WebApp Sec mailing list archives
RE: online bill payment using OFX or similar?
From: "Lluis Mora" <llmora () sentryware com>
Date: Tue, 21 Sep 2004 10:44:42 +0200
Hi Ido, My point about encryption was that the one interacting with the bank web application (Aggregator) has to know the actual "acces codes" at some point in order to pose as the legitimate customer to the bank (e.g. after being decrypted with the user's site password). That is what scares me :) I guess that apart from "screen-scrapping" a good solution is to look for "Personal Information Manager" integration functionalities on the website (e.g. some services allow you to download balances in a standard format - maybe OFX - so that you can import them to your PIM). Some PIMs (pun intended) even access the data from within the application, and I doubt they use "screen-scrapping" to do so - maybe there are some non-public interfaces/webservices on the bank application to access the data the PIM needs :? A PIM + a HTTP proxy might be a good way of further investigating into this, sounds like an interesting project. Cheers, Lluis .
-----Original Message----- From: Ido Rosen [mailto:ido () cs uchicago edu] Sent: martes, 21 de septiembre de 2004 8:22 To: Lluis Mora Cc: webappsec () securityfocus com Subject: Re: online bill payment using OFX or similar? Thank you Lluis, this was very helpful. I was afraid of this! "Screen-scrapping" as you put it was what I was hoping I wouldn't have to do. (By the way, this is not for banking, this is going to be for balance checking on various non-bank, non-CC bills, such as phone bills, etc.) Oh well. BTW, encrypting "access codes" symmetrically to the user's site password, then not storing the user's password, and trying to decrypt a reference point ("12345") with the password, allowing the user to log in if that works, is a pretty safe (but not foolproof) way of preventing anyone but the user from decrypting the "access codes". Just a thought. Ido On Mon, 20 Sep 2004 13:46:54 +0200 Lluis Mora <llmora () sentryware com> wrote:Hi Ido, Although I have no experience with the BoA service, I can speak for what banks in Spain currently use in order to provide asimilar service.These services are called "Account Aggregators" and work as an intermediate between the customer and its separate bankaccounts. Whenyou sign up you give the "Aggregator" your various bank account details, e.g.: - Account number/Online banking login - PIN/Online banking password After that, when you login to the Aggregator service, you are shown balances of the accounts you have with differents banks, you can transfer funds, etc. The way the Aggregator obtains the financial data is bylogging in tothe different online banking services "behind the scenes", screen-scrapping the balance (or retrieving the OFX description) or transfer screens, then summarizing this information back to the customer through the Aggregator service. One could say theywork as a"proxy" for the customer. Obviously, banks are not willing to share the account balances of their customers (or how they manage their funds), so thereusually isno agreement between the Aggregator and the different banks- thus theonly way for the Aggregators to access the customer data is by screen-scrapping it. From my point of view, there are severe securityimplications to thisprocess, which usually affect the customer. By giving a third-party (the Aggregator) the access codes to your account you are probably breaching your contract with the bank - who is it to blameif suddenlysome money disappears from your account? Also, can you trust the Aggregator? Although they may say that your access codes are "encrypted", they need the actual codes toaccess thebank web application on your behalf - so they need to be able to retrieve them in an automated fashion. The aggregatorstores all youraccess information for separate banks, a very juicy jackpot for a malicious attacker. Letting alone the procedure they use to harvest the data - screen-scrapping is not an exact science and the information relayed to the customer can not be accurate. There is usually a struggle between the bank and the Aggregator to make it more difficult to aggregate pages (the bank introduces changes to the application to break the aggregator robot, such as randomly introduced tags, converting balances to images, etc - whilst the Aggregator modifies the robot to handle random tags, parse javascript or OCR images). Somewhat similar to the fight between web service providers and automated registration services - e.g. the hard-to-OCR image which Yahoo asks you to interpret before you signup. The hard-to-OCR image seems not to be a solution for online banking (too complex for customers that can change to a different bank), although here in Spain the trend is to move to strongerauthenticationthat just username/passwords to discourage the use of intermediate services (e.g. public key cryptography, using a token onthe user sidemake it impossible to use an Aggregator service - you can not send them your pricate key). Now, that is for Spanish banks - maybe in other countries they are willing to exchange customer balance information, although I think that greed understands no frontiers :) Cheers, Lluis . Ido Rosen wrote:Hi folks, This may be a tad off-topic, but since I know there are a few people reading this list that are employed by financial institutions, I thought I might as well ask it here: I'm curious how services like Fleet's (BoA) "UniversalLink" work.I'd like to make my own "universal link" program that checksall of mybills with various vendors and merchants and companiesand displaysthem to me or outputs them in OFX format, but I've noclue where tostart. If anyone is familiar with Fleet's UL or similarservices andhas some insight, please share! :) Ido-- +-------------------------------------------------+ | Email : ido () ieee org / ido () cs uchicago edu | | Jabber : phaedo () jabber org | | PGP : http://www.cs.columbia.edu/~ido/pgp | +-------------------------------------------------+
Current thread:
- online bill payment using OFX or similar? Ido Rosen (Sep 18)
- Re: online bill payment using OFX or similar? Lluis Mora (Sep 22)
- Re: online bill payment using OFX or similar? Ido Rosen (Sep 21)
- RE: online bill payment using OFX or similar? Lluis Mora (Sep 21)
- Re: online bill payment using OFX or similar? Ido Rosen (Sep 21)
- Re: online bill payment using OFX or similar? Lluis Mora (Sep 22)