Paypal has a new payment option called "Bank Account" which says:
Enter your online banking ID + password
QUESTION: To me it sounds unsafe (ie: sends my password to a third-party organization like Paypal), but does there actually exist any security mechanism/protocol that they could be using to make this operation safe?
Notes: Seen from Japan, on Firefox 32.0 Ubuntu 2014.04, URL starts with https://www.paypal.com/
The warning symbol in the URL says "Connection Partially Encrypted".
Once you submit that form, the information clearly goes to PayPal. So, yes, your password is definitely sent to PayPal. However, PayPal is saying that that it only uses your bank account credentials to confirm/verify your account.
What seems to happen is that PayPal takes your information then sends it to your online banking provider for verification. What PayPal does with your credentials after that is unknown. They might store it for future payments, or they discard it after the verification process.
In one line: Yes, your bank password goes to PayPal. Is it bad? Well, it depends on how much you trust PayPal.
By comparison, in Finland we have a completely different system with PayPal. When PayPal needs to verify the bank account or withdraw from the bank account, you get redirected directly to the bank's online banking page. You login there, and then you get redirected back to PayPal. They only get a verification token from the bank. The system is called TUPAS.
Is my password sent to Paypal?
Yep. Giving your password to PayPal may be a breach of your bank's Terms and Conditions and/or make you personally liable for any fraud that takes place through that system. Also PayPal can see the personal information and transaction history associated with that account. Hope you trust PayPal real good now!
Or is there a kind of protocol involving the bank's server, which makes this actually safe?
PayPal is most probably running automated screen-scraping scripts attempting to log in to the normal online banking site on your behalf and doing the transfer. This is obviously pretty fragile and risks breaking when banks update their web sites. It is likely that some banks may be co-operating with PayPal to reduce this risk.
This approach has been done a number of times before, eg by Germany's sofort.com. I am disappointed to see PayPal jump on this payment model too. Whilst the rest of the web is working on federated authentication/authorisation schemes that let you approve particular transactions without having to hand over the keys to the kingdom to other participants (OAuth, SAML etc), the financial world is once again plumping for convenience and legacy compatibility over security.
Your information does go to PayPal, who will likely use it to login to your bank account. That way they can verify your information is valid.
However - technically - they can also see other information. Anything you see after logging in (your account balance, the various deposits / withdrawals) is visible to them, and they may or may not store that. Technically they are also able to invoke any other function you don't need another form of authentication for.
So, risk is one matter. The other matter is if your bank actually allows you to do that. A lot of banks will require that you keep your access information confidential. By using this function you will violate that agreement, by giving your access information to a third party.
I have a login and password that is read-only access. That is the login I use when sites such as paypal asks for it. I also use the read only account for my quicken software. If you are curious what paypal does with the login data, read the user agreement or contact support for more details.
I think other answers explain well risks of giving your password to PayPal. I think the bigger issue here is that users are taught in this way that they can sometimes provide password to somebody. This is IMO extremely bad and stupid and I'm highly disappointed by PayPal for doing so.
