Imagine you keep all your life savings in a safe. Normally you take some money out and go and pay for things. But this one time, instead of asking for your money, the shop owner points at a guy by the door and says, "see that guy? Please give him the key to your safe. He'll open your safe, take the amount you owe for your purchases, and deliver it to us."
Who is this guy, you wonder? You've never seen him before.
"Oh, don't worry, we're totally safe! I've done this a number of times before and nobody has ever had any money go missing. Also, check out my SafeBuy logos, don't they make you feel safe already?"
Would you give him the key to your safe?
Some hyperbole aside, this is essentially what Austrian Airlines have asked me to do. They pointed me to sofort.com, who, to my utter disbelief, asked me to enter my online banking password into their site. Just like that. Hang on, wait, did this just really happen? Maybe that was a fake Austrian Airlines site that directed me to some phishing operation? No? It wasn't? Huuuuuuuuh?... Is this for real?!?!?!....
Sadly, once I'd convinced myself I wasn't dreaming, and re-checked the legitimacy of the websites, there was only one possible conclusion left. This website was really asking me to give it the authority to empty my bank accounts, only they promise not to. And Austrian Airlines were really actually endorsing this service. Check it out:
If you seek more info about their security, they will actually warn you that by giving them these details, if you do end up being a victim of some kind of fraud, your bank will not reimburse you because, well, giving your password to a third party is your own damn fault and "voids your warranty", so to speak.
Why you shouldn't even consider using this service:
- If sofort.com has even one unscrupulous programmer, you might just find all your balances zeroed.
- If this were to happen, you are completely unprotected by your bank's fraud provisions. Giving away your online banking details voids them.
- By getting used to giving away your bank password to a third party, you are exposing yourself to an increased risk of accidentally giving it to bad guys in the future.
This is extremely wrong. The whole premise is dodgy and backwards. Why even ask for your password? Why not just ask you to make a payment to a specific account? This site goes in the opposite direction to where we should be going with regard to security. And how many people will lose all their money not because sofort.com itself is illegitimate, but because sofort.com makes people susceptible to actual phishing attacks?
Staying safe is simple: don't give your bank password to anyone, ever. Even if this someone is recommended by a company you know. Even if other people haven't been robbed yet. Even if it's only 3 out of 12 characters. Even if they tell you they can only use your details once. "Once" is quite enough to take all your money.
P.S. To top this off, Austrian Airlines charge a card processing fee which they have the audacity to call an "optional payment". The only other option being to bet (a part of) your life savings on whether everyone at sofort.com is a nice guy. That is really the icing on the cake.
What is needed
A mechanism to authorize payments has been in place for decades: credit/debit cards. Unfortunately, it also wasn't designed with internet-level security in mind (unsurprisingly, given cards predated the internet): a merchant may withdraw a different amount to the one shown to you, or make multiple withdrawals. Because of this, countries have introduced laws that require banks to protect their customers against such fraud. Every now and then, however, a customer will use these procedures to revert a legitimate charge, which costs companies money. In my opinion, sofort.com is nothing but an attempt to circumvent these fraud protection laws and enable the company to eliminate the risk of a chargeback. A sneaky one at that, because people who use it are not fully aware of the risks involved, nor of the protection they lose as a result.
What we really need instead of all this mess is a way to authorise single payments of specified amounts that is hard to forge or share accidentally. It should be fundamentally impossible for the merchant to use the payment details I provide to charge me more than once, or for anything other than the authorized amount.
And you know what's funny? Many of the ex-USSR countries have just such systems in place already. It's possible to configure one's credit card so that the card alone becomes completely useless. Whenever someone tries to charge an amount, the issuer sends the owner a text message with the details of the transaction: the amount and the merchant's name. If the owner replies, the transaction is authorized. This set-up strikes a good balance between convenience, simplicity and the level of security. It doesn't protect against all possible unauthorized charges, but it really rather raises the bar: one needs to get hold of the buyer's phone in order to fake authorization. Certainly not something internet merchants can do.
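A minimal model of the property asked for above and of the text-message confirmation just described, added here as an illustration and not taken from any real issuer's system. The `Issuer` class, its method names and the sample merchant and amounts are all assumptions made for the example.

```python
import hmac
import secrets

class Issuer:
    """Toy card issuer: a charge settles only after the owner approves it out of band."""

    def __init__(self):
        # charge_id -> record; in-memory stand-in for the issuer's ledger
        self._charges = {}

    def request_charge(self, merchant, amount_cents):
        """Merchant asks for money. Returns the text message sent to the card owner."""
        charge_id = secrets.token_hex(8)
        code = f"{secrets.randbelow(10**6):06d}"  # one-time reply code
        self._charges[charge_id] = {
            "merchant": merchant, "amount_cents": amount_cents,
            "code": code, "approved": False, "settled": False,
        }
        return {"charge_id": charge_id, "merchant": merchant,
                "amount_cents": amount_cents, "code": code}

    def owner_reply(self, charge_id, code):
        """Owner's reply from their phone; approves this one charge only."""
        rec = self._charges.get(charge_id)
        if rec is None or not hmac.compare_digest(code, rec["code"]):
            return False
        rec["approved"] = True
        return True

    def settle(self, charge_id, merchant, amount_cents):
        """Merchant collects. Must match what the owner was shown, and works once."""
        rec = self._charges.get(charge_id)
        ok = (rec is not None and rec["approved"] and not rec["settled"]
              and (merchant, amount_cents) == (rec["merchant"], rec["amount_cents"]))
        if ok:
            rec["settled"] = True  # consume the approval so it cannot be replayed
        return ok

def demo():
    bank = Issuer()
    sms = bank.request_charge("Example Air", 19900)  # constructed sample values
    cid = sms["charge_id"]
    early = bank.settle(cid, "Example Air", 19900)     # owner has not replied yet
    bank.owner_reply(cid, sms["code"])
    inflated = bank.settle(cid, "Example Air", 99900)  # amount differs from the text
    first = bank.settle(cid, "Example Air", 19900)
    replay = bank.settle(cid, "Example Air", 19900)    # second use of same approval
    return early, inflated, first, replay
```

Only the third attempt in `demo()` succeeds: the approval is tied to the merchant and amount the owner saw, and it is spent on first use.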
The western world is stuck in the past when it comes to online payments, and Sofort is a clear indication that radical changes are required.