What to do about "approved" direct banking MITM sites like sofort.com?

After all of us effectively signed a "don't ever disclose your login details to anybody else under any circumstances, or else" agreement with our banks, how is this possible?

Sofort AG is a German company, so I'll focus on Germany: There was an antitrust proceeding, and as a result of it, most banks changed their terms and conditions to allow this (at least according to Wikipedia). It doesn't seem that the proceeding actually resulted in new laws though.

The European Payment Services Directive is currently being updated, and would then also cover third party payment providers (TPPs), so as I understand it, it would then also regulate Sofortüberweisung (the correct name for a service like this seems to be Payment Initiation Services). See also this interpretation here in English.

Is there anything end-users can do except voting with their wallets?

Well, you can lobby politicians, write news articles, search for and expose security flaws, etc. Or you can hope that there are valid alternatives and use them instead.

Security

The implied question here seems to be if this is secure or not.

  • it adds an additional company which can screw up, and thus reduces security (for no or few benefits).
  • you have to trust the company (in this case Sofort AG), as they could also just take all your money if they wanted to (but this is the case with a lot of payment options, paypal for example allows any shop to withdraw a random amount of money).
  • it might increase inexperienced users' willingness to enter their password ("I did this so many times, and never did something bad happen before") and thus increase the success and amount of phishing attacks.

The biggest problem with services like Sofort is that because YOU have entered your banking details THEY are indemnified against chargebacks and indeed any kind of claim that the transaction was fraudulent, which lowers their business cost because they have zero fraud (that they are responsible to pay for). However, the responsibility for fraud lands on YOU the customer. By using Sofort you are giving up the rights you would have if you used any other traditional payment method.

Do the math. Decide if you're willing to run the risk. If it's online and it feels wrong... it is wrong.


The answer by Tim is super, and still relevant in 2017, but omits one important thing: PRIVACY.

you have to trust the company (in this case Sofort AG), as they could also just take all your money if they wanted to

Risk exists, but is probably low - or their whole business model would collapse. The risk provides a serious incentive to take security seriously.

I actually asked my bank (BNP Fortis Paribas) about Sofort (now Klarna) with the same comments as OP, and they did not discourage me from using Sofort, nor scorn me for sharing my login details... instead encouraging me to contact Sofort with my question instead (much like the reply this customer received). Tim's statements explain well enough why.

But you also have to trust Sofort to take your PRIVACY seriously.

Sofort effectively have access to your bank balances on all your accounts, all transactions that you made - the same ones that are visible in your bank's online portal. This appears to depend on the setup they have with the various banks; if there is no API from the bank, then their Data Protection policy states:

"Alternatively, our system will automatically call up the data via the user interface of your online banking service, much in the same way as if you logged on yourself".

I.e. they [can] know what you earn, where you spend your money, what your cash burn rate is, what your savings or investments are.

I'm sure that information is HUGELY valuable.

If you perform 1 Sofort transaction every 6 months, for my bank at least, they could assemble a continuous transaction history for every customer.

The only thing going for them IMHO is that German privacy laws are among the strictest in the world...

Their Privacy Policy does not mention data they are collecting or what they do with it; however, the more interesting Data Protection UK/EN policy is more specific and appears to exclude the usage I described above.

We will not store any personal data beyond that, in particular, no account balance, transaction data, overdraft limits, account lists, online banking login passwords (such as personal identification number) or confirmation codes such as transaction authentication number.

Thing is though, it's easy enough to audit whether your money has been stolen. It's quite something else to verify whether the company is complying with its promise not to collect this data. So it's all about trust. Don't trust them? Spend a few €€€ more, and use another payment provider.