Verbraucherzentrale Bundesverband e.V. Federation of German Consumer Organisations
N/A - see BEUC and our general comment under Category of Organisation
Within the concept of securing the communication between payment service users and payment service providers, including payment initiation services, we see the issue that not all credentials actually in use are adequately protected by the concept of dynamic linking and the use of distinct authentication elements.
Apart from dynamically linked TANs, which only authorise the transactions they are linked to, some schemes also ask for credentials such as the online banking PIN. That PIN grants full and repeated access to almost all information available via online or home banking. Furthermore, these credentials allow payment orders to be placed not only by payment initiation services but by anybody, simply by using the ordinary online banking features that banks provide to their customers.
In recital 14 of the draft, the EBA itself points to the risk of phishing and other fraudulent activities. The recital states that it is therefore deemed important to ensure that the account servicing payment service provider is aware that it is being contacted by a payment initiation service provider or an account information service provider and not by the client itself. Yet this is not enough.
We expect that fake or hacked online shops will direct consumers to fake payment initiation services, because such services are always reached by the consumer via a link. A fake initiation service can thus collect the credentials and initiate payments in the same way as the consumer could, and as anybody holding those credentials could. Before the new regulation, some services had to do exactly this themselves simply in order to be able to offer their services.
Keeping this practice would allow fraudsters to further use credentials provided by a consumer to mimic a payment order placed by that consumer himself. With that, the efforts made to secure the connections between account servicing institutions and initiation services would be almost in vain, since any fraudster could easily circumvent these precautions as described above.
Furthermore, dynamically linked credentials cover the amount, but the recipient or payee is likely to be identified only by a bank account number, and that number is not something the consumer knows in detail. So while the amount can no longer be manipulated, the payee of the payment could still be forged.
We ask the EBA to reconsider whether the secured links between account servicing providers and initiation services could also be used to provide for credentials that only those services can actually use to initiate a payment.
The implied risk that phishing will reignite once payment initiation services gain wider acceptance, and consumers become ready to share this data more frequently in order to use these payment options, should be blocked by design.
The EU legislator decided to allow these services. As a result, it is no longer possible to give consumers simple advice such as never to use their main online banking credentials on any website other than that of their own bank in order to keep those credentials safe.
Given this decision, it is now important to prevent consumers from falling prey to fraudsters as a consequence of it. We may even see that those who do fall victim will not necessarily be adequately protected by the legal standards set for unauthorised payments, because we expect disputes over whether anybody entering these credentials on a fake site may be suspected of having acted with gross negligence.
By introducing a difference between what an initiation service is expected to present to the account servicing provider and what customers themselves are expected to present to their payment service provider, there is a good chance of preventing this kind of fraud, because under recital 14 and the corresponding provisions a bank is required to know the difference.
We fully endorse BEUC's response and would only add that, with respect to Article 74(2) of PSD2, such further choices do exist in the German market. Payees accept IBANs or credit card numbers to enable card or direct debit payments and bear the risk that a default may occur through lack of funds or fraud. If a provider considers that risk small compared to the extra costs of more secure payment methods, even further exemptions are conceivable. As long as, in accordance with Article 74(2), payers never face any liability for erroneous or fraudulent payments, this practice has so far been acceptable to consumers.
As already described in our response to Q03, we endorse the importance of data protection. We are therefore wary about the protection of those security credentials that remain usable beyond a single transaction and are not entirely restricted by dynamic linking to one use. A PIN code used to access the online banking account is something that should be kept private at all times.
Apart from fraudulent payments, further risks arise if criminals get hold of those credentials. Insight into the account and into details such as address and card limits may support criminal activities against consumers. Their actual financial situation, when and where a consumer is usually or at a particular time located, and even the important codes sent by 1-cent verification transactions could be compromised. This would further allow criminals to mimic a card holder's activities in order to circumvent the security schemes that monitor how payment instruments are used so as to detect unauthorised use. And by means of those codes sent to bank accounts, further payment accounts could be opened in the name of an unsuspecting consumer and abused for money laundering.
We further support the point raised by BEUC on restricting the rules to card-based transactions only.
[Consumer or consumer association]
General remark on the answers: As a consumer organisation, Verbraucherzentrale Bundesverband e.V. (vzbv) will comment only partially on important security issues, from a consumer's point of view. In general, the approach taken by this Regulatory Technical Standard (RTS) is expected to address security issues adequately. Yet some important aspects seem not to have been considered with regard to our remarks on the first consultation on these RTS. We see options for serious circumvention of security that are still not dealt with.
In answering, we have restricted ourselves to pointing out issues on three of the EBA's questions only, and otherwise refer to and endorse the answers presented by BEUC.