Why Going Cashless Has Turned Sweden Into a High-Crime Nation

An anonymous reader quotes a report from Fortune: Ellen Bagley was delighted when she made her first sale on a popular second-hand clothing app, but just a few minutes later, the thrill turned to shock as the 20-year-old from Linkoping in Sweden discovered she'd been robbed. Everything seemed normal when Bagley received a direct message on the platform, which asked her to verify personal details to complete the deal. She clicked the link, which fired up BankID -- the ubiquitous digital authorization system used by nearly all Swedish adults.After receiving a couple of error messages, she started thinking something was wrong, but it was already too late. Over 10,000 Swedish kronor ($1,000) had been siphoned from her account and the thieves disappeared into the digital shadows. "The fraudsters are so skilled at making things look legitimate," said Bagley, who was born after BankID was created. "It's not easy" to identify scams. Although financial crime has garnered fewer headlines than a surge in gang-related gun violence, it's become a growing risk for the country. Beyond its borders, Sweden is an important test case on fighting cashless crime because it's gone further on ditching paper money than almost any other country in Europe.

Online fraud and digital crime in Sweden have surged, with criminals taking 1.2 billion kronor in 2023 through scams like the one Bagley fell for, doubling from 2021. Law-enforcement agencies estimate that the size of Sweden's criminal economy could amount to as high as 2.5% of the country's gross domestic product. To counter the digital crime spree, Swedish authorities have put pressure on banks to tighten security measures and make it harder on tech-savvy criminals, but it's a delicate balancing act. Going too far could slow down the economy, while doing too little erodes trust and damages legitimate businesses in the process.Using complex webs of fake companies and forging documents to gain access to Sweden's welfare system, sophisticated fraudsters have made Sweden a "Silicon Valley for criminal entrepreneurship," said Daniel Larson, a senior economic crime prosecutor. While the shock of armed violence has grabbed public attention -- the nation's gun-homicide rate tripled between 2012 and 2022 -- economic crime underlies gang activity and needs to be tackled as aggressively, he added. "That has been a strategic mistake," Larson said. "This profit-generating crime is what's fueling organized crime and, in some cases, leads to these conflicts."

Sweden's switch to electronic cash started after a surge of armed robberies in the 1990s, and by 2022, only 8% of Swedes said they had used cash for their latest purchase, according to a central bank survey. Along with neighboring Norway, Sweden has Europe's lowest number of ATMs per capita, according to the IMF. The prevalence of BankID play a role in Sweden's vulnerability. The system works like an online signature. If used, it's considered a done deal and the transaction gets executed immediately. It was designed by Sweden's banks to make electronic payments even quicker and easier than handing over a stack of bills. Since it's original rollout in 2001, it's become part of the everyday Swedish life. On average, the service -- which requires a six-digit code, a fingerprint or a face scan for authentication -- is used more than twice a day by every adult Swede and is involved in everything from filing tax returns to paying for bus tickets.Originally intended as a product by banks for their customers, its use exploded in 2005 after Sweden's tax agency adopted the technology as an identification for tax returns, giving it the government's official seal of approval. The launch of BankID on mobile phones in 2010 increased usage even further, along with public perception that associated cash with criminality.The country's central bank has acknowledged that some of those connotations may have gone too far. "We have to be very clear that there are still honest people using cash," Riksbank Governor Erik Thedeen told Bloomberg.

What are the details of the scam?

[piojo]

It seems BankID is being triggered to authorize transactions without the victim realizing they are authorizing a transaction. How does this work? I looked at every instance of BankID in the article but did not find details.

actually secure your domain ?

[johnjones]

The scam site prompts for all the details including the MFA codes etc

realistically they bankID should be using a swedish website (.SE) and should take responsibility for the fraud since they allowed a scammer to register a domain

plus seemingly they cant figure out how to do key exchange securely on their website for TLS so I dont hold out much hope

this is what happens if you allow banks to create their own system with not enough regulations they just go with the cheap option and push the fraud to the consumer

Re:

[93 Escort Wagon]

I'm still having trouble seeing how someone who was selling something for (electronic) cash got tricked into authorizing a purchase. Was a Nigerian Prince involved?

Just how badly designed is this BankID system?

Re:actually secure your domain ?

[F.Ultra]

It's not badly designed, the app clearly tells you what you are authorizing but the girl from the article didn't look at what it told her and authorized it blindly.

Re:

[dvice]

There have been cases where bank has stopped the transaction and contacted the person transferring money, saying that this looks like a scam and you should not make this transaction, but the person has still chosen to make the transaction.

