
Well of course I won't use anything like that! I find it mind-boggling that people even consider giving a third party their bank account login+password. It's like saying "yes, I want to be robbed of all my money, please take these credentials and spread them forth to whichever leaked data pile they might end up in".

My bank considers transactions done using login credentials to be final. There is no recourse if someone steals your money.

Last year an iOS mail application called "Spark" (otherwise a great app) decided to quietly upload my login and password to their cloud servers so that their servers can access my mail for me. I dropped the app immediately (https://jan.rychter.com/enblog/spark-email-app-why-i-dont-us...).

This should not be considered acceptable. If you want to let users authorize external access to account data, use OAuth2.

Plaid doesn’t let you transfer any money through their API, just read data. If Plaid gets compromised and your username and pass get leaked and used then most (all?) will detect the location change and confirm via SMS.

Which bank implements OAuth?

Every bank in the EU will have to have it or near equivalent very soon under the EU’s Payment Services Directive 2 which mandates API based access to accounts.

Sandboxes are already available under reasonable terms for many banks in, for example, Ireland.

*edit, first word

Most of the Nordic countries in Europe do through an entity called Nordic API Gateway.

Monzo bank in the UK uses OAuth 2.0 for its API: https://docs.monzo.com/#authentication

(disclaimer: I work here)

You likely are just going through the token system, not putting your details directly into the application. Next to nothing works like that.

You can transfer money in your bank without a second factor check? (an SMS with a code for instance?)

All my accounts do that by default (France), except for pre-approved recipients.

Interesting... I use Spark but when I authorized my gmail account I went through a Google Oauth flow, never entered my password into Spark itself.

If you used any IMAP accounts (not from Google), you would need to enter the password. And Spark will quietly send it to "the cloud" and keep it there, with servers accessing your mail whenever they please. This is kind of mentioned in the Privacy Policy, but in a way that wasn't clear to me at all.

I found this unacceptable, so I can't use Spark, which I regret. I also lost trust for Readdle, so now, even though they make great apps, I am extra careful with handing them any sensitive information.

Storing the IMAP password is basically the same as storing the Gmail OAuth token in terms of access control, not sure why you think storing one is more evil or scarier than the other.

AFAIK Spark’s push notification service relies on checking for mail server-side (so that they don’t drain your battery with constant background refreshes, I suppose?), so I wouldn’t consider it sneaky.

Not sure, but I guess you can revoke an OAuth token and nothing changes for other apps (and you) on the Gmail/Google account side. On the other hand, if you have to change password...
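The access-control difference the two replies above disagree about, as an added illustration that is not part of this thread: a toy account model (all names and values constructed) in which a shared password grants every action to whoever holds it until it is rotated, whereas per-client scoped tokens can be revoked one at a time without affecting the others.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    """Constructed account model: one shared password plus per-client,
    OAuth-style tokens, each carrying its own set of scopes."""
    password: str
    tokens: dict = field(default_factory=dict)  # token -> (client, scopes)

    def grant_token(self, client: str, scopes: set) -> str:
        token = secrets.token_urlsafe(16)
        self.tokens[token] = (client, frozenset(scopes))
        return token

    def revoke_token(self, token: str) -> None:
        # Only this client loses access; every other token keeps working.
        self.tokens.pop(token, None)

    def rotate_password(self, new_password: str) -> None:
        # Invalidates every client that stored the old password,
        # but leaves the scoped tokens untouched.
        self.password = new_password

    def check(self, credential: str, action: str) -> bool:
        """True if `credential` may perform `action` ('read' or 'transfer')."""
        if credential == self.password:
            return True  # a password is all-or-nothing: any action allowed
        entry = self.tokens.get(credential)
        return entry is not None and action in entry[1]


def demo() -> dict:
    acct = Account(password="hunter2")  # constructed value
    mail_app = acct.grant_token("mail-app", {"read"})
    budget_app = acct.grant_token("budget-app", {"read"})
    results = {
        "password_can_transfer": acct.check("hunter2", "transfer"),
        "token_can_transfer": acct.check(mail_app, "transfer"),
        "token_can_read": acct.check(mail_app, "read"),
    }
    acct.revoke_token(mail_app)
    results["revoked_app_read"] = acct.check(mail_app, "read")
    results["other_app_read"] = acct.check(budget_app, "read")
    acct.rotate_password("correct-horse")  # constructed value
    results["old_password_after_rotate"] = acct.check("hunter2", "read")
    results["token_after_rotate"] = acct.check(budget_app, "read")
    return results
```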
