Monzo in the UK recently added a beta ("labs") feature in their app to check your Barclaycard balance from within the app. Sounded ideal as the Monzo app is the best banking app I've ever used. I figured they'd be using Open Banking (the new OAuth style authentication system rolling out across banks here).
I went to turn it on only to find that they use a third party who ask for all of your Barclaycard credentials (including your full "secret word", which you normally only enter a few characters from at login time). I've no idea why they'd go this route, but exactly as you say - it just trains users to get phished.
It also wasn't clear what this third party would do with the transaction information they scrape from your account. Overall a terrible idea.
Degiro, an investment platform, do the same for your initial £100 deposit: you enter your bank's auth info and they do the wire transfer for you. It uses a 3rd party system called "SOFORT". Thereby training the public that passwords to a bank account should be given to random third parties, undoing years of painstaking training efforts.
If they asked for your PIN code, people would clearly balk. But somehow, passwords to a bank account are fair game. It's exasperating.
> Thereby training the public that passwords to a bank account should be given to random third parties, undoing years of painstaking training efforts.
Account details are relatively fine to enter on other sites; just entering 2FA tokens should be limited to transactions that you really want to confirm.
1. You train end users that entering banking credentials on 3rd party sites is Okay. This makes educating against phishing an impossible task.
2. Many banks require (a form of) 2FA to log in. Perhaps it’s a “2 letters from a secret code” system (see sibling post). You’re now educating users that entering 2FA on 3rd party sites is ok. This is the end of educating users about any security at all, really.
3. This 3rd party gets access to my full transaction history, everything I ever spent on anything, using this account. That is an unconscionable overreach in personal data access. “But we don’t use it / read it / store it / we only send it to trusted partners / .....” I’ve heard that song too many times.
If someone asked for email account passwords and 2FA login, people would scream bloody murder. What makes this different?
Note that none of this is about money. If someone defrauds me, the bank will refund me. It’s the least of my worries, really. Sure, rather not. But the bank can’t refund my privacy if someone exfiltrates purchase history. Based on any data leak ever, I think we all know what’s the most valuable thing in my bank account... it’s not the money. It’s the data.