Re:actually secure your domain ?

[gweihir]

While true that purely causally she could have seen what was going on, many people cannot deal with the cognitive load the additional verification requires and hence mess it up or leave it out completely. That means the whole process is badly designed, because it did not take the skills and capanibiles of the user population into account adequately. And it did so while it was known that people have real trouble dealing with UAC prompts and the like.

Re:

[F.Ultra]

What else can they do (except for implementing geolock which is what I have asked for for years now)? You open the app and it tells you "so you want to authorize sending $10K to Criminals" and she enters her password, how on earth do you solve that problem.

Re:

[gweihir]

No idea. But if they cannot design it in such a way that the risk of people not understanding what they are doing is comparable to cash, then this app has no business being deployed. Replacing a critical mechanism with a worse solution is not acceptable.

Re:

[volcan0]

I believe it is called the dancing bunny problem. People want to see dancing bunnies, no amount of warning message stop them!

Re:

[Beerismydad]

I agree with you completely. I like to remind technophiles inside the Nerdosphere who are quick to blame the victim/end user for poor technical skills, that the responsibility to make quality software products rests on the shoulders of engineers. Kelly Johnson (Lockheed Skunk Works) used to berate his aircraft engineers when they added to the pilot workload with confusing cockpit indicators. (He also referred to the aircraft pilots as "just stupid pilots" to remind his team to think through the design pr

Re:

[gweihir]

Indeed. If an average (or reasonably below average) skilled person cannot use it reliably and _with_ understanding what they are doing, then the mechanism, whatever it may be, is not fit for public rollout, no excuses. And if we had reasonable product liability for software, that would effectively be enforced. Most people are not technology experts and that is _not_ their fault.

Re:

[tero]

It's very susceptible to social engineering, because people are just so used to it being the "popup they have to dismiss".

The app itself tells clearly what you're about to authorize. People just don't read.

Re:

[ffkom]

It's very susceptible to social engineering, because people are just so used to it being the "popup they have to dismiss".

The app itself tells clearly what you're about to authorize. People just don't read.

With cash, nobody would "accidentally" hand over a stack of notes worth a thousand USD. But safety from fraud for the consumer is way down on the list of priorities wherever "digital payment systems" are being introduced. At the top of the priority list are 1. profits for the payment system provider, 2. data harvesting from every payment, 3. control over who is allowed to pay whom for what.

Re:

[gweihir]

Indeed. And that is because cash has a massively, massively superior user interface design. Maybe because it has been optimized over a few 1000 years and electronic transactions are a new thing.

Re:

[F.Ultra]

on the other hand people have handed over cash to scammers for thousands of years before we invented online payments.

Re:

[gweihir]

Sure. But the risk is a lot smaller because the UI is a lot better.

Re:actually secure your domain ?

[gweihir]

That is too simplistic. We are talking about average people here. They get cognitive overload easily. Expecting them to act on the level of a competent IT person is excessively bad design and basically screwing them over. Yes, so is expecting regular users to decide whether to allow a privilege escalation (UAC prompt, etc.), to decide whether an email attachment is safe to open, whether a website is fraudulent, etc. Regular people cannot do it reliably and often cannot do it at all. Expecting them to be able to is not professional and not acceptable. And no, this has nothing to do with intelligence or education and everything with bad GUI and process design.

Re:

[codebase7]

TL;DR: "It's your fault. Because otherwise, it's my fault, and I don't like that."

No amount of GUI and process design is going to fix stupid, and "cognitive overload" is bullshit. If that's the game you people want to play, we'd all be better off just banning you from using the things period.

In this case, we have malicious actors intentionally trying to deceive the public. Knowledge is only preventative solution here. Anything else is yet another thing for those actors to engineer a fake for, and puniti

Re:actually secure your domain ?

[Local ID10T]

It was her first time selling. She did not know what to expect. If she had done it before, she would have known it was not right.

-She thought she was linking her account for receipt of funds -because she had made a sale she was expecting to have to do this...

-She actually provided account info for payment of funds -it is mostly the same information. Mostly.

Sure, she should have known better... but scammers count on people not catching on until too late. That is how scams work.

Re:

[F.Ultra]

the domain was real and so was the site (it's basically an e-bay for used clothes), what happened was that the buyer sent a message to the seller (the victim) convincing her that she had to authorize with BankID in order to get paid for her sale.

Re:

[Big Hairy Gorilla]

thanks for reading the article.
From what you said, this is "social engineering"... i.e. just convincing someone else to do some dirty work, cough up a password, login, press a button.
People are always the weakest link.
How do you fix that?

