30

I have been asked to provide my user name and password, so my fiancé can have his bank, Macoto, verify my identity, before they will send the funds. Does this sound right? I figure if he gives the ok, and they have my acct number, and tracking number, that should be sufficient? Has anyone ever heard of this practice?

mhoran_psprep
Susan

7 Answers

90

I think that's a steaming crock of cow manure.

The (well, a) standard method for determining whether an account is "on the level" is micropayments: you give them your bank's "routing number" (name will change depending on the country) and your account number. They make a couple of small deposits, and then you log into their website and enter in the amount of those deposits.

Even if it is legitimate, it's horribly insecure, and there's no way that I'd do it.

(Of course, it's always possible that your BF is using this as a subterfuge to get access to your bank accounts.)

RonJohn
34

This sounds like a scam. There is no reason for anyone to know your username and password. Are you sure it is your fiancee or some fraudsters?

They may run with your money or use it for illegal activity.

Dheer
18

To reinforce an earlier answer: it is a steaming pile of cow manure. Not only is the bank username/password the most important information you carry, for the real Macoto Bank it would be utterly useless for authentication purposes (as they (should) have no way of verifying that information)!

Provided that the Macoto bank mentioned is the Macoto Bank of Taiwan, this process is not only suspicious, but illegal, as Taiwan has pretty advanced privacy and data protection laws, fully on par with the US and the EU. That also means that Macoto bank has at the very least suffered a breach of procedure, as the inquired information is not only useless for them, but also because waaaaaaaayyyyy better methods of authentication exist!

If you have not received the inquiry directly from Macoto Bank, it's with 99.9999% certainty a form of scam.

If you DID receive the inquiry directly from Macoto Bank, you should ask about alternative means of authentication. In Germany (at least with VolksBank and DiBa) you're usually asked to deliver a handwritten note in person at the nearest branch. Also, if you DID receive the inquiry from Macoto Bank, they should be reported to the consumer protection authorities (if you have any).

The best solution would be to simply ask them about their authentication procedures in the scope of your case, at multiple branches and through customer service if you can. Verify as much as you can before you proceed!

Also, provided your fiancee has conducted the transaction either in person or via 2-factor authenticated online banking, that should provide enough authentication unless her account is actively under investigation.

tl;dr: No respected authority or company asks directly for private account information, especially usernames and passwords. Unless it's a direct scam, the information will (and should be) completely and utterly useless for the inquirer!

Update: Another thought that just hit me is that the burden of proof of the transaction itself normally lies on the debtor (your fiancee, who sends the money and the party who risks harm), except if suspicious circumstances surround the creditor (you, the one who receives the money).

I'd check my account statements and tax records if I were you...

Tylon Foxx
7

A bank will only ask for your full name, IC number, or your bank account number. A bank will never ask for your password: they don't want to know your password because it is private and known to no one else except you.

I've never come across a bank asking for your personal bank password. If someone is asking for your password, that means they are not a bank but a scammer.

Be aware: just hang up the call, or ignore it.

Rupert Morrish
6

When someone asks for your password, here's how you give it.

First invent a new username that you never use anywhere.

Then go to any password-generator site and let it make you up a completely new password not used anywhere else. Lt. Cmdr. Data gets it.

If they come back and say "That password doesn't work", then they are scamming you. The only legitimate reason to ask for a password is if they are setting up a new account for you. If a password already exists, never give it to anyone.

Harper - Reinstate Monica
2

This might not be a scam, but I'd still avoid it

This is actually becoming a more common practice, at least in the US. I have seen a number of banks offer this as a means to authenticate your account ownership instantaneously. By providing your online banking credentials, their service is able to impersonate you and scrape data from your bank's online banking portal automatically. They use the data they collect to verify your account info matches what you previously entered. It's always made me a bit nervous, as there is no way to tell what additional data they might be gathering or what they might do with it. As such, I tend to avoid these services personally, but as far as I can tell they are legitimate. For example, Dwolla offers this as an option for adding an account.

As @RonJohn said, the more standard means of verifying an account is through microdeposits. Most banks that offer the online banking option, also offer this as an alternative. Not everyone has online banking, and their scraper probably wouldn't work with all smaller banks anyway.

If you absolutely must use the online banking option, either due to time constraints or whatever reason, change your password, both before and after. In case you reused this password somewhere else, you should change it to a dummy password beforehand so that if they do keep it in a database somewhere, and it gets compromised, that password is useless to the hackers. You should change it after because, well, otherwise they have your real password and can log in anytime.

Just know that any and all funds in your accounts are at risk until you change your password the second time. (And even then potentially, if they've managed to change any of your details or schedule future transactions.)

BryKKan
2

Passwords should always be a secret known only to you and the service the password is meant to keep secure (e.g. your bank, your email account, etc.). Any respectable service will secure your password in such a way that no person other than you can ever know it without you disclosing it, because no one but you need ever know your password for any honest purpose.

Giving out your password is handing over control of whatever it is your password is protecting, effectively allowing someone else to "become you" for whatever that service does.

Any third party asking for your password is doing so for a nefarious purpose, such as emptying all your funds out of your account.

For a bank to send funds to a recipient account at another bank, all they need is identification of the destination bank and the destination account number. To confirm that it is the correct account, they will probably want/need to know the name of the account holder. No passwords.

The sending bank doesn't need to verify your identity. They don't have to know or care who you are. They will want to verify the identity of the person requesting the withdrawal of funds (i.e. your fiance); before they draw any funds from his account, they will want to know he is OK with it. All they need to know about your account is enough to avoid any mistakes in executing his request; having the account holder's name to go with the destination account number is enough.

Anthony X