
The Secret API of Banks - gduverger
http://gduverger.com/secret-api-banks
======
dewey
For those in the EU there's something interesting coming next year, banks need
to provide an open API to interact with each other:

[https://thenextweb.com/worldofbanking/2018/06/27/openbanking...](https://thenextweb.com/worldofbanking/2018/06/27/openbanking/)

Already right now in Germany there are a lot of banks that share a common API
format which is why there are a lot of banking apps where you can just log
into your bank and don't need bank specific apps. It's called HBCI / FinTS
([https://en.wikipedia.org/wiki/FinTS](https://en.wikipedia.org/wiki/FinTS))
and it's great to have that possibility without doing some web-scraping to get
your data out.

One example of another German bank API would be:

[https://api-docs.fidor.de/v1/introduction/welcome-text](https://api-docs.fidor.de/v1/introduction/welcome-text)

~~~
Rjevski
PSD2 and “open” banking is bullshit. I wish this myth would die - it is
anything but “open”.

If you want to gain access to API _s_, you need to become an “AISP” (as they
are called in the UK), this requires a certification and a load of other
nonsense akin to PCI-DSS. This is for read-only access - for “write” access
including the ability to edit payees or make payments you need to become a
“PISP” which I assume requires even more paperwork.

I also said API _s_ because the regulation does not mandate any kind of API
format, so every bank has their own with different capabilities as far as what
data is returned and in which format. Some of them are truly awful.

And finally, “open” banking still does not allow _you_ to get a personal
access token for _your own_ account.

~~~
sjtgraham
> If you want to gain access to APIs, you need to become an “AISP”

It's more complicated than that.

Banks can give unregulated entities access to their APIs, but they don't
because IMO providing API access is directly opposed to their interests. If
you want to be _statutorily entitled_ to API access you need to be a
registered AISP or PISP.

Unfortunately what an AIS is is very specific, i.e. showing the account owner
aggregated information, before or after processing, about one or more payment
accounts. If your product doesn't do this, e.g. credit scoring using the
user's bank transactions instead of credit bureaux, then you're not performing
a regulated activity, therefore the regulator has nothing to authorise, and
you can't enjoy the resulting entitlement of API access.

This means there are whole classes of (unregulated) applications that won't be
allowed to exist by banks if they adopt the position of granting access only
to regulated entities.

> this requires a certification and a load of other nonsense akin to PCI-DSS

AIS and PIS have become regulated activities as a result of PSD2. This is not
the same as PCI-DSS. Becoming a (P|A)ISP means becoming supervised by the
local regulator as an authorised financial institution. This involves a lot of
paperwork, a £1,500 application fee, insurance, fees for any professional
services you needed to complete the application (lawyer), and 3 months (longer
if your application is incomplete or has other issues).

> for “write” access including the ability to edit payees or make payments you
> need to become a “PISP” which I assume requires even more paperwork.

And €50,000 own capital requirements.

> I also said APIs because the regulation does not mandate any kind of API
> format, so every bank has their own with different capabilities as far as
> what data is returned and in which format. Some of them are truly awful.

This is true at the moment for Europe but notionally incorrect for the 9
largest banks in the UK, which are subject to parallel domestic measures
ordered by the Competition and Markets Authority. There is a spec, but there
are many problems with the governance, implementation, etc.

~~~
repolfx
From what I've heard the main problem is banks are afraid popular API access
would overload their mainframe-era systems that don't scale and can't scale.

~~~
deadbunny
Which is utter nonsense. They already have APIs, they're used in their mobile
apps.

~~~
repolfx
That's not an API, that's a private protocol for which they can easily
anticipate and control load (e.g. by pushing changes to their apps).

~~~
deadbunny
All the banks I'm with use REST APIs in their apps (you can see this by
MITMing the traffic), no "private protocol" whatever the hell that is.

As for controlling load, I'm not sure I follow. If you have 1m people with the
mobile app installed and all of them decide to check their balance at the same
time your systems are going to crumble if you've only provisioned for 10,000.

Web/Mobile banking doesn't talk to the mainframes directly, it's essentially a
caching layer which gets committed later when the mainframe does its job. Not
much different from your average web app just with longer delays.

~~~
repolfx
I think you aren't using the term API correctly. This discussion is about APIs
_for third party developers to write apps_. The fact that banks' own mobile
apps often use REST to communicate with their backend does not make such a
protocol an API. For one it's not documented, for another it may change
without notice.

Of course if you define "API" to mean literally any form of communication
between processes or devices then sure. But then you'd have to consider GSM or
FTP or TCP/IP itself to be APIs and I never saw them described that way.

My main point is that an interface that's just being driven by human
interaction has very predictable load characteristics. If you open up a true
API to third party developers they may come up with new uses that aren't
directly human driven or may even be batch jobs. You don't have much control
over your inbound workloads anymore.

~~~
dsmithatx
FTP, TCP and IP are protocols, GSM is a European standard and REST is an easy
method for building applications in which the backend is called the API
(application programming interface) which typically uses the HTTP protocol.
RESTful generally means using CRUD (create, read, update and delete) although it
isn't a standard.

Some APIs are private as in the one your bank's mobile app most likely uses.
Some companies offer their APIs to the public. They are both still APIs
though.

------
benbristow
In the UK the fintech (Financial Tech) scene is becoming more prevalent, for
the better.

Recently I switched to a new online-only bank called Monzo. It's fully
licensed and all accounts are insured up to a certain amount by the UK
government. It's great. They're in the top charts for apps in the UK now on
the iOS App Store. There's a few other alternatives like Starling Bank and
Revolut too.

They're very good. They're open about their tech stack with developer blogs
and it's a modern stack which lets them iterate in a quick and agile manner
unlike the legacy banks.

You get push notifications on every payment (usually you get the notification
before the payment has even processed on the vendor's end!). Tells you exactly
how much you've been spending every day.

They've got RESTful JSON APIs you can integrate with if you want to and they
also have the option in the app to easily export your data into CSV or
Quickbooks format. They even have IFTTT integration.

Really makes you manage your money better.

~~~
sitepodmatt
Revolut are a nightmare. After using it for several months and fully verified
I apparently entered a CVV incorrectly on one transaction. Revolut blocked the
card but with no notification, and no in-app indicators, all showed normal in
app, all toggled enabled for maximum flexibility. It took ages to figure out,
but swiping the card or using online was now returning to the merchant
'FRAUD/STOLEN' marker rather than just insufficient funds, this led to Adyen
blocking me from merchants and other hell. Best of all support kept telling me
my account was fine and all enabled, it was only after Twitter escalation I
learnt about a backend block their support staff couldn't see. Ridiculous,
weeks to sort, dozens of tickets, suggestion to train support staff or provide
in-app indicator of block was ignored. This shit still happens today, avoid
Revolut. Fintech can be rough, it ain't all great, tread carefully. Oh and
they delete feedback from forums if not positive lol

~~~
toomuchtodo
Thank you so much for posting this. Kept waiting for my Revolut invite, but
now I know to steer clear.

~~~
thecupisblue
Tbh I've been using Revolut for like 2 years now if not longer. Saved my ass
whenever I was traveling, helps with geoblocked services, virtual cards are
great and I can use it with Google Pay. Never had a single problem.

------
KirinDave
The actual secret API of banks - and by the way this is the initial strategy
Plaid pursued if rumor is to be believed (essentially without the consent of
the banks) - is by reverse engineering mobile app APIs. Most of these bank APIs
try to use cheesy secret token vending to prevent casual API traffic on their
endpoints, but the reality is that a sufficiently instrumented Android kernel
(or rooted iOS device) will let you reverse engineer those protocols and
masquerade as legitimate users.

~~~
stephengillie
Why don't banks sell API access at a rate s/similar/lower than Google Maps API
access? This is starting to feel like music and video piracy all over again.

~~~
toomuchtodo
Because the value is in not being commodified. Not giving API access is worth
more than charging for it.

If all of your credit lines, checking, savings, and investment accounts were
an API call away, the institutions providing those no longer build
relationships that can be profitable; they're simply utilities you could swap
out interchangeably. As such, they're not a fan of this idea.

~~~
TeMPOraL
> _they're simply utilities you could swap out interchangeably. As such,
> they're not a fan of this idea._

It's sad, because that's _exactly what they should be_. :/.

~~~
etherealG
In crime we call it “organised” crime. In banking it’s just “doing business”.
Maybe we should make this kind of invention of value out of thin air illegal?

------
misterbwong
This is very clever but makes me sad. It’s 2018 and the best, cleanest way of
monitoring and storing my own transactions programmatically is by scraping an
email.

~~~
orf
*in America

Banks provide an API in Europe. In fact it's a legal requirement that's coming
into force in 2019, and there are a lot of 'mobile-first' banks like Monzo and
Revolut which make this entirely un-needed in the first place (providing
spending exports, decent analytics, push notifications, etc etc).

Welcome to the future. Contact your local politician if you want to join us.
Maybe also ask about chip and pin while you're at it!

~~~
avianlyric
With Monzo you can just use IFTTT[1] for simple stuff like this, and the
API[2] for complicated stuff.

I personally use the API to automatically add flat bill directly to Splitwise.

[1] [https://monzo.com/features/ifttt/](https://monzo.com/features/ifttt/)

[2] [https://docs.monzo.com](https://docs.monzo.com)

~~~
simonvc
Have you open-sourced that code? I'd be interested... (I'm half the team that
built IFTTT at Monzo)

------
ctdean
I talk to (about) a person a week who wants to create a new US bank. Some are
pursuing a de novo charter, some are buying a bank, and some are a quasi bank
on top of another bank.

The real blocker here is the Fed won't grant new charters and often won't
transfer charters. I'm hoping this will change in the next few years and we
can get some real competition.

(Disclosure: my job is making APIs for US Banks.)

~~~
techsupporter
Any idea why this is the situation?

What about doing a state-by-state charter?

~~~
ctdean
The fed is still living with the fear of the 2008 crash. And you still need
FDIC insurance even if you have a state charter.

------
bluetidepro
I was expecting this to outline how you could actually use various APIs from
different banks, but was still pleasantly happy with the actual content of the
article. This is a clever idea I had never thought about doing. Kudos to OP!

------
VikingCoder
I hate sounding like a VC jerk, but the banking industry needs some serious
disruption.

~~~
pgeorgi
The American banking industry, maybe.

One of the ills of VC-mania is the ongoing assumption that a) problems that
exist in the US exist everywhere and b) that there are no other problems.

(see also: Uber busting the "taxi monopoly")

~~~
maxxxxx
And that nobody outside the US ever has solved problems in a way that may
apply to the US.

------
jimmyswimmy
I guess it's not popular or all that well-known anymore, but for quite a while
there's been a Quicken-led banking interface for some banks. Known as OFX or
Direct Connect, it provides at least one-way (download) access to banking
transactions. I think there's a way to upload as well but have never used it
nor had a bank that supports it for upload.

My bank has a separate enrollment - it was free - offering download-only
access to my transactions. I haven't used it in awhile (just too much on my
plate) but it worked well as recently as 2016.

[https://github.com/aqbanking/aqbanking](https://github.com/aqbanking/aqbanking)
is one open implementation for the interface.

~~~
mindslight
^ This.

It's often called "Quicken Direct Connect" (NOT "web connect", that's a
bastardization trying to push the login flow through the proprietary web
interface), and often has to be specifically enabled for your account (Bank of
Slum-merica is the only place I've heard charging for the functionality
though).

Check say [https://ofx-prod-filist.intuit.com/qb2600/data/fidir.txt](https://ofx-prod-filist.intuit.com/qb2600/data/fidir.txt)
to see if your bank is listed (that contains both direct and web connect
banks, you'll figure out what the flags mean).

Set up a cron or human cron to pull and save the raw OFX (QFX) query every
day/week/month, and then run whatever reports/analytics you want from that.
This way you'll have history to use with whatever program/scripts you move to,
and can also straightforwardly integrate legacy banks that make you use the
web interface (just at a much lower polling rate).
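
The pull-and-archive routine from the comment above, as an added example that is not part of the original thread: each raw OFX response is saved untouched with owner-only permissions, and history is rebuilt by merging all saved pulls on `FITID`, the transaction id the bank assigns in OFX. The sample responses, ids and function names are constructed for illustration.

```python
import html
import os
import re
from datetime import date
from decimal import Decimal
from pathlib import Path

# Constructed OFX 1.x (SGML) responses from two overlapping pulls; not real bank data.
PULL_1 = """OFXHEADER:100
DATA:OFXSGML

<OFX><BANKMSGSRSV1><STMTTRNRS><STMTRS><BANKTRANLIST>
<STMTTRN><TRNTYPE>DEBIT<DTPOSTED>20180702120000[-5:EST]
<TRNAMT>-42.17<FITID>T0001<NAME>GROCERY STORE 114</STMTTRN>
<STMTTRN><TRNTYPE>CREDIT<DTPOSTED>20180703
<TRNAMT>1500.00<FITID>T0002<NAME>PAYROLL &amp; BONUS</STMTTRN>
</BANKTRANLIST></STMTRS></STMTTRNRS></BANKMSGSRSV1></OFX>
"""
PULL_2 = """OFXHEADER:100
DATA:OFXSGML

<OFX><BANKMSGSRSV1><STMTTRNRS><STMTRS><BANKTRANLIST>
<STMTTRN><TRNTYPE>CREDIT<DTPOSTED>20180703
<TRNAMT>1500.00<FITID>T0002<NAME>PAYROLL &amp; BONUS</STMTTRN>
<STMTTRN><TRNTYPE>DEBIT<DTPOSTED>20180709
<TRNAMT>-9.99<FITID>T0003<NAME>STREAMING SUBSCRIPTION</STMTTRN>
</BANKTRANLIST></STMTRS></STMTTRNRS></BANKMSGSRSV1></OFX>
"""

TXN_RE = re.compile(r"<STMTTRN>(.*?)</STMTTRN>", re.S | re.I)
# Leaf elements: the value runs to the next tag or line end, so this reads
# both SGML (no closing tags) and XML-style (with closing tags) files.
LEAF_RE = re.compile(r"<([A-Za-z0-9.]+)>([^<\r\n]+)")


def parse_transactions(raw):
    """Extract the statement transactions from one raw OFX response."""
    txns = []
    for block in TXN_RE.findall(raw):
        fields = {tag.upper(): html.unescape(val.strip())
                  for tag, val in LEAF_RE.findall(block)}
        missing = {"FITID", "DTPOSTED", "TRNAMT"} - fields.keys()
        if missing:
            raise ValueError(f"transaction missing {sorted(missing)}")
        posted = fields["DTPOSTED"]  # YYYYMMDD, optionally followed by time/zone
        txns.append({
            "fitid": fields["FITID"],
            "posted": date(int(posted[:4]), int(posted[4:6]), int(posted[6:8])),
            # OFX permits a comma as the decimal separator.
            "amount": Decimal(fields["TRNAMT"].replace(",", ".")),
            "name": fields.get("NAME", ""),
        })
    return txns


def archive_pull(directory, raw, pulled_on):
    """Save one raw response as YYYY-MM-DD.ofx, owner-only, never overwriting."""
    path = Path(directory) / f"{pulled_on.isoformat()}.ofx"
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(raw)
    return path


def load_history(directory):
    """Merge every archived pull; overlapping pulls are de-duplicated on FITID."""
    merged = {}
    for path in sorted(Path(directory).glob("*.ofx")):
        for txn in parse_transactions(path.read_text(encoding="utf-8")):
            merged.setdefault(txn["fitid"], txn)
    return sorted(merged.values(), key=lambda t: (t["posted"], t["fitid"]))


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        archive_pull(d, PULL_1, date(2018, 7, 4))
        archive_pull(d, PULL_2, date(2018, 7, 11))
        for t in load_history(d):
            print(t["posted"], t["amount"], t["name"])
```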

~~~
burkemw3
How does web connect actually work? I've never found any description of the
method

~~~
mindslight
I don't exactly know. But I'm under the impression that it performs the
standard website login flow via headless browsing, then uses the website's
"download transactions as OFX" functionality. So similar problems as "screen
scraping" but less error prone because if it successfully downloads the data,
it is in a well-defined format.

------
eboyjr
This is an awesome alternative to scraping your own bank transactions. I'm
considering using this technique to automatically add rows to my personal
GnuCash MySQL database.

~~~
beamatronic
Is there a good existing framework that can turn emails into events? Some sort
of IMAP client ?

~~~
jsjohnst
Name your language of choice and I’ll link you to a good one.

~~~
beamatronic
Java

~~~
jsjohnst
JavaMail API ;)

~~~
beamatronic
Does that have the ability to call a specified callback function when an email
arrives from a specified sender?

~~~
jsjohnst
It’s a full framework for handling almost everything a MUA would do (imap/pop,
email parsing, mime parsing, sending email, etc), so yeah, it can do that.
You’ll have a bunch of boiler plate code you’ll need, but a Google search will
give you plenty of samples.

------
iamdbtoo
Anyone use Firefly III? It uses the Spectre API to allow you to have a
self-hosted Mint.

[https://firefly-iii.org/](https://firefly-iii.org/)

~~~
shiv86
This seems like a great option!... thanks for sharing

------
yurishimo
Posts like this make me pretty excited to be a customer of a "tech-y" online
bank. (In my case, Simple, not shilling, I just like them)

Theoretically, these banks with great mobile apps are one step away from
giving you API access once it's needed/wanted by enough consumers.
Technically, your phone is doing it under the hood already.

Simple uses React for their web interface, so I imagine they have nice JSON
APIs for all of the data already.

There was a site advertising developer managed bank accounts last year,
[https://root.co.za/](https://root.co.za/), I think it's also a cool idea.

~~~
RickS
You can prod the network panel to reverse engineer Simple's APIs. I've done it
for some visualization tools in the past.

It's sloppy and undocumented, but their support staff are fantastic and
surprisingly technical, so I had about a 100% success rate tweeting them
things like "what's the new endpoint for what was previously
/bank/transactions?"

A public version of this API was one of their stated goals in 2010 or so, but
they're more interested in chasing non-technical product goals like couples
accounts. I expect their most technical customers don't make up enough
transaction volume to justify attention.

I love Simple for being the least worst, but am still saddened by what they
could have been if they had Stripe's passion for technical execution. But hey,
at least there's an API and they won't slap you with the CFAA for hitting it.

~~~
yurishimo
Sorry for the late reply here. I'm still new to HN and haven't figured out
everything yet...

How are you doing authentication for the API? Is it session based or can you
pass some sort of API token after logging in?

------
loisaidasam
I tried doing something like this, but it didn't work for Bank of America, as
their minimum alert level is $100.

When I lived in Slovenia, I could set SMS alerts from my bank there
(UniCredit). I wrote an Android app [1] that intercepted those SMS messages
and parsed out the relevant bits. Those were the days...

[1] [https://github.com/loisaidasam/poor-mans-money-counter](https://github.com/loisaidasam/poor-mans-money-counter)

~~~
djrogers
> I wrote an Android app [1] that intercepted those SMS messages and parsed
> out the relevant bits.

Sounds like a nice hack, but at a meta level, I find the idea that a mobile
platform even allows an app to ‘intercept’ SMS messages to be a little
troubling.

~~~
TomMarius
Well, it doesn't. You have to do so many things in order to allow it that
it's impossible to not know exactly what you're doing. I think it's positive
that I am in control of my device when I want to.

~~~
jsjohnst
Actually there are quite a few popular Android apps that bulk harvested SMSes,
so your point in defense of its security is rather weak.

~~~
TomMarius
But that was in the past, right? Current version shouldn't allow it unless
user explicitly agrees.

~~~
jsjohnst
It was permissioned before too. The general population mostly doesn’t
understand what they are giving up when they agree to that when an app asks.

~~~
loisaidasam
A few things -

1\. In order to achieve this functionality, the app explicitly requires
permission to receive SMS [1] [2]

2\. I agree that the general population likely isn't fully aware of the
implications of granting permissions for such things. Having said that, I
think that privacy/security/transparency is one of the things constantly being
worked on with subsequent Android OS updates [3] [4], and I think that things
are getting better.

Personally, I don't grant access to sensors like microphone/camera/location to
apps that I don't want using them (most apps), and I think people should be
aware of potential hazards here. Then again, people are openly inviting Amazon
Alexa and Google Home into their homes ...

On the other hand, as a developer I like having the ability to build this, for
me, and potentially for others who find use for what I wrote, with full
transparency/visibility into the source.

[1] [https://github.com/loisaidasam/poor-mans-money-counter/blob/...](https://github.com/loisaidasam/poor-mans-money-counter/blob/dc35e75c2ad57a658a849fba54e96f2d8a6af2d8/AndroidManifest.xml#L7)

[2]
[https://developer.android.com/reference/android/Manifest.per...](https://developer.android.com/reference/android/Manifest.permission#RECEIVE_SMS)

[3] [https://www.android.com/security-center/](https://www.android.com/security-center/)

[4]
[https://www.android.com/versions/pie-9-0/](https://www.android.com/versions/pie-9-0/)

------
RickS
There's so much cool stuff you can do with this data. Think of all the creepy
shit amazon does with your browsing data, but for your spending data, and you
can browse it.

We're leaving a crazy amount of insight on the table.

Shameless plug: I built some personal finance viz tools based on similar data.
They also just barely scratch the surface:
[http://rick.xxx/orchid.html](http://rick.xxx/orchid.html)

If you're working on interesting things in the fintech space, I'd love to chat
with you about strategy or execution, especially w/r/t product design. Email
in profile.

------
btmerr
Forgive the shameless self-promotion, but we at Seed offer a customer facing
API for read-only transaction data. We would happily build out more API
features, but we've seen very little demand, despite the frequent HN threads
about bank APIs.

We are a business focused bank, but we support sole proprietors and
freelancers as well.

API docs are here:
[http://docs.seed.co/v1.0.0/docs](http://docs.seed.co/v1.0.0/docs)

[https://seed.co](https://seed.co)

p.s. We are working on Android I promise please don't yell at us (again).

~~~
mattkopecki
It's really unclear to me what your product is. I would have given up trying
to figure out if you hadn't implied that it's somehow related to what this
cool blog post accomplishes.

From the FAQ, my best guess is that you offer businesses bank accounts that
come bundled with the reporting you'd get with something like Mint/Quickbooks?

It's OK to basically be two services glued together, but why are you _better_
than just the two existing services, were they to be glued together?

------
altmind
You may want to try Plaid. They've integrated every major US bank (and some
CUs) either using bank API or scraping their web pages.

You can get not only transactions, but also account info, balances and enough
info to perform charges/payments (e.g. ACH routing/account numbers). The API is
no-nonsense and they've got a decent dashboard.

It's a paid service, but they allow 100 accounts for free (you need to apply
though). To check what major banks they support, you can visit their
status page: [https://status.plaid.com/](https://status.plaid.com/)

------
nbap
Yeah, I've been doing this for a couple of months now. I just happen to use a
combination of Gmail filters, IFTTT actions to post to a webhook of a custom
app hosted for free at Heroku to parse and send to Google Spreadsheets. It's
been serving me well, definitely better than my bank's app.

~~~
win_ini
I'm sorry, I'm not sure I heard you right. Did you say you can build a custom
app but still use IFTTT?

Here's a link to [http://Zapier.com](http://Zapier.com)

~~~
driverdan
I downvoted you because you seem to be implying that programmers shouldn't use
IFTTT. There's nothing wrong with IFTTT if it meets your needs.

~~~
netsharc
Not original commenter, I used to use and like them, but at one point they
changed all URLs to use their shortener (I was using it to archive all links I
post on FB into an Evernote note). Great, they want to do more analytics and
they're making sure all URLs in content they're supposed to be just plumbing
will die with them, very customer friendly.

And then there's this:
[https://blog.pinboard.in/2016/03/my_heroic_and_lazy_stand_ag...](https://blog.pinboard.in/2016/03/my_heroic_and_lazy_stand_against_ifttt/)

------
poulsbohemian
I just spent 20 minutes reading about the fascinating case of Ellis vs. Grand
Rapids, as linked from the poster's site
([http://gduverger.com/ellis-v-city](http://gduverger.com/ellis-v-city)).
This was like a two-for-one deal, so thanks!

~~~
gduverger
Haha, thank you!

------
ccarse
OP, could you share the code for this?

~~~
nodesocket
Agree, open sourcing the e-mail parsing and pandas code would be amazing!

~~~
mail2vks
Agree. Upvoting need for open sourcing.

~~~
gduverger
I've been getting a good amount of requests for open sourcing it. It would
require a few hours of work but I might take the time one of those weekends.
Please feel free to send me an email (georges.duverger@gmail.com) if you'd
like me to keep you updated.

------
technofiend
I've had to do something similar when a bank decided that CSV history was
limited to a much shorter time period than PDF documents. Nothing a little
python-driven OCR can't handle. But it was stupid I had to employ such
measures in the first place.

------
heinrichf
Many banks do not actually include any information in the notifications,
because of the unencrypted nature of in-transit email. That is, "There has
been a debit on your account" instead of "There has been a debit of X$ from
merchant Y".
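
An added example, not part of the original thread, of an alert-email parser that copes with both notification styles quoted above and only trusts a message whose DKIM check was recorded as passing by your own mail server. The bank domain, the receiving server's name, the alert wording and the function names are all assumptions made for this sketch.

```python
import re
from decimal import Decimal
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this sketch (hypothetical, not from the thread):
BANK_DOMAIN = "alerts.bank.example"   # domain the bank signs its alerts with
MY_MX = "mx.mailhost.example"         # authserv-id of our own receiving server

# Constructed messages; the wording follows the two styles quoted above.
HEADERS_OK = (
    "Authentication-Results: mx.mailhost.example; dkim=pass "
    "header.d=alerts.bank.example\n"
    "From: Bank Alerts <no-reply@alerts.bank.example>\n"
    "Subject: Transaction alert\n\n"
)
DETAILED_BODY = (
    "There has been a debit of $23.45 from merchant COFFEE SHOP 12\n"
    "on your account ending in 1234.\n"
)
DETAILED = HEADERS_OK + DETAILED_BODY
GENERIC = HEADERS_OK + "There has been a debit on your account.\n"
# Our server recorded dkim=fail; the dkim=pass line carries another host's id.
UNVERIFIED = (
    "Authentication-Results: mx.mailhost.example; dkim=fail "
    "header.d=alerts.bank.example\n"
    "Authentication-Results: relay.other.example; dkim=pass "
    "header.d=alerts.bank.example\n"
    "From: Bank Alerts <no-reply@alerts.bank.example>\n"
    "Subject: Transaction alert\n\n"
) + DETAILED_BODY

ALERT_RE = re.compile(
    r"debit of \$(?P<amount>\d[\d,]*\.\d{2}) from merchant (?P<merchant>.+?) "
    r"on your account ending in (?P<last4>\d{4})"
)


def dkim_verified(msg):
    """True only if our own server recorded dkim=pass for the bank's domain."""
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, results = " ".join(value.split()).partition(";")
        if authserv.strip().lower() != MY_MX:
            continue  # header not written by our server: ignore it
        for clause in results.split(";"):
            tokens = clause.strip().lower().split()
            if tokens and tokens[0] == "dkim=pass" \
                    and f"header.d={BANK_DOMAIN}" in tokens:
                return True
    return False


def plain_text(msg):
    """Return the first text/plain part, whitespace-normalised."""
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            data = part.get_payload(decode=True)
            text = data.decode(part.get_content_charset() or "utf-8", "replace")
            return " ".join(text.split())
    return ""


def classify_alert(raw):
    """Return a dict whose status is 'rejected', 'no_details' or 'parsed'."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if sender != BANK_DOMAIN or not dkim_verified(msg):
        return {"status": "rejected"}
    match = ALERT_RE.search(plain_text(msg))
    if match is None:
        # Content-free notification: an event happened, nothing to record.
        return {"status": "no_details"}
    return {
        "status": "parsed",
        "amount": Decimal(match["amount"].replace(",", "")),
        "merchant": match["merchant"],
        "last4": match["last4"],
    }


if __name__ == "__main__":
    for name, raw in [("detailed", DETAILED), ("generic", GENERIC),
                      ("unverified", UNVERIFIED)]:
        print(name, classify_alert(raw))
```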

~~~
exegete
It'd be pretty neat to give a bank your public PGP key and then they could
send you encrypted emails with more details.

~~~
jsjohnst
For the 0.001% of banking customers who understand PGP, let alone who can set
it up. Yes, I’d love it too, but until PGP is more user friendly for the
masses, I wouldn’t hold my breath on any bank bothering.

~~~
exegete
Oh I agree. I think it will never happen. But as a data point, Facebook has
the option to add it:
[https://www.facebook.com/notes/protect-the-graph/securing-em...](https://www.facebook.com/notes/protect-the-graph/securing-email-communications-from-facebook/1611941762379302)

So, it's not too far fetched.

------
cjpa
So, he does not trust third-parties with his banking details, but uses a
third-party to send emails with a complete detail of his account to an
email-server (which might or might not be run by a third party). The logic is
lost on me.

~~~
Legogris
Furthermore, the e-mails are sent in clear-text and readable by any endpoint
on the way transporting the e-mail to its destination. It's akin to sending
your information back to yourself by post card rather than stored in a file
with a third-party.

~~~
gduverger
The alert emails do not contain “detail of [my] account,” only the last 4
digits of my account (for Chase). Even if someone were to intercept those
emails, they couldn't do much with them.

------
vonseel
Can you expand on unwanted transactions?

TBH, the only “unwanted” transactions I’ve found were indeed fraudulent, and
these have been immediately caught by BofA, VISA, and other financiers. I have
had problems with false positives, however.

~~~
chrismeller
People would normally call out fraud if that were the case, but it's certainly
possible that it's something the bank isn't aware of yet so their systems did
not catch.

In general I just assumed he meant things like "signed up for that trial and
forgot to cancel", "accidentally got charged twice", "tip amount was clearly
wrong"... Innocent things that happen from time to time, but clearly need to
be resolved.

~~~
gduverger
Exactly. By “unwanted,” I meant things like subscriptions I forgot I was
paying or (innocent?) merchant mistakes but that rarely happened.

------
joaoheleno
Are the bar charts generated with the pandas library? The ones in the report
received by mail... Took a peek at the documentation but all I see is graphic
based ones with plot functions. Thanks

~~~
gduverger
The bar charts are my own, not part of pandas. I wrote a little thing for it.
It's not very sophisticated right now but I've been thinking of packaging it a
little bit better and maybe sharing it.

------
timvisee
I'm so happy to be a bunq user (which is a Dutch bank), they provide a fully
featured and easy to work with API to do and build anything you want. Other
banks should follow.

------
patsplat
Email notification is a fantastic event notification tool for services that
don't / won't emit events or submit to callbacks.

It's the one pixel gif of systems integration.

------
cja
Bank Millennium is a normal Polish bank, with branches everywhere. Their
mobile app gives me an instant notification when transactions occur. They even
have an Android Wear app.

Irrelevant but also impressive: their app uses fingerprint login and whenever
I phone them they talk to me in English without me having to ask.

------
achandlerwhite
Look into OFX for pulling down account and transaction data. It’s the API that
TurboTax, Quicken, and others have used for years and you can use it too. It’s
a little outdated in its design and implementations are hit or miss on the
banking side. But for most large banks it works.

------
a-b
[https://wiki.gnucash.org/wiki/OFX_Direct_Connect_Bank_Settin...](https://wiki.gnucash.org/wiki/OFX_Direct_Connect_Bank_Settings)

------
Tharkun
My bank allows me to export my account statements in SWIFT MT 940 format,
which is pretty convenient. Sadly there's no easy/free way to automate this
process.

------
lgregg
I'm definitely going to check this out for my credit union.

------
RyanShook
This is cool. Will OP open source this so others can use it?

~~~
gduverger
I've been getting a good amount of requests for open sourcing it. It would
require a few hours of work but I might take the time one of those weekends.
Please feel free to send me an email (georges.duverger@gmail.com) if you'd
like me to keep you updated.

------
Splendor
I'm not sure I'd feel better about having every single transaction in email.
That doesn't seem any more secure to me.

~~~
packet_nerd
Concerning, but still much better than giving a third party your username and
password which could be used to initiate a transfer or something.

------
homero
Capital One just added OAuth with Mint and before that they had read-only
passwords

------
virusduck
AmEx sends notifications for any use of my card. It is really a great thing.

------
fleetside72
"please enter a value greater than 0" lol oh well

~~~
joezydeco
0.01 will work in most cases. I use this at Chase to push alert on every
transaction.

I suppose if my # is lifted and $0.01 is used as the test transaction it would
sneak by, but oh well.

