Website asks for online banking password and TAN

35 posts in this topic

Recently I did some computer shopping from an online retailer www.planet4one.de who are large, well known and well reviewed by hundreds of past customers. When asked for my payment method I went for what I thought was plain Überweisung (i.e. bank transfer) and got a 'Sofortüberweisung' where I was redirected to a third company website that appeared to ask for my bank account number, my online banking password and a TAN. At this point all my online fraud alarms started ringing in my head, I cancelled the operation and went back and did a normal Überweisung and everyone was happy.

 

There is no question that planet4one is a dodgy site, and I guess that Sofortüberweisung must be somehow accepted by some people, but I'm just wondering if anyone else has seen this before and was naive and blindly stupid trusting enough to actually go through with passing on this sort of information, or am I just paranoid?


Never give your banking password out and if your bank hasn't implemented requesting a unique TAN number for each transaction (not simply a list where you use the next one in line), then you need a new bank.


I saw this on the website for the Umwelt Plakette (I think it was this website - was a while back) and had pretty much the same reaction as you.


I did it with Conrad a couple of weeks ago as well, with no problems, and since then I've noticed a few websites offering it as a payment method. I guess it must be a new way of doing an upfront payment for websites which still don't accept credit cards or people who don't have credit cards.


Although eurovol's comment above isn't really relevant here his points are valid - if you give a TAN to anyone as well as the login details to your account you are allowing that person full access to your bank account. They could empty the account and your bank would refund you nothing. That may be fine if the company is reputable but it opens up a whole world of possibilities for hackers and the possibility, however small, that you lose everything in your account.

 

I would never, ever, disclose that information over the web, ever, to any site other than my bank direct.


Paranoia is good when it comes to online banking. I have come across this on a couple of websites now, and have aborted on both occasions.


The same service is also used as a means of age verification. I tried to order a PS3 game and was also supposed to enter my account details. I searched for this company and found quite a bit of discussion about it in German forums. It seems that there are no claims (yet) of Sofortueberweisung misusing the account details, but I would also never use this service. Plus, it explicitly violates the user agreement with your bank and will probably leave you with all the damage if something does go wrong.


 

will probably leave you with all the damage if something does go wrong.

It will certainly leave you with all the damage if anything goes wrong. Your bank will certainly, as you believe, not help one bit for precisely the reason you state - you are explicitly told on every TAN and password notification sheet from your bank to never disclose this information.

 

Lots of italics for emphasis, but I'm amazed that anyone uses this service, amazed that it even got set up, and I wonder what value the TÜV certification has.


After reading the information, legal regulations and disclaimers provided by redcoon.de regarding a Sofortüberweisung I used the service. They don't really ask for your PIN and a TAN, there was a notification in the instructions that you will need to log into your account and use a TAN for the transaction with all sorts of confidentiality assurances etc. The whole procedure was very handy, no one has depleted my account, a very clean and - I found - reliable transaction.


 

They don't really ask for your PIN and a TAN, there was a notification in the instructions that you will need to log into your account and use a TAN for the transaction with all sorts of confidentiality assurances etc.

Are you sure? According to their own instructions: https://www.payment-network.com/de/user/sof...ktionierts.html

 

 

Step 3

Here you enter the same data as when logging in to your online banking.

And step 4:

 

 

Confirmation of the order by entering the TAN.

These 3 pieces of info (internet banking login name, internet banking PIN/password and a valid TAN number) are all I would need to log in to my bank's real internet banking website and empty the account by transferring everything away. I saw nothing on those screenshots that showed you being redirected to your bank's legitimate internet banking site, not that that's a good idea anyway, so all that info must go to these sofortueberweisung.de (or is it 'payment-network.com'?) people.


 

After reading the information, legal regulations and disclaimers provided by redcoon.de regarding a Sofortüberweisung I used the service.

Hats off to you sarabyrd, did you happen to notice if they say anything about retaining the information? Naturally the TAN is used once, but if they retain the online banking details this could become a potential gold mine for hackers.

 

As I said above, my concerns are not so much whether this company, or its partners, are reliable or not (but naturally I'm concerned about that too), more that by disclosing this information to a third party you have broken the T&C imposed by your bank and they will cut you loose if anything goes wrong, related directly to this transaction or not. If anything goes wrong in the future, can you be sure that your bank won't say that perhaps a hacker has obtained the login details to your online banking and this is all your fault? After all we have seen with EC cards (which contain the PIN lamely encoded in an easily read magnetic stripe and have, surprise surprise, been cracked after being stolen), some banks are all too quick to hide behind their infallible-technology claim.


There are plenty of companies using this system completely legally and without any more risk than when you use your online banking normally.

 

What you must ensure is that when you are giving your password and your TANs, you are on your bank's website. Look in the URL bar and ensure that it is their domain. If so, then it's all fine. Never put your password or TAN into any website other than your bank's.

 

Some banks have set up a system whereby they verify to a third party that a payment has been made. It's a good idea, because your order can be shipped immediately, rather than waiting for the money to show up. All that is happening is that the online shop is redirecting you to your bank's website where you transfer the money as normal, but afterwards it will redirect you back to the online shop along with confirmation that the transaction is done.


 

There are plenty of companies using this system completely legally and without any more risk than when you use your online banking normally.

 

What you must ensure is that when you are giving your password and your TANs, you are on your bank's website. Look in the URL bar and ensure that it is their domain. If so, then it's all fine. Never put your password or TAN into any website other than your bank's.

I don't think this was the case in 2009, and it certainly isn't the case now. When you pay by Sofortüberweisung, you are asked to enter your banking details (including your account number and online access PIN) into a form hosted on the Sofortüberweisung site itself, not on your bank's website. I even checked the web page's HTML source and verified that the form is posted to a URL on the Sofortüberweisung domain, not on my bank's.

 

Therefore, there certainly is more risk paying this way than using online banking directly: you are giving access to your online banking system to a third party. Once they have your account number and PIN they could theoretically log into your online banking whenever they wanted. (They might not be able to do any damage without your TAN block, though this would still be a violation of your privacy.) And though you may trust that Sofortüberweisung would never do this themselves, there is always the possibility that their data protection procedures are inadequate, thereby exposing your banking credentials to others.

 

I would strongly recommend against using Sofortüberweisung unless your bank has specifically granted you permission to divulge your credentials to them and has agreed to indemnify you for any losses arising from Sofortüberweisung's misuse or failure to adequately protect those credentials.

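The check the post above describes by hand, as an added example that is not from this thread or from Sofort AG: parse the payment page's HTML, find every form that collects PIN/TAN/password-like fields, resolve each form's action against the page URL and report the ones that post anywhere other than the bank's own host. The page URL, the bank host, the field-name hints and the sample HTML are all constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Field names that suggest online-banking secrets (constructed heuristic; "kennwort" = password).
SECRET_HINTS = ("pin", "tan", "passw", "kennwort")

class FormScanner(HTMLParser):
    """Collect every <form>'s action URL and the (name, type) of its <input> fields."""
    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._cur = {"action": a.get("action", ""), "fields": []}
            self.forms.append(self._cur)
        elif tag == "input" and self._cur is not None:
            self._cur["fields"].append((a.get("name", "").lower(), a.get("type", "").lower()))

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None

def same_site(host, bank_host):
    """True if host is the bank's host or one of its subdomains."""
    return host == bank_host or host.endswith("." + bank_host)

def credential_forms_offsite(page_url, html, bank_host):
    """Hosts that receive PIN/TAN/password-like fields and are not the bank; [] means all post to the bank."""
    scanner = FormScanner()
    scanner.feed(html)
    offsite = []
    for form in scanner.forms:
        sensitive = any(t == "password" or any(h in n for h in SECRET_HINTS)
                        for n, t in form["fields"])
        if not sensitive:
            continue
        # A relative action such as "/login" resolves against the page's own host.
        target = urlsplit(urljoin(page_url, form["action"])).hostname or ""
        if not same_site(target, bank_host):
            offsite.append(target)
    return offsite

# Constructed sample: a payment page asking for account number, PIN and TAN in one form.
SAMPLE_HTML = """<form method="post" action="/payment/login">
  <input name="konto" type="text">
  <input name="pin" type="password">
  <input name="tan" type="text">
</form>"""
```

Run against the constructed sample served from a third-party host, the function names that host; served from a subdomain of the bank it returns an empty list.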

I've had to do this twice recently while booking tickets for my daughter to go to Amsterdam by bus. I will admit, I was a bit nervous about it at the time, but I did it and it worked out fine.


 

I would strongly recommend against using Sofortüberweisung unless your bank has specifically granted you permission to divulge your credentials to them

 

As clarification: Most (pretty much all) banks ban you from divulging online access information to third parties in their AGB, meaning by using Sofort AG's Sofortüberweisung product you're usually in breach of contract terms for your bank account.


 

I've had to do this twice recently while booking tickets for my daughter to go to Amsterdam by bus. I will admit, I was a bit nervous about it at the time, but I did it and it worked out fine.

 

No one is disputing that this payment system "works" insofar as it correctly processes individual transactions. However, there are certain risks involved, the consequences of which might not manifest themselves immediately. For example, what if Sofort AG fails to securely store or transmit your banking credentials, and they are intercepted by a third party? Possibly this third party will have also obtained an unused TAN by similar means, or directly from you by social engineering, or perhaps they may have discovered a security flaw in your bank's online system which obviates the need for a TAN. The third party might then, at some point in the future, use these credentials to maliciously access and withdraw all the funds from your bank account.

 

Naturally you will probably notice the unauthorized withdrawal and report it to your bank, whereupon the first thing they are going to ask you is whether you ever divulged your password to a third party. (In fact, they won't even need to ask you, as this information will be obvious from their web server logs, and can be corroborated upon subpoena to Sofort AG.) They could then use the fact that you willingly disclosed your credentials, in violation of your account terms and conditions, to refuse to compensate you for your loss.


The funniest thing is that Sofort Überweisung have a TÜV security certificate, so at least we can believe their claim that they do not store passwords:

https://www.sofort.com/eng-INT/security/

 

But from the legal point of view this is still dodgy, yes.


I also recently used this company's service but immediately had second thoughts once I'd completed the transaction. Those thoughts were obviously too late to prevent the transaction going through (or rather sending all my details through to a 3rd party) but I decided there and then to change my Internet Banking PIN to make sure those details I had provided were no longer valid.

 

I won't use the service again until I have an answer from my bank that they approve the service and the company offering it.

 

I think the company was recently taken over by a big Scandinavian online payment company btw.
