RE: online bill payment using OFX or similar?

["Lluis Mora" <llmora () sentryware com>]

Hi Ido,

My point about encryption was that the one interacting with the bank web
application (Aggregator) has to know the actual "acces codes" at some point
in order to pose as the legitimate customer to the bank (e.g. after being
decrypted with the user's site password). That is what scares me :)

I guess that apart from "screen-scrapping" a good solution is to look for
"Personal Information Manager" integration functionalities on the website
(e.g. some services allow you to download balances in a standard format -
maybe OFX - so that you can import them to your PIM). Some PIMs (pun
intended) even access the data from within the application, and I doubt they
use "screen-scrapping" to do so - maybe there are some non-public
interfaces/webservices on the bank application to access the data the PIM
needs :? A PIM + a HTTP proxy might be a good way of further investigating
into this, sounds like an interesting project.

Cheers,

Lluis
.

> -----Original Message-----
> From: Ido Rosen [mailto:ido () cs uchicago edu] 
> Sent: martes, 21 de septiembre de 2004 8:22
> To: Lluis Mora
> Cc: webappsec () securityfocus com
> Subject: Re: online bill payment using OFX or similar?
>
>
> Thank you Lluis, this was very helpful.  I was afraid of this!
>
> "Screen-scrapping" as you put it was what I was hoping I 
> wouldn't have to do.  (By the way, this is not for banking, 
> this is going to be for balance checking on various non-bank, 
> non-CC bills, such as phone bills,
> etc.)  Oh well.
>
> BTW, encrypting "access codes" symmetrically to the user's 
> site password, then not storing the user's password, and 
> trying to decrypt a reference point ("12345") with the 
> password, allowing the user to log in if that works, is a 
> pretty safe (but not foolproof) way of preventing anyone but 
> the user from decrypting the "access codes".  Just a thought.
>
> Ido
>
> On Mon, 20 Sep 2004 13:46:54 +0200
> Lluis Mora <llmora () sentryware com> wrote:
>
> > Hi Ido,
> >
> > Although I have no experience with the BoA service, I can speak for 
> > what
> >   banks in Spain currently use in order to provide a 
> similar service.
> > These services are called "Account Aggregators" and work as an 
> > intermediate between the customer and its separate bank 
> accounts. When
> > you sign up you give the "Aggregator" your various bank account 
> > details, e.g.:
> >
> > - Account number/Online banking login
> > - PIN/Online banking password
> >
> > After that, when you login to the Aggregator service, you are shown
> > balances of the accounts you have with differents banks, you can 
> > transfer funds, etc.
> >
> > The way the Aggregator obtains the financial data is by 
> logging in to
> > the different online banking services "behind the scenes", 
> > screen-scrapping the balance (or retrieving the OFX description) or 
> > transfer screens, then summarizing this information back to the
> > customer through the Aggregator service. One could say they 
> work as a
> > "proxy" for the customer.
> >
> > Obviously, banks are not willing to share the account balances of 
> > their customers (or how they manage their funds), so there 
> usually is 
> > no agreement between the Aggregator and the different banks 
> - thus the 
> > only way for the Aggregators to access the customer data is by 
> > screen-scrapping it.
> >
> >  From my point of view, there are severe security 
> implications to this
> >  
> > process, which usually affect the customer. By giving a third-party 
> > (the Aggregator) the access codes to your account you are probably 
> > breaching your contract with the bank - who is it to blame 
> if suddenly 
> > some money disappears from your account?
> >
> > Also, can you trust the Aggregator? Although they may say that your
> > access codes are "encrypted", they need the actual codes to 
> access the
> > bank web application on your behalf - so they need to be able to
> > retrieve them in an automated fashion. The aggregator 
> stores all your 
> > access information for separate banks, a very juicy jackpot for a 
> > malicious attacker.
> >
> > Letting alone the procedure they use to harvest the data -
> > screen-scrapping is not an exact science and the information relayed
> > to the customer can not be accurate. There is usually a struggle
> > between the bank and the Aggregator to make it more difficult to
> > aggregate pages (the bank introduces changes to the application to
> > break the aggregator robot, such as randomly introduced tags,
> > converting balances to images, etc - whilst the Aggregator modifies
> > the robot to handle random tags, parse javascript or OCR images).
> > Somewhat similar to the fight between web service providers and
> > automated registration services - e.g. the hard-to-OCR image which
> > Yahoo asks you to interpret before you signup.
> >
> > The hard-to-OCR image seems not to be a solution for online banking 
> > (too complex for customers that can change to a different bank), 
> > although here in Spain the trend is to move to stronger 
> authentication 
> > that just username/passwords to discourage the use of intermediate 
> > services (e.g. public key cryptography, using a token on 
> the user side 
> > make it impossible to use an Aggregator service - you can not send 
> > them your pricate key).
> >
> > Now, that is for Spanish banks - maybe in other countries they are
> > willing to exchange customer balance information, although I think
> > that greed understands no frontiers :)
> >
> > Cheers,
> >
> > Lluis
> > .
> >
> > Ido Rosen wrote:
> > > Hi folks,
> > >
> > >   This may be a tad off-topic, but since I know there are a few
> > >   people
> > > reading this list that are employed by financial institutions, I 
> > > thought I might as well ask it here:
> > >
> > >   I'm curious how services like Fleet's (BoA) "Universal 
> Link" work.
> > >   I'd
> > > like to make my own "universal link" program that checks 
> all of my 
> > > bills with various vendors and merchants and companies 
> and displays 
> > > them to me or outputs them in OFX format, but I've no 
> clue where to 
> > > start. If anyone is familiar with Fleet's UL or similar 
> services and 
> > > has some insight, please share! :)
> > >
> > > Ido
>
>
> -- 
> +-------------------------------------------------+
> |  Email : ido () ieee org / ido () cs uchicago edu     |
> | Jabber : phaedo () jabber org                      |
> |    PGP : http://www.cs.columbia.edu/~ido/pgp    |
> +-------------------------------------------------+