Instant Bank Verification - How does that work?

This is the bank account verification process for the UK from the PayPal site

This is the bank account verification process for the USA from the PayPal site

Hmmm…
I’ve been on the internet since the early 90’s Netscape and dial-up days, I work with computers and I read a lot about such stuff - this is the first I realized that anyone legitimately did this. Can you imagine the risk/liability if they were hacked? Plus, why would anyone link Paypal to their bank account? I use a credit card.

So I understand FBG and psycho’s collective astonishment. I would certainly NOT trust a third party with this information.

In response to OP, I would assume that (a) they have a database of valid USA bank sites so (b) a valid logon gives them your balance. If they encounter a new site, maybe it takes human intervention to validate it. Maybe there’s a company that has already assembled the database for such businesses. Whether they use smart software to analyze the screen scrapes, or have a database of known screen layouts - I’m guessing it’s more a combination of the two. Most companies won’t share details so that they have one more layer of obscurity for hackers to get past.

The earliest posts’ warnings stand, though - unless you are sure you are not infected, and type the site name in yourself, do not enter this info. Especially, do not click on a link on some weird web site or a link in an email. What the screen shows you is not always the address you get taken (so to speak) to.

But in this case the third party is your bank*, which is probably the most trusted institution that any person ever deals with. You give them money, trusting that they will give it back to you at a later date. They own your car and your house, and you trust that they will pass the ownership to you once you give them enough money. Your bank handles every non-cash transaction you do.

I’m not so worried about handing them a few passwords for my other financial accounts. If they (or a malicious employee) wanted to steal from me, they already have access to all of my money. What could they possibly do with my student loan account password that will hurt me?

Now, I have to trust that they keep the third-party login information as securely as they do their own. Perhaps that’s a stretch.

*though Paypal isn’t a bank, and I don’t trust it nearly as much, it provides similar services.

If you want to transfer funds out of Paypal you can’t use your credit card.

I don’t see the big deal. These firms are typically other financial firms like banks or stockbrokers.

If you think banks are mystically hack proof or immune to disgruntled employee thefts, … they’re not.

Basically, this is equivalent to giving someone a blank cheque and trusting them or their employees to fill in the right amount and the correct payee.

I normally just read the SDMB, but this thread has made me want to post considering the overwhelming amount of misinformation in here that’s completely unrelated to OP.

Paypal lets you instantly verify your bank account by putting in your online banking credentials. I did this to link my Bank of America checking account to Paypal.

Now, on OP’s topic, I would presume this is done by simply checking to see if the credentials you gave are valid. Once validated, they probably discard your login information.

[talking about Paypal] Paypal doesn’t need to use your bank credentials to log in every time you make a transaction, because there are plenty of people who have verified their Paypal by the two little deposit method, and Paypal can withdraw money without a problem, having never received anything.

So it only makes sense that it’s a 1 time verification thing that gets thrown out after its initial use.

Actually, secure ways to offer these services have existed for many years and are used in many European countries, although I am having trouble finding good cites.

Dutch link - iDeal

Finnish link - TUPAS

The critical trick that makes this safe is that the merchant redirects the customer’s browser to their own familiar online banking site. The merchant never sees the customer’s password or any other traffic between the customer and the bank. After the authentication between the bank and the customer completes, the bank redirects back to the merchant, passing a digitally signed success message confirming the transaction.

I also use Mastercard SecureCode and for me it works the same way - for some reason Wiki gets this wrong, talking about iframes and other issues that would make this insecure.
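The redirect-and-signed-return flow described in the post above, sketched as an added example that is not part of the original thread and is not the iDeal or TUPAS message format. It assumes an HMAC-SHA256 over a shared key in place of the bank's digital signature; the field names, the key and the `Merchant` class are constructed for illustration.

```python
import hashlib
import hmac
import json
import secrets
from urllib.parse import parse_qsl, urlencode

# Constructed demo key; in practice the key is agreed with the bank out of band.
BANK_KEY = b"constructed-demo-key-not-a-real-secret"
FIELDS = ("txn", "amount", "status", "nonce")  # hypothetical field names


def _mac(params, key):
    """MAC over a fixed, ordered field list, JSON-encoded so values cannot run together."""
    msg = json.dumps([params[k] for k in FIELDS]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def bank_return_query(txn, amount, nonce, key=BANK_KEY):
    """Bank side: after the customer logs in at the bank, build the signed return query."""
    params = {"txn": txn, "amount": amount, "status": "OK", "nonce": nonce}
    params["mac"] = _mac(params, key)
    return urlencode(params)


class Merchant:
    def __init__(self, key=BANK_KEY):
        self.key = key
        self.pending = {}  # nonce -> (txn, amount) for payments this merchant started

    def start(self, txn, amount):
        """Issue a one-time nonce that travels to the bank with the redirect."""
        nonce = secrets.token_hex(16)
        self.pending[nonce] = (txn, amount)
        return nonce

    def accept_return(self, query):
        """Verify the bank's return message; no banking password ever reaches this code."""
        p = dict(parse_qsl(query))
        if not all(k in p for k in FIELDS + ("mac",)):
            return "reject: missing field"
        if not hmac.compare_digest(_mac(p, self.key).encode(), p["mac"].encode()):
            return "reject: bad signature"
        if self.pending.get(p["nonce"]) != (p["txn"], p["amount"]):
            return "reject: unknown or replayed transaction"
        del self.pending[p["nonce"]]  # each confirmation is accepted once
        return "accept" if p["status"] == "OK" else "reject: bank declined"
```

The merchant checks three things on return: the message is intact, it matches a payment the merchant itself started, and it has not been presented before.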

The point is that these people already have access to my money. I’m trusting them with thousands of dollars of stock, or balances due, or whatever. If I trust them that much, I don’t see why I shouldn’t trust them with holding a bank password.

Personally I’m having trouble deciding which is worse:
That there are banks that rely on a simple username/password-combo for their online services.
or
That some companies feel the need to set up their systems in such a way that they need the login/pass for your bank account to do business with you. (Unless there is some trick, like the one Frankenstein Monster mentioned, involved somewhere.)
or
That some people think it’s fine to share the login information for their bank account with, well, anyone.

You don’t understand how it works:

(1) They can’t withdraw/send money using the login information. That is done as an ACH transaction.

(2) You typically don’t have to give them the information. If you don’t, they make two deposits in your account, and you need to tell them how much they were for. Logging in is just faster.

(3) Scottrade typically holds more of my net worth than my bank does. Why should I be afraid to give them a password/login? Should I be worried that they will take 100% of my money instead of 75% of it?

I thought “Fuck off” was strong enough to get rid of the posters who don’t know what they are talking about, but apparently not.

Because Scottrade has plenty of internal auditing procedures dealing with the possibility that their own employees are stealing from them. No doubt they have records of which employees have accessed your account, no low-level employee will know your password except on a need-to-know basis (and they won’t need to know for any basic account inquiries) and any internal access to your account will be logged so if there are problems later the guilty party can be tracked down.

In contrast, a corrupt Scottrade employee is unknown to your bank, and is just like any other random attacker. They have no special ability to monitor his access and track him down if he does anything bad. He can cause a lot more trouble with less potential for repercussions.

In short, while Scottrade as a whole has similar access to your wealth as your bank does, any individual corrupt employee of Scottrade has a lot less access.

Moderator Note

treis, that’s enough. Since you can’t seem to keep your responses civil, I’m closing this thread. You’re lucky I don’t issue you an additional warning.

Colibri
General Questions Moderator