In order to pay import duties, these crazy fuckers are expecting me to enter my bank logon details into their website. What. The. Fuck.

johsny@lemmy.world to Mildly Infuriating@lemmy.world – 392 points –
79

That is a scam, they probably send mass texts linked to tracking numbers that have a registered phone number.

I remember one of the funnier scams.

They said they were from USPS, and in order to finish shipping, they needed me to pay the tariff.

It didn't have anything about me. No login. No address. No tracking number. It just wanted me to hit that pay now button.

But even then, why would I pay a tariff for something I didn't order?

They didn't send it just to you. They sent it to millions. If even one person happened to order something internationally and be stupid, it's already worth it.

For a while (and still every so often), I received fake texts from delivery companies, but they always referred to me as "There". "There, we tried to deliver your package...", "There, your package may be returned if you don't click this link...". I was curious what I typed in and where that they recorded my name as "There".

I get that once in a while here in Denmark too, only replace USPS with PostNord, sometimes DHL or GLS

And this is one of the ways to filter random scams. If a legitimate business or public entity is reaching out to contact you about an issue you need to deal with, they will know some identifying information about you. Especially the ones claiming that there's a warrant (or will be). If that was the case, they would definitely know your name and other specific details.

That said, there are targeted scams, too, so don't assume that if someone can tell you your name that they are legit. Ask them for a callback number (don't call it, ask because they might be dumb enough to give you a number linked to them that you could pass on to investigators), then hang up and call the number you looked up online.

Be careful looking up numbers online as well. There are lots of fake numbers and sites out there. Use previous known good communication as your guide for contacting the specific entity you are trying to contact. If at all possible. Also, smammers seem to have databases of scraped and leaked data so will often pull up your data based on your caller ID or other info you may disclose to them. Be careful out there.

Don't even need an associated list, just a random list of phone numbers. People online shop enough.

It probably isn't as the banking industry is crazy

Banking network engineer here: Never give out your login details. Not to your mom. Not to your brother. Not to me. Not to a company. Not to a random guy in India. Don't do it.

Agreed. However, there are services that login on your behalf. It is incredibly dumb but they exist.

Just to be entirely clear, DO NOT GIVE THEM YOUR LOGIN

Partners are the stupidest fuckers on the planet. I won't name names, but I have sicced my governance team on fucking http (NO S) websites, usage of certificate pinning, public-facing databases! (Protected by a shitty 2000's-era username+password login interface) transferring credit card numbers in CLEAR TEXT. I swear I've seen every possible idiotic move from partners.

Super massive red flag there.

Love that Muse song.

🎶 Ooh baby don't you know I suffer Oh baby when you phished my bank You sent me to a dodgy website Using a convincing link

Ooooooh-ooooh You drained my bank account Ooooooh-ooooh You drained my bank account🎶

Google seems to suggest they’re some sort of fintech company out of South Africa? Either way if that’s their product then I’d run a mile in the other direction, and then another just be sure.

Yeah no. Plaid is one thing but giving access to your bank login to pay an invoice is something quite another. If it's legit they can accept a card payment, or send you to a PayPal invoice.

Yep. They've been around for years.

Normally you would just give them your card info like any other online pay site like PayPal etc. but I don't know why they suddenly decided to give everyone at the company a deluxe lobotomy

I saw this shit yesterday when I was trying to buy a weed cart online (still not sure if it's legal or not. I still hear stories of those moron cops arresting people for "drug possession" i.e. didn't pay a bribe)

Noped out and just gave the clearnet grey market drug website virtual card info that's gonna expire in a few hours anyway

I've seen this in a few places

Just to be clear, the answer is absolutely NO.

Seen the same thing with other third party payment systems in south africa. Run away my dude.

As a fellow saffer, and a person who works with scam victims, I'm curious as to what services asked you to do that? Feel free to pm me.

This kind of stuff got legalised in Germany: Banks said that e.g. Sofortüberweisung was instigating their customers to break their TOS and should be shut down, anti-trust then said "nuh-uh you can't just shut down legitimate business" (Sofort is indeed legitimate) and instead put third-party systems under banking regulations, and required ordinary banks to have APIs allowing third parties do do sensible things.

...which theoretically could mean that you're sent to your actual bank to authorise and thus getting rid of the normalising phishing problem, dunno, haven't checked I'm boycotting them out of principle for going down that route in the first place. Don't serve any purpose now that we have real-time transfers, anyway.

Make sure you email them your mothers maiden name and date of birth too, just to be safe it goes through

What could go wrong?

They look trustworthy, right?

Hello sir, ozow.com is best most recognize branding. We are trust top tier bank accounts detailed are encrypted so most safe safer than banks actually!

If you’d like, I can show you. Just uh, need you to sign a waiver saying you authorize this little demonstration and accept all risks.

Also, gonna need your login credentials…

They maybe use Plaid to connect your bank? I still wouldn't do it though. Fuck Plaid. Fuck handing out creds. Find another way.

The crazy part that the bank uses username+password method for authentication.

That's fairly common, 2fa w/loc is after password in a lot of cases.

They’ve been doing essentially the same thing for years. Here’s the site from 2 years ago. Not to say that this is definitely safe, but scam sites usually don’t last this long

https://web.archive.org/web/20220114215955/https://ozow.com/

Step 3: Log in and select your account to pay from. Don’t worry, we have security covered. 🤣

Yeah, scam or not, this method of getting your account and routing information is not at all secure. I'm actually more surprised that the banks allow another site to initiate the login with a plaintext password. This defies all decent security practices.

Well, it is a payment processor that uses bank accounts. So, that makes sense.

That’s what wire transfers are for.

There should be no need for you to give them your credentials. Also, be aware that if you do give a third party credentials, and you get hacked, your banks going to blame you for being stupid.

