Hi, I just signed up to Revolut and the Bankin.com service and think that getting Bankin to support your accounts would be a great idea. The Bankin service allows you to manage money flows for lots of accounts in multiple currencies and provides alerts for transactions on your accounts.
Looks like it’s supported now, I can see it in the list.
You have to add it on their website though, looks like you can’t from the app directly.
I wonder if it’s an official support though, they ask for the PIN code
It would have been better to simply receive a request from Revolut, to allow/deny Bankin to access our data. (or any other third party for that matter)
@AndreasK do you know anything about this? Is the support “official”?
If anyone wants to use this: be aware they currently have a bug with the crypto-currency support with Revolut, which will make whatever amount you have around 1,000,000 times bigger.
Isn’t it dangerous to share your Revolut PIN code with a 3rd party?
Yes. It absolutely is.
If a 3rd party app asks for access via the APIs, you get a notification and the 3rd party app should ask for a 6-digit security code, similar to how it is when logging in with Revolut itself.
Yes, and no. It really depends on what can be done with it. With most banking services, an initial log-in only allows reading transaction logs. As long as 3rd party apps can’t execute payments, the immediate fraud risk is relatively low. It is mainly a data privacy concern then.
But sure, I would only provide access to an account for a 3rd party if I trust this party and if I have understood their business model.
If Bankin was using an official API via Revolut then I very much doubt they would need the PIN code for the app. Instead Revolut could trigger a notification inside the app or something. Asking for the PIN is the same as asking for my password.
It is very shady and should be stopped!
Exactly. In this case the Bankin app is well known and uses that kind of login for many bank services.
I believe they are audited to be safe.
Not saying it’s 100% safe, it never is, but it’s a good compromise between usability and safety.
I don’t use it anymore anyway, as I’ve switched to Revolut for 99% of my transactions.
There is a reason why systems like OAuth etc. were invented. It is not safe EVER to send a password to a 3rd party. You can’t be sure which log files the PIN code will be written to. Also it does not give you a way to easily remove access without changing the PIN code.
Also, to verify account API calls, they must send that PIN along to the API, which means it has to be stored somewhere, likely in plain text.
I use Outbank, a German multibank app. They use the official APIs, but the account log-in for Revolut is phone no + app PIN.
When Outbank tries to connect to Revolut, Revolut sends a notification about this attempt. Outbank asks for a 6-digit code that is sent to the registered phone, similar to how it is when logging in with Revolut itself. Outbank then can read only the transaction history. The API does not seem to grant access to any payment-related functionalities. (Or Outbank hasn’t implemented this, I don’t know.)
This wouldn’t be a problem at all if the PIN was asked for on the Revolut site and not entered into their custom form.
You get a notification about logging in on a new device, to make sure it is you. Just like if you logged in on a new phone. This is also an indication that they are not using official APIs to interact on your behalf.
The SMS you receive is the normal two-factor authentication; they are just entering it for you. I am sure they are getting COMPLETE access to your account. Whether they use it or not, I don’t know. But I would never trust them.
No, it’s a specific notification about granting access to Revolut via a 3rd party.
I just tried with Bankin; that was not about a 3rd party.
The correct way this should have been implemented is:
- Go to Bankin and click connect.
- Connect redirects you to a purpose-built page on the https://revolut.com domain, where you can enter your phone number.
- They send out a two-factor authentication code and push, which you enter ON the https://revolut.com domain.
- After successful authentication you are redirected back to Bankin and Bankin will receive a form of token.
- Bankin can then use this token to call the APIs they want. Also it is easy to revoke these etc.
Having to enter the PIN on a 3rd party homepage and afterwards your two-factor authentication code is a HUGE red flag for any software developer. I can’t imagine in any way that this is how the “official” API works between Revolut and their partners.
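The redirect-and-token flow described in this post, as an added in-memory simulation (not code from the thread, Revolut or Bankin; the Bank and Aggregator classes, the scope names and the phone number are hypothetical): the third party ends up holding only a revocable, read-only token, the 2FA code is single-use, and the PIN never leaves the bank's side.

```python
import hmac
import secrets

class Bank:
    """Hypothetical bank side: phone and 2FA code are checked here, never by the aggregator."""
    def __init__(self):
        self._pending = {}  # phone -> one-time 6-digit code awaiting confirmation
        self._tokens = {}   # opaque token -> (phone, granted scope)

    def start_authorisation(self, phone):
        code = f"{secrets.randbelow(10**6):06d}"  # push/SMS code, delivered out of band
        self._pending[phone] = code
        return code

    def finish_authorisation(self, phone, code, scope="read:transactions"):
        expected = self._pending.pop(phone, None)  # single use: a replayed code fails
        if expected is None or not hmac.compare_digest(expected, code):
            return None
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (phone, scope)
        return token

    def api(self, token, action):
        """Serve the call only if the token exists and its scope covers the action."""
        grant = self._tokens.get(token)
        if grant is None or grant[1] != action:
            return None
        return {"phone": grant[0], "action": action}

    def revoke(self, token):
        return self._tokens.pop(token, None) is not None

class Aggregator:
    """Hypothetical third party: holds only the opaque token, never the PIN or 2FA code."""
    def __init__(self):
        self.token = None

    def fetch(self, bank, action="read:transactions"):
        return bank.api(self.token, action)

def demo(phone="+44 7700 900000"):  # constructed sample number
    bank, agg = Bank(), Aggregator()
    code = bank.start_authorisation(phone)  # user enters this on the bank's own domain
    agg.token = bank.finish_authorisation(phone, code)  # aggregator gets only a token
    readable = agg.fetch(bank) is not None
    can_pay = agg.fetch(bank, "write:payments") is not None  # read-only scope: denied
    bank.revoke(agg.token)  # user revokes access without changing the PIN
    return readable, can_pay, agg.fetch(bank) is not None
```

Contrast with the flow the thread complains about: there the aggregator must store the PIN itself and replay it on every call, so revocation means changing the PIN.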
I am not going through a chargeback application. And it is not a new device. And there is no mention of 3rd party.
But your attempt to log-in is not unnoticed.
I agree, sharing a password is not the best possible case. It was a major discussion point in figuring out PSD2: banks argued they can rule this out via their T&Cs, but the European Commission did not agree and saw it as an unnecessary constraint for services that have to rely on screen grabbing until banking services provide PSD2-conformant APIs.
True. But it is far from a “3rd party wants access” notification. So we agree it is shady and not an official integration.