30

I have been asked to provide my user name and password, so my fiance' can have his bank, Macoto, verify my identity, before they will send the funds. Does this sound right? I figure if he gives the ok, and they have my acct number, and tracking number, that should be sufficient? Has anyone every heard of this practice?

mhoran_psprep
  • 139,546
  • 15
  • 193
  • 389
Susan
  • 325
  • 1
  • 3
  • 3

7 Answers7

90

I think that's a steaming crock of cow manure.

The (well, a) standard method for determining whether an account is "on the level" are micropayments: you give them your bank's "routing number" (name will change depending on the country) and your account number. They make a couple of small deposits, and then you log into their website and enter in the amount of those deposits.

Even if it is legitimate, it's horribly insecure, and there's no way that I'd do it.

(Of course, it's always possible that your BF is using this as a subterfuge to get access to your bank accounts.)

RonJohn
  • 50,666
  • 10
  • 106
  • 170
  • 4
    Thank you. I agree. I remember the micropayments in the past. – Susan Feb 19 '18 at 17:10
  • 24
    BF is using this as a subterfuge to get access to your bank accounts That is a very plausible reason and I am quite sure that it is the reason. – DumbCoder Feb 19 '18 at 17:28
  • 25
    There is no situation where one is asked their password, except through the passworded system, eg before I can chat with my bank, I sign in and then they know it’s me in my own account. But the agent / rep will never ask for my password. +1 – JTP - Apologise to Monica Feb 19 '18 at 17:55
  • 10
    @DumbCoder or BF is getting scammed as well, etc. – fectin Feb 19 '18 at 18:07
  • Not strictly speaking on topic but why would the other side care (assuming they are legitimate). They are supposed to send money to you, you claim to have access to that account, why do they care if ypu have access to thwt account or not, surely it's your idiocy if you dont – Richard Tingle Feb 19 '18 at 21:04
  • 2
    @RichardTingle: They would be liable if they didn't correctly enter the account number you gave them. The confirmation step protects against their system making a mistake, and even if that isn't as likely as the recipient making a mistake, it's still worth their effort to do it. – Ben Voigt Feb 20 '18 at 01:43
34

This sounds like scam. There is no reason for any one to know your username and password. Are you sure it is your fiancee or some fraudsters.

They may run with your money or use it for illegal activity.

Dheer
  • 57,070
  • 18
  • 88
  • 169
  • 2
    Thanks. I agree. Sounds like a scam. Appreciate everyone's help. – Susan Feb 19 '18 at 17:34
  • I wouldn't say there's no reason, but this doesn't isn't one. I'm thinking of the financial aggregator sites that exist in the US. – Loren Pechtel Feb 21 '18 at 04:56
  • 3
    @LorenPechtel Financial aggregators will make you logon via registration and not ask it in email. – Dheer Feb 21 '18 at 05:07
  • I agree they won't ask for it in an e-mail, but you made the more sweeping statement that there is no reason for anyone to know your username and password. – Loren Pechtel Feb 22 '18 at 03:39
18

To reinforce an earlier answer; it is a steaming pile of cow manure. Not only is the bank username/password the most important information you carry, for the real Macoto Bank it would be utterly useless for authentication purposes (as they (should) have no way of verifying that information)!

Provided that the Macoto bank mentioned is the Macoto Bank of Taiwan, this process is not only suspicious, but illegal, as Taiwan has pretty advanced privacy and data protection laws, fully on par with the US and the EU. That also means that Macoto bank has at the very least suffered a breach of procedure, as the inquired information is not only useless for them, but also because waaaaaaaayyyyy better methods of authentication exist!

If you have not received the inquiry directly from Macoto Bank, it's with 99.9999% certainty a form of scam.

If you DID receive the inquiry directly from Macoto Bank, you should ask about alternative means of authentication. In Germany (at least with VolksBank and DiBa) you're usually asked to deliver a handwritten note in person at the nearest branch. Also, if you DID receive the inquiry from Macoto Bank, they should be reported to the consumer protection authorities (if you have any).

