Website asks for online banking password and TAN

35 posts in this topic

 

The funniest thing is that Sofort Überweisung have a TÜV security certificate, so at least we can believe their claim that they do not store passwords

Can we? Companies—including online security companies—make claims about security and data protection all the time, which turn out to be unsubstantiated when their systems get cracked and entire customer databases, sometimes including passwords and credit card numbers, get posted online or sold on the black market. The best we can say about Sofort AG is that, at some point in the recent past, they paid an industry organization named TÜV Saarland to inspect their payment processing and data handling procedures, and that TÜV Saarland found that it was in compliance with their standards. Exactly what those standards are (beyond the rather vague summary on the certificates themselves) and how the audit was carried out I haven't been able to determine. For all I know, TÜV Saarland is one of those companies like TRUSTe which hands out privacy certifications like candy on Halloween.


 

The best we can say about Sofort AG is that, at some point in the recent past, they paid an industry organization named TÜV Saarland to inspect their payment processing and data handling procedures, and that TÜV Saarland found that it was in compliance with their standards.

Sure. I just hope that those standards do not allow storing passwords.

 

Important update: Deutsche Kreditbank has just updated their T&Cs; they now cooperate with Sofort AG and allow you to enter your password on the Sofort site!

https://dok.dkb.de/pdf/plv_pk_mk.pdf

 

 

5.5 Cooperation partners of DKB AG

Within the meaning of No. 8 para. 2 of the Terms and Conditions for DKB online banking with PIN and TAN, the cooperation partner is:

- Sofort AG (www.sofortueberweisung.de)

In the Bedingungen für DKB-Onlinebanking mit PIN und TAN you can read that it is only allowed to enter your PIN/TAN on websites of DKB and their cooperation partners.


 

or perhaps they may have discovered a security flaw in your bank's online system which obviates the need for a TAN. The third party might then, at some point in the future, use these credentials to maliciously access and withdraw all the funds from your bank account.

 

You've entered the domain of scaremongering. Were this ever to occur, the bank would be obliged to refund your losses. Actually, you sound like the kind of person who would have argued against electricity when that was first introduced.


Banks should teach their clients never, ever to give out PINs and TANs to anyone, for any reason whatsoever. It's like teaching your kids not to follow strangers.

 

In my very humble opinion, it is moronic for banks to start making exceptions for the likes of "Sofortüberweisung", because it then becomes close to impossible for common mortals to tell the difference between TÜV-verified, legitimate guys like Sofortüberweisung and the bad guys. After all, both Sofortüberweisung and the bad guys divert you to a page that looks like your bank's, and ask for fishy information like PINs and TANs.


The alternative would of course be to make all electronic payments instantaneous like most transfers in the UK. There's absolutely no reason it still needs to take 24-48 hours. But that's a bit too forward-looking for the German banking industry, and they earn good money from the interest gained whilst delaying the payment.


In Poland there is a system like Sofortüberweisung, but without any third party: online shop/airline/whatever asks you to choose your bank and then redirects you to your own bank's web site, where you type your login/password and TAN and then you are redirected back to the shop, payment instantly confirmed although the actual transfer will take about 24 hours. Works just like 3D security for Mastercard/Visa.

 

I don't know why they have invented this crappy scheme here in Germany. Well, I know: a country with a lot of fraudsters tends to invest more into security, while Germans are a bit naive and believe in honesty.


 

Were this ever to occur, the bank would be obliged to refund your losses.

Why? You're the one who gave Sofort AG what is practically a blank cheque. It's not your bank's fault if Sofort AG then lost that cheque to a malicious third party.

 

 

Actually, you sound like the kind of person who would have argued against electricity when that was first introduced.

I rather hoped to sound more like a professional electrician trying to warn others about using improperly insulated wiring in their home. (FWIW, my previous job involved penetration testing for enterprise and military websites.)


 

In Poland there is a system like Sofortüberweisung, but without any third party: online shop/airline/whatever asks you to choose your bank and then redirects you to your own bank's web site, where you type your login/password and TAN and then you are redirected back to the shop, payment instantly confirmed although the actual transfer will take about 24 hours. Works just like 3D security for Mastercard/Visa.

 

I don't know why they have invented this crappy scheme here in Germany. Well, I know: a country with a lot of fraudsters tends to invest more into security, while Germans are a bit naive and believe in honesty.

 

This system is in place in Belgium too. The Germans could learn a lot from the Belgians.....like how to brew decent beer for a start.


 

In Poland there is a system like Sofortüberweisung, but without any third party: online shop/airline/whatever asks you to choose your bank and then redirects you to your own bank's web site, where you type your login/password and TAN and then you are redirected back to the shop, payment instantly confirmed although the actual transfer will take about 24 hours. Works just like 3D security for Mastercard/Visa.

 

I don't know why they have invented this crappy scheme here in Germany. Well, I know: a country with a lot of fraudsters tends to invest more into security, while Germans are a bit naive and believe in honesty.

 

Redirect systems are problematic too from a usability perspective because they encourage the naive to succumb to phishing schemes. I.e., legitimizing one website redirecting to another to perform a transaction is just asking for phishers to mimic the behaviour, considering that phishing is basically that anyway. The ONLY good payment security is one backed up by a legal guarantee by the bank to refund losses due to fraud, because every security scheme has a vulnerability.


 

Why? You're the one who gave Sofort AG what is practically a blank cheque. It's not your bank's fault if Sofort AG then lost that cheque to a malicious third party.

 

That "blank cheque" is your login details, but no fraudster can do much more than look at your bank balance before needing to enter a new TAN. Which of course he can't; the one you used for the Sofortüberweisung transaction is no longer valid.


 

In Poland there is a system like Sofortüberweisung, but without any third party: online shop/airline/whatever asks you to choose your bank and then redirects you to your own bank's web site, where you type your login/password and TAN and then you are redirected back to the shop

 

 

This system is in place in Belgium too.

German banks have their own payment system which works similarly to the ones you described; it's called "giropay". And as the person above me said, they don't usually have a "blank cheque" because many German banks today use systems like ChipTAN, PhotoTAN and mTAN, which are only valid once and allow you to check the transfer details on an external device.


"Some" would be a bit of an understatement: all Sparkassen, almost all Volks- and Raiffeisenbanken, Postbank, comdirect... overall more than 1500 banks out of some 2000 total.


I just had to do it with Lufthansa. Previously they charged like EUR 35 to pay with a credit card for flights over something like EUR 400, so I was glad to see a free option. It did feel weird though.

 

I just asked my bank, the Frankfurter Sparkasse, if I can trust Sofortüberweisung and they said: "Since this payment system is not supported by the Sparkassen-Finanzgruppe, I unfortunately cannot make any statement about it." (Basically: The Sparkassen don't support this payment system so they can't comment on it.)


Dt. Bahn has had this for years. I've had perfect success with this. Always transferred 100% accurately from Dt. Bank and/or Commerzbank.
