim they're up to no harm. POLi says they're up to no harm, why should I believe them? There is NO EXCUSE for using POLi vs. just paying with your bank, if a business offers POLi and not bank transfer directly or a credit card, i would never even remotely entertain doing business with them. NZTA is not a business though, it's a government agency. You can do it in person though (transfer ownership of a car for example), or by CC, so whatever, I don't understand who would ever use POLi, the naive? Hopefully they go bankrupt in the near future.
It is for a credit card payment - the article mentions they paid via AmEx, their card was charged, and then a day later the website asked them to provide the login to their AmEx account as proof that they are the card holder. (Some/many AmEx cards come direct from AmEx itself, not via a bank.)
It appears that AmEx offers both, I have a credit card Amex via my bank that has both a spending limit & doesn't have to be paid off each month (though I always do anyway). But I learned something today, thank you!
American Express offers something like 30+ products (there's like six versions of the Platinum card alone). Some are charge cards and some are credit cards, they offer a wide variety of both.
Fun fact, they have a limit to how many credit cards you can have with them (6?) But no limit on the number of charge cards they will issue you.
That's excluding AMEX cards issued by third parties.
I'm confused. They think this is easiest? Either they have someone manually going into bank accounts and making transfers, or somebody actually programmed something to log in via the webpage and do stuff. Neither of those are "quick and easy".
Is a paypal button really so hard?
Also, how are they not shut down? It seems a single user sending that screenshot to Amex should be more than sufficient to close any merchant account they have.
It's still around for some things, eg Jetstar. You used to be able to do a manual online transfer to pay for flights but now POLi is the only way you can avoid the $5 credit card surcharge. Grinds on me every time I buy a flight.
Poli now manage this via an API with Westpac at least, i.e. you go to Poli, redirect to Westpac and log in, then redirect back to Poli who pull in the info with an API. Very much like an OAuth flow, but I don't know the actual details of it. (I won't get into how oauth isn't a great solution, but at least I'm not exposing my creds to Poli).
There was a similar attempt here in Poland a few years ago, I believe it was sofort used by a few online shops owned by German parent companies.
This ended very soon, because people here are quite sensitive to such practices and the Financial Supervision Authority began an informative action as this was against the law.
But what was more important, people quickly realized that they could abuse this process. After such a payment, they logged in again to their bank account and cancelled the wire transfer (in most banks we can cancel a wire transfer until it actually leaves your account a few hours later), and then changed their bank password. From the point of view of the shop, the payment was successful, they processed the order, but never got cash for it. This was the reason such payment systems ended very soon.
Like kybernetyk and others wrote, in Poland we have a very modern banking system, there's no problem making a fast wire (up to 15min) using official banking systems or reliable payment systems - you authorize each transaction directly in your bank system without revealing your login details to the middleman.
Stay away from German payment "inventions" like Sofort, direct debit by default, "cash is the king" bollocks. Many German retailers and "startups" entering the Polish market are trying to introduce their (low) standards and this can deteriorate banking culture in Poland. The retail banking in Poland is working really well and is customer friendly - keep it this way.
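The abuse described in the comment above works because the shop treats "the customer submitted a transfer" as payment. An added example (editor's code, not from the commenter or any payment provider) of the merchant-side rule that closes the gap: release an order only once the credit actually appears on the merchant's own account, treat a cancellation as final, and expire "initiated" notices that no credit ever followed. The event kinds, the grace period and the sample history are assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"time"
)

type Order struct {
	ID     string
	Amount int64 // cents
}

// Event is what the merchant learns about an order's money. Kinds are this
// example's own: "initiated" (a Sofort-style intermediary saw the customer submit
// the transfer), "cancelled" (payer pulled it back), "credited" (the amount is on
// the merchant's own bank statement, matched by reference).
type Event struct {
	At      time.Time
	OrderID string
	Kind    string
	Amount  int64 // only meaningful for "credited"
}

type Decision struct {
	Ship   bool
	Reason string
}

// Decide says, per order, whether goods may leave. Only a credit on the merchant's
// own account counts; an "initiated" notice is a promise that lapses if no credit
// follows within grace.
func Decide(orders []Order, events []Event, now time.Time, grace time.Duration) map[string]Decision {
	credited := map[string]int64{}
	cancelled := map[string]bool{}
	initiated := map[string]time.Time{}
	for _, e := range events {
		switch e.Kind {
		case "credited":
			credited[e.OrderID] += e.Amount
		case "cancelled":
			cancelled[e.OrderID] = true
		case "initiated":
			if t, ok := initiated[e.OrderID]; !ok || e.At.Before(t) {
				initiated[e.OrderID] = e.At
			}
		}
	}
	out := map[string]Decision{}
	for _, o := range orders {
		switch {
		case credited[o.ID] >= o.Amount:
			out[o.ID] = Decision{true, "funds credited"}
		case cancelled[o.ID]:
			out[o.ID] = Decision{false, "transfer cancelled by payer"}
		case credited[o.ID] > 0:
			out[o.ID] = Decision{false, "partial credit, hold"}
		default:
			if t, ok := initiated[o.ID]; ok && now.Sub(t) > grace {
				out[o.ID] = Decision{false, "initiated but never credited"}
			} else {
				out[o.ID] = Decision{false, "awaiting credit"}
			}
		}
	}
	return out
}

// Demo replays a constructed event history against the given clock.
func Demo(now time.Time) map[string]Decision {
	day := 24 * time.Hour
	orders := []Order{{"A-1", 4999}, {"B-2", 2500}, {"C-3", 8900}, {"D-4", 1200}}
	events := []Event{
		{now.Add(-3 * day), "A-1", "initiated", 0},
		{now.Add(-3*day + 2*time.Hour), "A-1", "cancelled", 0}, // the abuse from the comment
		{now.Add(-2 * day), "B-2", "initiated", 0},
		{now.Add(-day), "B-2", "credited", 2500},
		{now.Add(-3 * day), "C-3", "initiated", 0},   // nothing ever arrived
		{now.Add(-time.Hour), "D-4", "initiated", 0}, // still inside the grace period
	}
	return Decide(orders, events, now, 2*day)
}

func main() {
	for id, d := range Demo(time.Now()) {
		fmt.Printf("%s ship=%v (%s)\n", id, d.Ship, d.Reason)
	}
}
```

Matching the credit to the order by the payment reference is the part that needs care in practice: the reference is typed by the customer, so it should be compared after normalisation and the amount checked as well, as the rule above does.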
It's because Germany has a very low credit card penetration rate and the German debit cards cannot be used to guarantee a transaction. Direct debits can be cancelled without any reason for a while and aren't confirmed at all for several days.
Unfortunately that doesn't seem to change. The big banking networks have their own debit system that's not compatible with many international online payment systems. There is thus little incentive to switch to something like Visa/Mastercard debit cards.
>> Still an issue - tried to buy shoes from Deichmann, they requested my login credentials. WTF.
> It's because Germany has a very low credit card penetration rate and the German debit cards cannot be used to guarantee a transaction.
No, really: WHAT THE F&CK?!?
In Poland we have had instant payment services for years already. Each of the services directs the user to their own bank's website (login form). Payment clears instantly and confirmation of the payment (which is machine processable) is sent to the shop in a matter of minutes and with no human employee whatsoever.
We have had these systems working for years, and their use ranges from buying e-books through food to power tools and clothing on on-line auction sites.
I know the feeling. I live in the UK and travel to Germany regularly. Most retailers only accept the German version of a debit card. Luckily most supermarkets now accept credit cards, but small shops almost never do.
Leads to me avoiding small shops when I'm there, not really sure if that's the desired effect.
I don't think PCI compliance is a factor here (unfortunately) - they literally only deal with the taking of cards, I would think Banks should be looking at this pretty skeptically! Although here in Australia there seems to be a lot more "access" available to your bank account than in many other countries (including my native UK), it makes things like integrations nicer but I do wonder just when it's all going to come crashing down!
According to the PCI-DSS website, "[i]t is important to note that the payment brands and acquirers are responsible for enforcing compliance, not the PCI council." [1] No idea what the state of actual legally-enforceable penalties is.
In the meantime I've tweeted @AmericanExpress about this.
I think legally-enforceable penalties in a regulatory sense vary depending on where you and your customer are. But the contracts between you and your credit processing merchants are civilly enforceable and in my experience they don't mess around. They will fine you and raise your transaction costs when out of compliance and will ultimately cut you off if necessary. They also know their competitors will do the same thing because they bear the brunt of the costs incurred by fraud.
I wouldn't think there are any legally enforceable penalties except maybe through contract law. PCI-DSS is not law, it's an agreement between companies.
That is more referring to the user/pass you might use to log in and retrieve card details, say from a card vault for manual processing. Indeed PCI 3.1 (and actually from v2) has a strong requirement for MFA when connecting to the cardholder data environment network.
I've lived PCI for a while - I don't think this particular issue would fall under their purview. As per PCI-DSS doc, it is primarily concerned with the secure "acceptance, transmission and storage" of cardholder data.
If they use a 3rd party payment processor for their credit/debit card transactions, they will only have a very limited PCI scope (probably just SAQ-A) which will basically say "oh, make sure you send it to your processor over TLS" and don't peek.
This particular instance is probably one for the regulatory body, which in our case in Aus would likely be APRA.
Is that even legal? What is the difference between this company and phishers collecting bank logins?
And doesn't it look suspicious if the logins into different accounts are made from the same IP belonging to the online shop? Some banks in my country even require SMS verification if you are logging in from a new IP address.
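The pattern the comment points at, logins to many different customers' accounts arriving from one address the shop operates, is detectable on the bank side. An added example (editor's code, not from the commenter or any bank), with a constructed log format and constructed sample lines on TEST-NET addresses: count distinct accounts per source IP within a sliding window and report the sources above a threshold.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Login is one successful online-banking login as the bank's auth service logs it.
type Login struct {
	At   time.Time
	IP   string
	User string
}

// ParseLine reads the constructed format used below, e.g.
//   2016-09-14T10:02:11Z ip=203.0.113.10 user=u1041 result=ok
// Only successful logins are returned; anything else yields ok=false.
func ParseLine(line string) (Login, bool) {
	f := strings.Fields(line)
	if len(f) != 4 {
		return Login{}, false
	}
	at, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return Login{}, false
	}
	kv := map[string]string{}
	for _, p := range f[1:] {
		parts := strings.SplitN(p, "=", 2)
		if len(parts) != 2 {
			return Login{}, false
		}
		kv[parts[0]] = parts[1]
	}
	if kv["result"] != "ok" || kv["ip"] == "" || kv["user"] == "" {
		return Login{}, false
	}
	return Login{At: at, IP: kv["ip"], User: kv["user"]}, true
}

// SuspiciousSources returns, for each source IP reaching minAccounts, the largest
// number of distinct accounts it logged into within any span of `window`. A shop
// proxying customer credentials looks exactly like this; so does a large NAT,
// which is why the output feeds an analyst or an allowlist, not an automatic block.
func SuspiciousSources(logins []Login, window time.Duration, minAccounts int) map[string]int {
	byIP := map[string][]Login{}
	for _, l := range logins {
		byIP[l.IP] = append(byIP[l.IP], l)
	}
	out := map[string]int{}
	for ip, ls := range byIP {
		sort.Slice(ls, func(i, j int) bool { return ls[i].At.Before(ls[j].At) })
		best := 0
		for i := range ls { // a window starting at each login
			users := map[string]bool{}
			for j := i; j < len(ls) && ls[j].At.Sub(ls[i].At) <= window; j++ {
				users[ls[j].User] = true
			}
			if len(users) > best {
				best = len(users)
			}
		}
		if best >= minAccounts {
			out[ip] = best
		}
	}
	return out
}

// sampleLog is constructed: home users on TEST-NET addresses, plus one address
// (a hypothetical shop's server) logging in as six different customers in ten minutes.
const sampleLog = `
2016-09-14T09:58:30Z ip=198.51.100.7 user=u2201 result=ok
2016-09-14T10:00:02Z ip=203.0.113.10 user=u1041 result=ok
2016-09-14T10:01:45Z ip=203.0.113.10 user=u1187 result=ok
2016-09-14T10:02:11Z ip=203.0.113.10 user=u1041 result=ok
2016-09-14T10:03:20Z ip=192.0.2.44 user=u3310 result=ok
2016-09-14T10:04:09Z ip=203.0.113.10 user=u1593 result=ok
2016-09-14T10:05:51Z ip=203.0.113.10 user=u1720 result=fail
2016-09-14T10:06:02Z ip=203.0.113.10 user=u1720 result=ok
2016-09-14T10:07:33Z ip=203.0.113.10 user=u1902 result=ok
2016-09-14T10:09:14Z ip=203.0.113.10 user=u1234 result=ok
2016-09-14T11:30:00Z ip=198.51.100.7 user=u2202 result=ok
`

// Demo parses the sample and flags sources with five or more accounts in ten minutes.
func Demo() map[string]int {
	var logins []Login
	for _, line := range strings.Split(strings.TrimSpace(sampleLog), "\n") {
		if l, ok := ParseLine(line); ok {
			logins = append(logins, l)
		}
	}
	return SuspiciousSources(logins, 10*time.Minute, 5)
}

func main() {
	for ip, n := range Demo() {
		fmt.Printf("%s: %d distinct accounts within 10m\n", ip, n)
	}
}
```

The same counting works on any stable client attribute, such as a TLS fingerprint or a device cookie, which catches a shop that rotates egress addresses; the caveat about NAT applies to all of them.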
Why do I need to provide my bank login information (username, password, security questions)?
Mwave has identified online banking access as the quickest and easiest method to get access to your banking information. In order to access this information, it is required that you provide your username, password, and any security questions associated with your online banking account.
Mwave has identified online banking access as the quickest and easiest method to get access to your banking information.
Well, one can't argue that they're wrong in making that statement. However, that's the reason we don't give random websites the credentials for our "online banking access". :-)
I am wondering about the legalities of them doing this. I remember back when we had a merchant account for a retail style business, we were repeatedly warned by the bank that we were legally on the hook if we took a customer's credit card information and it got somehow compromised or leaked.
This was back in the pre-EFTPOS days when a store would have to keep a carbon copy of the customer card imprint (as well as their signature). We were told to guard those slips like gold, and dispose of them properly when not needed any longer, because with that information, we could in effect impersonate the customer elsewhere.
I would say that things have changed markedly these days, but I wonder if the legislation, especially here in Australia, has kept up with that, seeing as a customer's login credentials are effectively the same as having their signature which can be copied?
Bank passwords alone wouldn't work on any of my accounts because it would detect a different computer and request secondary authorization. It does this by looking at the information the browser sent...and...oh...oh. Geez I hate security theater. Is there anything less secure than the information sent by your browser?
It looks like their own ghetto implementation of Verified by Visa.
Verified by Visa is secure because it uses a shared secret (not terribly unlike how JWT works) for the merchant to redirect you to the bank (with information on what card you used), who verifies your username and password and that that is your card, who then redirects you back to the merchant with something that says "Yep, we verified them"
I don't think I've EVER had a VBV or Mastercard Securecode transaction actually work. I avoided buying stuff from NewEgg for a couple of years because of this.
My bank (Thailand) has VbV that requires me to set up personal phrase with the bank and that phrase is shown on VbV page. Also it sends SMS OTP to preregistered mobile number so I doubt any sites could fake that.
Verified By Visa happens immediately after you hit "pay", not a number of days later. Also, there's a number of implementations of it - some banks in the UK ask for a password you've set up previously, some don't, some ask for random other info. It is consistent between sites, though - it's bank-dependent, not site-dependent.
Typically the payment process is managed by a dedicated payment gateway through an iframe and not the merchant so it should in principle be slightly more secure than it looks. Someone mentioned Poli, one such gateway in Oz.
As being shut down is a genuine business risk they strive for legitimacy - I'd be surprised if it was in-country and operating without at least tacit agreement of banks. Even slow moving banks could counter against this type of browser automation technically - not to mention legal action. No large merchant would fancy negative security related PR either.
Honestly speaking - the payments industry is full of hacks like this. Look at US p2p systems built on ACH refunds. Or using 3D Secure for identity verification. Or processing pre-auths of 1 cents and rolling back to add a card to a wallet.
Banks are slow and competitive, schemes are just slow, central banks often take a wait-and-see approach. When they get their act together systems like this tend to be replaced or evolved into more sensible and durable solutions - but that can take awhile.
And in the meantime everyone tries every avenue possible to reduce fees or provide a better UX (in this case at the expense of consumer protection).
That link explains other security measures, but doesn't actually say that they need your bank/credit card login details though?!? (unless I missed it somewhere).
"Please note: Due to the rise of credit card fraud and for your security all credit card orders will be subject to detailed security checks requiring further documentation; that may include Driver Licence, CreditCard or bank statements. If your order does not meet our security check requirements, you will be contacted and further credit card security procedures will be implemented.
As part of our verification process we will utilise various procedures to ensure ultimate protection to the Credit Card holder. These processes may include but not limited to charging a small amount randomly under $2 requiring confirmation prior to approval; verbal verification via phone or a request for written Authorization, photo identification including valid Driver Licence, Utilities bill or the copy of the credit card or a request for your bank statement displaying the debit entry.
Mwave may also use a verification service powered by BankStatements.com.au, the Australian leader in automated bank statement data retrieval. Since 2013 BankStatements.com.au has provided secure, automated data retrieval services to over a quarter of a million Australians as part of their credit applications. "
I've talked with a friend working in the IT department of one of Austria's biggest banks (black + yellow colour ;) ) about it. Apparently, banks want to become the identification services of the future. The idea is that you can only (not sure if that is true) open a bank account with a valid ID, therefore the bank login can identify if a person is real or not.
Example: creating a Twitter/FB account with your bank credentials would make your account automatically an approved account (you are you)
This is true. However, they will not let you enter the details on the page itself.
In The Netherlands they are launching 'iDIN'. Which is a bit like OAuth 2.0, so it only provides the webshops with the things they need (and a bit more like age. So yay, privacy issues).
One of the problems is when this is done by companies instead of states. A company might remove your access for some non-obvious reasons. Just see the current trending HN link http://www.dansdeals.com/archives/98444 where google suspended an account and with that the person could not use the google login anymore. Even for non-google pages. That is scary. A protocol like the EDUROAM system would be nice. In that case, credentials include a domain (usually a Uni name), and with that domain the home uni (bank) can be used as an authentication authority.
As the son of an otherwise amazing woman who falls for every credit card scam to ever hit her inbox I think this is another great reminder of the mindset disparity between techies and the wider public. While we obsess over end-to-end encryption and distributed ledgers the vast majority of people are perfectly happy typing online banking credentials and uploading pins to random websites.
I used to love MWave, many years ago. They were just a fantastic vendor back then. They shipped faster than anyone, handled returns fast and with zero hassle.
But, I had a couple of mildly negative experiences (slow to ship, items listed as in stock weren't, etc.) and I stopped buying from them.
This, though, is just crazy. I can't believe their merchant bank even allows them to do this.
I've met the CEO of bankstatements.com.au at a trade conference. Currently it's hard to get data feeds from banks - these guys are logging in, scraping bank statements and then providing them as digestible feeds.
Pocketbook is another Australian fintech that was recently acquired that do the same things with credentials.
The banks know they're doing it, it's against terms of service, but seem to turn a blind eye.
POLi seems to have more reputation but I still feel dirty the few times I've been strong-armed into using it.
There is something similar in India called netbanking. Typically, the site redirects you to a payment gateway, which then redirects you to the bank's site. You enter your username/password only on the bank's site and complete the transaction. It is used quite frequently due to convenience and security.
When I moved to Oz and tried to buy something online, I was quite taken aback that I was being asked to enter bank login details on 3rd party sites directly. Felt completely unsafe, so haven't used it yet.
The way I handle this is, I have a dumb checking account which I transfer money to when I do such transactions. This is more akin to giving a lame email address to websites you don't care about.
If only banks had a special login for these one-time transactions. One where the history isn't enabled either. In the Netherlands such a system exists; it's called iDEAL.
> It's that they apply the charge to your card a day before giving you this prompt, leaving you begging for refunds when you refuse.
That is strange. I never begged for a chargeback with any of my credit cards. When I say the transaction is fraudulent or not authorized by me, I get my money back. Always.
The merchant can then sue me, if he thinks differently. Is that not what happens with all credit cards in all countries?
So, technically, everyone who does this (provides their login info) violates their terms with the bank I assume, as they probably told you not to share your password with any third party?
Paypal does the same thing. I added a bank account, and Paypal requested my username and password to automatically verify the two test deposits they made.
Is that new? When I signed up, admittedly a number of years ago, they just asked me to tell them the amounts of the two test deposits. No login creds provided.
Newegg redirected you to the Amex site which asked you to enter your password (this is 3D Secure aka SafeKey), or Newegg asked you to enter your Amex password on Newegg's site?
Yea, but those are different services that utilize the history of your transactions. What reason does an online retailer have to access that level of detail? Shouldn't they simply be able to accept the information on the credit card for the sale?
They can reduce their risk by doing this. For online retailers there are always risks in accepting card payments. (Not saying this is a good idea, just trying to find reasons).
True, but they have a legitimate need to access your banking info: they need access to your transaction history to function. The absurdity here is asking for bank login info just to make a purchase.
Sites like Mint do this to retrieve your banking history. Asking for banking login details seems to be the standard way of doing that sort of thing. (Don't get me wrong, it's still terrible, but it's not like the banks provide an API you can log in to with oAuth or something.)
This is different; mwave is a retailer, all they're doing is receiving a payment.
I don't think there is reason to any longer. Most banks now have a trust relationship with feed providers like Yodlee etc. We use Xero, and I believe they use Yodlee to pull bank and credit card transactions in. IIRC we had to authorise the transfer with Yodlee, and not with Xero directly (i.e. Xero doesn't get to see or capture our bank login details).
This is how Venmo does it so they don't have to make you do the "verify two microdeposits" process, and it's getting more popular. I think because when you give your login you're giving over complete access, so the bank is not liable for fraud.
I had to do it when I signed up. That's why the history of my interaction with Venmo was (1) change bank password, (2) accept the money from the person who would only pay using Venmo, (3) change bank password back so that Venmo / later hackers into Venmo databases don't get any ideas.