Because it is stupid.

How stupid is it? Not even the bank support staff will ask for your credentials.

I just noticed it was login details… my brain was thinking account and routing.

Still, I say: You (importer) tell me the amount to pay -- then I authorize payment to you.

All they need is your account numbers. But this is a service that appears to operate in South Africa and allows bank to bank transfers. To me that sounds like using PayPal to do bank to bank transfers which is really strange sounding.

But regardless a username and password is an odd thing to ask for unless we are just not understanding how this app works.

That's unusual, but not unheard of. Some online merchants will allow you to make payments via ACH transfers. Can be useful for things like international purchases or if you don't have a normal credit/debit card to use. Sometimes smaller merchants will prefer this, if they don't have an existing business partnership with a payment processor already.

Usually these will go through a third-party system that tokenizes your login with your bank. This way the merchant can only access your routing/account numbers to do the transfer. As for why you'd need to provide your bank login instead of the routing/account numbers directly, it's usually just a form of fraud prevention, as the login verifies that you're actually the account owner and not trying to pay with a checkbook you found on the street.

It's similar to Plaid, which is a near-identical service that some merchants in the US use. From what I can tell, Ozow appears to be legitimate, so realistically it's probably safe to enter your login details as long as you're not getting any certificate errors on the page.

E: Not sure why this is downvoted. I'm not saying it's a good system, just saying that it's not inherently a scam.

You shouldn’t trust Plaid either.

Especially if all they’re doing is looking for the routing and account number. Because that’s just as easy to give.

I know someone who works in software security at Plaid. I can't give too many details because there's only like 20 of them - but no, you REALLY should not trust Plaid. (Allegedly) phones intercepting 2FA in their server rooms, (allegedly) bank connection issues that have led to people getting access to the wrong accounts, (allegedly) using browser bots to handle login on the backend for banks without API access, (allegedly) customer info leaks that weren't reported.. Now that I think if it, I should tell my friend about the whistleblower programs

I don't know how it works in the US but under European law if he knows about these things and isn't reporting them he's liable if and when it all comes to light.

If you know that the company you work for is committing crimes, and you do not report it, you are as liable as the company.

It's also risky to give. Banks will generally approve all transactions between two accounts if one of them is a business account, because the assumption is that those are business transactions and are legitimate 99.99% of the time, so there's very little scrutiny involved for those transfers. Giving the merchant your routing/account number gives them access to make withdraws from your account at will and at any time and can't be revoked, and giving that access to somebody you may not fully trust the reputation of is a dangerous move.

A trusted financial institution as a middleman can be useful for those situations, because they'll tokenize your details to expose as little as possible to the merchant, directly. These services are typically insured, so even if something did happen to your account, you're more likely to get your money back than if you gave a merchant direct ACH access to your bank account. It's basically a modernized version of Western Union.

You do realize that if the bank authorizes a transfer, that you did not… it’s wire fraud and they’re obligated to refund that cash, regardless if they recoup the cash or not.

Their fuck up, their loss.

On the other hand, if you give your credentials to a 3rd party, that’s against the ToS none of us actually read, and if something happens to your account; they’re going to deem it as your fuck up.

As for whatever technobabble Plaid wants to use, even if they’re insured… you’re not, unless you can prove in court that they were the source of the breach. Their lawyers are probably better than yours.

You do realize that if the bank authorizes a transfer, that you did not… it’s wire fraud and they’re obligated to refund that cash, regardless if they recoup the cash or not.

You do realize that not every transaction happens in countries where these protections exist, right? Not everybody can rely on something like the FDIC to protect their funds.

On the other hand, if you give your credentials to a 3rd party, that’s against the ToS none of us actually read, and if something happens to your account; they’re going to deem it as your fuck up.

You're not providing your bank credentials directly to the third-party, either. They use OAuth-like systems to log you in, typically. I'm not familiar with Ozow, specifically, but from what I can tell about their company, they appear to be doing mostly the same things as Plaid.

You’re not providing your bank credentials directly to the third-party, either. They use OAuth-like systems to log you in, typically. I’m not familiar with Ozow, specifically, but from what I can tell about their company, they appear to be doing mostly the same things as Plaid.

Plaid or Ozow is the third party. You're using their system, which they control, to provide your credentials.

You're trusting that a) they're not malicious and b) they have their shit together and c) even though they do have their shit together someone doesn't find a random exploit anyhow.

As for the first. yeah. that's a problem. At that point it really doesn't matter, does it? why would you trust Ozow or anyone else in that sort of environment with your banking credentials? or even the bank with your money?

You're trusting that a) they're not malicious and b) they have their shit together and c) even though they do have their shit together someone doesn't find a random exploit anyhow.

You could say this about literally any solution short of hand-delivering cash in person.

Plaid effectively admitted to stealing your transaction history and selling it to the highest bidder in the past. There was a settlement and they agreed to not to that in the future

Just don't ever share your password, and certainly not your banking password, and definitely not with Plaid.

We have a variation of this system here (India)

During checkout you can select netbanking as payment method. It asks you to select your bank and after you select it and click next/pay, it redirects you that bank's login. You login, provide OTP, and it redirects back to the website you were shopping at, usually to orders page.

Sounds like a good opportunity to redirect to a fake version of the bank's website.

Honestly I think the best solution is a revokable token from your bank that you can give to a merchant. One token per merchant, make it easy to revoke as the user sees fit. If you see a charge on the token from one merchant by someone else it's immediately obvious that token and possibly that merchant was compromised

As far as I know, fake version of bank's website will not work because the redirection happens from payment gateway with hardcoded linking to bank websites.

My thinking was in terms of a malicious website, if it does a fake redirect to a fake bank webpage it will then be able to harvest your bank login as well, which is worse than a credit/debit card being harvested