The best solution would be to simply ask them about their authentication procedures in the scope of your case, at multiple branches and through customer service if you can. Verify as much as you can before you proceed!

Also, provided your fiancee has conducted the transaction either in person or via 2-factor authenticated online banking, that should provide enoough authentication unless her account is actively under investigation.

tl;dr: No respected authority or company asks directly for private account information, especially usernames and passwords. Unless it's a direct scam, the information will (and should be) completely and utterly useless for the inquirer!

Update Another thought that just hit me, is that the burden of proof of the transaction itself normally lies on the debtor (your fiancee, who sends the money and the party who risks harm), except if suspicious circumstances surround the creditor (you, the one who receives the money).

I'd check my account statements and tax records if I were you...

Tylon Foxx
  • 281
  • 1
  • 3
7

A bank will only ask for your full name, Ic number, or your bank account number. A bank will never ask for your password: they don't want to know your password because it is private and known to no one else except you.

I've never come across a bank asking for your bank personal password. If someone is asking for your password, that means they are not a bank but a scammer.

Be aware: just hang up the call, or ignore it.

Rupert Morrish
  • 7,566
  • 4
  • 26
  • 41
DanishDayana Samri
  • 71
  • 1
  • 1
    Welcome to PF&M. What's an Ic number? – Rupert Morrish Feb 19 '18 at 21:57
  • 2
    @RupertMorrish Well, a person with the same user name and same picture posted a hint to her location in the form of geo coordinates on a big social network. Working from that, I'd venture a guess that "IC number" is the number of Singapore's Identity Card, which would make it very much location specific, though. – I'm with Monica Feb 20 '18 at 08:14
  • @AlexanderKosubek Most countries have some equivalent to the IC number you refer to here. The USA has their Social Security Number (even though it was never designed to be used as an identifier), for example. The name might be different, but it's a safe assumption that most countries have something like this, even if it's just the serial number for your ID. – Valthek Feb 21 '18 at 09:06
  • @Valthek You're right, of course. The concept is transferrable and widely applicable, only the actual term "IC number" is only meaningful in a specific locale. – I'm with Monica Feb 21 '18 at 11:38
  • @Valthek : Many perhaps, but not all. The UK has no government issued number that a bank would be interested in. Germany does have an Ausweis, but I have never been asked for my Ausweis number (which is just as well, because I don't have one). – Martin Bonner supports Monica Feb 21 '18 at 15:10
6

When someone asks for your password, here's how you give it.

First invent a new username that you never use anywhere.

The go to any password-geneartor site and let it make you up a completely new password not used anywhere else. Lt. Cmdr. Data gets it.

If they come back and say "That password doesn't work", then they are scamming you. The only legitimate reason to ask a password is if they are setting up a new account for you. If a password already exists, never give it to anyone.

Harper - Reinstate Monica
  • 58,229
  • 10
  • 91
  • 195
  • 3
    Even when you're setting up the account. You generally provide ea temporary password that the user changes on their first login, you shouldn't ask them for their password. – Иво Недев Feb 21 '18 at 08:19
2

This might not be a scam, but I'd still avoid it

This is actually becoming a more common practice, at least in the US. I have seen a number of banks offer this as a means to authenticate your account ownership instantaneously. By providing your online banking credentials, their service is able to impersonate you and scrape data from your bank's online banking portal automatically. They use the data they collect to verify your account info matches what you previously entered. It's always made me a bit nervous, as there is no way to tell what additional data they might be gathering or what they might do with it. As such, I tend to avoid these services personally, but as far as I can tell they are legitimate. For example, Dwolla offers this as an option for adding an account.

As @RonJohn said, the more standard means of verifying an account is through microdeposits. Most banks that offer the online banking option, also offer this as an alternative. Not everyone has online banking, and their scraper probably wouldn't work with all smaller banks anyway.

If you absolutely must use the online banking option, either due to time constraints or whatever reason, change your password, both before and after. In case you reused this password somewhere else, you should change it to a dummy password beforehand so that if they do keep it in a database somewhere, and it gets compromised, that password is useless to the hackers. You should change it after because, well, otherwise they have your real password and can log in anytime.

