• Chozo@fedia.io
    link
    fedilink
    arrow-up
    7
    arrow-down
    23
    ·
    3 months ago

    That’s unusual, but not unheard of. Some online merchants will allow you to make payments via ACH transfers. Can be useful for things like international purchases or if you don’t have a normal credit/debit card to use. Sometimes smaller merchants will prefer this, if they don’t have an existing business partnership with a payment processor already.

    Usually these will go through a third-party system that tokenizes your login with your bank. This way the merchant can only access your routing/account numbers to do the transfer. As for why you’d need to provide your bank login instead of the routing/account numbers directly, it’s usually just a form of fraud prevention, as the login verifies that you’re actually the account owner and not trying to pay with a checkbook you found on the street.

    It’s similar to Plaid, which is a near-identical service that some merchants in the US use. From what I can tell, Ozow appears to be legitimate, so realistically it’s probably safe to enter your login details as long as you’re not getting any certificate errors on the page.

    E: Not sure why this is downvoted. I’m not saying it’s a good system, just saying that it’s not inherently a scam.

    • FuglyDuck@lemmy.world
      link
      fedilink
      English
      arrow-up
      19
      ·
      3 months ago

      You shouldn’t trust Plaid either.

      Especially if all they’re doing is looking for the routing and account number. Because that’s just as easy to give.

      • OsrsNeedsF2P@lemmy.ml
        link
        fedilink
        English
        arrow-up
        17
        ·
        3 months ago

        I know someone who works in software security at Plaid. I can’t give too many details because there’s only like 20 of them - but no, you REALLY should not trust Plaid. (Allegedly) phones intercepting 2FA in their server rooms, (allegedly) bank connection issues that have led to people getting access to the wrong accounts, (allegedly) using browser bots to handle login on the backend for banks without API access, (allegedly) customer info leaks that weren’t reported… Now that I think if it, I should tell my friend about the whistleblower programs

        • Echo Dot@feddit.uk
          link
          fedilink
          English
          arrow-up
          1
          ·
          3 months ago

          I don’t know how it works in the US but under European law if he knows about these things and isn’t reporting them he’s liable if and when it all comes to light.

          If you know that the company you work for is committing crimes, and you do not report it, you are as liable as the company.

      • Chozo@fedia.io
        link
        fedilink
        arrow-up
        8
        arrow-down
        2
        ·
        3 months ago

        It’s also risky to give. Banks will generally approve all transactions between two accounts if one of them is a business account, because the assumption is that those are business transactions and are legitimate 99.99% of the time, so there’s very little scrutiny involved for those transfers. Giving the merchant your routing/account number gives them access to make withdraws from your account at will and at any time and can’t be revoked, and giving that access to somebody you may not fully trust the reputation of is a dangerous move.

        A trusted financial institution as a middleman can be useful for those situations, because they’ll tokenize your details to expose as little as possible to the merchant, directly. These services are typically insured, so even if something did happen to your account, you’re more likely to get your money back than if you gave a merchant direct ACH access to your bank account. It’s basically a modernized version of Western Union.

        • FuglyDuck@lemmy.world
          link
          fedilink
          English
          arrow-up
          9
          ·
          3 months ago

          You do realize that if the bank authorizes a transfer, that you did not… it’s wire fraud and they’re obligated to refund that cash, regardless if they recoup the cash or not.

          Their fuck up, their loss.

          On the other hand, if you give your credentials to a 3rd party, that’s against the ToS none of us actually read, and if something happens to your account; they’re going to deem it as your fuck up.

          As for whatever technobabble Plaid wants to use, even if they’re insured… you’re not, unless you can prove in court that they were the source of the breach. Their lawyers are probably better than yours.

          • Chozo@fedia.io
            link
            fedilink
            arrow-up
            4
            arrow-down
            3
            ·
            3 months ago

            You do realize that if the bank authorizes a transfer, that you did not… it’s wire fraud and they’re obligated to refund that cash, regardless if they recoup the cash or not.

            You do realize that not every transaction happens in countries where these protections exist, right? Not everybody can rely on something like the FDIC to protect their funds.

            On the other hand, if you give your credentials to a 3rd party, that’s against the ToS none of us actually read, and if something happens to your account; they’re going to deem it as your fuck up.

            You’re not providing your bank credentials directly to the third-party, either. They use OAuth-like systems to log you in, typically. I’m not familiar with Ozow, specifically, but from what I can tell about their company, they appear to be doing mostly the same things as Plaid.

            • FuglyDuck@lemmy.world
              link
              fedilink
              English
              arrow-up
              5
              ·
              3 months ago

              You’re not providing your bank credentials directly to the third-party, either. They use OAuth-like systems to log you in, typically. I’m not familiar with Ozow, specifically, but from what I can tell about their company, they appear to be doing mostly the same things as Plaid.

              Plaid or Ozow is the third party. You’re using their system, which they control, to provide your credentials.

              You’re trusting that a) they’re not malicious and b) they have their shit together and c) even though they do have their shit together someone doesn’t find a random exploit anyhow.

              As for the first. yeah. that’s a problem. At that point it really doesn’t matter, does it? why would you trust Ozow or anyone else in that sort of environment with your banking credentials? or even the bank with your money?

              • Chozo@fedia.io
                link
                fedilink
                arrow-up
                2
                ·
                3 months ago

                You’re trusting that a) they’re not malicious and b) they have their shit together and c) even though they do have their shit together someone doesn’t find a random exploit anyhow.

                You could say this about literally any solution short of hand-delivering cash in person.

      • bss03@infosec.pub
        link
        fedilink
        English
        arrow-up
        2
        ·
        3 months ago

        Plaid effectively admitted to stealing your transaction history and selling it to the highest bidder in the past. There was a settlement and they agreed to not to that in the future

        Just don’t ever share your password, and certainly not your banking password, and definitely not with Plaid.

    • This is fine🔥🐶☕🔥@lemmy.world
      link
      fedilink
      English
      arrow-up
      1
      ·
      3 months ago

      We have a variation of this system here (India)

      During checkout you can select netbanking as payment method. It asks you to select your bank and after you select it and click next/pay, it redirects you that bank’s login. You login, provide OTP, and it redirects back to the website you were shopping at, usually to orders page.

      • Trainguyrom@reddthat.com
        link
        fedilink
        English
        arrow-up
        1
        arrow-down
        1
        ·
        3 months ago

        Sounds like a good opportunity to redirect to a fake version of the bank’s website.

        Honestly I think the best solution is a revokable token from your bank that you can give to a merchant. One token per merchant, make it easy to revoke as the user sees fit. If you see a charge on the token from one merchant by someone else it’s immediately obvious that token and possibly that merchant was compromised

          • Trainguyrom@reddthat.com
            link
            fedilink
            English
            arrow-up
            1
            ·
            3 months ago

            My thinking was in terms of a malicious website, if it does a fake redirect to a fake bank webpage it will then be able to harvest your bank login as well, which is worse than a credit/debit card being harvested