1 year ago | 4 comments
That is the thing - you don't.

In Czechia, something called bank ID is commonly used to authenticate. The point is to verify it is you, for example when you sign a contract online, fill in tax returns online... stuff like that. The way it works is that you are on some site, you get redirected to your internet banking, you log in (that's what I meant by "bank details", I am sorry about expressing myself so clumsily), and your bank redirects you back to that site with confirmation that it is you.

Do I need to verify my identity when someone wants to send me money? Who knows. This is the part that made me check. But I was close to not checking simply because it is habitual, and you do stuff like that automatically.

Nowadays, we are often dealing with systems we do not fully understand. You get redirected to some familiar login form, you log in, and you don't even pause. Well, at least I do it. I should be a lot more careful, apparently.

mcyukon
1 year ago
Canada checking in. We have the same system for authenticating with government services. https://www.interac.ca/en/verification/personal/sign-into-go...

I dislike this as well, as this is conditioning people to not second-guess why a third-party website is sending you to your bank to log in. I've also come across scam websites that mirror the authentication process down to every step you would have when using it for legitimate purposes. Scam website > scam Interac login partner > scam web banking login > stolen bank credentials.

ustad
1 year ago
Holy crap! I would have thought Canada would know better than to use this “Bank ID” method.
XorNot
1 year ago
Login page redirects have become a big user security hazard it would seem - and OAuth is basically the culprit.
dylan604
1 year ago
The entire social engineering of sending everything off to a 3rd party is something that really irks me. The touted convenience of faster-to-deploy updates by using a 3rd party rather than depending on local version updates has never been enough for me. It also was the sugar pill for switching to rent-seeking SaaS to gain traction.

I don't want my web server dependent on anyone else's server/service being available or in any other way slowing down my users' experience.

The only service for which I have no local solution is payment processing.

seymore_12
1 year ago
Honest question. Shouldn't internet banking services that offer authentication as a service do it with at least mandatory 2FA for login? I would guess that way fake bank sites would fail?

I don't have many banking relationships, using 2 banks, and there is not even a password to remember; all login is done via authentication apps.

ustad
1 year ago
Holy crap. What a terrible system and I hope my part of the world never implements such forms of tech.
honzabe
1 year ago
I am not sure I can agree with that. I almost got scammed, but isn't that my responsibility to check?

The thing is, those services really are useful. A lot of stuff that used to be complicated and required me to stand in line somewhere can now be done comfortably from home. Many good things can be abused, but that does not mean they should not be implemented. And you don't have to use it if you do not want to.

Also, I don't know how the scam works behind the login form that stopped me, but I think it would not have worked even if I had given them my info because there is 2FA - how would they overcome that hurdle?

ustad
1 year ago
Sorry, I was not clear. I was talking about having to use your bank for authentication/sign in.
noprocrasted
1 year ago
It's actually a really good system, as the origin (aka the domain displayed in your URL bar) changes during the redirect.

The problem is the lack of user education as to what an "origin" is.

But assuming there is good user education, this is the proper way to do it. One (untrusted) origin redirects you to a trusted one with instructions to give it some information. The trusted origin asks for your authentication and tells you what the untrusted origin is requesting. If you approve, the untrusted origin only gets the very specific data it requested (and you approved) and nothing else.

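The redirect flow noprocrasted describes above, and the "does the redirect actually land on my bank's origin?" check that mcyukon's phishing chain defeats when nobody performs it, as an added toy model that is not code from any commenter, Interac, or any bank. All names (the `example-bank.test` origin, the `tax-portal` client, the user and her claims, the lookalike scam URL) are constructed for the example; the trusted side requires a password plus a one-time code, shows the user which origin is asking for what, and afterwards releases only the approved claims to the registered client that started the flow:

```python
import secrets
from urllib.parse import urlsplit, urlencode, parse_qs

# Constructed sample data: the only origin a user should ever type bank credentials into.
TRUSTED_ORIGINS = {"https://idp.example-bank.test"}
# Constructed lookalike: the registrable domain is login-verify.example, not example-bank.test.
SCAM_LOGIN_URL = "https://idp.example-bank.test.login-verify.example/authorize?client_id=tax-portal"


def origin_of(url: str) -> str:
    """Return scheme://host[:port], the part of a URL the user should compare, not the path."""
    p = urlsplit(url)
    if p.scheme not in ("http", "https") or not p.hostname:
        raise ValueError(f"not an http(s) URL: {url!r}")
    default = 443 if p.scheme == "https" else 80
    port = p.port or default
    host = p.hostname.lower()
    return f"{p.scheme}://{host}" if port == default else f"{p.scheme}://{host}:{port}"


def redirect_is_trusted(url: str) -> bool:
    """The check the thread calls for: is the redirect target a known, trusted origin?"""
    try:
        return origin_of(url) in TRUSTED_ORIGINS
    except ValueError:
        return False


class TrustedIdP:
    """The bank side: authenticates with password + one-time code, releases only approved claims."""

    def __init__(self):
        self.origin = "https://idp.example-bank.test"
        # Registered clients and their exact redirect URIs (constructed).
        self.clients = {"tax-portal": "https://tax.example.test/callback"}
        self.users = {"alice": {"password": "correct horse battery", "otp": "482913",
                                "claims": {"name": "Alice Novak", "birthdate": "1990-05-01",
                                           "iban": "CZ00 0000 0000 0000 0000 0000"}}}
        self.pending = {}  # authorization code -> (client_id, approved scope, username)

    def consent_screen(self, client_id, redirect_uri, scope):
        """What the trusted origin shows the user: who is asking, and for which claims."""
        if self.clients.get(client_id) != redirect_uri:
            raise PermissionError("unregistered client or mismatched redirect_uri")
        return {"requesting_origin": origin_of(redirect_uri), "requested": sorted(scope)}

    def login_and_approve(self, client_id, redirect_uri, scope, state, username, password, otp):
        """User authenticates at the bank and approves the request; bank sends a code back."""
        self.consent_screen(client_id, redirect_uri, scope)  # re-validate before issuing anything
        user = self.users.get(username)
        if not user or user["password"] != password or user["otp"] != otp:
            raise PermissionError("authentication failed")
        code = secrets.token_urlsafe(16)
        self.pending[code] = (client_id, frozenset(scope), username)
        return f"{redirect_uri}?{urlencode({'code': code, 'state': state})}"

    def exchange(self, client_id, code):
        """Release only the approved claims, only once, and only to the client that started the flow."""
        entry = self.pending.pop(code, None)
        if entry is None or entry[0] != client_id:
            raise PermissionError("unknown code or wrong client")
        _, scope, username = entry
        return {k: v for k, v in self.users[username]["claims"].items() if k in scope}


class RelyingParty:
    """The untrusted origin (the tax portal): it never sees the password or the one-time code."""

    def __init__(self, idp):
        self.idp, self.client_id = idp, "tax-portal"
        self.callback = "https://tax.example.test/callback"
        self.states = set()  # outstanding anti-forgery tokens for flows we started

    def start_login(self, scope):
        state = secrets.token_urlsafe(16)
        self.states.add(state)
        q = urlencode({"client_id": self.client_id, "redirect_uri": self.callback,
                       "scope": " ".join(sorted(scope)), "state": state})
        return f"{self.idp.origin}/authorize?{q}"

    def handle_callback(self, url):
        q = parse_qs(urlsplit(url).query)
        state = q.get("state", [None])[0]
        if state not in self.states:
            raise PermissionError("unknown state: not a flow this site started")
        self.states.discard(state)
        return self.idp.exchange(self.client_id, q["code"][0])


def run_flow(username, password, otp, scope=("name", "birthdate")):
    """Walk one complete login: portal -> bank -> portal; returns what the portal ends up with."""
    idp = TrustedIdP()
    rp = RelyingParty(idp)
    redirect = rp.start_login(scope)
    if not redirect_is_trusted(redirect):  # the user's check before typing any credentials
        raise PermissionError(f"refusing to log in at untrusted origin {origin_of(redirect)}")
    q = parse_qs(urlsplit(redirect).query)
    back = idp.login_and_approve(q["client_id"][0], q["redirect_uri"][0], q["scope"][0].split(),
                                 q["state"][0], username, password, otp)
    return rp.handle_callback(back)
```

Note what the portal receives at the end: the two claims it asked for and the user approved, and not the IBAN that was also on file, while the scam URL fails the origin check even though its hostname begins with the bank's name, which is exactly the detail a user trained to "just log in" never looks at.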
ustad
1 year ago
I’ll repeat what I said above/below: Sorry, I was not clear. I was talking about having to use your bank for authentication/sign in.