New payment option on Paypal "Enter your online banking ID + password": Any mechanism that could make this safe?

Once you submit that form, the information clearly goes to PayPal. So, yes, your password is definitely sent to PayPal. However, PayPal is saying that it only uses your bank account credentials to confirm/verify your account.

What seems to happen is that PayPal takes your information then sends it to your online banking provider for verification. What PayPal does with your credentials after that is unknown. They might store it for future payments, or they discard it after the verification process.

In one line: Yes, your bank password goes to PayPal. Is it bad? Well, it depends on how much you trust PayPal.

By comparison, in Finland we have a completely different system with PayPal. When PayPal needs to verify the bank account or withdraw from the bank account, you get redirected directly to the bank's online banking page. You login there, and then you get redirected back to PayPal. They only get a verification token from the bank. The system is called TUPAS.
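To make the difference concrete, here is an added, constructed sketch of a TUPAS-style redirect flow (it is not PayPal's or any bank's code): the bank authenticates the user itself and hands the merchant only a nonce-bound, MAC-signed token over a secret shared between bank and merchant, so the password never reaches the payment provider. The secret, user record, field layout and identifiers are all made up for the demo.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo values; a real bank/merchant pair provisions its own secret.
SHARED_SECRET = b"constructed-demo-shared-secret"
MERCHANT_ID = "PAYMENT-PROVIDER-1"
# Hypothetical bank user store: username -> (password digest, bank-issued holder id).
# Plain SHA-256 is a stand-in here; a real bank uses a proper password hash.
BANK_USERS = {"alice": (hashlib.sha256(b"correct horse").hexdigest(), "FI-HOLDER-0001")}
FIELDS = ("version", "merchant_id", "nonce", "timestamp", "holder_id")

def _mac(token):
    """HMAC over the canonical field order; any change to a field breaks it."""
    msg = "&".join(str(token.get(f, "")) for f in FIELDS).encode()
    return hmac.new(SHARED_SECRET, msg, hashlib.sha256).hexdigest()

def bank_login_and_issue(username, password, merchant_id, nonce, now=None):
    """Bank side: check the password locally, then issue a signed token."""
    rec = BANK_USERS.get(username)
    digest = hashlib.sha256(password.encode()).hexdigest()
    if rec is None or not hmac.compare_digest(rec[0], digest):
        return None  # login failed; nothing goes back to the merchant
    token = {"version": "1", "merchant_id": merchant_id, "nonce": nonce,
             "timestamp": int(now if now is not None else time.time()),
             "holder_id": rec[1]}
    token["mac"] = _mac(token)
    return token

class Merchant:
    """Merchant side (the payment provider): issues the nonce, checks the return."""
    def __init__(self, max_age=300):
        self.max_age = max_age
        self.pending = set()  # nonces handed out and not yet consumed

    def start(self):
        nonce = secrets.token_hex(16)
        self.pending.add(nonce)
        return nonce  # goes into the redirect to the bank

    def verify(self, token, now=None):
        now = now if now is not None else time.time()
        if token.get("merchant_id") != MERCHANT_ID:
            return None  # token issued for someone else
        if token.get("nonce") not in self.pending:
            return None  # unknown nonce, or a replay of one already used
        if not hmac.compare_digest(token.get("mac", ""), _mac(token)):
            return None  # forged or tampered with in transit
        if now - token["timestamp"] > self.max_age:
            return None  # stale
        self.pending.discard(token["nonce"])  # one-shot use
        return token["holder_id"]
```

The merchant only ever learns a bank-issued holder identifier, and the token cannot be replayed or altered without the shared secret.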


Is my password sent to Paypal?

Yep. Giving your password to PayPal may be a breach of your bank's Terms and Conditions and/or make you personally liable for any fraud that takes place through that system. Also PayPal can see the personal information and transaction history associated with that account. Hope you trust PayPal real good now!

Or is there a kind of protocol involving the bank's server, which makes this actually safe?

PayPal is most probably running automated screen-scraping scripts attempting to log in to the normal online banking site on your behalf and doing the transfer. This is obviously pretty fragile and risks breaking when banks update their web sites. It is likely that some banks may be co-operating with PayPal to reduce this risk.

This approach has been done a number of times before, e.g. by Germany's sofort.com. I am disappointed to see PayPal jump on this payment model too. Whilst the rest of the web is working on federated authentication/authorisation schemes that let you approve particular transactions without having to hand over the keys to the kingdom to other participants (OAuth, SAML etc.), the financial world is once again plumping for convenience and legacy compatibility over security.


Your information does go to PayPal, who will likely use it to login to your bank account. That way they can verify your information is valid.

However - technically - they can also see other information. Anything you see after logging in (your account balance, the various deposits / withdrawals) is visible to them, and they may or may not store that. Technically they are also able to invoke any other function you don't need another form of authentication for.

So, risk is one matter. The other matter is if your bank actually allows you to do that. A lot of banks will require that you keep your access information confidential. By using this function you will violate that agreement, by giving your access information to a third party.