Re: actually secure your domain ?

[dark_requiem]

Easy, replace them all with AI! :D

Re:

[ISayWeOnlyToBePolite]

The scam site prompts for all the details including the MFA codes etc

realistically they bankID should be using a swedish website (.SE) and should take responsibility for the fraud since they allowed a scammer to register a domain

plus seemingly they cant figure out how to do key exchange securely on their website for TLS so I dont hold out much hope

this is what happens if you allow banks to create their own system with not enough regulations they just go with the cheap option and push the fraud to the consumer

Afaik this doesn't to relate to how popular scams are performed.

Re: actually secure your domain ?

[CompMD]

Tell us you donâ(TM)t live in Sweden without telling us you donâ(TM)t live in Sweden.

A BankID authentication for a transaction always states who is requesting it (which may be fraudulent) and for how much the transaction is for. Itâ(TM)s no different from signing a contract you donâ(TM)t actually read.

Re: actually secure your domain ?

[Corbets]

I think you ought to read up on how things work here in the Nordics - or at least read the linked article - before posting your brilliant ideas of a centralized ID mechanism.

Re:

[VeryFluffyBunny]

All EU countries have national ID cards although not all countries make them compulsory; Spain does. Apparently, Sweden doesn't. They're also supposed to be moving on to having online secure digital versions & there's also plans to make them seamlessly interoperable between EU countries so that citizens can move from one country to another & automatically access public services wherever they are, no additional paperwork necessary.

What is it specifically that you wanted to mention?

Re:

[F.Ultra]

You cannot get BankID without a national ID card so your theory is completely wrong, there is also zero id theft involved here. The criminals use either mule accounts or foreign accounts.

Re:

[VeryFluffyBunny]

You missed the point. The comparison is between govt online ID systems & corporate (bank) ID systems. Banks let anyone in because money so fraud is rampant. Govt ID systems are thankfully relatively secure. Bank ID systems are obviously not & the really don't care.

Re:

[F.Ultra]

No you completely missed the fact on how this works in Sweden. It's not possible to get a BankID issued by a bank unless you first provide the government supplied national id. So no, banks doesn't let anyone in, in fact this is a serious problem for people moving here in that they cannot perform banking before they have gotten their national id card which they cannot get until they have gotten their national personal number (which takes a while to get).

Re:

[VeryFluffyBunny]

So how are the scammers getting in? How is it that they can set up accounts on the banks' systems & drain people's bank accounts without being arrested for fraud/theft on the basis of their identity having been securely established?

Re:What are the details of the scam?

[F.Ultra]

The fraudsters initiate a purchase with the victims details and then somehow manages the victim to authorize something with BankID and the victim then doesn't read what BankID tells the victim that they are actually authorizing and the purchase is authorized. So there are two issues at play here, one is that people don't validate what they are authorizing (BankID displays that you are going to authorize so this is 100% on the victim) the other is that there are no GeoIP lock on BankID so a purchase or bank-login can be initiated in one location and then be authorized with BankID from a different location. Most of these scams would disappear if both the initiation and the authorization had to take place in the same city (or even country).

Re:

[ghoul]

The Geolock is a problem. India has a similar system called UPI. My son cant have one as he is still a minor but sometimes when he is out and about some places wont take cash so he takes a picture of their QR code and whatsapps it to me and I can scan it from my phone and do the payment. Even more conveniently as scanning the QR code from whatsapp is a pain, he can start the transcation by manually entering my UPI ID and then the confirmation message comes to me and I confirm it. of course I only confirm if

Re:

[F.Ultra]

ofc a geolock would not allow such things, but it would also make scams like these also not work and IMHO that would be a net positive. A compromise could be having the app blink between black and red and alert the user that the transfer was initiated in a different country.

Re:What are the details of the scam?

[ISayWeOnlyToBePolite]

no GeoIP lock on BankID so a purchase or bank-login can be initiated in one location and then be authorized with BankID from a different location. Most of these scams would disappear if both the initiation and the authorization had to take place in the same city (or even country).

BankID has geolock, but it's only mandatory for issuing new BankID on a different device https://www.bankid.com/en/priv... [bankid.com] How accurately it works I don't know and I'm pretty sure it isn't on by default and you're asked if you'd like to give permission (on android).

Re:

[4wdloop]

> BankID displays that you are going to authorize so this is 100% on the victim
Partially, there may be some physiological play here as when you use cash, something physical is exchanged (bills, coins) while clicking and swiping does not have this feeling. Very similar to using credit car plastic - it is much easier to make purchase with it than with money.

Re:What are the details of the scam?

[F.Ultra]

Ok so I looked up the original article here in Sweden and in this particular case Ellen was selling used clothes at the site vinted.se that is a real site for selling used clothes. She made a sell (or so she thought) and to reclaim her money she had to authorize via BankID, what she didn't know what the scammers had initiated a transfer of money from her bank account to their account so she authorized that transaction (which was clearly labelled in the BankID app but she must have ignored what it told her).

Original article: https://www.aftonbladet.se/nyh... [aftonbladet.se]

Re:

[quantaman]

Ok so I looked up the original article here in Sweden and in this particular case Ellen was selling used clothes at the site vinted.se that is a real site for selling used clothes. She made a sell (or so she thought) and to reclaim her money she had to authorize via BankID, what she didn't know what the scammers had initiated a transfer of money from her bank account to their account so she authorized that transaction (which was clearly labelled in the BankID app but she must have ignored what it told her).

Original article: https://www.aftonbladet.se/nyh... [aftonbladet.se]

My rule of thumb is that "user error" is still a bug.

Users will be distracted, users will start performing actions based on muscle memory, users will become focused on an outcome and miss red flags.

Apps should be designed to work with how users work in the real world, not hypothetical users who read the entire manual and carefully verify every detail.

Re:What are the details of the scam?

[ISayWeOnlyToBePolite]

It seems BankID is being triggered to authorize transactions without the victim realizing they are authorizing a transaction. How does this work? I looked at every instance of BankID in the article but did not find details.

BankID will tell you what's being authorized and you have to actively approve. In the case described it seems like Ellen Bagley got an automated version of https://www.reddit.com/r/vinte... [reddit.com] it involves several steps of authorization. At scale some people are just clicking thru and giving info they really wouldn't do but for the expectation that they are about to do a legitimate transaction to their benefit and ignoring all common sense.

This is not a case of BankID being insecure but the way Vinted (a Lithuanian company) allows buyers to send sellers fishing mail.

Re:

[Misagon]

In a properly designed system, there would have been a code on the screen (numeriic or QR) for the user to input into the BankID app.
There was no such code: no link between transaction and authorisation that would have had to actually go through the user.

So the scammer started a login session to the victim's bank on their end, and fooled the user into believing something else was happening.
The scammer could use software to log in and initiate a payment very fast, and fool the victim to believe that instead

Re:

[F.Ultra]

A QR doesn't help in this case since the scammers simply forward the qr to the victim, the problem is that the victim doesn't read what the qr code informed the app was about to happen.

Here's how it works.

[Rombobeorn]

What enabled this scam was a fundamental design flaw in BankID. The protocol is designed such that the authentication is done in a side channel. Normally when you log in to a website, you send your credentials directly to the server you're connecting to. With BankID, when you initiate a login with the website, the web server contacts the central BankID server and asks it to verify your identity. Your BankID app also connects to the BankID server. The authentication is done between the BankID app and the BankID server. Then the BankID server tells the website "yep, this person is authenticated", and then you're logged in to the website.

Fraudsters quickly figured out how the side channel can be exploited. They initiate a dialogue with a victim. The pretexts used are many and diverse. In this case it was the pretense of buying second-hand clothes. Then some seemingly plausible reason for authentication comes up. In the background the fraudsters request a withdrawal from the victim's bank account, and so the victim's BankID app pops up and asks for authentication. The victim thinks they're authenticating to some other website, when they're actually authorizing the fraudsters' withdrawal.

People use BankID so frequently that it becomes routine, and one more thing that requires BankID doesn't raise suspicion. When they're used to it they no longer read every word the BankID app displays, so they don't notice the text that says what it is they're authorizing. Relying on people to be suspicious every time they use BankID doesn't work.

The way to stop this kind of fraud is to replace BankID with a protocol that sends the credentials through the login session, not through a side channel. A client certificate in HTTPS is one option that has existed for longer than BankID has. Webauthn is a newer protocol that would be suitable.

Another problem with BankID is that it stifles competition in the operating system market. It's a proprietary protocol that requires a proprietary app that requires an Iphone or Android device â" or sometimes Windows, but often not even Windows is allowed. Every additional thing that requires BankID contributes to excluding competing operating systems from the Swedish market, strengthening the Apple/Google duopoly.

Re:

[F.Ultra]

Using a side channel is how all MFA works and how they have to work, if not then scammers can set up fake sites and start to collect authentication replies en masse. The problem is that there is no check on geo-location at all (the scammers mostly operate from outside of Sweden).

Cash and checks are awful but..

[Slashythenkilly]

I have zero faith in banks and their pay apps. Ive had them and somehow I get email after email claiming charges with a link. Of course I check my account to see if anything is posted, forward it to the respective phishing site, and still they keep coming. The charges per transaction are just as outrageous as credit, you have less security, and next to zero recourse if its fraud. People in general have no idea how to secure their systems or how easy it is to through a backdoor, setup a social engineering scheme, or grab a set of credentials without someone knowing it until its way too late. It got so bad with ransomeware in the states with people and corporations, the FBI simply advised just paying them. No thanks.

Re:

[4wdloop]

> next to zero recourse if its fraud
this!
Banks are generally off the hook legally. I cannot find a way to require my bank to require my physical presents for any transaction above set threshold, if there is a break all can be drained in one step. Yes, they send me email afterwards, great eh?

Re:

[Tony Isaac]

I'd say checks are *worse*.

My niece wrote a check to pay her monthly garage parking company in Chicago where she lived. The garage company didn't accept electronic payments, only checks. Somebody fished the envelope out of the mail and altered the $350 check to be $4,000 instead. Even though she had put a stop payment on the check, Chase cleared the check because the amount didn't match the stop payment order. It took six months, and required involving Federal regulators, to get the mess cleaned up.

Clickbait

[r1348]

Whoever calls Sweden a "high-crime nation" has clearly never been to Sweden.

Re:

[timeOday]

Tripling of gun homicide in a decade though? I assume they're still rookie numbers compared to the USA but that's quite an increase. Sad to hear it.

Re:Clickbait

[ArchieBunker]

The homicide rate tripled? https://bra.se/bra-in-english/... [bra.se]

Re:

[93 Escort Wagon]

Maybe it's like that elephants in Africa thing from a few years back...

Re: Clickbait

[50000BTU_barbecue]

He said gun, you provided total. The only reference to guns doesn't cover a decade. Now I understand your user name!

Re:

[Woeful Countenance]

"the nation's gun-homicide rate tripled between 2012 and 2022"

So this is misleading in at least three ways: it uses "gun homicide", rather than total "lethal violence"; it says "tripled" without mentioning the actual rates; and it starts from 2012, which was a low point with fewer homicides than any other year in the past 20.

The graph itself is confusing: it says "Man", "Woman", and "Total", but "Man" and "Woman" are always exactly the same, and "Man" + "Woman" is much less than "Total".

Re:

[timeOday]

On further googling I agree the statistic I quoted from the summary is more misleading than informative. The overall murder rate has maybe gone up a little over time, but not much:

https://www.statista.com/stati... [statista.com]

So if that includes a tripling of gun homicides in that time, they must be so small in number as to be mostly statistical noise.

Re:

[Woeful Countenance]

Just to be clear, if I was criticizing, it was the article in Fortune, not you.

Thanks for the additional graph. Looks like there was a jump in 2015. Wonder if there's any discernable reason for that.

Re:

[henrik stigell]

Yes, immigration. Maybe not the immigrants that arrived 2015 but the immigrants that arrived the 10-20 years before 2015, or even people born in Sweden to immigrant parents.

Re:

[F.Ultra]

so migrants that came 10 years before 2015 explained a sudden small spike in 2015 that then went away in 2016 and with a higher spike in 2007. I guess your feelings doesn't care for the facts? By ever single metric, that small spike in 2015 is simply a random variation.

Re:

[henrik stigell]

Yes, that is EXACTLY what happened. 2015 had intense gang wars between immigrant gangs with members that mostly arrived 10-20 years before. Things calmed down 2016 (because people where dead or in prison) and then there has been new waves after that. Duh!

Re:

[henrik stigell]

You don't know what you are talking about. The general homicide rate in the Nordic countries has been decreasing for decades, but in Sweden, the last 10-20 years increased gun violence as "compensated" for that general decrease and caused a slight increase in the homicide rate.

2022 there were 60 gun homicides (out of 116 homicides in total) in Sweden, that is 10x the amount of gun homicides in Denmark, Norway and Finland COMBINED (and those 3 countries together have more than 50 % higher population than Swe

Re:

[F.Ultra]

you don't know what you are talking about, the gun crime in Sweden is criminals killing other criminals in a gang war. Since there are no gang war in Denmark, Norway and Finland there is ofc no similar amount of gun violence there. Once the gang war in Sweden have ceased and some random dispute ignites a gang war in say Denmark then everyone will ask why Denmark have such higher gun crime than Sweden.

Re:

[henrik stigell]

No it is not misleading considering the current situation in Sweden. The typical homicide in Sweden until the 1990s was two alcoholics involved in a fight with knives. That didn't endanger the surroundings and as long as you stayed out of such company the risk for the average citizen to be murdered was very low. Now there are gangs killing each other in broad daylight downtown with AK47 and they aren't good shots so now anyone can become of victim.

According to https://www.aftonbladet.se/nyh... [aftonbladet.se] there were 53

Re:

[F.Ultra]

the gun homicide is gang members shooting other gang members in an ongoing gang war.

Re:Clickbait

[Amiga Trombone]

They're the only county besides Mexico that tracks grenade attacks. That doesn't exactly leave the best of impressions.

https://en.wikipedia.org/wiki/... [wikipedia.org]

Re:

[F.Ultra]

Grenade attacks sounds like people are driving around and throwing grenades at people. What is happening is that there is currently an ongoing gang war that involves all of the criminal gangs in Sweden, where one of their tactics is to attach a grenade to the door or car of persons of the opposite gang as a bomb.

Re:

[ravenshrike]

You mean the 251 per year for bombings? You really need to learn to read your own sources.

Re:

[Aighearach]

From January 1, 2019, through December 31, 2019, BATS captured a total of 14,940 explosives related incidents

Another idiot who can make a link, but didn't read it.

This report examines the total number of explosives
related incidents reported in BATS for calendar year 2019 and includes explosions and bombings, recoveries,
suspicious packages, bomb threats, hoaxes, and explosives thefts/losses

Recoveries, suspicious packages, bomb threats, hoaxes, and thefts/losses are definitely not attacks.

As for attacks, of all the explosions recorded, including accidental ones, the single military equipment explosion was from propellants. Which means, not a grenade.

Any grenades listed would be in the recovery or losses section, which do include military ordinance.

This is why I ignore people who shout "CITATION NEEDED." They're the same people who link rand

Concerning Statistics

[Roger W Moore]

But yeah let the 100 per year in Sweden be a big problem...

That's a huge problem. The statistics you have show only 251 bombings in the US - the number you gave was total incidents and most of these seem to be recovery of explosives or suspicious package incidents not actually setting off explosives near people.

To put that in context though the US's population is 333 million while Sweden's is 10 million. If the US rate of bombings was happening in Sweden you would have only 8 incidents a year.

Whats this got to do with going cashless?

[Bert64]

This was an ONLINE scam. Online purchases have always been cashless, and are cashless in every country in the world.
This has absolutely nothing to do with eliminating use of cash for in person transactions.

Re:Whats this got to do with going cashless?

[Misagon]

The same app is being used for three things:
1. cashless transactions
2. logging into a bank account
3. "electronic ID" when accessing government services (doing your taxes, medical records, etc.)

The popularity of using it for one thing drives using it for the other two.

Other systems for bank authorisation can't be used for direct payments or as an electronic ID.
Competing electronic ID systems can't be used to log into banks or make direct payments.

Personally, I have always kept these three tasks use separate systems. Different keys to different doors. I think it would be a folly to do otherwise. One problem is that even some online government services support only BankID and not the competitors.

OTP

[ghoul]

India is heading this way. Almost everything is done with OTPs sent to your registered mobile no instead of passwords. If anyone gets hold of your phone and cracks the code he can change your bank account passwords, official govt id, license, even voter id. Its too many eggs in one basket. All you need to know is the persons aadhar id and get hold of the phone registered with Aadhar and people give out their Aadhar ids and phone nos to anyone. And phones get stolen on the metro all the time. Peoples entire financial life is being protected by one 6 digit pin.

Re:

[ffkom]

This was an ONLINE scam. Online purchases have always been cashless, and are cashless in every country in the world.

Absolutely not true. For example, the payment method "Nachnahme" ("cash on delivery") has been popular for online purchases in Germany for many years. The parcel is handed over in exchange for cash.

Cash is not a crime, civil asset forfeiture

[MacMann]

I don't know if other nations have the same concept of civil asset forfeiture but in the USA the police will routinely seize cash because they believe large amounts of cash is somehow evidence of a crime. If they can't connect the cash to some crime the person possessing the cash may have done they will "arrest" the cash but let the person go. The cash is effectively charged with a crime, which leaves the owner of the cash in a bind because a person has a presumption of innocence while property does not.

I

Re:

[MeNeXT]

Here you try to explain away freedom.

When illicit drugs are found they are held in evidence or destroyed. Police can't use or sell the drugs for personal gain.
The system is broken because humans are greedy. Civil asset forfeiture shows that the citizens understanding of freedom is not the states understanding of freedom and since someone can benefit from a forfeiture it is acted upon.

Re:

[gweihir]

Other countries have things like "rule of law" and "civil rights". The US is trying to get rid of those and has been partially successful.

Insecure software

[bubblyceiling]

This just sounds like a software problem. The bank should be able to trace where the money went. Also financial scams are a hot thing right now. They are happening regardless of cash. Infact with cash it is far easier to mug a person

Re:

[F.Ultra]

The scammers often use mules so there is not much to trace unfortunately. Banning known mules from using the service have not yet occurred as an idea at the banks though.

BankID does have major security flaws

[CptJeanLuc]

I have had some opportunity to reflect on the security on BankID as I have to use it on a weekly basis, and I have been interested in security since I discovered Bruce Schneier's Applied Cryptography back in the 90s. It does have a couple of glaringly obvious flaws, and I am not surprised that Average Joe can end up in this type situation.

Issue number one is BankID login often happens in a login window which is embedded on the site or in the app. There is nothing beyond the layout and "authentic-looking theme" to prove neither that this login is provided by BankID, nor what service you are logging in to. Before this was always the case, now this has gotten better as you will more often get redirected to a login page on the BankID web site, which states what service you are logging into. This whole setup practically screams "come exploit this fantastic man-in-the-middle attack opportunity", and the person who got scammed in this story, should count herself very lucky the criminals didn't use the credentials to perform a one time login to _whatever service they could have wanted_ to peform any type of single transaction, like wiring all the money in her savings account.

Issue number two is the option that most people take, that the phone is the source of the second secret in 2-factor authentication. So when you use your phone to do a transaction in a browser or app, you use the BankID app on the phone to generate the second secret, and you type in your BankID password on the phone ... now, if someone has control over your phone because they hacked it or because they gained access to it by some other means, and they get access to your password (e.g. through key logging on a hacked phone) ... congratulations, your BankID are now belong to us.

As for how I deal with these two issues, when it comes to number one I have to make an educated guess about risk. If I am being redirected to the BankID site for login with the appropriate name of the service I am logging into, that works for me. If login is embedded on a web page, I have to decide whether to trust that service with not abusing credentials. I will typically trust well reputed companies that have a very large customer base (so if there was fraud, it would have been a national news story). Some times it is less obvious who you are deciding to trust.

With the second issue, I have chosen the option to have the second-factor code generation done on a physical code generation device, not on the phone - an option that almost noone chooses (and which providers of BankID typically recommend against because it also means they will have to ship that gadget) because it is of course impractical compared to the much more convenient alternative. With the gadget sitting on a shelf at home, I can only use it when physically at home unless I have decided to bring it. But that also means hackers cannot get control of it by means of ... well, hacking. And if I am getting robbed and they take my phone, they are not getting access to my BankID.

If I were to put on a tin foil hat for a few second, I am wondering when we will start to see people getting kidnapped at gun point, taken away for a couple days while the kidnappers use their BankID on the phone to unravel their lives, and take control of all their assets plus take up loans in their name and transfer those funds as wells, plus maybe just for fun do some stuff like log into a public services portal and do stuff like change their official name and their official gender ... because why not. It used to be difficult to separate people from their assets ... like, when the only way to transfer all your money is to talk to someone at the bank, or you have to show up at an office to sign papers to transfer ownership of your house, you can't really take them there at gun point, but probably need to e.g. kidnap a family member or something like that, in a complicated scheme that you are not fully in control of. These days,

Re:

[4wdloop]

> the only way to transfer all your money is to talk to someone at the bank,
Exactly this - I wish banks had mandatory option for in-person authorizing transactions above set threshold.
Maybe even not banks but some independent service for physical verification 2FA where F means really your face not any factor.

Re:

[SouthSeb]

In Brazil we have Pix, a digital payment system that is much more secure than BankID. And yes, just as you wondered, there are cases of kidnapping so the victim is forced to transfer money to the criminals.

As a palliative solution, banks implemented Pix limits (there are separate limits for daylight and nighttime transfers). The user can decrease these limits instantly in the bank app. But if you increase the limit, it takes 24 hours for it to take effect.

