Hacker News new | past | comments | ask | show | jobs | submit login

Yes, but this is increasingly common in online services. Reputable services like Wealthfront also work like this, requiring your bank login to work. The fact that Plaid has their entire business built around providing “bank logins as a service” speaks to that.

I don’t like it either, but I’m not sure how you could get archaic banks and low-tech consumers to adopt something better.

I work at a bank that has a vendor that uses client credentials in order to html scrape their account pages. Most banks refuse to generate consumable methodologies for other financial services to use their data, so they go about it the hackiest way possible.

The bank has many reasons to specifically not provide that functionality. And if your value proposition as a company is to farm people's financial data for your own purposes, all I can say is tread carefully.

It won't take much in terms of negative outcomes generated by increased attack surface to make bank/financial regulations even more strict.

This practice is a clear violation of just about every bank I've seen's security policy. Normal practice would be to negotlate a data sharing of some sort, but that happening would be dependent on your company's ability to generate increased visibility for, or traffic to the bank.

Anyway, tread carefully

I don’t think it’s crazy for customers to be able to retrieve their own data.

I don't either. It is, however, crazy to expect a bank to tolerate you granting a third, unknown party access to their data systems by sharing your personal credentials with the third party.

Your business with the bank entitles you, and only you; barring certain exceptions at their discretion, access to that data.

They do this to minimize risk and culpability in the face of a large number of adversaries that could extract value from possession of data on your personal habits.

It isn't sexy, but that is just the way it works. I've banged my head against the financial industry looking for ways to improve it, but at the end of the day, a lot of the rules and restrictions they put in place actually do make a frustratingly good deal of sense.

Think about this.

Suppose you and 1000000 other people hand login credentials for financial service X to company Y.

Company Y is basically a shell company wrapping a money laundering operation. Your combined set of login credentials becomes an ideal way to wash money into the financial system until everyone else in the financial network catches on. Then that company disappears, and sets up under a different name.

This stuff happens; and even if only some people don't notice, that's all it takes.

In Europe they solve it with laws. PSD2 forces banks to become open, and allow others to make services on top.

*will solve it with laws.

I'm working with a fintech company in Germany at the moment that asks users for their internet banking credentials. Apparently it's quite common in Germany.

That's very strange. Here in Norway we have a unified login system for banks and state services that lets you set up the login with your own bank then any other service that needs you to log in will delegate the login process to your bank and never needs any of your details except for your personnummer (social security number in US/UK I suppose). Then your bank either asks for a code from a one time pad or sends a message to the sim card on your mobile and asks you to confirm with a pin code. It then tells the other entity that you are who you say you are and you are connected. It's called BankID. Beats me why practically everywhere else is so primitive.

(The UK equivalent of a social security number is a National Insurance number. But this is generally only used for tax, and not for authentication)

And few people know it by heart.

Finland has a similar unified login system. Probably common in the Nordics.

Yeah, I heard from a colleague (so anecdotal) that apparently it's because Germany in general is quite behind in terms of digital services, which in part is due to still very patchy broadband in large parts of the country.

Yep, same in Denmark. NemID. But it works with any bank, public service etc. The govt runs the IDP and any company or public institution that wants to utilize trusted user login will delegate authentification to the govt idp

Sofort? When it got introduced in Poland everyone was bewildered as it seemed to stupid to be true. But after some EU nagging banks that support advanced and secured interfaces must tolerate this abomination. Ah, and if you need a US visa you have to use it to pay for your application. Suspicious.

usually this is done using oauth

No, it's not.

We're taking about end-users utilizing a third party service to get some kind of visualisation for their Bank accounts.

While German banks have a standardized API (FinTS), the normal authentication details are still necessary in order to use it, so basically all third party services demand them for that.

The only place where oauth2 is used is for single sign on between services of the same company and maybe - very rarely - you also get social auth from Facebook or similar.

No bank I've ever seen ever provided a public oauth API with which you could fetch data.

I work on PSD2 implementation for a local bank. Will solve is correct, not many banks implement it yet (but "final" deadline is approaching). Also there are rate limits for PSD2 APIs. And also the extremely costly license, which means that there will have to be middlemen reselling PSD2 access.

Costly license? Tell me more, I had no idea there was supposed to be license fees involved.

Yeah, unless banks provide oAuth or APIs to get that information securely and easily revokable, I guess that's the best we have.

FAPI[0] should presumably be the way forward for Banks to do this, given the adoption actually happens at scale.

[0] https://openid.net/wg/fapi/

> I don’t like it either, but I’m not sure how you could get archaic banks and low-tech consumers to adopt something better.

Laws that require banks to provide APIs so that any other service, including other banks, can consume the user's banking data.

Wealthfront doesn't require it, though it is the method that's front-and-center. You can use ACH transfers.

Same with Mint or basically anything else.

and quovo. and yodlee was doing this 15 years ago.

Registration is open for Startup School 2019. Classes start July 22nd.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact