Hacker News new | past | comments | ask | show | jobs | submit login

Why is it a sham? TPPs (who are either AISPs and/or PISPs) process banking information for customers of participating banks. A TPP will typically provide some kind of service like a unified view of customer finances, and as part of that they're processing customer banking info.

It would be an unusual TPP where the data never left the customer's device. Usually there'll be a web service/web app provided by the TPP and the communications will be between the customer and the TPP and then the TPP and the bank (a.k.a ASPSP)

Whilst it's not perfect, it's a hell of a lot better, from a security perspective, than 3rd parties getting full banking creds for customers.

> It would be an unusual TPP where the data never left the customer's device.

Why? The scenario you mention (providing an unified view of a person's multiple accounts & credit cards) can perfectly be done on the device itself and negates plenty of concerns regarding security, the need for a backend, etc. I personally made an app to display my balance & transactions on my Apple Watch. It's purely local and doesn't even have a backend. Yet, I can't actually launch it "by the rules" because I need to become an AISP even though I never come in contact with actual banking data.

> 3rd parties getting full banking creds for customers.

This is clearly a stop-gap solution until something better comes around, and frankly it isn't the worst solution if you trust the third-party. At least it becomes the user's choice whether to share credentials instead of the bank or some other entity deciding who can and can't have access based on potentially stupid or anti-competitive reasons.

Purely on a customer device would be extremely difficult as the OAuth keys for obtaining the consent would need to be stored on the device, which isn't a solution that scales past one user, from a security standpoint.

The problem of customer choice is that customers are very badly informed about the relative security of services, so there's a market for lemons. If the bank has no liability, that's possibly fine (although it could be argued the bank has some responsibility to advise the customer), but if the bank has any liability for issues resulting, then they get a say in the outcome.

Why wouldn't it be good from a security standpoint? How do social media clients do it then? As far as I know they do oAuth too and so hold the consumer key & consumer secrets inside the binary.

Leakage of the consumer secret/consumer key alone doesn't compromise security as you still need the access token and refresh token which are per-user.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact