6

To add money into my PayPal wallet I have to use Trustly. Trustly connects to my bank account and draws the funds from there.

In order to connect to my bank account I need to provide them with MY BANK USERNAME AND PASSWORD.

I can see my bank balance, I receive a one time token SMS from my bank to agree with the transfer... the integration between Trustly and my bank is legit.

However...

The thing that bothers me is that I need to add my bank username and password on the Trustly site. Most of the merchant integrations of this type I have seen usually involve a redirect to my bank site where I insert my username and password, I authorize what needs to be authorized, etc, then get redirected back to where I came from. So basically, nobody but my bank deals with my credentials. Not so with Trustly, where I give them my bank username and password. They say they don't store any credentials, and I still need a one time token that my bank provides, but still... can they be trusted with my bank credentials?

If they do store them and someone gets access to them, I am still exposed to social engineering attacks where someone might try to convince me to give them the one time password.

Pips

3 Answers

3

Nobody but you can be trusted with your bank login credentials. Sharing them is probably a violation of the terms of your bank's online access.

Which is part of why I refuse to use web-based financial management tools except those built into the banks themselves. I'm willing to give a password to Quicken to be recorded on my own machine (or store it on my non-networked password manager, also only on my own machine) but that's my limit, and I'd much rather folks moved to the newer protocol which assigns a separate credential for that purpose.

Whatever Trustly is, the mere fact that they are making the request would send me screaming in the other direction.

Especially since PayPal should be able to credit and debit your account with nothing more than the routing number and account number, the same way other direct deposits and direct payments do. (Even with that more protected access, I've seriously considered setting up a separate account to isolate it from the rest of my funds.)

This really sounds much more like a scam than anything else. It might be honest, but I see no reason to assume so... and even granting the assumption, not knowing how they store and protect the credentials would make me extremely uncomfortable. And I see absolutely no need for it, at least in the banking systems I am familiar with.

I would assume scam, or if not scam then incompetent and untrustworthy, until proven otherwise. And even with proof, I wouldn't trust it.

keshlam
2

"Can be trusted" isn't really a binary question, it's a balance of risk and benefit. I have to place a lot more trust in my bank than PayPal, since my bank is ultimately the holder of my money. However in this case, as you have pointed out, Trustly would effectively have full access to your bank account if they desired. Assuming they are a company that you can verify PayPal is actually partnering with, you can be pretty sure that they won't outright steal your money. However, they could covertly use the opportunity to automatically scrape your account information, transaction histories, and any other information on the account that could be sold to data agencies. The other problem is that your bank likely specifies in their TOS that sharing your banking login information violates it, which could introduce you to other problems if Trustly does misuse your account information and you ask your bank for help. None of this considers what happens if Trustly has nothing but the purest intentions, but does not properly scrub your account information and it is stolen from them.

Ultimately I cannot tell you how important tying your PayPal account directly to your bank is to you. However, providing your bank login credentials to a third party is extremely inadvisable in almost any situation.

1

I never use Trustly because of the way the integration is implemented. There are ways to allow payments without having to give total control to the payment provider, so it sounds to me that they are most likely not having only the most pure intentions. Oh and I don't care what they officially try to parrot.

Untrustely