Just know that any and all funds in your accounts are at risk until you change your password the second time. (And even then potentially, if they've managed to change any of your details or schedule future transactions.)

BryKKan
  • 165
  • 3
  • 2
    Hard to believe. Impossible actually. They would be losing non-repudiability over the entire account. You cold do any transaction and then claim they did it, and the existence of such a system would void any defence they might put up in court. – user207421 Feb 19 '18 at 22:34
  • 2
    @EJP Perhaps, but I've personally seen it more than once, so it's definitely out there. Keep in mind though, that it isn't your bank that enables this. It's a piece of software maintained by the other bank. They have scripted out the login process to a number of major banks, so they can automate the web requests as if they were a real user. They simply substitute your username and password. I've done similar scripts with load testing software (RadView's Webload) in the past, and it's not that technically complicated. – BryKKan Feb 19 '18 at 22:55
  • @EJP As for the legal aspect, technically you've given out the account details, so from the perspective of your bank, you'd still be responsible for any actions taken. One more reason why I tend to avoid such services. – BryKKan Feb 19 '18 at 22:58
  • 8
    I think you're confusing an API some financial institutions implement, where that institution allows you to use your bank login ON YOUR BANK'S OWN PORTAL to login and give permission for the requesting bank or institution to have access to your basic account information. This allows for the automatic setup of transfers or payments. Much like the way your mobile apps stay logged in and have access to your account information if you so chose. But, at no point do you actually give your login information to the other bank, though if you're not paying close attention, it may seem like you do. – Keith Feb 20 '18 at 04:23
  • @Keith That seems far more logical. I couldn't imagine any reputable company even wanting to touch your account information. Too much potential for backlash. – JMac Feb 20 '18 at 17:42
  • 3
    I can attest that although this answer sounds crazy, it is actually correct. Some US banks will request your user/password at another bank when you "add an account at a different bank" to your portfolio (so you can view all your accounts in one place). It is not a secure API call (OAuth/SAML), the login details of the second bank are transmitted directly to the first bank. Sad state of affairs indeed. – coldfused Feb 21 '18 at 02:54
  • 1
    This is nothing new, Facebook and Twitter (used to?) constantly badger you for your Gmail/Yahoo/Hotmail password so they could scrape it to find your friends. Securitywise, this is a very bad thing. Instead of banning this practice, some email providers used it to integrate all your email accounts in their UX. So entity X demanding your credentials to entity Y is nothing new. I have a feeling downvoters aren't entirely clear that's what you mean. I got it, but I am already familiar with It. And of course scammers use it everyday, making it much more horrible. – Harper - Reinstate Monica Feb 21 '18 at 14:36
  • 1
    This is yet another example of "security at the expense of usability comes at the expense of security". Of course the bank's SecOps department loathe the practice. However the bank's product marketing department adores the practice, and both answer to management/Board, who sacrifices security for likely profit. A better practice would be public key exchange, which is easy if both sides cooperate. – Harper - Reinstate Monica Feb 21 '18 at 14:58
2

Passwords should always be a secret known only to you and the service the password is meant to keep secure (e.g your bank, your email account, etc.). Any respectable service will secure your password in such a way that no person other than you can ever know it without you disclosing it, because no one but you need ever know your password for any honest purpose.

Giving out your password is handing over control of whatever it is your password is protecting, effectively allowing someone else to "become you" for whatever that service does.

Any third party asking for your password is doing so for nefarious purpose, such as emptying all your funds out of your account.

For a bank to send funds to a recipient account at another bank, all they need is identification of the destination bank and the destination account number. To confirm that it is the correct account, they will probably want/need to know the name of the account holder. No passwords.

The sending bank doesn't need to verify your identity. They don't have to know or care who you are. They will want to verify the identity of the person requesting the withdrawal of funds (i.e. your fiance); before they draw any funds from his account, they will want to know he is OK with it. All they need to know about your account is enough to avoid any mistakes in executing his request; having the account holder's name to go with the destination account number is enough.

Anthony X
  • 1,032
  • 8
  • 9