
Wait till you guys see what sjtgraham has been up to

EDIT: teller.io

He's had to do impossible things to make it




As isomorph says, I've built a fully transactional API that works with existing major banks. We currently have a closed beta supporting banks in the RBS group (RBS, Natwest, Ulster, IOM) and we'll be adding Barclays and HSBC next.

http://teller.io/


What prevents you from emptying my account if I use your service?


Looks like just their honour, unfortunately. If banks provided first-party support, rather than forcing people to reverse engineer mobile phone app APIs, we might see safer implementations.


Have the banks provided you with a private API or are you doing everything by scraping the web UI?


Neither. We cracked their mobile apps to reverse engineer their private mobile app APIs, and then implemented our own clients for those APIs. To the bank Teller looks like one of their own mobile apps.


So you're building a service on top of undocumented and private APIs? They could shut you down in an instant - no?


No. There are a number of things that stop them doing this practically:

- Making breaking changes to their APIs breaks all in-flight clients. This is poor UX for their regular customers if their first party app stops working every week.

- App store approval time is a choke point

- Internal change control is another choke point

- I can find what's changed and deploy a fix in no time.


What if they block the IPs you use to power the API? Furthermore, using some simple heuristics it should be easy to fingerprint your API and automate the blocking. E.g. a normal user is unlikely to cycle IPs between requests. Your API might.
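
The heuristic described in the comment above, sketched from the bank's detection side as an added example that is not part of the original thread. The log format, session identifiers, addresses and thresholds are all constructed assumptions; a single slow IP change (such as Wi-Fi to cellular) is tolerated, while repeated rapid changes within one session are flagged.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample access log: ISO timestamp, session id, source IP, path.
SAMPLE_LOG = """\
2015-06-01T10:00:00 sess-a 198.51.100.7 /accounts
2015-06-01T10:00:05 sess-a 198.51.100.7 /transactions
2015-06-01T10:04:10 sess-a 203.0.113.20 /transactions
2015-06-01T10:04:30 sess-a 203.0.113.20 /balance
2015-06-01T10:00:01 sess-b 192.0.2.10 /accounts
2015-06-01T10:00:02 sess-b 192.0.2.77 /transactions
2015-06-01T10:00:03 sess-b 198.51.100.90 /balance
2015-06-01T10:00:04 sess-b 203.0.113.5 /transactions
2015-06-01T10:00:09 sess-c 192.0.2.44 /accounts
"""


def parse(log_text):
    """Group (timestamp, ip) pairs by session id, ordered by time."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        ts, sess, ip, _path = parts
        sessions[sess].append((datetime.fromisoformat(ts), ip))
    for events in sessions.values():
        events.sort()
    return sessions


def ip_cycling_sessions(log_text, min_switches=2, max_gap_seconds=60):
    """Return {session: rapid_switch_count} for sessions that change source IP
    between consecutive requests at least min_switches times, counting only
    changes that happen within max_gap_seconds of the previous request."""
    flagged = {}
    for sess, events in parse(log_text).items():
        switches = 0
        # Sessions with a single request yield no pairs and are never flagged.
        for (t0, ip0), (t1, ip1) in zip(events, events[1:]):
            if ip0 != ip1 and (t1 - t0).total_seconds() <= max_gap_seconds:
                switches += 1
        if switches >= min_switches:
            flagged[sess] = switches
    return flagged


if __name__ == "__main__":
    print(ip_cycling_sessions(SAMPLE_LOG))
```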


What are you going to do when you start getting C&D letters?


Buy some nice frames and put them on the wall.


I've thought about doing this (and sort of started) but for a separate industry. This is going to prove challenging legally, no?


What I've done is actually completely legal and specifically protected by the law in the EU.


This is exactly what Tink app have done and they have been in operation for the past 3 years. Legally you're using publicly available endpoints, so even if they did block your IPs, spin that docker image up on a new host ;)


This is a sign of how bad and far behind the bank technology stack has become. They are all fighting to stay relevant by keeping others out. But technologists are finding loopholes around their stack.


How are you handling the problem of banks revoking customers' online fraud guarantees if they make use of 3rd party services to make transactions?

From what I saw of the aggregation sites that pulled details from UK banks in the past, this was a major stumbling block...


This is incredibly exciting! I got myself on the waiting list, looking forward to trying it out!


I was a user of Egg Money Manager. This site from the (now gone) UK bank presented all of your bank accounts, loans and credit card balances in a single place.

A clever way to avoid them handling any of your bank account details, they used a Java applet that stored your creds locally, interacting with their site so as to appear 'on the web'. Actually a great solution vs. giving your banking creds to a third party.

Encouraging that teller.io seems to be architected similarly. Would love to hear more.



