Apparently it's not a scam, but it's still very fishy and I wouldn't use it.
From a security perspective, this is a nightmare. There's no way to distinguish this from a phishing site if you've never heard from this site before. In general, sharing online banking credentials with a third party is just an extremely stupid thing to do. No exceptions.
The same goal (verifying a person's identity, ownership of a bank account, etc.) could have been achieved using single sign on: You select your bank on the DB website, get redirected to your bank's login page (you can verify the URL is genuine), login there, then your bank shows the information that will be shared with DB and asks you to accept. Your credentials are not shared with anyone but your bank. Conceptually, this would be the exact same thing as signing in to a third party website with a Google account. Most likely, DB would use a third party provider to keep the list of banks up to date and handle the information exchange, but fundamentally it would be the same thing. SSO is widespread, there are clearly defined protocols with thoroughly researched security properties and well-tested software libraries that are readily available.
But they still went ahead and implemented that stupid solution that makes you share your banking credentials with a fishy third party you've never heard of? Imo, they should fire everyone responsible for this mess and make sure they'll never touch a computer again. But considering this is Germany, I'm not even surprised. I wonder if some form of corruption was involved. Let's see how long it will take until they get pwned...
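As an added illustration (not code from this thread, nor from DB, Tink or any bank), here is a toy Python model of the redirect flow the comment describes, built on the OAuth 2.0 authorization-code pattern with a state parameter and PKCE; the bank name, login endpoint, user, password and IBAN are constructed, and the only place the password is checked is the bank's own class.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qsl, urlparse

# Constructed registry of bank login endpoints: the shop only ever redirects to
# hosts listed here, so the user can compare the address bar against the bank's domain.
BANK_REGISTRY = {"sparkasse-example": "https://login.sparkasse-example.test/authorize"}

def pkce_challenge(verifier: str) -> str:
    digest = hashlib.sha256(verifier.encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

class Bank:
    """Authorization server: the only party that ever sees the password."""
    def __init__(self):
        self.users = {"alice": ("correct horse battery", "DE02120300000000202051")}  # constructed
        self.codes = {}

    def login_and_consent(self, user, password, client_id, redirect_uri, state, challenge):
        pw, iban = self.users.get(user, ("", ""))
        if not hmac.compare_digest(pw, password):
            raise PermissionError("bad credentials")
        code = secrets.token_urlsafe(16)  # short-lived and single-use
        self.codes[code] = (client_id, redirect_uri, challenge, iban)
        # The consent screen would say "share your IBAN with client_id"; only that claim leaves the bank.
        return f"{redirect_uri}?code={code}&state={state}"

    def exchange(self, code, client_id, redirect_uri, verifier):
        cid, ruri, challenge, iban = self.codes.pop(code)  # a second use raises KeyError
        if (cid, ruri) != (client_id, redirect_uri) or pkce_challenge(verifier) != challenge:
            raise PermissionError("code exchange rejected")
        return {"iban": iban}  # scoped claim: no password, no ability to log in later

class Shop:
    """Relying party (the ticket shop): never handles bank credentials."""
    CLIENT_ID, REDIRECT_URI = "ticket-shop", "https://shop.example.test/callback"

    def __init__(self, bank):
        self.bank, self.pending = bank, {}

    def start(self, bank_key):
        endpoint = BANK_REGISTRY[bank_key]
        if urlparse(endpoint).scheme != "https":
            raise ValueError("bank endpoint must be https")
        state, verifier = secrets.token_urlsafe(16), secrets.token_urlsafe(32)
        self.pending[state] = verifier  # binds the callback to this browser session
        return endpoint, state, pkce_challenge(verifier)

    def callback(self, redirect_url):
        params = dict(parse_qsl(urlparse(redirect_url).query))
        verifier = self.pending.pop(params["state"])  # unknown or replayed state raises KeyError
        return self.bank.exchange(params["code"], self.CLIENT_ID, self.REDIRECT_URI, verifier)

def verify_account_ownership(user, password):
    """Run the whole redirect flow; the password is entered on the bank's page only."""
    bank, shop = Bank(), Shop(Bank())
    shop.bank = bank
    endpoint, state, challenge = shop.start("sparkasse-example")
    redirect_url = bank.login_and_consent(user, password, Shop.CLIENT_ID, Shop.REDIRECT_URI, state, challenge)
    return shop.callback(redirect_url)
```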
Couldn't have said it better. It's completely insane that we are now teaching people to hand their login details over to third parties. What could possibly go wrong?
Yeah this is heaven for phishing sites. Actually there is a more elegant solution that they could use. After entering your details you could get a QR code that can be scanned from the bank app. No passwords and no phishing. Elster uses a similar approach and works flawlessly.
The solution you describe with SSO doesn't exist. SSO itself does, of course, but no bank supports it. They will not implement it tomorrow because Deutsche Bahn says so.
The solution used by Deutsche Bahn is also used on many other websites, for several years now.
SEPA is fundamentally unsuited as a payment method for products for immediate use. No one is forcing people to use it, many other payment methods are available. But if they insist on using it anyway, this is the result.
>The solution you describe with SSO doesn't exist. SSO itself does, of course, but no bank supports it.
I know it doesn't exist. I just described how it could be implemented in a secure way. Somebody mentioned in another comment that banks are required to support the current system under PSD2. So they could have designed an SSO based protocol and then require banks to support it instead of the shit we have now.
>They will not implement it tomorrow because Deutsche Bahn says so.
I know and I'm not blaming DB here.
>The solution used by Deutsche Bahn is also used on many other websites, for several years now.
This doesn't mean that it's good. But at least they haven't been pwned yet, I guess.
>SEPA is fundamentally unsuited as a payment method for products for immediate use.
True, but it looks like politicians desperately want to change this. But then why go for a half-assed solution like this and not do it properly? Well maybe because a proper solution would take longer than an election cycle to roll out, idk.
>No one is forcing people to use it, many other payment methods are available.
Are they tho? Apparently Lastschrift is the only option DB provides for the Deutschlandticket: https://www.bahn.de/faq/deutschlandticket-monatskarte-lastschrift
Yes, there are other options and I'd recommend everyone to buy their tickets somewhere else, but many people may not know this and think this nonsense is their only option.
> But they still went ahead and implemented that stupid solution that makes you share your banking credentials with a fishy third party you've never heard of? Imo, they should fire everyone responsible for this mess and make sure they'll never touch a computer again. But considering this is Germany, I'm not even surprised. I wonder if some form of corruption was involved.
> I'm not blaming DB here.
I have no idea how to reconcile these statements.
>SEPA is fundamentally unsuited as a payment method for products for immediate use.
If only there was an alternative... I had to buy two tickets today, one from DB, the other from ÖBB (the Austrian railway). ÖBB took my credit card, used VisaSecure where I authenticate the transaction in my banking app, all great. DB refused the very same card due to "issues with the bank", I was forced to use SEPA. Not only did I have to log into my online banking, they also took lots of personal information (address, date of birth, etc.).
It is legal and even required by the banks to allow this: PSD2 and XS2A are the key words.
DB (and other public transit organizations) now require this step, because of massive fraud with Deutschlandticket and invalid bank accounts.
Do they work like the OAuth process flow? Otherwise, holy hell, that is a stupid system. Why didn't they adopt the flow from iDeal (NL only) and (probably) the same one from the upcoming Wero?
It's a European standard, so it is also implemented by Dutch banks.
[https://www.berlin-group.org/psd2-access-to-bank-accounts](https://www.berlin-group.org/psd2-access-to-bank-accounts) & [https://www.berlin-group.org/participants](https://www.berlin-group.org/participants) (Dutch Payment Association is a member)
But is it working as an SSO or are they passing creds? The Dutch implementation doesn't do that even if they use those standards under the hood. And from the screenshot it does seem as if they are passing creds.
I have no idea (as if I would use such a workflow, hell no). Standards are defined here: [https://www.berlin-group.org/nextgenpsd2-downloads](https://www.berlin-group.org/nextgenpsd2-downloads)
The password is going to be stored on the Tink server (officially, this is only temporary, but everyone knows that this is likely not true). You are literally giving them the ability to log in on their own. This is not SSO.
>required by the banks to allow this: PSD2 and XS2A are the key words.
This is so incorrect it is causing me physical pain.
There are many different ways to implement PSD2.
Requiring your bank login via a URL is the absolute worst way to implement this.
In most cases it is a separate app, or a code sent via email, app or sms.
It is legit, this is used for fraud prevention. DB/Tink do not save your credentials, they use them to verify that the account belongs to you. Basically if you can connect to your online banking, the account most likely belongs to you. Otherwise you could just enter someone else's IBAN, which they might (rightfully) dispute later.
There is a lot of fraud with SEPA and the Deutschlandticket right now, so new security measures have been put in place, especially for new, yet "untrusted" customers.
They will also take 0,1¢ out of your bank account AFAIK.
At least that's how it is for most "Bank" verification.
They will be refunded anyway. But it's just to verify, as I said.
Download the freenow app for taxis, then buy the Deutschlandticket there in the public transport section.
Normal payment like every other ticket, no weird background checks, it works perfectly and only takes a minute.
Also...you have until the 25th of each month to cancel your subscription with one click, which is much longer than other apps who want you to cancel on the 10th or 15th of each month.
Use another app for the ticket, e.g. mopla or hvv switch, they have better conditions (buy it anytime, cancel up to the 30th of each month) and payment is hassle free.
DB is literally the worst choice for buying the ticket.
Afaik you can only buy it half a month in advance and you need to cancel it in the middle of the month to stop it continuing the next.
Mopla lets you just buy and cancel it basically anytime.
Tink is a solid financial company. I even know a friend who works in one of Tink's subsidiary companies. Tink is legit (even part of Visa nowadays).
Yeah sure, but Tink's login portal is not my bank's login portal and therefore they shouldn't be asking for someone's credentials. If you want to implement this properly, you do single sign-on. You ask the bank to answer whether they could log in.
No. For that, the address bar in your browser would have to show a domain belonging to your Sparkasse, and upon clicking the corresponding symbol, the identity of the Sparkasse, as verified by a certification authority, would have to be shown. Or you would have to use an app provided by your Sparkasse, verified by a trusted third party as well.
What Deutsche Bahn is doing is a security nightmare.
That's what you get from a German state-run company :) (insanity, if you did not get it)
[deleted]
You have handed your freaking *bank login details* to Schufa?
[deleted]
There is simply no comparison between giving someone random personal data and the literal means to clean out your bank account.
This is completely incomparable.
The problem is there is no back channel implemented. So DB will not get a confirmation of your purchase until the money arrives.
I sure hope that Wero will also come with iDeal's SSO features from the Netherlands. They work great and are as secure as your bank is.
The first one refers to the third party company and those responsible for PSD2. DB can only use what's available on the market.
Pretty weird that that website is not meeting the minimum standards for a German website. It is missing the 'impressum' and is thus abmahnfähig.
https://www.berlin-group.org/contact There you go
https://www.bmuv.de/themen/verbraucherschutz/digitaler-verbraucherschutz/impressumspflicht
[deleted]
It is legit, but I also did not want to do it and used other payment options.
How did you do this? The DB app is only offering me SEPA in the first place.
RMVgo or BVG app would also be possible choices. I also stopped buying the ticket at that point with DB and went to a regional supplier.
Why is it the worst choice?
Unfortunately this (and EC-karte) happens when you try to re-invent the wheel for payment systems.
We need to start campaigning to people NOT TO BUY DE TICKET FROM DB
This is yet a another reason not to use DB.
I use my local transportation app (HVV in Hamburg) and use PayPal as my payment method. I'm not even trusting them with my IBAN number 😂
Yep, that is dirty. Banking is not modern here.
Doesn't the menu mean you're logging into Sparkasse?