Re: online bill payment using OFX or similar?

[Ido Rosen <ido () cs uchicago edu>]

Thank you Lluis, this was very helpful.  I was afraid of this!

"Screen-scrapping" as you put it was what I was hoping I wouldn't have
to do.  (By the way, this is not for banking, this is going to be for
balance checking on various non-bank, non-CC bills, such as phone bills,
etc.)  Oh well.

BTW, encrypting "access codes" symmetrically to the user's site
password, then not storing the user's password, and trying to decrypt a
reference point ("12345") with the password, allowing the user to log in
if that works, is a pretty safe (but not foolproof) way of preventing
anyone but the user from decrypting the "access codes".  Just a thought.

Ido

On Mon, 20 Sep 2004 13:46:54 +0200
Lluis Mora <llmora () sentryware com> wrote:

> Hi Ido,
>
> Although I have no experience with the BoA service, I can speak for
> what 
>   banks in Spain currently use in order to provide a similar service. 
> These services are called "Account Aggregators" and work as an 
> intermediate between the customer and its separate bank accounts. When
>
> you sign up you give the "Aggregator" your various bank account
> details, e.g.:
>
> - Account number/Online banking login
> - PIN/Online banking password
>
> After that, when you login to the Aggregator service, you are shown 
> balances of the accounts you have with differents banks, you can 
> transfer funds, etc.
>
> The way the Aggregator obtains the financial data is by logging in to 
> the different online banking services "behind the scenes", 
> screen-scrapping the balance (or retrieving the OFX description) or 
> transfer screens, then summarizing this information back to the
> customer through the Aggregator service. One could say they work as a
> "proxy" for the customer.
>
> Obviously, banks are not willing to share the account balances of
> their customers (or how they manage their funds), so there usually is
> no agreement between the Aggregator and the different banks - thus the
> only way for the Aggregators to access the customer data is by 
> screen-scrapping it.
>
>  From my point of view, there are severe security implications to this
>  
> process, which usually affect the customer. By giving a third-party
> (the Aggregator) the access codes to your account you are probably
> breaching your contract with the bank - who is it to blame if suddenly
> some money disappears from your account?
>
> Also, can you trust the Aggregator? Although they may say that your 
> access codes are "encrypted", they need the actual codes to access the
>
> bank web application on your behalf - so they need to be able to 
> retrieve them in an automated fashion. The aggregator stores all your 
> access information for separate banks, a very juicy jackpot for a 
> malicious attacker.
>
> Letting alone the procedure they use to harvest the data - 
> screen-scrapping is not an exact science and the information relayed
> to the customer can not be accurate. There is usually a struggle
> between the bank and the Aggregator to make it more difficult to
> aggregate pages (the bank introduces changes to the application to
> break the aggregator robot, such as randomly introduced tags,
> converting balances to images, etc - whilst the Aggregator modifies
> the robot to handle random tags, parse javascript or OCR images).
> Somewhat similar to the fight between web service providers and
> automated registration services - e.g. the hard-to-OCR image which
> Yahoo asks you to interpret before you signup.
>
> The hard-to-OCR image seems not to be a solution for online banking
> (too complex for customers that can change to a different bank),
> although here in Spain the trend is to move to stronger authentication
> that just username/passwords to discourage the use of intermediate
> services (e.g. public key cryptography, using a token on the user side
> make it impossible to use an Aggregator service - you can not send
> them your pricate key).
>
> Now, that is for Spanish banks - maybe in other countries they are 
> willing to exchange customer balance information, although I think
> that greed understands no frontiers :)
>
> Cheers,
>
> Lluis
> .
>
> Ido Rosen wrote:
> > Hi folks,  
> >
> >   This may be a tad off-topic, but since I know there are a few
> >   people
> > reading this list that are employed by financial institutions, I
> > thought I might as well ask it here:
> >
> >   I'm curious how services like Fleet's (BoA) "Universal Link" work.
> >   I'd
> > like to make my own "universal link" program that checks all of my
> > bills with various vendors and merchants and companies and displays
> > them to me or outputs them in OFX format, but I've no clue where to
> > start. If anyone is familiar with Fleet's UL or similar services and
> > has some insight, please share! :)
> >
> > Ido


-- 
+-------------------------------------------------+
|  Email : ido () ieee org / ido () cs uchicago edu     |
| Jabber : phaedo () jabber org                      |
|    PGP : http://www.cs.columbia.edu/~ido/pgp    |
+-------------------------------------------------+

Attachment: _bin
Description: