LaBanquePostale payments request bank password (gist.github.com)
33 points by GistNoesis on March 21, 2022 | hide | past | favorite | 56 comments



Judging from your screenshot, this is part of the 3-D Secure[1] process. WLP-ACS is not a payment processor but rather an Access Control Server (ACS) that your bank uses. Ideally, this page should reside under the bank's domain name, and they should be using OTP of some sort, but (unfortunately) it's not uncommon to see banks do this.

The flow goes: Merchant -> Merchant Plug-In (MPI) -> Directory Server -> Access Control Server (ACS) -> Banks. The first two are under the merchant's responsibility domain (or payment processors). The Directory Server is under the payment network's responsibility domain. The last two are under the bank's responsibility domain. Thus, a "3-Domains Secure" name.

Despite the word "secure" in its name, the primary purpose of 3-D Secure is to protect the merchant. Transactions authenticated with 3-D Secure will be "liability shifted," making merchants less liable for chargebacks (e.g., banks are more likely to reject your chargeback claims).

[1]: https://en.wikipedia.org/wiki/3-D_Secure


> rather an Access Control Server (ACS) that your bank uses. Ideally, this page should reside under the bank's domain name

To me it looks like it's another company than "La Banque Postale": "Worldline is a French multinational payment and transactional services company founded in 1974."

https://fr.wikipedia.org/wiki/Worldline

Whois of wlp-acs.com:

Organization:WORLDLINE FRANCE

Street:80 Quai Voltaire Immeuble River Ouest

City:Bezons

State:FR

Postal Code:95870


I meant that ideally, they should be using the same domain as the bank itself. However, it's not uncommon for banks to use the ACS domain their vendor provides, which is the case here. The ACS vendor still requires passing PCI-3DS and PCI-DSS in either case, though.


> I meant that ideally, they should be using the same domain as the bank itself.

I do agree, it always annoys me to see services spread many stakeholders with no one clearly identified as the responsible for the service.


Worldline operates the ACS on behalf of the issuer.

I think wlp stands for “Worldline La Poste”.


or maybe "Worldline Pay" with two declinations: Front office (WLP FO) and Back office (WLP BO)

https://financial-services.worldline.com/en/home/solutions/i...


No comments on the comment in the gist?

> The password they're asking for is NOT your general ebanking password. It's not your Credit Card pin code either. It's a separate, THIRD password (mine is like a CC pin: 4 digits) that's dedicated to authenticating online purchases. Mine is viewable and changeable at will in my bank app & web site.


Aaah that makes a lot more sense. However then the info. at the screen is wrong because it says "type the password of your LBP 'Customer Page'"


I just tried again and the UI won't let me input anything other than a 6-digit password (see screenshot in comments), which corresponds to the size of the secret bank password, and does not correspond to the 5-digit password that I can choose via the Certicode mobile app.


That is 100% correct


Nope but I can understand the confusion, as when you have already activated Certicode with the mobile app as I understand from other comments it should ask for the 5-digit code that you have chosen. But in my case where I have until yesterday never used the mobile app nor activated Certicode, it is really requiring a 6-digit code (the same size as the secret bank password) (see additional screenshots in comments).


This is because of a European directive, PSD-2 [0], which requires "strong authentication" in addition to the SMS code. In the case of this bank you have to download an app and use it with your fingerprint or FaceId. If you don't want to use a smartphone app or don't have one, you'll have to type your bank account password.

Source : I have an account in this bank

[0] https://www.visa.co.uk/partner-with-us/payment-technology/st...


With ING in Romania, it redirects me to the bank's website (on the bank's domain). I don't have to enter any passwords on the processor's site.

After entering my password, I am redirected again to the merchant's payment confirmation page.


This is pretty common, another one is (https://www.sofort.de) where you have to enter your bank login information on a domain that's not your bank's domain.

I'm not sure how this exists when it was common sense to tell people to not use their banking information on a site that's not the one of the bank.


Yes, they have existed for many years already, and depending on the bank they actually used to log in to your bank's web interface to do the transaction, which is the reason I avoid them like the plague. I haven't followed whether they still do that.


Doesn't Sofort actually log in to your bank website and use it as if it were a human?


As I've said in another comment, it's part of a European Directive: PSD-2. Think of it as the equivalent of the cookie wall but for banking.


> Think of it as the equivalent of the cookie wall but for banking.

That comparison doesn't really make sense. Cookie banners exist to inform you about data sharing agreements. PSD-2 regulates how third party providers and banks can work together and provides more open APIs between banks and consumer apps.


SCA is not only about card payments but it is also about paying using your bank acct for example

That being said nobody is asking passwords for paying with cards (now if you're doing a payment through your bank that's a different issue)


PSD-2 does in no way, shape or form require people to enter, nor mandate banks to support people entering their banking information on third party sites.


*Strong Customer Authentication (SCA) is a new requirement of the second Payment Services Directive (PSD2), ... It will require banks to perform additional checks when consumers make payments to confirm their identity. To do this, banks may ask for a combination of two forms of identification at checkout. Examples include: Something they know (such as a password or PIN).*

[0] https://www.visa.co.uk/partner-with-us/payment-technology/st...


This is different and sofort pre-dates these requirements. They actually take your username / password and log into the bank website. It’s not just about asking some additional parameters for security or require 2FA.


Wise manages it via push notifications to their app, no need for you to enter a password or similar on a third party domain.


La Banque Postale recommends doing it with an app, this is the workaround for people without an app.


Not the bank password, but the new e-payment password that's dedicated to authenticating online purchases. You can view and change it at any time via your bank's app or website. Mine is like a credit card PIN, not sure if all are. But it's not the same digits as my CC PIN. And, again, I can change it at will.


AFAICT this is just the way La Banque Postale has implemented “3-D Secure”?[0]

In my bank (Swedbank) it’s tied to a smartphone app instead, called BankID[1]. So in order to pass the “3-D Secure” check I will open the BankID app and it will request me to verify my identity via either a PIN or FaceID.

[0] See https://en.wikipedia.org/wiki/3-D_Secure

[1] https://en.wikipedia.org/wiki/BankID


My bank, by default, only allows 3-D Secure transactions, since six or seven years ago.

There is an escape hatch where you can disable it for 60 minutes. Steam used to require going through that procedure, but they've implemented 3-D Secure for a while now.

Shopping at Amazon is a pain. They don't use 3-D Secure, and they don't even perform the transaction during checkout. Instead, they send a "payment declined" e-mail somewhere between a few minutes and a few days later, at which point I have to re-enter my payment details.


Welcome to French banking. My bank has started to ask for the same thing, and as a result I can't use its card online anymore. I don't know where they find bozos like this.


The banks (BnP, CdE) I use ask you to confirm in their apps, and I have never seen this before! Not to say this isn't legit -- I can completely imagine this happening.

That said, I absolutely also hate having only a choice of a 6 digit pin on a UI that's intentionally designed to disallow any password manager usage. Plus they shuffle the inputs, make you change pin every n-usage/n-days. I really don't get the rationale other than it maybe avoids screen scraping, or keylogging?


La Banque Postale also asks you to confirm in their app, what we see here is the case when someone has not activated the in-app confirmation (called "certicode", uses another password that is different from the account password).

Apparently just SMS is not deemed secure enough by law, so they have to have another authentication factor, and the only other factor they have if you haven't activated certicode is the regular account password.


which one ?

You usually only get the 2nd factor notification / approval on your mobile phone so you only enter it on the bank's app.


> which one ?

Banque Populaire. But others are no better. Société Générale is abysmal for example.


Good to know! Smaller or regional banks are much better in comparison: CIC, Crédit Mutuel and Crédit Agricole did a much better job for their online banking.


Is there any problem with this? I've had two or three payments requiring my LaBanquePostale password now and while I found it curious that they ask for so many factors of authentication (credit card details, sms-pin, password) I assumed whatever info I enter in that iframe was safe and only accessible to the bank, isn't that how it works?


That's the thing, even if they use an IFrame, I am not supposed to check every time. The only thing I should have to check is whether the domain name in the address bar is the one of my bank before giving such confidential credentials.

Because as a client I'm not supposed to know anything about wlp-acs.com or adyen.com or whatever site the merchant site redirected me to.

Here the password they request is a lot more important than any one transaction would be, as it allows full access to your accounts.


Typical French self-flagellation. That's how 3D-secure works and that's fine wrt. industry standard.


Unfortunately, it doesn’t surprise me to see this from them…

Have you set up the certicode system from within their banking app though? I believe the UI you’ve seen here is some kind of crappy fallback for when you don’t have Certicode enabled.


I hadn't set up Certicode before, but I tried to set it up yesterday and it is still not operational even though they told me by phone that it has been activated (but I'll wait a few days before escalating further because it may take around 48 hours).


Whenever that happens, my bank shows a notification on my phone and asks me to confirm I'm actually doing that transaction. It seems an improvement over the 3-D model.


I'm guessing it's just 3DS - which was badly designed to allow it to be run in iframes - does seem completely nuts, should have been done with a redirected flow.


I'm a client of this very bank and I've lost my ability to do github sponsoring due to similar shenanigans (since last december).


Almost every French bank does the same and asks you for a confirmation code that you can find inside the Android/Apple application (I guess it's an OTP kind of thing). Since I didn't want to install the application, I asked my bank for a code and they sent me a fixed code by postal mail. So you have 1 code by SMS, then this code.


This is funny because over the pond they made a whole billion dollar business out of tricking people into entering their bank password into some 3rd party's form. It's not phishing, it's an opportunity!

See also: https://plaid.com/


Are you referring to open banking?


I'm not sure what they lobbied governments into to retcon their phishing towards a legitimate API. But there was certainly a time where there was no API (no "open banking") and they were straight up MITM you.


Is there some site which rates all these banks based on how good they are regarding security and online purchases?

I found out that BoA is ok and that AppleCard is excellent. I heard horror stories about others (like they are calling you and asking for personal info, security is bad, etc.).


Has anyone run into Plaid doing the same thing? Someone tried to pay me using Zelle the other day, and it requires entering my bank login information in order to receive a payment. No thanks. What was wrong with EBT?


Unfortunately, I bet it's legitimate. Clearly whoever designed this didn't think it through and I would not recommend entering that password, but I find it extremely unlikely this is an attack.


OP here, I am also convinced this is legitimate. This is the new system that they sometimes enforce since last November for some websites (foreign, but not exclusively). Their system is called 3dSecure https://www.labanquepostale.fr/particulier/comptes-et-cartes... .

Sometimes when you are using a phone app they can send you a notification there, something they call Certicode Plus, but for everyone that has not activated it, they request the secret bank password.

I've tried to activate it yesterday, but maybe it takes additional time to switch to the new system even though they tell me it has been activated, and I'm still stuck and can't process payments without giving my secret code. And it has made me miss some aliexpress promotion.

From a security perspective it exposes them if any of the payment processors is compromised. In my case the payment processor was wlp-acs.com but sometimes it is adyen.com.


3D-Secure is a common system, in fact it's now mandatory in the EU as per PSD2.

The original implementation of it is flawed - the merchant is supposed to iframe the authorization page, which means as a user you have no way to tell whether the displayed page is legitimate. Somehow this insanity actually went ahead and is now part of the spec, so it's too late to change it.

The redeeming factor is that the authorization pages (controlled by the banks) usually only ever ask for an OTP or some relatively benign piece of information that by itself can't be used to break into the account (modern banks don't ask for anything at all and just poll the backend for an out-of-band response via a push notification), so as long as the user doesn't expect this page to ask for their actual online banking password it is safe, as a fake page requesting such info will raise alarm bells (of course, that relies on the user being somewhat aware of the problem and the risks - not sure how much of this actually applies to the general population).

La Banque Postale here clearly didn't understand the problem, and decided to legitimize asking for their actual banking password on an untrusted website - this now opens them up for attacks where websites make a fake iframe to steal that password. The fact that it's a static secret also means it can be reused forever once captured, whereas typical 3D-Secure implementations use time-limited secrets.
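The static-secret point in the comment above (a captured long-lived password replays forever, a time-limited one-time code does not) as an added, constructed example; this is not code from the thread, from La Banque Postale, or from any ACS vendor. It models two toy ACS verifiers: one that accepts a fixed account password, and one that accepts an RFC 6238 TOTP code bound to a 30-second step and rejected on reuse. The secret, password and timestamps are constructed sample values, and the class and function names are my own.

```python
"""Why a captured static password differs from a captured time-limited code.

Constructed example: two toy ACS verifiers, one backed by a long-lived
account password, one backed by an RFC 6238 TOTP code. A credential is
captured during a legitimate authorization and replayed later.
"""
import hashlib
import hmac
import struct


def totp(secret: bytes, timestamp: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step that contains `timestamp`."""
    counter = int(timestamp // step)
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class StaticPasswordAcs:
    """Toy ACS that authenticates with a long-lived account password."""

    def __init__(self, password: str) -> None:
        self._password = password

    def verify(self, submitted: str, now: float) -> bool:
        # Nothing binds the password to a time window or a single use.
        return hmac.compare_digest(self._password, submitted)


class OtpAcs:
    """Toy ACS that authenticates with a time-limited, single-use TOTP code."""

    def __init__(self, secret: bytes, step: int = 30) -> None:
        self._secret = secret
        self._step = step
        self._used_steps: set[int] = set()       # steps already consumed

    def verify(self, submitted: str, now: float) -> bool:
        counter = int(now // self._step)
        if counter in self._used_steps:          # reuse inside the same window
            return False
        expected = totp(self._secret, now, self._step)
        if not hmac.compare_digest(expected, submitted):
            return False                         # wrong code, or window expired
        self._used_steps.add(counter)
        return True


def replay_outcome(acs, credential_at, now: float, later: float) -> tuple[bool, bool]:
    """Legitimate use at `now`, then replay of the captured credential at `later`."""
    captured = credential_at(now)                # what a fake iframe would have seen
    first = acs.verify(captured, now)
    replay = acs.verify(captured, later)
    return first, replay


def demo() -> dict[str, tuple[bool, bool]]:
    """Run the replay scenario against both verifier models with sample values."""
    secret = b"12345678901234567890"             # RFC 6238 test-vector secret
    t0 = 1_700_000_000.0                         # constructed timestamp
    return {
        # Static password: accepted at t0 and again a day later.
        "static": replay_outcome(
            StaticPasswordAcs("123456"), lambda _: "123456", t0, t0 + 86_400),
        # TOTP replayed a day later: the window has moved on, code rejected.
        "otp_later": replay_outcome(
            OtpAcs(secret), lambda t: totp(secret, t), t0, t0 + 86_400),
        # TOTP replayed 5 s later, same window: rejected because already used.
        "otp_same_window": replay_outcome(
            OtpAcs(secret), lambda t: totp(secret, t), t0, t0 + 5),
    }


if __name__ == "__main__":
    for scenario, (first, replay) in demo().items():
        print(f"{scenario:16s} first={first} replay={replay}")
```

The single-use bookkeeping in `OtpAcs` is what closes the short window in which a freshly captured code is still valid; a real ACS would also tolerate one step of clock skew, which is omitted here to keep the comparison sharp.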


3DSecure is asked by the merchant, and if you haven't activated Certicode, then your bank doesn't have a dedicated authentication factor to use, so they can either refuse payment or allow you to authenticate using your account password, they actually don't really have another choice.

In normal usage, you don't give any information anymore to the payment processor yourself (now that SMS authentication has been deprecated by law).


I believe that asking for 3DS offloads liability regardless of whether the bank actually supports it.


IIRC, this depends on the card brand. Attempting to do 3-D Secure with non-enrolled JCB/Visa cards should result in a liability shift, AMEX/Diners only records the attempt, and MasterCard does not offload liability in such cases. (Though this may also vary by country.)


This appears, sadly, very legitimate.

For quite a while UK banks have done it with weird URLs. The only bank I know that does this incredibly well is Monzo, as their 3D Secure URLs are all on veirfy.monzo.com


What idiots.


Why do you use one of the worst French banks though?



