Bank asked for a cross login?
Disclaimer: IANAL
1 is this common now?! conversely is it brand new?
First time I read of it, but I know that many online banking system propose to aggregate your other bank accounts on their site. Mine proposed to but I declined so I cannot tell exactly how they manage to prove the third party bank that the client allows them to gather account elements. The account number is certain, I do not know for other credentials. The goal is to collect all of your banking informations, because this does have value for announcers.
2 would it actually be illegal in some way?
As already said IANAL. But I cannot imagine why it could be illegal: they ask you some information saying how they will use it. You are the information owner and can choose to share it with them or not. The only point that could be illegal would be that they declare to not store an element and actually store it. Being professional, they also have to protect your sensitive data, but provided it is not transmitted in clear text nor stored, I assume that it is enough.
3 it seems incredible that other banks wouldn't block them once they heard of the practice, or at least complain bitterly.
Not that simple. The other bank has a contract with you allowing you a number of operations provided you can prove that you have an account, a password and a unique code sent to a device or mail address. You are responsable for securing those elements and implicitely ask them to honour any request presenting them. They would probably be more happy if you used their own system to connect to your other bank accounts, but I cannot imagine a legal point for preventing you to use any third party added value system.
Now for my opinion. On a security point of view, a secret should never be shared by more than 2 entities. So I would never post my credentials for a site on a site of a third party company, whatever the reason. I know that this will prevent me to use some sexy added value aggregators and I accept it. At least I will try to keep that security policy as long as I will be able to...
Yes, this is now a thing.
Over here, Germany has a new online payment provider that will allow you to pay instantly online any bill by logging into your bank account and doing the money transfer for you. How convenient, no mistyping any account numbers and you only need to give them your login details - see the similarity?
I have absolutely no idea how this service came into existence, who thought it was an idea worth funding and who actually uses it.
So yes, this is a thing now, your bank is not the only one doing it, it must be by a very, very long stretch the most dumb idea anyone came up with this century and that large banks have signed up to it is one of those things you can only explain with a strong conviction that the end times are near so who cares?
Is it just me or is this totally wrong ?!?
It is just you and me, unfortunately. Because yes, this is so totally wrong that there ought to be a seperate word to express just how wrong it is.
There are some answers to this but I'll add a unique perspective:
Is this common now?! Conversely, is it brand new?
It is relatively new, but will be commonplace. Consumer-facing financial institutions in the US have had an awful time dealing with updating their infrastructure and understanding what role they play in the evolving internet-based financial and payment infrastructure.
One thing they understand now, after many false starts, is that each of them is an identity provider- frankly to a far greater degree than any email or social media platform.
This understanding is why they are consuming and utilizing customer credentials with each other, and not introducing some other delegated auth scheme. Who could they delegate to? Facebook?
This is also the model that aggregators- https://plaid.com is one of the more aggressive in this space- are taking- obviously with the full cooperation of the banks.
Would it actually be illegal in some way?
No. As crazy as it might seem, this approach most accurately solves for the trust domain and threat model.
It seems incredible that other banks wouldn't block them once they heard of the practice, or at least complain bitterly.
No, quite the opposite. Banks have decades, sometimes centuries, of shared trust and mutual responsibility, and innumerable layers of technical and administrative integration.
Again, think of a bank as the original identity provider- even more so than a government, because credit and accounting systems long predate governments.
It's a separate issue whether banks are technically equipped to play this role, and whether consumers and banks mutually understand all of the impersonation and confused deputy risks.
From a structural perspective, they have no choice but to approach it this way.