Hacker News new | past | comments | ask | show | jobs | submit login

> It would be an unusual TPP where the data never left the customer's device.

Why? The scenario you mention (providing an unified view of a person's multiple accounts & credit cards) can perfectly be done on the device itself and negates plenty of concerns regarding security, the need for a backend, etc. I personally made an app to display my balance & transactions on my Apple Watch. It's purely local and doesn't even have a backend. Yet, I can't actually launch it "by the rules" because I need to become an AISP even though I never come in contact with actual banking data.

> 3rd parties getting full banking creds for customers.

This is clearly a stop-gap solution until something better comes around, and frankly it isn't the worst solution if you trust the third-party. At least it becomes the user's choice whether to share credentials instead of the bank or some other entity deciding who can and can't have access based on potentially stupid or anti-competitive reasons.

Purely on a customer device would be extremely difficult as the OAuth keys for obtaining the consent would need to be stored on the device, which isn't a solution that scales past one user, from a security standpoint.

The problem of customer choice is that customers are very badly informed about the relative security of services, so there's a market for lemons. If the bank has no liability, that's possibly fine (although it could be argued the bank has some responsibility to advise the customer), but if the bank has any liability for issues resulting, then they get a say in the outcome.

Why wouldn't it be good from a security standpoint? How do social media clients do it then? As far as I know they do oAuth too and so hold the consumer key & consumer secrets inside the binary.

Leakage of the consumer secret/consumer key alone doesn't compromise security as you still need the access token and refresh token which are per-user.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact