Why Going Cashless Has Turned Sweden Into a High-Crime Nation (fortune.com) 167
An anonymous reader quotes a report from Fortune: Ellen Bagley was delighted when she made her first sale on a popular second-hand clothing app, but just a few minutes later, the thrill turned to shock as the 20-year-old from Linkoping in Sweden discovered she'd been robbed. Everything seemed normal when Bagley received a direct message on the platform, which asked her to verify personal details to complete the deal. She clicked the link, which fired up BankID -- the ubiquitous digital authorization system used by nearly all Swedish adults. After receiving a couple of error messages, she started thinking something was wrong, but it was already too late. Over 10,000 Swedish kronor ($1,000) had been siphoned from her account and the thieves disappeared into the digital shadows. "The fraudsters are so skilled at making things look legitimate," said Bagley, who was born after BankID was created. "It's not easy" to identify scams. Although financial crime has garnered fewer headlines than a surge in gang-related gun violence, it's become a growing risk for the country. Beyond its borders, Sweden is an important test case on fighting cashless crime because it's gone further on ditching paper money than almost any other country in Europe.
Online fraud and digital crime in Sweden have surged, with criminals taking 1.2 billion kronor in 2023 through scams like the one Bagley fell for, doubling from 2021. Law-enforcement agencies estimate that the size of Sweden's criminal economy could amount to as high as 2.5% of the country's gross domestic product. To counter the digital crime spree, Swedish authorities have put pressure on banks to tighten security measures and make it harder on tech-savvy criminals, but it's a delicate balancing act. Going too far could slow down the economy, while doing too little erodes trust and damages legitimate businesses in the process. Using complex webs of fake companies and forging documents to gain access to Sweden's welfare system, sophisticated fraudsters have made Sweden a "Silicon Valley for criminal entrepreneurship," said Daniel Larson, a senior economic crime prosecutor. While the shock of armed violence has grabbed public attention -- the nation's gun-homicide rate tripled between 2012 and 2022 -- economic crime underlies gang activity and needs to be tackled as aggressively, he added. "That has been a strategic mistake," Larson said. "This profit-generating crime is what's fueling organized crime and, in some cases, leads to these conflicts."
Sweden's switch to electronic cash started after a surge of armed robberies in the 1990s, and by 2022, only 8% of Swedes said they had used cash for their latest purchase, according to a central bank survey. Along with neighboring Norway, Sweden has Europe's lowest number of ATMs per capita, according to the IMF. The prevalence of BankID plays a role in Sweden's vulnerability. The system works like an online signature. If used, it's considered a done deal and the transaction gets executed immediately. It was designed by Sweden's banks to make electronic payments even quicker and easier than handing over a stack of bills. Since its original rollout in 2001, it's become part of the everyday Swedish life. On average, the service -- which requires a six-digit code, a fingerprint or a face scan for authentication -- is used more than twice a day by every adult Swede and is involved in everything from filing tax returns to paying for bus tickets. Originally intended as a product by banks for their customers, its use exploded in 2005 after Sweden's tax agency adopted the technology as an identification for tax returns, giving it the government's official seal of approval. The launch of BankID on mobile phones in 2010 increased usage even further, along with public perception that associated cash with criminality. The country's central bank has acknowledged that some of those connotations may have gone too far. "We have to be very clear that there are still honest people using cash," Riksbank Governor Erik Thedeen told Bloomberg.
What are the details of the scam? (Score:5, Interesting)
It seems BankID is being triggered to authorize transactions without the victim realizing they are authorizing a transaction. How does this work? I looked at every instance of BankID in the article but did not find details.
actually secure your domain ? (Score:5, Informative)
The scam site prompts for all the details including the MFA codes etc
realistically they bankID should be using a Swedish website (.SE) and should take responsibility for the fraud since they allowed a scammer to register a domain
plus seemingly they can't figure out how to do key exchange securely on their website for TLS so I don't hold out much hope
this is what happens if you allow banks to create their own system with not enough regulations they just go with the cheap option and push the fraud to the consumer
Re: (Score:3)
I'm still having trouble seeing how someone who was selling something for (electronic) cash got tricked into authorizing a purchase. Was a Nigerian Prince involved?
Just how badly designed is this BankID system?
Re:actually secure your domain ? (Score:5, Informative)
Re: (Score:2)
There have been cases where bank has stopped the transaction and contacted the person transferring money, saying that this looks like a scam and you should not make this transaction, but the person has still chosen to make the transaction.
Re:actually secure your domain ? (Score:4, Interesting)
While true that purely causally she could have seen what was going on, many people cannot deal with the cognitive load the additional verification requires and hence mess it up or leave it out completely. That means the whole process is badly designed, because it did not take the skills and capabilities of the user population into account adequately. And it did so while it was known that people have real trouble dealing with UAC prompts and the like.
Re: (Score:2)
Re: (Score:2)
No idea. But if they cannot design it in such a way that the risk of people not understanding what they are doing is comparable to cash, then this app has no business being deployed. Replacing a critical mechanism with a worse solution is not acceptable.
Re: (Score:2)
I believe it is called the dancing bunny problem. People want to see dancing bunnies, no amount of warning messages stops them!
Re: (Score:2)
Re: (Score:2)
Indeed. If an average (or reasonably below average) skilled person cannot use it reliably and _with_ understanding what they are doing, then the mechanism, whatever it may be, is not fit for public rollout, no excuses. And if we had reasonable product liability for software, that would effectively be enforced. Most people are not technology experts and that is _not_ their fault.
Re: (Score:2)
It's very susceptible to social engineering, because people are just so used to it being the "popup they have to dismiss".
The app itself tells clearly what you're about to authorize. People just don't read.
Re: (Score:2)
> It's very susceptible to social engineering, because people are just so used to it being the "popup they have to dismiss".
> The app itself tells clearly what you're about to authorize. People just don't read.
With cash, nobody would "accidentally" hand over a stack of notes worth a thousand USD. But safety from fraud for the consumer is way down on the list of priorities wherever "digital payment systems" are being introduced. At the top of the priority list are 1. profits for the payment system provider, 2. data harvesting from every payment, 3. control over who is allowed to pay whom for what.
Re: (Score:3)
Indeed. And that is because cash has a massively, massively superior user interface design. Maybe because it has been optimized over a few 1000 years and electronic transactions are a new thing.
Re: (Score:3)
Re: (Score:2)
Sure. But the risk is a lot smaller because the UI is a lot better.
Re:actually secure your domain ? (Score:4, Interesting)
That is too simplistic. We are talking about average people here. They get cognitive overload easily. Expecting them to act on the level of a competent IT person is excessively bad design and basically screwing them over. Yes, so is expecting regular users to decide whether to allow a privilege escalation (UAC prompt, etc.), to decide whether an email attachment is safe to open, whether a website is fraudulent, etc. Regular people cannot do it reliably and often cannot do it at all. Expecting them to be able to is not professional and not acceptable. And no, this has nothing to do with intelligence or education and everything with bad GUI and process design.
Re: (Score:2)
No amount of GUI and process design is going to fix stupid, and "cognitive overload" is bullshit. If that's the game you people want to play, we'd all be better off just banning you from using the things period.
In this case, we have malicious actors intentionally trying to deceive the public. Knowledge is only preventative solution here. Anything else is yet another thing for those actors to engineer a fake for, and puniti
Re:actually secure your domain ? (Score:4, Interesting)
It was her first time selling. She did not know what to expect. If she had done it before, she would have known it was not right.
-She thought she was linking her account for receipt of funds -because she had made a sale she was expecting to have to do this...
-She actually provided account info for payment of funds -it is mostly the same information. Mostly.
Sure, she should have known better... but scammers count on people not catching on until too late. That is how scams work.
Re: (Score:3)
Re: (Score:2)
From what you said, this is "social engineering"... i.e. just convincing someone else to do some dirty work, cough up a password, login, press a button.
People are always the weakest link.
How do you fix that?
Re: actually secure your domain ? (Score:2)
Re: (Score:2)
> The scam site prompts for all the details including the MFA codes etc
> realistically they bankID should be using a Swedish website (.SE) and should take responsibility for the fraud since they allowed a scammer to register a domain
> plus seemingly they can't figure out how to do key exchange securely on their website for TLS so I don't hold out much hope
> this is what happens if you allow banks to create their own system with not enough regulations they just go with the cheap option and push the fraud to the consumer
Afaik this doesn't relate to how popular scams are performed.
Re: actually secure your domain ? (Score:2)
Tell us you don't live in Sweden without telling us you don't live in Sweden.
A BankID authentication for a transaction always states who is requesting it (which may be fraudulent) and for how much the transaction is for. It's no different from signing a contract you don't actually read.
Re: actually secure your domain ? (Score:2)
I think you ought to read up on how things work here in the Nordics - or at least read the linked article - before posting your brilliant ideas of a centralized ID mechanism.
Re: (Score:2)
What is it specifically that you wanted to mention?
Re:What are the details of the scam? (Score:4, Informative)
no GeoIP lock on BankID so a purchase or bank-login can be initiated in one location and then be authorized with BankID from a different location. Most of these scams would disappear if both the initiation and the authorization had to take place in the same city (or even country).
BankID has geolock, but it's only mandatory for issuing new BankID on a different device https://www.bankid.com/en/priv... [bankid.com] How accurately it works I don't know and I'm pretty sure it isn't on by default and you're asked if you'd like to give permission (on android).
Re: (Score:2)
> BankID displays that you are going to authorize so this is 100% on the victim
Partially, there may be some physiological play here as when you use cash, something physical is exchanged (bills, coins) while clicking and swiping does not have this feeling. Very similar to using credit card plastic - it is much easier to make a purchase with it than with money.
Re:What are the details of the scam? (Score:5, Informative)
Ok so I looked up the original article here in Sweden and in this particular case Ellen was selling used clothes at the site vinted.se that is a real site for selling used clothes. She made a sale (or so she thought) and to reclaim her money she had to authorize via BankID, what she didn't know was that the scammers had initiated a transfer of money from her bank account to their account so she authorized that transaction (which was clearly labelled in the BankID app but she must have ignored what it told her).
Original article: https://www.aftonbladet.se/nyh... [aftonbladet.se]
Re: (Score:2)
> Ok so I looked up the original article here in Sweden and in this particular case Ellen was selling used clothes at the site vinted.se that is a real site for selling used clothes. She made a sale (or so she thought) and to reclaim her money she had to authorize via BankID, what she didn't know was that the scammers had initiated a transfer of money from her bank account to their account so she authorized that transaction (which was clearly labelled in the BankID app but she must have ignored what it told her).
> Original article: https://www.aftonbladet.se/nyh... [aftonbladet.se]
My rule of thumb is that "user error" is still a bug.
Users will be distracted, users will start performing actions based on muscle memory, users will become focused on an outcome and miss red flags.
Apps should be designed to work with how users work in the real world, not hypothetical users who read the entire manual and carefully verify every detail.
Re:What are the details of the scam? (Score:5, Insightful)
> It seems BankID is being triggered to authorize transactions without the victim realizing they are authorizing a transaction. How does this work? I looked at every instance of BankID in the article but did not find details.
BankID will tell you what's being authorized and you have to actively approve. In the case described it seems like Ellen Bagley got an automated version of https://www.reddit.com/r/vinte... [reddit.com] it involves several steps of authorization. At scale some people are just clicking thru and giving info they really wouldn't do but for the expectation that they are about to do a legitimate transaction to their benefit and ignoring all common sense.
This is not a case of BankID being insecure but the way Vinted (a Lithuanian company) allows buyers to send sellers phishing mail.
Re: (Score:2)
In a properly designed system, there would have been a code on the screen (numeric or QR) for the user to input into the BankID app.
There was no such code: no link between transaction and authorisation that would have had to actually go through the user.
So the scammer started a login session to the victim's bank on their end, and fooled the user into believing something else was happening.
The scammer could use software to log in and initiate a payment very fast, and fool the victim to believe that instead
Re: (Score:2)
Here's how it works. (Score:5, Interesting)
What enabled this scam was a fundamental design flaw in BankID. The protocol is designed such that the authentication is done in a side channel. Normally when you log in to a website, you send your credentials directly to the server you're connecting to. With BankID, when you initiate a login with the website, the web server contacts the central BankID server and asks it to verify your identity. Your BankID app also connects to the BankID server. The authentication is done between the BankID app and the BankID server. Then the BankID server tells the website "yep, this person is authenticated", and then you're logged in to the website.
Fraudsters quickly figured out how the side channel can be exploited. They initiate a dialogue with a victim. The pretexts used are many and diverse. In this case it was the pretense of buying second-hand clothes. Then some seemingly plausible reason for authentication comes up. In the background the fraudsters request a withdrawal from the victim's bank account, and so the victim's BankID app pops up and asks for authentication. The victim thinks they're authenticating to some other website, when they're actually authorizing the fraudsters' withdrawal.
People use BankID so frequently that it becomes routine, and one more thing that requires BankID doesn't raise suspicion. When they're used to it they no longer read every word the BankID app displays, so they don't notice the text that says what it is they're authorizing. Relying on people to be suspicious every time they use BankID doesn't work.
The way to stop this kind of fraud is to replace BankID with a protocol that sends the credentials through the login session, not through a side channel. A client certificate in HTTPS is one option that has existed for longer than BankID has. Webauthn is a newer protocol that would be suitable.
Another problem with BankID is that it stifles competition in the operating system market. It's a proprietary protocol that requires a proprietary app that requires an iPhone or Android device -- or sometimes Windows, but often not even Windows is allowed. Every additional thing that requires BankID contributes to excluding competing operating systems from the Swedish market, strengthening the Apple/Google duopoly.
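The difference between side-channel approval and approval bound to the login session, as described in the comment above, shown as an added toy model. It is not part of the original post and is not BankID's or WebAuthn's actual protocol: the class names, the origins and the HMAC stand-in for a device signature are all assumptions made for illustration.

```python
import hashlib
import hmac
import json
import secrets

BANK_ORIGIN = "https://bank.example"                # constructed origin
LOOKALIKE_ORIGIN = "https://payout-verify.example"  # constructed origin


class Authenticator:
    """The user's approval device. HMAC stands in for a real device signature."""

    def __init__(self):
        self.key = secrets.token_bytes(32)

    def _sign(self, message: bytes) -> bytes:
        return hmac.new(self.key, message, hashlib.sha256).digest()

    def approve_side_channel(self, order_ref: str) -> bytes:
        # Only the pending order is signed. Nothing records which web page
        # the user was looking at when the prompt appeared.
        return self._sign(order_ref.encode())

    def approve_channel_bound(self, challenge: str, browser_origin: str):
        # The origin is filled in by the browser for the page that asked,
        # so it travels inside the signed data and cannot be chosen by that page.
        client_data = json.dumps(
            {"challenge": challenge, "origin": browser_origin}, sort_keys=True
        ).encode()
        return client_data, self._sign(client_data)


class Bank:
    """Relying party that holds the key registered for the user's device."""

    def __init__(self, registered_key: bytes):
        self.key = registered_key
        self.pending = {}  # reference/challenge -> human-readable description

    def start_order(self, description: str) -> str:
        ref = secrets.token_hex(8)
        self.pending[ref] = description
        return ref

    def _sig_ok(self, message: bytes, sig: bytes) -> bool:
        expected = hmac.new(self.key, message, hashlib.sha256).digest()
        return hmac.compare_digest(expected, sig)

    def complete_side_channel(self, order_ref: str, sig: bytes) -> bool:
        # Accepts any valid approval of the order, whoever opened the order.
        return order_ref in self.pending and self._sig_ok(order_ref.encode(), sig)

    def complete_channel_bound(self, challenge: str, client_data: bytes, sig: bytes) -> bool:
        if challenge not in self.pending or not self._sig_ok(client_data, sig):
            return False
        data = json.loads(client_data)
        # The approval counts only if it was given on the bank's own origin.
        return data.get("challenge") == challenge and data.get("origin") == BANK_ORIGIN


def run_scenario() -> dict:
    device = Authenticator()
    bank = Bank(device.key)

    # 1. Side channel: the order was opened elsewhere; the user approves the
    #    prompt while believing it belongs to the page in front of them.
    ref = bank.start_order("transfer 10000 SEK")
    side_channel = bank.complete_side_channel(ref, device.approve_side_channel(ref))

    # 2. Channel-bound: same situation, but the signed data names the
    #    lookalike origin the user's browser was actually on.
    ch = bank.start_order("transfer 10000 SEK")
    data, sig = device.approve_channel_bound(ch, LOOKALIKE_ORIGIN)
    relayed = bank.complete_channel_bound(ch, data, sig)

    # 3. Channel-bound, user really on the bank's site.
    ch2 = bank.start_order("login")
    data2, sig2 = device.approve_channel_bound(ch2, BANK_ORIGIN)
    legit = bank.complete_channel_bound(ch2, data2, sig2)

    return {
        "side_channel_accepted": side_channel,
        "bound_wrong_origin_accepted": relayed,
        "bound_bank_origin_accepted": legit,
    }


if __name__ == "__main__":
    for name, accepted in run_scenario().items():
        print(f"{name}: {accepted}")
```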
Re: (Score:2)
Cash and checks are awful but.. (Score:3)
Re: (Score:2)
> next to zero recourse if its fraud
this!
Banks are generally off the hook legally. I cannot find a way to require my bank to require my physical presence for any transaction above set threshold, if there is a break all can be drained in one step. Yes, they send me email afterwards, great eh?
Re: (Score:2)
I'd say checks are *worse*.
My niece wrote a check to pay her monthly garage parking company in Chicago where she lived. The garage company didn't accept electronic payments, only checks. Somebody fished the envelope out of the mail and altered the $350 check to be $4,000 instead. Even though she had put a stop payment on the check, Chase cleared the check because the amount didn't match the stop payment order. It took six months, and required involving Federal regulators, to get the mess cleaned up.
Clickbait (Score:3)
Whoever calls Sweden a "high-crime nation" has clearly never been to Sweden.
Re: (Score:2)
Re:Clickbait (Score:5, Informative)
The homicide rate tripled? https://bra.se/bra-in-english/... [bra.se]
Re: (Score:2)
Maybe it's like that elephants in Africa thing from a few years back...
Re: Clickbait (Score:2)
He said gun, you provided total. The only reference to guns doesn't cover a decade. Now I understand your user name!
Re: (Score:3)
"the nation's gun-homicide rate tripled between 2012 and 2022"
So this is misleading in at least three ways: it uses "gun homicide", rather than total "lethal violence"; it says "tripled" without mentioning the actual rates; and it starts from 2012, which was a low point with fewer homicides than any other year in the past 20.
The graph itself is confusing: it says "Man", "Woman", and "Total", but "Man" and "Woman" are always exactly the same, and "Man" + "Woman" is much less than "Total".
Re: (Score:2)
https://www.statista.com/stati... [statista.com]
So if that includes a tripling of gun homicides in that time, they must be so small in number as to be mostly statistical noise.
Re: (Score:2)
Just to be clear, if I was criticizing, it was the article in Fortune, not you.
Thanks for the additional graph. Looks like there was a jump in 2015. Wonder if there's any discernable reason for that.
Re: (Score:2)
Yes, immigration. Maybe not the immigrants that arrived 2015 but the immigrants that arrived the 10-20 years before 2015, or even people born in Sweden to immigrant parents.
Re: (Score:2)
Re: (Score:2)
Yes, that is EXACTLY what happened. 2015 had intense gang wars between immigrant gangs with members that mostly arrived 10-20 years before. Things calmed down 2016 (because people were dead or in prison) and then there have been new waves after that. Duh!
Re: (Score:2)
You don't know what you are talking about. The general homicide rate in the Nordic countries has been decreasing for decades, but in Sweden, the last 10-20 years increased gun violence has "compensated" for that general decrease and caused a slight increase in the homicide rate.
2022 there were 60 gun homicides (out of 116 homicides in total) in Sweden, that is 10x the amount of gun homicides in Denmark, Norway and Finland COMBINED (and those 3 countries together have more than 50 % higher population than Swe
Re: (Score:2)
Re: (Score:2)
No it is not misleading considering the current situation in Sweden. The typical homicide in Sweden until the 1990s was two alcoholics involved in a fight with knives. That didn't endanger the surroundings and as long as you stayed out of such company the risk for the average citizen to be murdered was very low. Now there are gangs killing each other in broad daylight downtown with AK47 and they aren't good shots so now anyone can become a victim.
According to https://www.aftonbladet.se/nyh... [aftonbladet.se] there were 53
Re: (Score:2)
Re:Clickbait (Score:4, Interesting)
They're the only country besides Mexico that tracks grenade attacks. That doesn't exactly leave the best of impressions.
https://en.wikipedia.org/wiki/... [wikipedia.org]
Re: (Score:2)
Re: (Score:2)
You mean the 251 per year for bombings? You really need to learn to read your own sources.
Re: (Score:2)
From January 1, 2019, through December 31, 2019, BATS captured a total of 14,940 explosives related incidents
Another idiot who can make a link, but didn't read it.
This report examines the total number of explosives
related incidents reported in BATS for calendar year 2019 and includes explosions and bombings, recoveries,
suspicious packages, bomb threats, hoaxes, and explosives thefts/losses
Recoveries, suspicious packages, bomb threats, hoaxes, and thefts/losses are definitely not attacks.
As for attacks, of all the explosions recorded, including accidental ones, the single military equipment explosion was from propellants. Which means, not a grenade.
Any grenades listed would be in the recovery or losses section, which do include military ordnance.
This is why I ignore people who shout "CITATION NEEDED." They're the same people who link rand
Concerning Statistics (Score:2)
But yeah let the 100 per year in Sweden be a big problem...
That's a huge problem. The statistics you have show only 251 bombings in the US - the number you gave was total incidents and most of these seem to be recovery of explosives or suspicious package incidents not actually setting off explosives near people.
To put that in context though the US's population is 333 million while Sweden's is 10 million. If the US rate of bombings was happening in Sweden you would have only 8 incidents a year.
Whats this got to do with going cashless? (Score:4, Informative)
This was an ONLINE scam. Online purchases have always been cashless, and are cashless in every country in the world.
This has absolutely nothing to do with eliminating use of cash for in person transactions.
Re:Whats this got to do with going cashless? (Score:4, Insightful)
The same app is being used for three things:
1. cashless transactions
2. logging into a bank account
3. "electronic ID" when accessing government services (doing your taxes, medical records, etc.)
The popularity of using it for one thing drives using it for the other two.
Other systems for bank authorisation can't be used for direct payments or as an electronic ID.
Competing electronic ID systems can't be used to log into banks or make direct payments.
Personally, I have always kept these three tasks use separate systems. Different keys to different doors. I think it would be a folly to do otherwise. One problem is that even some online government services support only BankID and not the competitors.
OTP (Score:4, Insightful)
Re: (Score:2)
> This was an ONLINE scam. Online purchases have always been cashless, and are cashless in every country in the world.
Absolutely not true. For example, the payment method "Nachnahme" ("cash on delivery") has been popular for online purchases in Germany for many years. The parcel is handed over in exchange for cash.
Cash is not a crime, civil asset forfeiture (Score:2)
I don't know if other nations have the same concept of civil asset forfeiture but in the USA the police will routinely seize cash because they believe large amounts of cash is somehow evidence of a crime. If they can't connect the cash to some crime the person possessing the cash may have done they will "arrest" the cash but let the person go. The cash is effectively charged with a crime, which leaves the owner of the cash in a bind because a person has a presumption of innocence while property does not.
I
Re: (Score:2)
Here you try to explain away freedom.
When illicit drugs are found they are held in evidence or destroyed. Police can't use or sell the drugs for personal gain.
The system is broken because humans are greedy. Civil asset forfeiture shows that the citizens understanding of freedom is not the states understanding of freedom and since someone can benefit from a forfeiture it is acted upon.
Re: (Score:3)
Other countries have things like "rule of law" and "civil rights". The US is trying to get rid of those and has been partially successful.
Insecure software (Score:2)
Re: (Score:2)
BankID does have major security flaws (Score:5, Informative)
I have had some opportunity to reflect on the security on BankID as I have to use it on a weekly basis, and I have been interested in security since I discovered Bruce Schneier's Applied Cryptography back in the 90s. It does have a couple of glaringly obvious flaws, and I am not surprised that Average Joe can end up in this type situation.
Issue number one is BankID login often happens in a login window which is embedded on the site or in the app. There is nothing beyond the layout and "authentic-looking theme" to prove neither that this login is provided by BankID, nor what service you are logging in to. Before this was always the case, now this has gotten better as you will more often get redirected to a login page on the BankID web site, which states what service you are logging into. This whole setup practically screams "come exploit this fantastic man-in-the-middle attack opportunity", and the person who got scammed in this story, should count herself very lucky the criminals didn't use the credentials to perform a one time login to _whatever service they could have wanted_ to perform any type of single transaction, like wiring all the money in her savings account.
Issue number two is the option that most people take, that the phone is the source of the second secret in 2-factor authentication. So when you use your phone to do a transaction in a browser or app, you use the BankID app on the phone to generate the second secret, and you type in your BankID password on the phone ... now, if someone has control over your phone because they hacked it or because they gained access to it by some other means, and they get access to your password (e.g. through key logging on a hacked phone) ... congratulations, your BankID are now belong to us.
As for how I deal with these two issues, when it comes to number one I have to make an educated guess about risk. If I am being redirected to the BankID site for login with the appropriate name of the service I am logging into, that works for me. If login is embedded on a web page, I have to decide whether to trust that service with not abusing credentials. I will typically trust well reputed companies that have a very large customer base (so if there was fraud, it would have been a national news story). Some times it is less obvious who you are deciding to trust.
With the second issue, I have chosen the option to have the second-factor code generation done on a physical code generation device, not on the phone - an option that almost no one chooses (and which providers of BankID typically recommend against because it also means they will have to ship that gadget) because it is of course impractical compared to the much more convenient alternative. With the gadget sitting on a shelf at home, I can only use it when physically at home unless I have decided to bring it. But that also means hackers cannot get control of it by means of ... well, hacking. And if I am getting robbed and they take my phone, they are not getting access to my BankID.
If I were to put on a tin foil hat for a few seconds, I am wondering when we will start to see people getting kidnapped at gun point, taken away for a couple days while the kidnappers use their BankID on the phone to unravel their lives, and take control of all their assets plus take up loans in their name and transfer those funds as well, plus maybe just for fun do some stuff like log into a public services portal and do stuff like change their official name and their official gender ... because why not. It used to be difficult to separate people from their assets ... like, when the only way to transfer all your money is to talk to someone at the bank, or you have to show up at an office to sign papers to transfer ownership of your house, you can't really take them there at gun point, but probably need to e.g. kidnap a family member or something like that, in a complicated scheme that you are not fully in control of. These days,
Re: (Score:2)
> the only way to transfer all your money is to talk to someone at the bank,
Exactly this - I wish banks had a mandatory option for in-person authorization of transactions above a set threshold.
Maybe not even banks, but some independent service for physical-verification 2FA, where F really means your face, not any factor.
Re: (Score:2)
In Brazil we have Pix, a digital payment system that is much more secure than BankID. And yes, just as you wondered, there are cases of kidnapping so the victim is forced to transfer money to the criminals.
As a palliative solution, banks implemented Pix limits (there are separate limits for daylight and nighttime transfers). The user can decrease these limits instantly in the bank app. But if you increase the limit, it takes 24 hours for it to take effect.
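The limit behaviour described in the comment above, as an added sketch that is not part of the thread or any bank's code: decreases apply at once, increases only after 24 hours. The night window (20:00 to 06:00), the per-transfer interpretation of the limit, and all names are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta

INCREASE_DELAY = timedelta(hours=24)              # from the comment: increases take 24 hours
NIGHT_START, NIGHT_END = time(20, 0), time(6, 0)  # assumed window, not stated in the thread


def period_of(ts: datetime) -> str:
    """Classify a timestamp as 'night' or 'day' using the assumed window."""
    t = ts.time()
    return "night" if (t >= NIGHT_START or t < NIGHT_END) else "day"


@dataclass
class TransferLimits:
    active: dict                                  # {"day": amount, "night": amount}
    pending: dict = field(default_factory=dict)   # period -> (new_limit, effective_at)

    def effective(self, period: str, now: datetime) -> int:
        """Return the limit in force at `now`, promoting a matured increase."""
        queued = self.pending.get(period)
        if queued and now >= queued[1]:
            self.active[period] = queued[0]
            del self.pending[period]
        return self.active[period]

    def request_change(self, period: str, new_limit: int, now: datetime) -> str:
        if new_limit < 0:
            raise ValueError("limit must be non-negative")
        if new_limit <= self.effective(period, now):
            # Lowering is always safe: apply now and drop any queued increase
            # (design choice of this sketch, so a victim can undo a coerced raise).
            self.active[period] = new_limit
            self.pending.pop(period, None)
            return "applied"
        # Raising is what a coercer wants, so it only takes effect after the delay.
        self.pending[period] = (new_limit, now + INCREASE_DELAY)
        return "pending"

    def authorize(self, amount: int, now: datetime) -> bool:
        """Per-transfer check against the limit for the current period."""
        return 0 < amount <= self.effective(period_of(now), now)
```

The point of the asymmetry is that a raise requested under duress buys the attacker nothing for a full day, while the account holder can still tighten the limit immediately.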
Cashless is not the problem here (Score:3)
This was a transaction that would have been done "cashless" even before the country went "cashless". This problem could come up with some other poorly designed system, too. The system has to educate users, and it's clearly failing at doing that. One way would be for the user to have to complete a tutorial before being allowed to use the app to transfer funds, so they know what it's supposed to look like. This is also an opportunity to make them agree that they understand that they are responsible for certain parts of the process, just as they would be if they were making a cash transaction.
The posters who have noted that the UI could do more to make these fraudulent transactions obvious are also spot on. Not only should it make it obvious when a transaction is international, but it should also make the relevant details of the transaction obvious while you are agreeing to it in general so that you know clearly to what you are agreeing.
Working per plan (Score:2)
The fraud has been shifted from the merchants to the consumers.
UI Must Be Awful (Score:2)
In cash we trust, while we still have it. (Score:2)
Selling a physical object? Insist on a physical payment.
What else changed to raise the crime rate? (Score:2)
How much crime is perpetrated by indigenous Swedes vs. humans they imported out of a misplaced naive sense of obligation?
While Swedes have every right to disrupt and discard indigenous Swedish culture in favor of all the others which must of course be better, it's dishonest not to discuss that openly with blunt directness.
How is 2024 Sweden different from say 1964 Sweden and are indigenous Swedes delighted with their self-imposed changes?
Re: hmmm (Score:2)
Nope, it's actually the fault of over-enthusiastic techbros who believe that people with IQ under 90 have no rights or a place in the brave new tech world and that when they fail to thrive in the cyber setting imposed on them then it's their own fault. I sincerely wish that these techbros live long enough to become senile and start falling victim to their own sci-fi ideas.
Re: (Score:3)
Re: hmmm (Score:2)
Um, what kind of people do you think Obama hired?
"Somehow" they say sarcastically. Like this post too.
Re: (Score:2)
Re: (Score:2)
> Developers are guilty of thinking the average person is as smart as them.
It's worse than that. A large number of developers believe they are a god. They can do no wrong. It's always their manager who screws up. It's the project manager who doesn't know what they're doing. It's never the developer who is writing the code.
Re: Bullshit (Score:2)
Re: (Score:2, Informative)
Fox News
Re: (Score:2, Troll)
One need only look at rape rates to understand.
Re: Bullshit (Score:2)
Re: Bullshit (Score:3, Insightful)
Re: (Score:2)
Re: (Score:3)
Whilst I do not want to downplay the work of skilled cryptographers, what you were saying is similar to how we build buildings with glass and wood and other materials which can be broken, and how we drive cars which have the inherent problem of being large moving objects, and how any medical treatment can react in bizarre ways with biology, and so every single treatment ( cough cough including vaccines cough cough ) will harm someone somewhere, and that's just the nature of things, so it's all about the bal
There is a way... (Score:3)
> ONES AND ZEROS CANNOT BE SECURED. NOT EVER. It's not possible
Sure it is - I defy you or anyone else to access any of the ones and zeros I've sent to /dev/null over the years.
Re: (Score:2)
Here is a sample, in arbitrary order: "1", "1", "1", "0", "0", "0". Gotcha!
Re: (Score:2)
> There will NEVER be perfect digital security
It does not matter one bit. The goal is NEVER perfect security. That is only something amateurs with no understanding of risk management call for. The goal is always "good enough" security. If a scammer or other attacker typically needs to invest more work than the payoff, then security is good enough.
Re: Use color (Score:2)
Right. Because no fraudster has ever figured out how to set the font or background colors.
Re: (Score:2)
Re: (Score:2)