Canada calls screen scraping ‘unsecure,’ sets Open Banking target for 2023
franga2000 2021-08-18 23:41:00 +0000 UTC [ - ]
Open Banking is not, in fact, open in almost any sense of the word. It is standardised and the standards are freely available ("open"), but other than that, you still need to have an official "blessing" to actually access a production API endpoint (even for your own account), you need a legal entity that has some highly specific and entirely meaningless certificates that are hard (and potentially expensive) to get and even after all of that, you'll still need to negotiate access with each bank individually.
What I imagined when I first heard of "Open Banking" was a public OAuth2 endpoint where I can grant my custom script access to just my bank balance and transaction history (possibly with a change webhook) and have it update my finance tracking database.
The "open" part is only relevant to the banks, since they don't have to pay royalties for the standard implementing the APIs. For the rest of us, it might as well be SS7.
rmesters 2021-08-19 04:25:21 +0000 UTC [ - ]
We're connected to 1,500 EU/UK banks and you can connect your bank account to your script/app without any license, certificates or any fees. We don't charge for accessing banking data, we only charge for complementary data enrichment services like transaction categorisation.
MzHN 2021-08-19 07:24:14 +0000 UTC [ - ]
However, personally, this feels almost as bad privacy-wise as screen scraping my bank account.
Reading your privacy policy only promotes my distrust.
I realize I may not be your target demographic though.
grenoire 2021-08-19 09:26:42 +0000 UTC [ - ]
dottedmag 2021-08-19 11:24:27 +0000 UTC [ - ]
Any plans to add Bank of Valletta (Malta)?
byeokim 2021-08-19 04:43:03 +0000 UTC [ - ]
> It is standardised and the standards are freely available
Same.
> you still need to have an official "blessing" to actually access a production API endpoint (even for your own account)
Same.
> you need a legal entity that has some highly specific and entirely meaningless certificates that are hard (and potentially expensive) to get
Same though not entirely meaningless.
> you'll still need to negotiate access with each bank individually.
Not same.
ghostpepper 2021-08-19 00:45:15 +0000 UTC [ - ]
fy20 2021-08-19 03:41:54 +0000 UTC [ - ]
I guess it makes sense in a way, as it would be easy for scammers to use this ("Oh I need to give access to my bank account to view this Facebook post? Oh sure, why not, moar cats plz").
There are also quite a few budgeting apps here that use open banking, so yes I expect those services will migrate to this when it's available in NA. My only complaint is it takes a few days for them to update the data. I have an accounting program (for my business) which uses open banking and also takes a while to update, so maybe it's a "feature" of open banking?
Gys 2021-08-19 10:06:50 +0000 UTC [ - ]
Banks are dealing in financial stuff. They probably do not want to deal with people having problems understanding OAuth2, APIs, sandboxes and such. That is an entirely different business.
Nursie 2021-08-19 10:06:23 +0000 UTC [ - ]
“Open” in this case means open standards and access for accredited entities.
Because if you grant access to just anyone, then you’ve created an instant fraudster’s paradise.
The legal requirements in the UK (which you may be talking about, unsure) are not meaningless, they are there to ensure that known parties and known good practice are in use. Open Banking the company is working on ways to help small businesses gain accreditation and may already be able to offer assistance, and while accreditation is not free, it’s only a few £k, hardly enough to break the bank.
As a non-accredited actor, if you have a limited company you can register as a technical service provider for free and develop your product against the sandbox environment.
Oh and you don’t have to negotiate access with each bank either. The whole point is to pre-vet and establish trust ahead of time.
That’s as open as anyone with half a brain should want it to be, given what we know about people’s ability to protect their own finances.
pbasista 2021-08-19 11:34:12 +0000 UTC [ - ]
I believe that everyone might get access to their own data and to performing actions on their own account.
Could you clarify how that is supposed to create a fraudsters' paradise?
Nursie 2021-08-19 11:40:11 +0000 UTC [ - ]
Even read only, fraudsters will find ways to exfiltrate private data that's useful for identity theft, blackmail or any number of criminal acts.
People are not security-savvy enough to be given this access safely. You might be, my parents and millions like them aren't.
RileyJames 2021-08-19 00:51:34 +0000 UTC [ - ]
indemnity 2021-08-19 01:38:05 +0000 UTC [ - ]
https://www.apicentre.paymentsnz.co.nz/join/api-community-co...
So it's "free for 12 months", but the idea is that I build or create an "innovation".
Not interested, I just want APIs for my data, I'm not interested in building a SaaS, I don't want that kind of responsibility for other people's data.
Back to using my personally developed scraper, driven by puppeteer.
Side-benefits, I can and have adapted my scraper to also pull my data from other institutions, like investments and retirement accounts, and dump it into a database as JSON and normalized form.
RileyJames 2021-08-19 02:41:42 +0000 UTC [ - ]
Working on similar stuff, effectively what you have without the requirement to maintain scrapers.
manishsharan 2021-08-18 22:36:32 +0000 UTC [ - ]
From this source https://www.lexology.com/library/detail.aspx?g=8f56092c-ab40...
"Users have complained that after connecting their bank accounts, Plaid stores their credentials and uses them to collect 5 years’ of transactional data and continues to track users’ data in future. Users further claim that the data-gathering scheme is not incidental to Plaid’s business model and is, in fact, its “very purpose.”
user3939382 2021-08-18 23:02:00 +0000 UTC [ - ]
neom 2021-08-18 22:50:22 +0000 UTC [ - ]
vesinisa 2021-08-18 22:54:42 +0000 UTC [ - ]
SilverRed 2021-08-18 23:11:34 +0000 UTC [ - ]
justusthane 2021-08-19 03:42:21 +0000 UTC [ - ]
SilverRed 2021-08-19 04:34:45 +0000 UTC [ - ]
Yes, it's not perfect security which you may find scary but I struggle to find what about it is shady when they are very open about what happens.
phoenixy1 2021-08-19 03:08:58 +0000 UTC [ - ]
[full disclosure: I work at Plaid]
kaolinite 2021-08-18 23:11:51 +0000 UTC [ - ]
However more often than not now I’m seeing it used for really invasive applications. Such as when I rented my most recent apartment and they asked to use open banking to verify our finances, which as far as I know would have given them access to every single transaction going back a decade or so. The agent was confused as to why I wouldn’t go ahead with it and ultimately let us opt out, but I do worry that at some point I won’t have much choice but to accept.
I’ve also seen credit scoring companies that suggest you’ll get a better credit score if you use open banking to hand over your transactions. I have no need to use that but I suspect others who are desperate to increase their chances of getting a mortgage, etc, won’t have much of a choice.
phil-martin 2021-08-18 23:23:50 +0000 UTC [ - ]
What I would like is some middle step - that instead of allowing open access to accounts, I get to choose how the data is summarised and presented. e.g. just show total income and outgoings, fortnightly, over the last 6 months. Things like that.
Yes, I could export the transactions, do some Excel hand waving and make a report, then make a PDF and send it, then they would do data entry into their system summarising what they read. But automating that data sharing step would be fantastic.
I am in the process of applying for a home loan at the moment, and the amount of documentation is significant. If I were able to automate 80% of it in a fairly anonymised data way, that would be really useful.
abraae 2021-08-19 00:31:37 +0000 UTC [ - ]
There was a Launch HN recently that did just this, but for people like Uber drivers wanting to borrow money to buy their own car. They handed over their Uber credentials, and the service scraped their Uber history to determine whether they were a good risk or not.
I'm not usually into slippery slope arguments but what your landlord asked of you is just that little bit worse than their service (worse as they have access to your bank account, not just your payroll data).
I think the moral of the story is that as a provider (Uber, a bank), you should be proactive about providing read-only access to data, removing the need for screen scraping and providing better security to your drivers/customers.
barbazoo 2021-08-18 22:30:15 +0000 UTC [ - ]
gregsadetsky 2021-08-18 22:40:40 +0000 UTC [ - ]
TD Bank has 2FA which has been SMS-based for a very long time, and they just introduced a 2FA app. FYI.
But yes on Tangerine (and other banks) being so, so behind. Sending a wire online here is pretty much impossible..!
ghostpepper 2021-08-19 00:54:58 +0000 UTC [ - ]
Not to mention the fact that they still don't allow hardware tokens / U2F eg. Yubikey.
coldacid 2021-08-19 02:23:09 +0000 UTC [ - ]
heavyset_go 2021-08-18 23:12:11 +0000 UTC [ - ]
Don't worry, you really aren't missing out on much security because the 2FA most banks implement just involves sending you an SMS.
JamisonM 2021-08-18 23:25:48 +0000 UTC [ - ]
I am aware of attacks that state/very sophisticated actors can use to intercept SMS messages but that's a serious edge case for a normal person, right?
nezgar 2021-08-19 01:51:17 +0000 UTC [ - ]
Paypal makes it hard to remove a mobile number from your account once it's on there too...
If a bank "MUST" have a phone number, I lean towards providing my good ol' landline number since in theory that's a "little" harder to instantly take over or port out.
Worthwhile to "test" what it takes to reset a password on your various critical services...
computator 2021-08-19 04:26:00 +0000 UTC [ - ]
If you must provide a phone number, another tip is to call customer service on your cellular service provider and ask them to put a "port out block" or "port protect" on your account. Before anyone can do a sim swap on your account, they'd have to call the cellular service provider and give a password or PIN. (It's amazing that this isn't the default.)
JamisonM 2021-08-19 02:58:31 +0000 UTC [ - ]
Please explain, sorry I did not hear about this.
franga2000 2021-08-18 23:57:39 +0000 UTC [ - ]
But more generally, a sophisticated actor doesn't have to be targeting you specifically. Many people assume that "nobody would put in so much effort to steal from me", but they don't have to be. A sophisticated attacker with the capability to intercept SMS would likely be casting a very wide net. Once people start noticing, they'll be locked out very soon, so they'll be aiming to "hack" as many people as possible.
You might just happen to be one of the N random people that happened to log into their bank on the day of the hack and the spreadsheet happened to be sorted by last login time. Hackers don't discriminate, so as long as you fit "SELECT from account WHERE balance > 0", you'll be on the target list.
JamisonM 2021-08-19 00:45:13 +0000 UTC [ - ]
toast0 2021-08-19 01:24:00 +0000 UTC [ - ]
If your wide net lets you see 2FA codes, sometimes you can do stuff.
JamisonM 2021-08-19 02:57:00 +0000 UTC [ - ]
My recollection is that we had that one incident in Germany with O2, but never really heard how much was lost and it was the result of a bad policy at O2 that they fixed and was particular to O2.
toast0 2021-08-19 03:22:06 +0000 UTC [ - ]
I assume if you pwn a bank, you don't really need 2fa codes, but I dunno
heavyset_go 2021-08-18 23:37:53 +0000 UTC [ - ]
It isn't just state-level or sophisticated actors, it's anyone who is dumb enough to commit fraud with computers or via unauthorized access to telecom networks, which includes a lot of fraud rings.
According to The Verge[1], such services are even advertised on illicit marketplaces, so anyone with some Bitcoin and the Tor Browser can potentially be your adversary in such an attack.
[1] https://www.theverge.com/2017/6/13/15794292/ss7-hack-dark-we...
newsclues 2021-08-18 23:35:32 +0000 UTC [ - ]
newsclues 2021-08-18 23:33:50 +0000 UTC [ - ]
GekkePrutser 2021-08-18 23:44:33 +0000 UTC [ - ]
Strange thing is it seems to randomly ask for SMS or TOTP now, whichever it feels like at the time.
Still it's weird that an official standard mandates SMS 2FA when more secure methods are available.
atatatat 2021-08-19 04:21:14 +0000 UTC [ - ]
dc3k 2021-08-19 01:57:39 +0000 UTC [ - ]
SevenSigs 2021-08-18 22:34:56 +0000 UTC [ - ]
At least they used to have decent interest rates... now what's the point? they don't even have physical banks.
barbazoo 2021-08-18 22:42:03 +0000 UTC [ - ]
james_pm 2021-08-18 22:46:18 +0000 UTC [ - ]
llbeansandrice 2021-08-18 22:28:13 +0000 UTC [ - ]
edit: Of course it helps if the 3rd parties implement it as well. I revoked access to Intuit but Personal Capital only lets me use my userID and password.
varenc 2021-08-19 01:00:16 +0000 UTC [ - ]
- Banks like locking down your financial data since it makes it more likely you'll continue to use the auxiliary services they provide. Every bank I've used always has a built in send-money-to-friends and budgeting tool. By locking in your data, they help promote these services.
- But mainly, I suspect banks never lose customers because of a lack of an open banking data API. Consumers don't demand it. With no financial incentive, why would they make your data accessible? Also combine that with the increased risk exposure from providing an API and it's easy to see why they don't exist.
Funnily, I suspect banks tacitly prefer screen scraping solutions like Plaid since it doesn't require the bank create any new product surface area that needs to be audited and secured. No new API endpoints to create. And in the event of a credential breach, it's easy to point the finger at the user who clearly just gave their password over to Plaid.
javajosh 2021-08-18 22:30:54 +0000 UTC [ - ]
It's an issue but a minor one. The alternative, ad hoc per-request session management, is so much worse in almost every way.
varenc 2021-08-19 01:02:52 +0000 UTC [ - ]
For all the OAuth API services I've worked on we'd just look up the access token in the database on each request, so a revoked token becomes useless immediately.
jon-wood 2021-08-18 22:42:49 +0000 UTC [ - ]
javajosh 2021-08-18 23:04:36 +0000 UTC [ - ]
Ah, so a blacklist eh? ...Checked by an ad hoc per-request session mechanism perhaps?
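Both sides of this exchange can be made concrete. The block below is an added example written for this page, not code from any bank, from Plaid, or from the commenters. It is a minimal access-token layer in Python with two token designs: an opaque token that is only a key into a server-side store, so every request does the lookup described above and revocation is immediate; and a self-contained token (HMAC-SHA256 over a JSON payload, a stripped-down JWT shape) that validates offline until it expires, so revoking it requires exactly the per-request denylist check being pointed at. Each record also carries scopes, which is the grant franga2000 describes earlier in the thread: a script holding `transactions:read` cannot use `payments:initiate`. The signing key, user name and scope strings are assumptions for the example.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import secrets
import time

# Added example for this page, not code from any bank or aggregator.
# Assumed: the authorization server holds SIGNING_KEY; scope names are illustrative.
SIGNING_KEY = secrets.token_bytes(32)

# ---- 1. Opaque tokens: the server-side record is the only source of truth ----
_opaque_store: dict = {}


def issue_opaque(user: str, scopes: set) -> str:
    """Hand out a random token and remember who it belongs to and what it may do."""
    token = secrets.token_urlsafe(32)
    _opaque_store[token] = {"user": user, "scopes": set(scopes)}
    return token


def revoke_opaque(token: str) -> None:
    """Deleting the record is the whole revocation; the next lookup simply fails."""
    _opaque_store.pop(token, None)


def check_opaque(token: str, needed: str) -> bool:
    """The per-request lookup: unknown or revoked tokens never reach the scope check."""
    rec = _opaque_store.get(token)
    return rec is not None and needed in rec["scopes"]


# ---- 2. Self-contained tokens: verifiable offline, revocable only via a denylist ----
_denylist: set = set()


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_signed(user: str, scopes: set, ttl: int = 3600, now: int | None = None) -> str:
    """'payload.signature', with a unique 'jti' so one token can be denylisted later."""
    now = int(time.time()) if now is None else now
    payload = {"jti": secrets.token_hex(8), "sub": user, "scp": sorted(scopes), "exp": now + ttl}
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def parse_signed(token: str, now: int | None = None) -> dict | None:
    """Verify the MAC and the expiry; returns the payload or None. No database involved."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".")
        expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        payload = json.loads(_unb64(body))
        return payload if payload["exp"] > now else None
    except (ValueError, KeyError, TypeError, AttributeError):
        return None


def revoke_signed(token: str, now: int | None = None) -> None:
    """Cannot delete what the holder already has; record the id to reject it on sight."""
    payload = parse_signed(token, now)
    if payload is not None:
        _denylist.add(payload["jti"])


def check_signed(token: str, needed: str, now: int | None = None,
                 consult_denylist: bool = True) -> bool:
    """With consult_denylist=False this is the purely stateless check: a revoked token
    keeps working until it expires, which is what the per-request denylist exists to fix."""
    payload = parse_signed(token, now)
    if payload is None:
        return False
    if consult_denylist and payload["jti"] in _denylist:
        return False
    return needed in payload["scp"]


def tamper_with_scope(token: str, extra_scope: str) -> str:
    """Attacker's view: re-encode the payload with an added scope but keep the old MAC."""
    body, sig = token.split(".")
    payload = json.loads(_unb64(body))
    payload["scp"].append(extra_scope)
    return _b64(json.dumps(payload, separators=(",", ":")).encode()) + "." + sig
```

Both designs end up touching state on every request once revocation matters; the difference is what that state is (the whole record versus a short denylist of ids) and whether a resource server can reject a forged or expired token without asking anyone. For a banking grant, where the consumer expects "revoke" to mean "now", the opaque store is the simpler model to reason about.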
canada_dry 2021-08-19 03:08:31 +0000 UTC [ - ]
I'd love it if there were APIs to access my banking data directly, but failing that I rely on the meager "txn download via csv" my Canadian banks offer (at least).
softveda 2021-08-19 10:37:29 +0000 UTC [ - ]
This is a problem discussed here as well. Generally big banks are advocating getting rid of screen scraping and moving to API but most fintechs are smaller and they don't want to change and there is little appetite from Govt. to force them.
phoenixy1 2021-08-19 03:04:29 +0000 UTC [ - ]
kashkhan 2021-08-19 03:25:25 +0000 UTC [ - ]
That is unacceptable and goes against everything I know.
phoenixy1 2021-08-19 03:43:23 +0000 UTC [ - ]
diogotozzi 2021-08-18 22:42:56 +0000 UTC [ - ]
luisrudge 2021-08-18 23:16:52 +0000 UTC [ - ]
Helmut10001 2021-08-19 04:20:46 +0000 UTC [ - ]
jonny_eh 2021-08-18 22:35:18 +0000 UTC [ - ]
jpmoral 2021-08-18 22:50:13 +0000 UTC [ - ]
SilverRed 2021-08-18 23:13:47 +0000 UTC [ - ]
themantra514 2021-08-19 11:24:58 +0000 UTC [ - ]
celticninja 2021-08-19 02:30:38 +0000 UTC [ - ]
gigatexal 2021-08-19 04:33:27 +0000 UTC [ - ]
rmesters 2021-08-19 05:05:08 +0000 UTC [ - ]
I work at Nordigen and we integrated with 1,500+ banks in less than 8 months. Some APIs took hours to integrate, some took a few weeks, but the fact that it was possible at all is IMO gamechanging.
gigatexal 2021-08-19 06:08:32 +0000 UTC [ - ]
We still had to fall back to scraping at some points. Perhaps that’s different now.
rmesters 2021-08-19 06:24:52 +0000 UTC [ - ]
One major limitation is that PSD2 only regulates access to payment accounts, but doesn't mandate access to credit cards, investment accounts, savings accounts etc. This is why screen scraping (to everyone's dismay) is still used - to "expand" what's possible with real bank APIs.
skrause 2021-08-19 08:59:40 +0000 UTC [ - ]
It only mandates that regulated thirdparty companies can access your banking account using some API.
Here in Germany PSD2 was a big step back. Previously we had FinTS (https://en.wikipedia.org/wiki/FinTS), an open banking protocol used since the late 90s, and many programs supporting it. Then PSD2 came and broke some use cases of FinTS. Many banks didn't want to both fix FinTS and support new PSD2 APIs, so they just switched off FinTS. Now German bank customers are basically forced to use the banking website because PSD2 doesn't allow them to use an API and the API they had was taken from them by PSD2.
ohazi 2021-08-18 22:52:29 +0000 UTC [ - ]
I'm a US citizen and I want this screen scraping / credential sharing / whatever you want to call it to die in a fire already. Forcing banks to implement any sort of API access seems both preferable to the dumpster fire we have today, as well as more inviting to upstarts, because right now the only way to be an upstart is to literally ask your customers to violate their bank's terms of service.
lhorie 2021-08-18 23:02:09 +0000 UTC [ - ]
As others mentioned, the whole point of an effort towards OpenBanking is that services like Plaid literally store your username/password in their system and impersonate you to do whatever they do. Any software dev worth their salt would instinctively know this is a big security no-no, so to have this happen with your banking credentials of all things and on such a large scale seems insane to me.
An effort to implement OpenBanking is akin to working towards Android-style granular permissions instead of just granting root access to any third party who wants to do something on your behalf.
dvt 2021-08-18 23:42:07 +0000 UTC [ - ]
Goes to show what I know.
munk-a 2021-08-19 00:02:47 +0000 UTC [ - ]
sumedh 2021-08-19 00:15:26 +0000 UTC [ - ]
harikb 2021-08-18 23:51:05 +0000 UTC [ - ]
Intuit (via Quicken) and Microsoft Money were in a position to influence this - they required banks to give access to quicken servers.
marvin 2021-08-19 08:33:12 +0000 UTC [ - ]
hamburgerwah 2021-08-19 00:09:11 +0000 UTC [ - ]
version_five 2021-08-18 22:58:21 +0000 UTC [ - ]
Edit: I see this is a losing battle, the comments responding to the parent seem to imply that he is championing open banking against a group that disagree with it. And the replies to me think that I don't want open banking. Enjoy your discussion
lhorie 2021-08-18 23:33:42 +0000 UTC [ - ]
The big telecom lobbying argument vs CRTC about how urban markets need to subsidize rural infrastructure costs is not something 95% of canadians like to hear, but it kinda makes sense (They say rural infra simply isn't cost effective because Canada is so expansive, but you expect high speed Internet access in your Muskoka cottage, right?)
Banking is kind of in a similar boat in the sense that it's an industry with economies of scale effect, so naturally there are going to be big players. Even smaller players like Tangerine need to make "big boy" investments like call centers. ICBC is another example of a bank that isn't the big 5 and yet has brick and mortar branches to serve a highly specific niche.
OpenBanking doesn't mean that TD et al somehow get to tighten the noose on smaller banks to their own advantage; it's actually on them to implement the APIs. If Tangerine can't keep up with other banks improving their technology, that's their own fault. What the whole thing means is that Plaid doesn't get to have root access to your banking.
munk-a 2021-08-19 00:11:42 +0000 UTC [ - ]
For some groups (especially reservations where their location to practice independent governance is government mandated) I can absolutely sympathize - but for most of the rest of rural Canada - uh why? Urban centers like Toronto and Vancouver are already paying property taxes far exceeding rural areas - with the residents paying those taxes also being hit by bigger income tax proportions due to the higher wages in the cities.
There is no allowance for rural Canadians to get subsidized access to live operas and plays - choosing to live in a rural area comes with a general acceptance that those sorts of live performances are always going to be inconvenient and expensive since you'll need to travel to the city to get them. Why are we treating internet significantly different? If you choose to live in the middle of nowhere you can pay the actual cost for a company to maintain a line to your cabin in the woods while enjoying the scenery you're immersed in.
On Monday I've got a hookup guy coming to my place to switch our condo over from Telus to Novus - this will drop our price from 100G/$80 to 300G/$50 along with removing data limits and throttling and probably actually getting closer to the advertised rate (we often get about 15-20 down from Telus right now - I've heard much better things about Novus).
Part of the reason Novus can do this is indeed the fact that it doesn't offer service outside of very dense urban areas - and I'm personally quite okay with that.
lhorie 2021-08-19 00:39:41 +0000 UTC [ - ]
I'd wager that Canada is still largely a wild west when it comes to physical copper coverage. Meaning big players do project long term profit from rural markets and actively invest in them, but that the projections aren't sustainable below some price threshold, hence butting heads with CRTC to make the math work out.
As for the notion that country bumpkins ought to be satisfied with inconvenience, I'm not sure how to respond other than more and more they expect modern things to be available to them. A customer is never in their right mind going to shoulder a 100k upfront cost to lay fiber to a town, so if someone wants to make the cost benefit analysis, it's most likely going to be one of the big players, IMHO
neom 2021-08-19 00:23:21 +0000 UTC [ - ]
frosted-flakes 2021-08-19 00:48:11 +0000 UTC [ - ]
908B64B197 2021-08-19 00:19:39 +0000 UTC [ - ]
When competitors are stopped at the border for dubious pretexts it means that the local monopolies can effectively decide not to wire your property.
Wouldn't it be nice to see an ultra-competitive European carrier laying fiber out there?
grouseway 2021-08-19 00:33:04 +0000 UTC [ - ]
https://www.rogers.com/mobility/network-coverage-map?icid=R_...
Most of my province (BC) is not covered. They cover the urban areas and some wider areas along highways in plateau regions. Where is this burdensome coverage that is keeping them expensive?
neom 2021-08-19 00:56:40 +0000 UTC [ - ]
908B64B197 2021-08-19 00:16:47 +0000 UTC [ - ]
That still doesn't explain why internet service is way more expensive in Canada than pretty much everywhere else in the world.
neom 2021-08-19 01:03:18 +0000 UTC [ - ]
lhorie 2021-08-19 04:23:42 +0000 UTC [ - ]
However, with that said, I saw numbers saying that laying one mile of fiber costs to the tune of $30k, so just connecting Winnipeg to Kenora would cost some $4M. Kenora itself has an area of 80 sq mi and a population of 15k people (though mostly concentrated near Lake of Woods). It's not nothing, but also not exactly a gold mine for telecoms, to be sure.
Timmins might be a better example. It's more than 400 miles north of Toronto, and has some 40k people. Sudbury is half way there and has some 160k people, but still some 250 miles away from Toronto. To give a sense of scale, the distance from Timmins to Toronto is bigger than the distance from Amsterdam (Netherlands) to Berlin (Germany). 200k potential customers is a pretty decent size market (that's a quarter of San Francisco's population, for example), but covering 400 miles w/ fiber at $30k/mile just to reach it comes out to a cool $12M upfront investment. Don't forget this is just to connect two points, there's still last mile coverage and ongoing maintenance which is going to add quite a bit of cost on top. If a single competitor is there, that can cut into the profits pretty deeply.
That's the sort of math that telecoms need to deal with when doing ROI analyses on these markets.
908B64B197 2021-08-19 01:26:13 +0000 UTC [ - ]
neom 2021-08-19 01:35:11 +0000 UTC [ - ]
neom 2021-08-18 23:08:46 +0000 UTC [ - ]
smnrchrds 2021-08-18 23:12:28 +0000 UTC [ - ]
neom 2021-08-18 23:14:19 +0000 UTC [ - ]
echlebek 2021-08-18 23:07:52 +0000 UTC [ - ]
Canada with open banking: 5 big banks, impossible to compete.
1123581321 2021-08-18 23:15:39 +0000 UTC [ - ]
echlebek 2021-08-18 23:21:37 +0000 UTC [ - ]
jpmoral 2021-08-18 23:12:55 +0000 UTC [ - ]
What would a solution look like for you? Would it be that screen-scraping be banned and open banking APIs be encouraged but not mandated? Or mandated within X years for existing banks or within X years of establishing a new bank? Something else?
brailsafe 2021-08-18 23:03:20 +0000 UTC [ - ]
NikolaNovak 2021-08-19 01:51:50 +0000 UTC [ - ]
I lived in the States. I banked in First bank of Fairmont ... yes, a city of 11,500 people had its own bank. I could not do ANYthing outside of city. This was a while back of course, but even today that the notion that there are over 5000 banks in USA (down from way over 10k), with complicated inter-state financing laws, from everything I can hear and understand from my USA friends and family, is discouraging both competition and functionality/convenience/sanity, and seems like we are constantly 5-10 years ahead in Canada with basics like Interac, PIN, Chip, Contactless, Interac email transfer, etc. Basically, USA banking system is as strange to me as their health / insurance system.
A bit like, I enjoyed it when Netflix was a monopoly and I could get anything I wanted there. I don't like the "competition" we have now with myriad streaming services that don't interoperate and have different systems and oh yes all want my money.
I guess I am curious: what should I be on the lookout, as a Canadian, that I am missing in our banking system compared to USA? What should I be hopeful a new entry would give me?
(and note, I am talking about banking sector for myself as ignorant consumer; telecom is a whole other ballgame for a myriad different reasons and I'll 100% agree is an area where we are lagging).
Dylan16807 2021-08-19 00:27:57 +0000 UTC [ - ]
It would help if you specified a problem with the proposal or with the Advisory Committee on Open Banking in particular. If you can't, then a guess of "Canada's banks are upset about competition" is a really exaggerated immediate post.
OJFord 2021-08-19 00:09:32 +0000 UTC [ - ]
The reason I've soured on it is that it's not that bloody open at all. It should be called 'InteroperableBanking' or something.
ldiracdelta 2021-08-18 23:24:56 +0000 UTC [ - ]
SilverRed 2021-08-18 23:06:53 +0000 UTC [ - ]
shakna 2021-08-18 23:36:47 +0000 UTC [ - ]
> To access consumer APIs, you'll need to be accredited by the ACCC and get the customer's consent.
Accreditation [0] has a lot of requirements - my paying child support was considered disqualifying. Parts of accreditation make sense, and should keep things more secure, other parts... Make less.
Mandatory AFCA membership, for example, only makes sense at first glance. The ombudsman can still field complaints without it. Consumer Rights still exist without it. However, the mandatory membership is being used by the ACCC as a replacement for yearly auditing.
[0] https://www.accc.gov.au/focus-areas/consumer-data-right-cdr-...
zipline88 2021-08-19 00:17:17 +0000 UTC [ - ]
phil-martin 2021-08-18 23:19:30 +0000 UTC [ - ]
shakna 2021-08-18 23:38:40 +0000 UTC [ - ]
+ Commonwealth Bank - https://www.commbank.com.au/developer
+ NAB - https://developer.nab.com.au/docs/open-banking
+ Westpac - https://www.westpac.com.au/about-westpac/innovation/open-ban...
Tempest1981 2021-08-18 23:29:05 +0000 UTC [ - ]
stephenhuey 2021-08-19 00:11:32 +0000 UTC [ - ]
moeadham 2021-08-18 23:17:58 +0000 UTC [ - ]
Waterluvian 2021-08-19 01:06:11 +0000 UTC [ - ]
hkt 2021-08-18 22:59:58 +0000 UTC [ - ]
lostgame 2021-08-19 03:09:10 +0000 UTC [ - ]
I work for a major bank relevant to this story, and I've honestly not heard anything about it internally.
jt2190 2021-08-18 22:33:05 +0000 UTC [ - ]
(Not directly related, but Revolut recently retreated from the Canadian market, for example.)
brailsafe 2021-08-18 23:08:09 +0000 UTC [ - ]
version_five 2021-08-18 22:41:37 +0000 UTC [ - ]
Edit: I'd be happy to be wrong, you can let me know when Canada sees a flood of great new banking startups in the next couple years
version_five 2021-08-18 22:27:07 +0000 UTC [ - ]
neom 2021-08-18 22:35:46 +0000 UTC [ - ]
[1] https://cba.ca/global-banking-regulations-and-banks-in-canad... (I realize this is effectively banking regulator propaganda, nevertheless, facts are there)
[2] https://www.brookings.edu/research/know-thy-neighbor-what-ca...
[3] https://www.canada.ca/en/department-finance/programs/consult...
[4 ]https://www.canada.ca/en/department-finance/programs/consult...
jpmoral 2021-08-18 22:34:49 +0000 UTC [ - ]
r00fus 2021-08-18 22:50:49 +0000 UTC [ - ]
Would be nice to aggregate my data without giving them keys to my kingdom.
SilverRed 2021-08-18 23:12:51 +0000 UTC [ - ]
frosted-flakes 2021-08-18 22:40:10 +0000 UTC [ - ]
Hopefully individuals will be able to use the Open Banking APIs to access their own data directly, but it looks like accreditation will be required, so probably not.
Here's the full text of the report: https://www.canada.ca/en/department-finance/programs/consult...
williamscales 2021-08-19 01:27:25 +0000 UTC [ - ]
It’s utterly irresponsible and I have no idea how Plaid hasn’t been shut down. You have no recourse if they are breached. The TOS of your online banking probably says that if you disclose your username and password to any third party then you have no liability protections.
computator 2021-08-19 03:58:37 +0000 UTC [ - ]
Wise (formerly TransferWise) is another example. You have to move funds into your Wise account before you can do a transfer, payment, or currency exchange. Wise offer various ways to fund your account such as wire transfer, credit card payment, debit card payment, etc., each of which has different fees, but by far the lowest fee is "direct debit" which involves giving Wise your bank card number and password. I imagine that the overwhelming majority of Wise customers have no idea that this is terrible for security and privacy.
Everything about this practice is hard to believe:
1) I doubt that any bank has given Wise permission to do this.
2) Which raises the question about why the banks aren't blocking IP addresses that Wise uses to log into bank accounts, or at least making a complaint to Wise.
3) It's obviously against the banks' terms of service, but Wise may be breaking some law regarding unauthorized access (in the same vein that you can't authorize a third party to use your passport, for example).
4) What else is Wise doing after they log into your bank account? Are they collecting other information about your transactions and balance?
5) Does Wise store your bank card number and password? If they do, they'd have to store it as cleartext (not as a one-way hash) if they expect to use it again. They could encrypt it of course, but it would have to be reversible so they could get the cleartext back.
6) Why hasn't any bank regulator forced them to stop doing this?
alibarber 2021-08-19 08:55:17 +0000 UTC [ - ]
They use Trustly in the Nordics to do something similar to what you mention, which does seem to use proper bank APIs - as I have to authenticate it on the bank app or website separately.
john_moscow 2021-08-19 04:16:29 +0000 UTC [ - ]
computator 2021-08-19 04:42:01 +0000 UTC [ - ]
Their "debit" option works the way you think. You give only your bank card number, expiry date, and CVV.
However, their "direct debit" option requires you to enter your bank debit card number and bank password into Wise's web form. It is not a redirect to the bank website. The URL says "https://wise.com/..." when you're asked to enter that info. Wise definitely gets your bank credentials.
They have yet another option called "bill payment" in which you log into your bank account yourself and do a bill payment to Wise (and giving your Wise account number).
Both the "debit" and "bill payment" methods look secure and acceptable. But Wise charges a considerably higher fee than with their "direct debit" method. And it always seems to take a day or two for the funds to appear in your Wise account with those other methods. They really want to encourage their "direct debit" method in which they get your bank login info.
andylynch 2021-08-19 06:17:56 +0000 UTC [ - ]
computator 2021-08-19 07:42:12 +0000 UTC [ - ]
Mordisquitos 2021-08-19 08:43:54 +0000 UTC [ - ]
The reason I ask is that that is what is called a "Direct Debit" in the UK and the European SEPA area, and it does not involve providing any credentials to the bank account. Rather, you only need to provide your International Bank Account Number (IBAN) and maybe your name. However, the ability for a company to be able to take Direct Debit payments is heavily regulated, you can easily cancel them via your bank, and even reverse charges if they were illegitimate.
softveda 2021-08-19 10:48:59 +0000 UTC [ - ]
Mordisquitos 2021-08-19 11:31:14 +0000 UTC [ - ]
pdpi 2021-08-19 08:56:44 +0000 UTC [ - ]
fatfox 2021-08-19 09:11:20 +0000 UTC [ - ]
2021-08-19 05:17:58 +0000 UTC [ - ]
chx 2021-08-19 11:36:43 +0000 UTC [ - ]
It is not. The direct debit feature you describe is provided by Plaid.
Wise itself says so in this TrustPilot answer https://ca.trustpilot.com/reviews/60e668daf9f48702a893a5e6
> It sounds like you might be trying to make a ACH direct debit payment, in which case Plaid is indeed one of the payment handlers that help us process these types of payments. However, we also offer other payment options for USD, if your account isn't able to support ACH direct debit.
There are other sources mentioning TransferWise is a customer of Plaid like https://www.digfingroup.com/plaid-visa/ and https://politechs.ca/2020/09/09/visas-acquisition-of-plaid-c...
softveda 2021-08-19 10:45:15 +0000 UTC [ - ]
I use my banks app and transfer money to their PayId using the reference number. The transfer takes a few seconds. When Wise gets the money in their account they resume the transfer and I get an in-app notification. Easy
stephen_g 2021-08-19 07:55:02 +0000 UTC [ - ]
Given that it seems to be a similar case in Europe, UK etc. I assume this might just be a US thing?
kyelewis 2021-08-19 08:33:53 +0000 UTC [ - ]
phoenixy1 2021-08-19 04:29:34 +0000 UTC [ - ]
Source: https://www.consumerfinance.gov/compliance/compliance-resour...
atdt 2021-08-19 04:47:52 +0000 UTC [ - ]
lhorie 2021-08-19 05:13:19 +0000 UTC [ - ]
lucasyvas 2021-08-19 02:15:38 +0000 UTC [ - ]
Why do we bother being ethical when nobody besides us gives a shit outside a slap on the wrist?
You know how many people thought of Plaid before it was a thing, then rightfully wrote it off as "don't attempt"? What kind of sick precedent does this set?
Why do I even bother caring.
dataflow 2021-08-19 03:53:11 +0000 UTC [ - ]
Who knew what wasn't legal? I don't think anyone is doing anything illegal here?
lucasyvas 2021-08-19 14:11:00 +0000 UTC [ - ]
SevenSigs 2021-08-19 07:22:43 +0000 UTC [ - ]
> Nearly 98 million people were affected, according to the settlement
xwdv 2021-08-19 02:18:47 +0000 UTC [ - ]
lucasyvas 2021-08-19 02:48:05 +0000 UTC [ - ]
vegetablepotpie 2021-08-19 04:35:24 +0000 UTC [ - ]
As an early career engineer, who works at a highly bureaucratic company, I always asked for permission for access to things I needed for my job. The gate keepers would ignore me. Worst example was when my management asked me to start version controlling a project I created. I had to work with the change management department, it took them six months to create a repo on a server just because no one knew the person who knew how to do that, and they had to be the ones to make it, not me.
Then I moved up in the company and got direct communication with the customer. The gate keepers come to me, not the other way around. Repos get created in a day now.
The problem with every bureaucracy is the incentives are never aligned with the organization's stated mission. When you say “version control” what you really mean is version control for employees who directly bring money to the company, for which we’ll dedicate significant parts of our budget to employ people for a function that can be automated as some sort of make-work scheme. The incentives are messed up.
Bureaucrats only win when they don’t get fired, and they don’t get fired when they follow the policies and procedures. And policies and procedures are there for the well trodden happy path. If you are innovating, there will, by definition, be no happy path, you have to make it, and if you ask a bureaucrat for help, they’ll seize up because there is no procedure to follow. At best they’ll direct you to someone else, who will also seize up and direct you back to the same person who sent you.
I discovered that the best way around that is to make seizing up a more likely way to visibly fail. "I need you to help me get this build out to the customer TODAY": if failure to do that will result in higher consequences than failing to follow procedures, they will make the build.
So moving fast and breaking things can get you to that high consequence state that bureaucrats seem to budge on. If you have a successful startup that breaks the law, you can please your users, and afford lawyers to defend you in court and afford PR firms that can convince the media to harass your regulators on your behalf.
cycomanic 2021-08-19 04:45:12 +0000 UTC [ - ]
The thing is, because software companies have become the most successful businesses in the world, SE principles (move fast, break stuff) are now viewed as "being innovative" and necessary for success. So they are increasingly being applied to other engineering disciplines.
kennywinker 2021-08-19 05:13:23 +0000 UTC [ - ]
aclindsa 2021-08-19 11:31:44 +0000 UTC [ - ]
Additionally, though I think the advent of new APIs which will allow you to authenticate directly with your bank (FDX) are a great improvement for overall security, I think they're going to be a step backwards for free access to your own personal financial information. Because banks are limiting access to FDX to large players like Plaid/Quicken, I fear you will be forced to pay a third-party to get your own personal financial data in the future!
perl4ever 2021-08-19 03:55:26 +0000 UTC [ - ]
cocoa19 2021-08-19 04:35:06 +0000 UTC [ - ]
perl4ever 2021-08-19 04:49:19 +0000 UTC [ - ]
When I wrote "how is it different" I meant how is it different in the task it performs which (I assume) Mint and Quicken also perform.
w4llstr33t 2021-08-19 05:51:54 +0000 UTC [ - ]
They later moved off of Yodlee to Intuit APIs, post acquisition, although those also do screen scraping [2], and thus carry the same risks.
[1] https://news.ycombinator.com/item?id=1537825
[2] https://money.cnn.com/2010/12/02/pf/mint_leaves_yodlee/
midasuni 2021-08-19 07:32:01 +0000 UTC [ - ]
My bank requires 2FA to send money to new payees. While losing my user/pass would lead to information leak, there’s little chance of my money being shipped off without further breaches.
dataflow 2021-08-19 01:43:26 +0000 UTC [ - ]
Buttons840 2021-08-19 01:46:41 +0000 UTC [ - ]
devin 2021-08-19 02:05:42 +0000 UTC [ - ]
jeffrapp 2021-08-19 02:13:23 +0000 UTC [ - ]
xwdv 2021-08-19 02:20:39 +0000 UTC [ - ]
vorpalhex 2021-08-19 02:30:37 +0000 UTC [ - ]
Robin_Message 2021-08-19 09:20:59 +0000 UTC [ - ]
I believe the cool kids call it a "hard fork", as in, if you are the bank that received the stolen funds and let someone withdraw them, you get forked, hard.
xwdv 2021-08-19 15:42:11 +0000 UTC [ - ]
Jarwain 2021-08-19 02:12:58 +0000 UTC [ - ]
xmodem 2021-08-19 02:37:25 +0000 UTC [ - ]
Beldin 2021-08-19 03:01:53 +0000 UTC [ - ]
The latest malware was a man-in-the-browser style one: it intercepted your input and changed what you saw on-screen. This was used to defeat extra authentication: the malware inserted a (fake) deposit (something like "yearly subscription mr. X" for $2134.56) into your on-screen total and phoned home. The victim was then called by a mr. X who claimed to have accidentally swapped two digits in a transfer, and that the bank had said they can't fix it because the target account was a valid account. All they could do was exceptionally give out the phone number of the receiving side. Would you be so kind to rectify the situation?
Since mr. X had all the details correct (amount, statement on transaction), the victim would initiate and authenticate a transfer. No way for the bank to detect, as this would be a genuine transfer order by the account owner.
To be clear: the attack requires a victim whose browser is hacked and an associated phone number. That seemed like a tall order to me, but apparently not tall enough to stop this attack from being integrated into multi-banking malware.
In short: read-only access is good, but not sufficient to prevent all attacks.
midasuni 2021-08-19 07:35:04 +0000 UTC [ - ]
Idiots fall for these scams all the time, password not needed.
lucasyvas 2021-08-19 02:19:03 +0000 UTC [ - ]
ceejayoz 2021-08-19 02:33:44 +0000 UTC [ - ]
Citi and Capital One have OAuth flows that Plaid supports, too, which tends to make me angrier at the banks than Plaid; the need for this stuff has been clear for a decade now, but only a few have added OAuth or similar.
westurner 2021-08-19 03:16:38 +0000 UTC [ - ]
Banks could save themselves CPU, RAM, bandwidth, and liability by implementing read-only API tokens and methods that need only return JSON - instead of HTML or worse, monthly PDF tables for a fee - possibly similar to the Plaid API: https://plaid.com/docs/api/
There is competition in consumer/retail banking, but still the only way to do e.g. budget and fraud analysis with third party apps is to give away all authentication factors: u/p/sqa; and TBH that's unacceptable.
Traditional and distributed ledger service providers might also consider W3C ILP: Interledger Protocol (in starting their move to quantum-resistant ledgers by 2022 in order to have a 5 year refresh cycle before QC is a real risk by 2027, optimistically, for science) when reviewing the entropy of username+password_hash+security_question_answer strings in comparison to the entropy of cryptoasset account public key hash strings: https://interledger.org/developer-tools/get-started/overview...
> Sender – Initiates a value transfer.
> Router (Connector) – Applies currency exchange and forwards packets of value. This is an intermediary node between the sender and the receiver. {MSB: KYC, AML, 10k reporting requirement, etc}
> Receiver – Receives the value
Multifactor authentication: Something you have, something you know, something you are
Multisig: n-of-m keys required to approve a transaction
Edit: from "Fed announces details of new interbank service to support instant payments" https://news.ycombinator.com/item?id=24109576 :
> For purposes of Interledger, we call all settlement systems ledgers. These can include banks, blockchains, peer-to-peer payment schemes, automated clearing house (ACH), mobile money institutions, central-bank operated real-time gross settlement (RTGS) systems, and even more. […]
> You can envision the Interledger as a graph where the points are individual nodes and the edges are accounts between two parties. Parties with only one account can send or receive through the party on the other side of that account. Parties with two or more accounts are connectors, who can facilitate payments to or from anyone they're connected to.
> Connectors [AKA routers] provide a service of forwarding packets and relaying money, and they take on some risk when they do so. In exchange, connectors can charge fees and derive a profit from these services. In the open network of the Interledger, connectors are expected to compete among one another to offer the best balance of speed, reliability, coverage, and cost.
W3C ILP: Interledger Protocol > Peering, Clearing and Settling: https://interledger.org/rfcs/0032-peering-clearing-settlemen...
westurner 2021-08-19 10:37:22 +0000 UTC [ - ]
When you loan your money to a bank by depositing ledger dollars or cash - and they, since GLBA in 1999, invest it and offer less than a 1% checking interest rate - and they won't even give you the record of all of your transactions as CSV/OFX `SELECT * FROM transactions WHERE account_id=?`, you have to pay $20/mo per autogenerated PDF containing a table of transactions to scrape with e.g. PDFminer (because they don't keep all account history data online)?
Seemingly OT, but not. APIs for comparison here:
FinTS / HBCI: Home Banking Computer Information protocol https://en.wikipedia.org/wiki/FinTS
E.g. GNUcash (open source double-entry accounting software) supports HBCI (and QIF (Quicken format), and OFX (Open Financial Exchange)). https://www.gnucash.org/features.phtml
HBCI/FinTS has been around in Germany for quite a while but nowhere else has comparable banking standards? I.e. Plaid may (unfortunately, due to lack of read-only tokens across the entire US consumer banking industry) be the most viable option for implementing HBCI-like support in GNUcash
OpenBanking API Specifications: https://standards.openbanking.org.uk/api-specifications/
Web3 (Ethereum,) APIs: https://web3py.readthedocs.io/en/stable/web3.main.html#rpc-a...
ISO20022 is "A single standardisation approach (methodology, process, repository) to be used by all financial standards initiatives" https://www.iso20022.org/
Brazil's PIX is one of the first real implementers of ISO20022. A note regarding such challenges: https://news.ycombinator.com/item?id=24104351
What data format does the FTC CAT Consolidated Audit Trail expect to receive mandatory financial reporting information in? Could ILP simplify banking and financial reporting at all?
FWIU, RippleNet (?) is the only network that supports attachments of e.g. line-item invoices (that we'd all like to see in the interest of transparency and accountability in government spending).
W3C ILP: Interledger Protocol. See links above.
Of the specs in this loose category, only cryptoledgers do not depend upon (DNS or) TLS/SSL - at the protocol layer, at least - and every CA in the kept-up-to-date trusted CA cert bundle (that could be built from a CT Certificate Transparency log of cert issuance and revocation events kept in a blockchain or e.g. centralized google/trillian, which they have the trusted sole root and backup responsibilities for).
Though, the DNS dependency has probably crept back into e.g. the bitcoind software by now (which used to bootstrap its list of peer nodes (~UNL) from an IRC IP address instead of a DNS domain).
FWIU, each trusted ACH (US 'Direct Deposit') party has a (one) GPG key that they use to sign transaction documents sent over now (S)FTP on scout's honor - on behalf of all of their customers' accounts.
vmception 2021-08-19 03:45:19 +0000 UTC [ - ]
Consumers are only protected by people pointing this out over and over again
xibalba 2021-08-19 00:31:19 +0000 UTC [ - ]
WHAT. THE. F.
I'm a longtime, happy YNAB user. I had no idea this was going on until just now. I always just assumed there were secure APIs used to import my data. YNAB's Capital One "integration" stopped working a few years ago (possibly because they cracked down on screen scraping?) and I was upset with Capital One. Perhaps Capital One took steps to prevent insecure access/screen scraping?
varenc 2021-08-19 00:48:55 +0000 UTC [ - ]
kryptk 2021-08-19 01:13:21 +0000 UTC [ - ]
I have never noped out of anything so hard.
amluto 2021-08-19 01:16:25 +0000 UTC [ - ]
varenc 2021-08-19 01:49:37 +0000 UTC [ - ]
IMHO, the Canadian proposal seems like the ideal solution. Force the banks to offer a secure and more efficient way for consumers to access their open banking data. (This will also massively lower the barrier to entry for another Plaid competitor)
edit: Plaid's docs mention that banks may detect and block this screen-scraping. They frame it as the bank limiting "your ability to access your financial information", which I think is somewhat valid. They're quite obtuse about the whole scraping thing though: https://plaid.com/trouble-connecting/#:~:text=Your%20financi...
coldacid 2021-08-19 02:15:59 +0000 UTC [ - ]
I'd rather have no convenience than a convenience that hands off the keys to my life behind my back. And so should the rest of us.
underwater 2021-08-19 08:53:49 +0000 UTC [ - ]
dageshi 2021-08-19 09:45:28 +0000 UTC [ - ]
phoenixy1 2021-08-19 02:19:09 +0000 UTC [ - ]
lucasyvas 2021-08-19 02:20:44 +0000 UTC [ - ]
It seems to have paid off though, so congratulations. Nobody with half a brain would trust you.
Fogest 2021-08-19 02:37:58 +0000 UTC [ - ]
lucasyvas 2021-08-19 02:43:38 +0000 UTC [ - ]
Fogest 2021-08-19 03:07:21 +0000 UTC [ - ]
Just look at Uber and AirBnB as examples. In most cities they started in, they were operating in kinda grey areas or even breaking laws. But they could afford to eat any fines and continue on anyway. It forced governments to put regulations in place to support these systems.
Especially when it comes to banking, it moves at such a snails pace for anything to ever evolve. The two banks I am with in Canada only just recently finally added support for 2FA. But it's not even the type where you can use your own authenticator app. You have to use SMS, Phone Call, or their app. My one bank has my "password" being restricted to 6 characters. It's basically got to be a 6 digit pin. It's incredibly insecure already, Plaid doesn't make it much worse.
Now with 2FA finally there I feel a lot more secure using Plaid. Because now every time I want to import my transactions in YNAB I have to enter my 2FA code before it can pull things.
ptx 2021-08-19 11:18:03 +0000 UTC [ - ]
Fogest 2021-08-19 16:57:53 +0000 UTC [ - ]
Governments for the most part worldwide have still done barely anything to address things like "loot boxes" in gaming despite them being almost identical to gambling. They aren't even getting fined or anything for this and are raking in billions of dollars. So whether or not big companies are doing things to break regulations they can still be doing things that should be regulated or are not ethical anyway.
The taxi industry was pretty bad and often filled with scams and corruption. One of the cities I live near only allowed one cab company to be licensed in the city and they sucked, especially when people needed rides home at night. So when Uber came in people loved it because they could finally get home safely after a night of drinking and it discouraged people from having to try and drive home drunk. For whatever reason the city always only allowed this one cab company. It would be reasonable to think a city official had some affiliation with that company to not allow other cab companies to come in.
Uber forced that to happen and it forced them to make regulation for it. There seemed to be no progress in that happening before Uber came to town.
So while Uber has some pretty shitty practices and I wouldn't consider it a good company, it is definitely a good example of what often needs to be done to force regulation.
And I mean a city always had the option to increase their fines to something massive and hit Uber hard, but instead they realized that their population wanted that and they would likely lose a lot of votes if they did something against the people like that.
thiht 2021-08-19 08:01:18 +0000 UTC [ - ]
And insulting their whole user base like this sure will get you lots of support.
nl 2021-08-19 07:12:59 +0000 UTC [ - ]
Plaid better have good security!
But I don't see this as unethical in the slightest. In fact, I see it as a company doing the right thing by consumers in letting them get access to their own data.
marvin 2021-08-19 08:25:52 +0000 UTC [ - ]
Don't know US regulations, but my country has plenty of case law determining that the customer is liable for every single dollar of loss if someone uses their account details to steal their money or take a massive loan in their name.
jcheng 2021-08-19 06:36:31 +0000 UTC [ - ]
phoenixy1 2021-08-19 08:55:15 +0000 UTC [ - ]
vmception 2021-08-19 03:47:37 +0000 UTC [ - ]
And now after you made your solution and gained traction with many fintech apps, the timeline was accelerated by FTC settlements
But don't get the order twisted, you're trying to plai us.
poopsmithe 2021-08-19 01:30:06 +0000 UTC [ - ]
smnrchrds 2021-08-19 02:57:58 +0000 UTC [ - ]
phoenixy1 2021-08-19 03:16:45 +0000 UTC [ - ]
IMO it does clearly tell end users that they are connecting to Plaid.
smnrchrds 2021-08-19 03:50:35 +0000 UTC [ - ]
xibalba 2021-08-19 03:07:34 +0000 UTC [ - ]
jamespullar 2021-08-18 22:56:16 +0000 UTC [ - ]
Also in the case of YNAB, Plaid is not posting transactions on your accounts. It's a screen scraping service transferring account data.
frosted-flakes 2021-08-18 23:17:17 +0000 UTC [ - ]
Also, some accounts update faster than others for some reason. Usually YNAB will import them the same day.
Plaid doesn't post transactions, but it does have my credentials which I said I would not share with anyone when I opened my bank account. Those credentials do allow posting transactions, and while it's not likely that anything will happen, if something does, I'm theoretically responsible. At the moment, I'm willing to take that risk.
KerrickStaley 2021-08-18 23:34:15 +0000 UTC [ - ]
As an added plus, you can keep 2FA enabled. Schwab does 2FA through an app so it's a touch above SMS-based 2FA (although only a single app is supported, Symantec VIP Access, rather than generic support for apps like Google Authenticator).
I also hate Plaid's model where you provide Plaid your credentials, and I've never entered my credentials into Plaid.
ZekeSulastin 2021-08-19 06:58:56 +0000 UTC [ - ]
1) Install pip, a python package manager, using your OS package manager.
2) Install python-vipaccess by executing `pip install --user python-vipaccess`
3) Execute `vipaccess provision -p -t VSMT` - this will print out all the information needed. Note the Symantec ID (it looks like VSMT12345678). It is what goes in the "Credential ID" field when adding a new device on Schwab's website.
4) Save the `otpauth://...` data into data.txt.
4.5) (Optional) Modify the `issuer=Symantec` parameter to read `issuer=Charles%20Schwab`. Also change `VIP%20Access:VSMT123456789` to your Schwab online banking username. These are purely aesthetic changes and will only make a difference in the label that shows up in the Google Auth app.
5) Install qrencode using your OS package manager.
6) Execute `qrencode.exe -o qr.png -s 15 < data.txt` to generate the QR image (qr.png) from your otpauth data file. The -s 15 scales how many pixels wide a QR block is in the image (in this case, 15).
7) Scan the QR image (qr.png) with your google auth app.
8) Go to Schwab -> Service -> Security Center -> Manage Two-Step Verification -> Add another Security Token and input the Symantec ID from step 3 (it looks like VSMT12345678) and the current rolling TOTP code from the Google Auth App. (If you use Authy you may have to type it manually)
[0] https://github.com/dlenski/python-vipaccess
[1] https://www.reddit.com/r/personalfinance/comments/hvvuwl/usi...
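The procedure above ends by typing a "current rolling TOTP code" into the bank's enrolment form, which is the one step where a wrong secret or a mangled label would only show up as a rejected token. The following is an added example, not code from the thread above or from python-vipaccess: it parses the `otpauth://` URI that `vipaccess provision -p` prints, performs the cosmetic issuer/label rewrite from step 4.5 with proper URL encoding, and computes the TOTP code locally (RFC 6238, HMAC-SHA1, 6 digits, 30 s period, which is what VIP Access credentials use as far as the example assumes) so it can be compared against the authenticator app before enrolling. The URI, the `VSMT12345678` credential ID and the `myuser` account name are constructed; the secret is the RFC 6238 reference key, not a real VIP credential.

```python
"""Parse, relabel and locally verify an otpauth:// TOTP URI (added example)."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, quote, unquote, urlencode, urlparse

# Constructed sample in the shape python-vipaccess prints. The secret is the
# RFC 6238 test key ("12345678901234567890" in base32), NOT a real credential.
SAMPLE_URI = (
    "otpauth://totp/VIP%20Access:VSMT12345678"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Symantec"
    "&digits=6&period=30&algorithm=SHA1"
)


def parse_otpauth(uri):
    """Split an otpauth://totp/ URI into its label and parameters."""
    p = urlparse(uri)
    if p.scheme != "otpauth" or p.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = {k: v[0] for k, v in parse_qs(p.query).items()}
    return {
        "label": unquote(p.path.lstrip("/")),
        "secret": params["secret"],
        "issuer": params.get("issuer", ""),
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
        "algorithm": params.get("algorithm", "SHA1").upper(),
    }


def relabel(uri, issuer, account):
    """Step 4.5: rewrite issuer and label without touching the secret.

    Spaces become %20 (not '+'), and the ':' between issuer and account is
    kept literal, matching the form authenticator apps expect.
    """
    t = parse_otpauth(uri)
    label = f"{issuer}:{account}"
    query = urlencode(
        {
            "secret": t["secret"],
            "issuer": issuer,
            "digits": t["digits"],
            "period": t["period"],
            "algorithm": t["algorithm"],
        },
        quote_via=quote,
    )
    return f"otpauth://totp/{quote(label, safe=':')}?{query}"


def hotp(secret_b32, counter, digits=6, algorithm="SHA1"):
    """RFC 4226 HOTP: HMAC over the big-endian counter, dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter),
                   getattr(hashlib, algorithm.lower())).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(token, at=None):
    """RFC 6238 TOTP for a parsed token at Unix time `at` (default: now)."""
    now = int(time.time()) if at is None else int(at)
    return hotp(token["secret"], now // token["period"],
                token["digits"], token["algorithm"])


if __name__ == "__main__":
    tok = parse_otpauth(SAMPLE_URI)
    print("credential ID:", tok["label"].split(":", 1)[1])  # goes in Schwab's "Credential ID" field
    print("relabelled URI:", relabel(SAMPLE_URI, "Charles Schwab", "myuser"))
    print("current code:", totp(tok), "(compare with the authenticator app)")
```

Run it once before step 8: the code it prints for the current 30 s window must match the authenticator app that scanned the QR image, otherwise the QR was generated from the wrong data. The relabelled URI round-trips through `parse_otpauth` with the same secret, so the rewrite in step 4.5 cannot silently change the codes.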
frereubu 2021-08-18 23:49:32 +0000 UTC [ - ]
omginternets 2021-08-19 01:19:11 +0000 UTC [ - ]
omginternets 2021-08-19 13:12:45 +0000 UTC [ - ]
adrr 2021-08-19 00:11:37 +0000 UTC [ - ]
harringtonjones 2021-08-19 01:09:11 +0000 UTC [ - ]
adrr 2021-08-19 01:57:49 +0000 UTC [ - ]
phoenixy1 2021-08-19 01:56:58 +0000 UTC [ - ]
adrr 2021-08-19 02:04:10 +0000 UTC [ - ]
ceejayoz 2021-08-19 02:36:05 +0000 UTC [ - ]
phoenixy1 2021-08-19 02:42:07 +0000 UTC [ - ]
jrootabega 2021-08-19 12:35:34 +0000 UTC [ - ]
SilverRed 2021-08-18 23:09:28 +0000 UTC [ - ]
function_seven 2021-08-19 00:21:26 +0000 UTC [ - ]
Having a standard and open API across banks, brokerages, and credit providers would be killer.
frosted-flakes 2021-08-18 23:21:07 +0000 UTC [ - ]
andylynch 2021-08-19 06:27:04 +0000 UTC [ - ]
toomuchtodo 2021-08-18 23:12:12 +0000 UTC [ - ]
shados 2021-08-19 02:36:15 +0000 UTC [ - ]
phoenixy1 2021-08-19 04:24:02 +0000 UTC [ - ]
Source: https://www.consumerfinance.gov/compliance/compliance-resour...
frosted-flakes 2021-08-19 06:52:54 +0000 UTC [ - ]
robertlagrant 2021-08-19 04:41:16 +0000 UTC [ - ]
devinsit 2021-08-19 04:44:56 +0000 UTC [ - ]
Although, knowing how these things usually go, I'm sure the "2023" target is a little optimistic...
perl4ever 2021-08-19 03:52:03 +0000 UTC [ - ]
Wait, you mean you don't read and understand every word of every legal agreement you accede to??
Ok, well, as a responsible consumer, have you considered keeping a lawyer on retainer?
marvin 2021-08-19 08:14:11 +0000 UTC [ - ]
I suppose EU users have an easier time with the PSD2 directive mandating interoperability between banking actors, but I'm unsure how many have found a way around properly implementing it.
barbarbar 2021-08-19 03:31:22 +0000 UTC [ - ]
deathanatos 2021-08-19 03:57:25 +0000 UTC [ - ]
robertlagrant 2021-08-19 04:42:46 +0000 UTC [ - ]