My experiences with Kwixo

Kwixo is supposedly a response to PayPal, by some French banks.

I tried to use it to allow a simpler way to pay for the Weboob Association membership fee. PayPal is out anyway: given the fees it charges, we’d be lucky to see half of the actual fee make it back to a bank account.

We’ve tried two times. With the first member it failed because it was asking for so many verifications that he gave up. With the second one, given that his bank was one of Kwixo’s partners, it worked. Or so I thought!

After sending me an e-mail telling me it was received, one day later (a Saturday!) they tried to call me [1]. For something that is supposedly on the Internet, why not send an e-mail instead? Anyway, they told me the service was only an exchange between individuals, and since they saw the mention of “Cotisation” in the payment reason I had to register with their Association service by calling another number.

The thing is, I shouldn’t have to do this. This isn’t worth the hassle, and thus will be my last interaction with them. What this story tells us however is that they must get so little business they can still screen all transaction motives, and afford to call people instead of having some sort of semi-automated support system.

Anyway, most of the membership fees have been paid in cash, and the others by SEPA. For more details, see here.

The BitPay option is for people with no access to SEPA, but is unlikely to be used anytime soon. But at least, I was able to explain what I would be using them for by e-mail.

However, I didn’t learn my lesson. I thought Kwixo could work, the other way, as a client. Unfortunately, I forgot to never trust a French bank.

I ordered supplies from a website, and chose to pay on delivery, by using Kwixo as an escrow. After all, it was my first order there, and I could use the extra safety.

They asked for a lot of personal details, to an extent I was never asked before; it already started smelling like a scam. The worst was that they first asked some documents, which I sent promptly, and they replied after a day that I forgot to send some others, even though they did not ask for them in the first place. This cycle took a whole week, and choked on the fact that my latest electricity bill was deemed “too old”, despite me explaining that it was the absolute latest.

So I told them to go fuck themselves – literally. They did not budge, and I figured they actually never read any text in the mails! So I sent an image showing them to go fuck themselves. It worked; they canceled the order, and I was able to order again without using them. I suspect the people I was interacting with did not even speak French.

This “fraud protection” lost Kwixo a customer, and almost lost the website a customer. Funny thing is, just looking at the order would make any fraud suspicions silly: the total was well below the machine it was for. Why would I steal that when I already paid much more? Is the car dealership afraid clients will steal their pens?

[1] I rarely answer unknown numbers, as I dislike the unsolicited nature of phone calls.

In case you still think banks know what they are doing

Working with Weboob has confirmed my suspicions that banks’ IT departments are clueless (at least the French ones).

It’s not only that they have terrible websites with snake-oil security (i.e. keypads are easily logged, they only bother regular users).

It’s that their approach to security is from another world. When I was working with a client that was a bank a few years ago, they forced on us a lot of stupid things in the name of security, but to make things work the chosen solutions were worse from every point of view, including actual security.

This is not a technical problem; the problem is a lack of technical people where they should be.

The cherry on the cake is the BNP Paribas bank. They have been historically terrible at configuring their DNS server (with a tendency to return a different IP depending on yours, and of course those two IPs gave two different versions of the site… unless one of them was out of commission).
And now, for over a year, they have been forcing SSL connections to 128-bit RC4, which is a known weak cipher. If you try to force something better, the server will reject you!
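
A small audit script for the RC4 behaviour described above, added here as an example (it is not part of the original post). It offers one cipher per handshake through `openssl s_client`, reads back what was negotiated, and classifies the server as RC4-only, RC4-accepted or RC4-rejected; `bank.example` is a placeholder host, and the sample `s_client` excerpts are constructed.

```python
"""Check whether a TLS server negotiates only RC4 (added example, not from the post)."""
import re
import subprocess

# Suites offered one at a time via `openssl s_client -cipher`. Probing RC4 needs an
# OpenSSL built with RC4 enabled; the -cipher list does not affect TLS 1.3 suites.
PROBE_CIPHERS = ["RC4-SHA", "AES128-SHA", "ECDHE-RSA-AES128-GCM-SHA256"]

# Matches the "Cipher    : NAME" line in the session summary printed by s_client.
CIPHER_LINE = re.compile(r"^\s*Cipher\s*:\s*(\S+)", re.MULTILINE)

# Constructed excerpts of s_client output: one successful RC4 handshake, one failure.
SAMPLE_RC4 = "New, TLSv1/SSLv3, Cipher is RC4-SHA\n    Protocol  : TLSv1\n    Cipher    : RC4-SHA\n"
SAMPLE_FAIL = "New, (NONE), Cipher is (NONE)\n    Protocol  : TLSv1\n    Cipher    : 0000\n"


def negotiated_cipher(s_client_output):
    """Return the negotiated cipher name, or None when the handshake failed."""
    match = CIPHER_LINE.search(s_client_output)
    if not match or match.group(1) in ("0000", "(NONE)"):
        return None
    return match.group(1)


def is_rc4(cipher):
    return cipher is not None and "RC4" in cipher.upper()


def classify(results):
    """results maps each offered cipher to the negotiated one (None = rejected)."""
    accepted = [got for got in results.values() if got is not None]
    if not accepted:
        return "unreachable"
    if all(is_rc4(got) for got in accepted):
        return "rc4-only"        # the situation the post describes
    if any(is_rc4(got) for got in accepted):
        return "rc4-accepted"    # RC4 still allowed alongside stronger suites
    return "rc4-rejected"


def probe(host, port=443, timeout=10):
    """One s_client handshake per offered cipher (needs network access)."""
    results = {}
    for cipher in PROBE_CIPHERS:
        proc = subprocess.run(
            ["openssl", "s_client", "-connect", f"{host}:{port}", "-cipher", cipher],
            input="", capture_output=True, text=True, timeout=timeout)
        results[cipher] = negotiated_cipher(proc.stdout)
    return results


if __name__ == "__main__":
    print(classify(probe("bank.example")))  # placeholder host
```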

Banks try hard to be taken seriously, and they usually are. I just can’t help laughing at them.


New GPG key

I have set up a new OpenPGP key, to benefit from better security settings
and better storage practices of mine, and will be transitioning
away from my old one. The old key is not compromised in any way.

The old key will continue to be valid for some time, but I prefer all
future correspondence to come to the new one. I would also like this
new key to be re-integrated into the web of trust.

Full details here.

TL;DR?

# fetch the new key and review who has signed it
gpg --recv-key 0x3463EA5A518A9C75
gpg --check-sigs 0x3463EA5A518A9C75

# either just sign locally
gpg --lsign-key 0x3463EA5A518A9C75
# or sign and publish in the web of trust
gpg --sign-key 0x3463EA5A518A9C75 && gpg --send-keys 0x3463EA5A518A9C75