Cashless is not the problem here

[drinkypoo]

This was a transaction that would have been done "cashless" even before the country went "cashless". This problem could come up with some other poorly designed system, too. The system has to educate users, and it's clearly failing at doing that. One way would be for the user to have to complete a tutorial before being allowed to use the app to transfer funds, so they know what it's supposed to look like. This is also an opportunity to make them agree that they understand that they are responsible for certain parts of the process, just as they would be if they were making a cash transaction.

The posters who have noted that the UI could do more to make these fraudulent transactions obvious are also spot on. Not only should it make it obvious when a transaction is international, but it should also make the relevant details of the transaction obvious while you are agreeing to it in general so that you know clearly to what you are agreeing.

Working per plan

[PPH]

The fraud has been shifted from the merchants to the consumers.

UI Must Be Awful

[laughingskeptic]

if a debit can be confused with a credit. No one thinking they have initiated a credit to themselves should be at risk of having thousands taken from them.

In cash we trust, while we still have it.

[newbie_fantod]

Selling a physical object? Insist on a physical payment.

What else changed to raise the crime rate?

[couchslug]

How much crime is perpetrated by indigenous Swedes vs. humans they imported out of misplaced naive sense of obligation?

While Swedes has every right to disrupt and discard indigenous Swedish culture in favor of all the others which must of course be better, it's dishonest not to discuss that openly with blunt directness.

How is 2024 Sweden different from say 1964 Sweden and are indigenous Swedes delighted with their self-imposed changes?

Re: hmmm

[vbdasc]

Nope, it's actually the fault of over-enthusiastic techbros who believe that people with IQ under 90 have no rights or a place in the brave new tech world and that when they fail to thrive in the cyber setting imposed on them then it's their own fault. I sincerely wish that these techbros live long enough to become senile and start falling victim of their own sci-fi ideas.

Re:

[F.Ultra]

actually in this case it's more the victims fault for not reading on the BankID app what she was authorizing

Re: hmmm

[dpille]

lazy developers and cheap managers

Um, what kind of people do you think Obama hired?
"Somehow" they say sarcastically. Like this post too.

Re:

[ghoul]

Developers are guilty of thinking the average person is as smart as them. The average person is stupid. Developers should develop with their 5 yr old in mind not themselves.

Re:

[quonset]

Developers are guilty of thinking the average person is as smart as them.

It's worse than that. A large number of developers believe they are a god. They can do no wrong. It's always their manager who screws up. It's the project manager who doesn't know what they're doing. It's never the developer who is writing the code.

Re: Bullshit

[Fons_de_spons]

Citation?

Re:

[Anonymous Coward]

Fox News

Re:

[ravenshrike]

One need only look at rape rates to understand.

Re: Bullshit

[Fons_de_spons]

Again... citation?

Re: Bullshit

[bjoast]

Completely ignoring the effect Swedish immigration policy has had on crime rates does not make you appear smart, if that's what you think.

Re:

[F.Ultra]

Completely inventing a link that doesn't exist also doesn't make you appear smart. Yes there where initially a large increase in crimes after the Syrian crisis where Sweden had to take in a large amount of refugees but it turned out that this increase was from refugee on refugee crime done on the refugee camps to do over crowding these centers. A few years later and the crime rate was back to the baseline again.

Re:

[Bongo]

Whilst I do not want to downplay the work of skilled cryptographers, what you were saying is similar to how we build buildings with glass and wood and other materials which can be broken, and how we drive cars which have the inherent problem of being large moving objects, and how any medical treatment can react in bizarre ways with biology, and so every single treatment ( cough cough including vaccines cough cough ) will harm someone somewhere, and that's just the nature of things, so it's all about the bal

There is a way...

[Roger W Moore]

ONES AND ZEROS CANNOT BE SECURED. NOT EVER. It's not possible

Sure it is - I defy you or anyone else to access any of the ones and zeros I've sent to /dev/null over the years.

Re:

[gweihir]

Here is a sample, in arbitrary order: "1", "1", "1", "0", "0", "0". Gotcha!

Re:

[gweihir]

There will NEVER be perfect digital security

It does not matter one bit. The goal is NEVER perfect security. That is only something amateurs with no understanding of risk management call for. The goal is always "good enough" security. If a scammer or other attackers typically needs to invest more work than the payoff, then security is good enough.

Re: Use color

[PPH]

Right. Because no fraudster has ever figured out how to set the font or background colors.

Re:

[F.Ultra]

the scammers are not in control of that, we are talking about the MFA app, not some random web site.

Re:

[Woeful Countenance]

Shapes are also good, like a triangle for paying and a circle for receiving payment.