FSFE supporters affected: Payment provider Nexi cancelled us (opens in new tab)

(fsfe.org)

109 pointsrasjani6d ago27 comments

27 comments

sam_lowry_6d ago

Reminds me of the famous "Our security auditor is an idiot. How do I give him the information he wants? [1]

[1] https://serverfault.com/questions/293217/our-security-audito...

zvqcMMV6Zcr6d ago

That is crazier than any old dailywtf stories, and that site felt like everyone tried to one-up each other.

rcxdude6d ago

Is there some part of PCI auditing requirements that is getting misinterpreted by some auditors to demand this? Though in my experience with standards like this what auditors want to see and what the standards say often have only loose overlap anyhow.

SpicyLemonZest6d ago

It's pretty counterintuitive from an auditing perspective. If the PCI standards require server racks to be painted red, it's entirely normal for an auditor to ask to see them, and very suspicious for you to say that they're in an encrypted box where nobody can check if they're red or not. I don't mean to excuse it, but I can understand how the error happens.

1 more reply

samus6d ago

Right until the end I thought the guy was doing a social engineering penetration test, checking whether he could brow beat the server admins into bending over backwards to reveal this information.

Freak_NL6d ago

The FSFE justly drew the line at providing private information of supporters. How many other customers of Nexi simply handed over such data 'because audit'?

rasjaniOP6d ago

So this was not only about FSFE and payments for them but a general audit of their (Nexi's) customers ?

rcxdude6d ago

It seems unlikely that the FSFE is the first customer they have asked for this information.

altairprime6d ago

Nexi’s mid-2025 statement notes that they’re finalizing imposition of a ‘one process, all subsidiaries’ auditing costs reduction program across all of their subsidiary banks. The FSFE was likely being (incorrectly) audited under business-provides-services rules imposed by the parent megacorp, rather than as whatever human-led interpretation the bank had used formally, or as whatever charities or PACs are called in the EU. Ironically, had they switched exclusively to freedom-restricted passkeys, they could have structured their credentials store to divulge no private information and no usable credentials while formally complying with the bank’s efforts to find cause to fire them as a customer. But I think the bank would still have just found another way to fire them regardless.

andrewflnr6d ago

Yeah, using the word "cancelled" that way in the title is... hyperbolic, even if it is technically true that the contract was cancelled.

TavsiE9s6d ago

That’s how I read the linked post as well, yes.

zettabomb5d ago

It's not even just private information, because in any properly configured system it is explicitly unknowable information.

eequah9L6d ago

> Over the past few months, our former payment provider Nexi S.p.A. (“Nexi”) requested access to private data, which we understood to be specifically the usernames and passwords of our supporters.

I must be missing something, but why is there an expectation that clear text passwords would even be known?

rcxdude6d ago

Probably because most people haven't internalized how password hashing works.

samsk6d ago

We work with MLS provider(s) that requires us to keep plaintext password for our users and provide it on request in case of `breach in the security of MLS Listing Information or a violation of MLS Rules`.

The user is accessing only copy of their data in _our_ systems, the user has no contact with MLS itself directly or indirectly.

rswail6d ago

Sounds like someone is being "overenthusiastic" about interpreting the KYC/ALM regulations.

Combined with the FSFE not being your "usual" charitable or business organization so setting off auditor red flags and perhaps raising the risk profile of Nexi as a payment processor.

butokai6d ago

As an Italian living in another EU country, I always thought that the amount of (broken) bureaucracy of Italy was not particularly worse. However this story comes after a couple more I heard this week, in a line of absurd practice possibly due to absurd regulations.

ahofmann3d ago

Just a follow up: I wrote nexi germany via some contact form, that I will avoid using their services because of that story. They called me back and told me, that they asked the fsfe for a test account only. They also made an internal investigation, if someone asked for passwords of real accounts, which is a clear no-go for them.

janpio6d ago

So what did Nexi really want, and how did it get mangled so badly that it came out as "specifically the usernames and passwords of our supporters"?

rcxdude6d ago

It's entirely possible that is actually what they wanted (at least what the people in the company they were talking to wanted). I suspect that "we understood to mean" is language carefully designed to avoid a lawsuit.

littlecranky676d ago

Everytime people say bitcoin has no use case, I'd like to point them to cases like this.

zvqcMMV6Zcr6d ago

I will bite. How do I set up recurring crypto payments/donations for my site? How big cut will be taken by intermediary?

adrianwaj6d ago

OrvexPay and RequestNetwork both do that. Some answers here: https://gemini.google.com/share/830bc00cfd34

grigio6d ago

Maybe now more F/OSS supporters will understand the need of Bitcoin/Monero

g947o6d ago

You could put it this way, but to me the bigger question is why would a payment processor have such ridiculous requests? That probably should be examined first.

jasonvorhe6d ago

Not unless they start questioning the Club of Rome induced climate scam.

j / k navigate · click thread line to collapse

27 comments

sam_lowry_6d ago

Reminds me of the famous "Our security auditor is an idiot. How do I give him the information he wants? [1]

[1] https://serverfault.com/questions/293217/our-security-audito...

zvqcMMV6Zcr6d ago

That is crazier than any old dailywtf stories, and that site felt like everyone tried to one-up each other.

rcxdude6d ago

SpicyLemonZest6d ago

1 more reply

samus6d ago

Right until the end I thought the guy was doing a social engineering penetration test, checking whether he could brow beat the server admins into bending over backwards to reveal this information.

Freak_NL6d ago

The FSFE justly drew the line at providing private information of supporters. How many other customers of Nexi simply handed over such data 'because audit'?

rasjaniOP6d ago

So this was not only about FSFE and payments for them but a general audit of their (Nexi's) customers ?

rcxdude6d ago

It seems unlikely that the FSFE is the first customer they have asked for this information.

altairprime6d ago

andrewflnr6d ago

Yeah, using the word "cancelled" that way in the title is... hyperbolic, even if it is technically true that the contract was cancelled.

TavsiE9s6d ago

That’s how I read the linked post as well, yes.

zettabomb5d ago

It's not even just private information, because in any properly configured system it is explicitly unknowable information.

eequah9L6d ago

I must be missing something, but why is there an expectation that clear text passwords would even be known?

rcxdude6d ago

Probably because most people haven't internalized how password hashing works.

samsk6d ago

The user is accessing only copy of their data in _our_ systems, the user has no contact with MLS itself directly or indirectly.

rswail6d ago

Sounds like someone is being "overenthusiastic" about interpreting the KYC/ALM regulations.

Combined with the FSFE not being your "usual" charitable or business organization so setting off auditor red flags and perhaps raising the risk profile of Nexi as a payment processor.

butokai6d ago

ahofmann3d ago

janpio6d ago

So what did Nexi really want, and how did it get mangled so badly that it came out as "specifically the usernames and passwords of our supporters"?

rcxdude6d ago

littlecranky676d ago

Everytime people say bitcoin has no use case, I'd like to point them to cases like this.

zvqcMMV6Zcr6d ago

I will bite. How do I set up recurring crypto payments/donations for my site? How big cut will be taken by intermediary?

adrianwaj6d ago

OrvexPay and RequestNetwork both do that. Some answers here: https://gemini.google.com/share/830bc00cfd34

grigio6d ago

Maybe now more F/OSS supporters will understand the need of Bitcoin/Monero

g947o6d ago

You could put it this way, but to me the bigger question is why would a payment processor have such ridiculous requests? That probably should be examined first.

jasonvorhe6d ago

Not unless they start questioning the Club of Rome induced climate scam.

j / k navigate · click thread line to collapse