Why does Trustly require my online banking credentials for eBay sales?
Recent reports indicate eBay users, particularly sellers, encounter prompts requesting their online banking login details. This usually occurs post-sale or during account verification. The prompt often redirects to a third-party service, prominently displaying “Trustly” or referencing “RiskRemedy.”
Users naturally view this with suspicion. Asking for direct bank login credentials (username and PIN) traditionally signals phishing. However, this specific scenario involves legitimate, albeit intrusive, financial technology protocols.
The Mechanism: Trustly and RiskRemedy
The popup is likely not phishing but a legitimate integration with Trustly, an authorized payment processor.
- Risk Minimization: eBay utilizes services like “RiskRemedy” to assess user risk.
- Identity Verification: Accessing the bank account verifies the seller’s identity immediately.
- Creditworthiness: Analyzing transaction history helps platforms predict default risks.
Trustly operates as a bridge. The merchant (eBay) never sees your login data. Trustly inputs your credentials into the banking interface to authorize a connection.
The Legal Framework: PSD2 Directive
The European Union’s Payment Services Directive 2 (PSD2) enables this technology. This directive requires banks to open their APIs to third-party providers (TPPs) like Trustly, provided the account holder grants consent.
When you enter credentials, you authorize the TPP to access your account data. This access can range from a single identity check to viewing 90 days of transaction history.
Privacy Implications and Security Risks
While legally permissible, this practice carries significant privacy implications.
- Data Scoping: Granting access may allow the provider to view your account balance, income, and spending habits.
- Duration of Access: It is often unclear whether the consent covers a one-time transaction or continuous access for up to 90 days.
- Consumer Warnings: Consumer protection agencies warn that sharing login credentials increases abuse potential. If a breach occurs at the third-party provider, your banking security is compromised.
How to Verify Legitimacy
Before entering data, perform these security checks to rule out actual phishing:
- Check the URL: Ensure the address bar shows a legitimate eBay or Trustly domain.
- Verify the Certificate: Click the padlock icon in the browser bar. The SSL certificate must identify the site owner (e.g., eBay Inc. or Trustly Group AB).
- Search Recent Reports: Check community forums. If the request is a new phishing campaign, other users will likely have flagged it recently.
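The URL check from the list above, written out as an added example (not part of the original article and not eBay or Trustly tooling). The domains in `TRUSTED_DOMAINS` and the sample addresses are assumptions made for illustration; confirm the real domains with eBay and Trustly.

```python
from urllib.parse import urlsplit

# Assumed allow-list for illustration only; confirm the real domains with
# eBay and Trustly before relying on it.
TRUSTED_DOMAINS = {"ebay.com", "ebay.de", "trustly.com"}


def check_url(url):
    """Return (ok, reason) for an address copied from the browser bar."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return False, "malformed URL"
    if parts.scheme != "https":
        return False, "not https"
    # "https://ebay.com@other.example/" connects to other.example.
    if parts.username is not None or parts.password is not None:
        return False, "text before '@' is not the host"
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return False, "no host"
    # Internationalized names can imitate Latin letters; treat as untrusted.
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        return False, "internationalized host, possible lookalike"
    # Match the whole host or a dot-delimited subdomain, never a bare suffix.
    for domain in sorted(TRUSTED_DOMAINS):
        if host == domain or host.endswith("." + domain):
            return True, "host is under " + domain
    return False, host + " is not under a trusted domain"


# Constructed sample addresses, not taken from any real campaign.
SAMPLES = [
    "https://www.ebay.com/sh/ovw",
    "https://www.trustly.com/",
    "http://www.ebay.com/",
    "https://ebay.com@login.example/verify",
    "https://ebay.com.login.example/",
    "https://fake-trustly.com/",
    "https://xn--bay-example.com/",
]

if __name__ == "__main__":
    for url in SAMPLES:
        ok, reason = check_url(url)
        print("OK  " if ok else "STOP", url, "->", reason)
```

A passing result only means the host sits under an allow-listed domain; the certificate check in the next step still applies.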
Advisor Recommendation
If you are uncomfortable sharing banking login credentials, stop the process. Legitimate platforms typically offer alternative verification methods, such as micro-deposits (where they send a few cents to your account, and you verify the amount). While slower, this method maintains the secrecy of your banking login data.
If the platform insists on Trustly verification and offers no alternatives, you must weigh the convenience of selling on that specific platform against the privacy cost of exposing your financial transaction history.