Overlay banking or phishing/man-in-the-middle attack?

Today I learned that there is such a thing as overlay banking, which provides a way to pay in webshops through your online banking system. Contrary to how the iDeal system, popular in the Netherlands, works, with overlay banking you provide your credentials (including a one-time password/TAN code) to a hopefully trusted third party. Technically, you could say this third party is very similar to someone doing a man-in-the-middle attack. The Dutch National Bank and others expressed their concerns about this, and I completely agree. Although I can imagine that the specific party providing this overlay banking service (the German Payment Networking) may very well be trustworthy, one should of course never give one's credentials to a third party. There are many technical solutions to avoid this (e.g., OAuth) and let someone act on your behalf without having to give them your credentials. What worries me most is that this may educate people to be more susceptible to phishing and man-in-the-middle attacks! Apparently Payment Networking disagrees (article in Dutch), and considers their system secure because they adhere to high security standards. This does not, however, take away my ‘educating people to do the wrong thing’ concern.
Of course, one may also argue that in addition to raising concerns about overlay banking, the European banks should speed up the process of standardizing interfaces that allow competing international online payment systems. I can imagine that overlay banking is simply a way to provide cheap online payment, and with proper standards and fair competition, this should be possible without the above-described security risks.
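
To make the "act on your behalf without your credentials" point concrete, here is an added sketch (not part of the original post, and a simplified model of delegated authorization rather than the OAuth protocol itself). It assumes the customer logs in at the bank, which then hands the payment provider a signed, single-use token bound to one payee and one amount; all names and sample values are hypothetical.

```python
import hashlib
import hmac
import json
import secrets
import time

BANK_KEY = secrets.token_bytes(32)   # signing key known only to the bank
_used_ids = set()                    # token ids the bank has already honoured

def issue_payment_token(account, payee, amount_cents, ttl=300, now=None):
    """Bank side: runs after the customer authenticated AT THE BANK and
    approved exactly this payment. The provider never sees password or TAN."""
    now = time.time() if now is None else now
    claims = {"acct": account, "payee": payee, "amount": amount_cents,
              "exp": now + ttl, "jti": secrets.token_hex(8)}
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(BANK_KEY, body, hashlib.sha256).hexdigest()
    return body.hex() + "." + sig

def redeem(token, payee, amount_cents, now=None):
    """Bank side: the payment provider presents the token. Returns (ok, reason)."""
    now = time.time() if now is None else now
    try:
        body_hex, sig = token.split(".")
        body = bytes.fromhex(body_hex)
    except ValueError:
        return False, "malformed"
    expected = hmac.new(BANK_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    claims = json.loads(body)
    if now > claims["exp"]:
        return False, "expired"
    # The token authorizes one payee and one amount, nothing else.
    if claims["payee"] != payee or claims["amount"] != amount_cents:
        return False, "outside approved scope"
    if claims["jti"] in _used_ids:
        return False, "already used"
    _used_ids.add(claims["jti"])
    return True, "paid"

if __name__ == "__main__":
    # Constructed sample values: a test account, a shop, 19.99 in cents.
    tok = issue_payment_token("NL00TEST0123456789", "webshop-example", 1999)
    print(redeem(tok, "someone-else", 1999))      # provider cannot redirect it
    print(redeem(tok, "webshop-example", 1999))   # the approved payment
    print(redeem(tok, "webshop-example", 1999))   # and it cannot be replayed
```

Everything the provider holds is useless outside the one approved payment, whereas the user's habit of typing bank credentials only on the bank's own site stays intact.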
