I got notified of a new service that is popping up at merchants these days, particularly grocery chains. The service is called Linkables (mylinkables.com) from Linkable Networks, Inc. The issue I discovered with this service is not PCI related, but it is privacy related. With all of the discussion going on regarding the NSA collecting and analyzing telephone records, I think this is a good venue to make people aware of a practice that is possibly even more risky than storing PANs.
According the their Web site:
“Linkables are savings offers that can be connected to your credit or debit card to deliver savings to you automatically after you shop. It’s a simple and convenient way to take advantage of advertisers’ online and offline promotions, with no coupons to clip and no paperwork after you shop. Offers can be used online and offline just by using your credit or debit card.”
When you go to the Linkables Web site, you set up an account using an electronic mail address and a password as is standard operating procedure these days. But where this service goes terribly wrong is in the registering the subscriber’s credit/debit card(s). While you are required to provide your PAN and expiration date, the subscriber is then required to provide their logon identifier and password to the online banking system for the bank that issued the card.
Yes, you read that right. The customer needs to provide access to their online banking system. The reason given on the Linkables’ FAQ is:
“To deliver your savings, MyLinkables needs to be able to see when you redeem offers. To identify your redemption transactions in a secure way, MyLinkables prompts you to enter your card number and expiration date, and in some cases, your online banking credentials. This is to establish a secure connection for ongoing read-only access, and for the ability to credit your account with your savings. This connection is sustained via a PCI-compliant secure token. For some banks, we are able to create this connection without asking you to enter this information.”
The first problem I have with this is that Linkables invokes PCI compliance as though it should provide some sort of comfort to their customer. However, PCI compliance has nothing to do with access to someone’s bank account. They have a green colored seal at the bottom of their home page that indicates they are a “Payment Card Industry Data Security Standard PCI Level 1” which is meaningless on a variety of levels. If you read the FAQ, PCI compliance is brought up all over the place for not only securing cardholder data, but for implying Linkables is secure as a whole because of their PCI compliance.
But an even more troubling discussion is in regards to the fact that in order to provide you your rebates, they need access to an online banking account.
To give customers a better sense of security, the following FAQ answer is given in regards to if someone does manage to compromise Linkables and obtain customer online banking login information.
“No, MyLinkables encrypts your card number and expiration date, and does not store your bank account credentials. The identifier that was created when you entered your account credentials is encrypted, never displayed within MyLinkables, and connects to your account exclusively with read-only access to view your completed transactions. In addition, details about your banking transactions are not stored in MyLinkables.”
You might want to read that response multiple times as it makes no sense. In the first sentence they claim they do not store the credentials, then in the second sentence it appears to imply that the credentials are stored but encrypted. But the real troubling statement is that somehow Linkables only gains read-only access to the customers’ bank accounts. I have audited a lot of online banking environments over the years and I have never run across one that had read-only access. Last I knew my online banking credentials gave me full access to my accounts. So how Linkables ensures that they only have read-only access must be in the fact that their software only reads information.
The bottom line on this service is that either this is the biggest, legitimate looking scam to obtain access to peoples’ bank accounts through their online banking system OR this system was developed by people that had no clue as to how the financial systems in the world operate. I am hoping it was the latter, but I really have to wonder based on the FAQ answers.
The PCI SSC and the card brands should be concerned about this service’s abuse of the PCI standards.
Update: I got the following response today from Linkables regarding the question I put to them regarding why online banking credentials are required.
“We’ve partnered and integrated with Visa and MasterCard. When you register a Visa or MasterCard, only the 16-digit card number and expiration date is required.
We’ve not yet completed our integration with the AMEX and Discover card networks, however. Until then, cards must be registered via Yodlee, our PCI-Compliant processing partner. Yodlee then communicates with the card-issuing bank and is issued their own token for use in receiving read-only transactional data from the bank. We don’t have any access to initiate any new transaction of any type.”
While I get this, I still do not understand what the bank has to do with anything. They state that they need transactional data from the bank, yet the customer’s bank would not have transactional detail other than a total transaction amount. As I understand it, Linkables is refunding like a coupon. So they need to know you purchased ABC Orange Juice for example so that they can rebate $1USD to your account. That detail comes from the merchant that sold the orange juice, not the bank. The mystery about this service just gets worse, not better.
PCI Guru 