The actual secret API of banks-and by the way this is the initial strategy Plaid pursed if rumor is to be believed (essentially without the consent of the banks)-is by reverse engineering mobile app APIs. Most of these bank APIs try to use cheesy secret token vending to prevent casual API traffic on their endpoints, but the reality is that a sufficiently instrumented Android kernel (or rooted iOS device) will let you reverse engineer those protocols and masquerade as legitimate users.
Why don't banks sell API access at a rate s/similar/lower than Google Maps API access? This is starting to feel like music and video piracy all over again.
Because the value is in not being commodified. Not giving API access is worth more than charging for it.
If all of your credit lines, checking, savings, and investment accounts were an API call away, the institutions providing those no longer build relationships that can be profitable; they're simply utilities you could swap out interchangeably. As such, they're not a fan of this idea.
In crime we call it “organised” crime. I’m banking it’s just “doing business”. Maybe we should make this kind of invention of value out of thin air illegal?
Because they know they can't compete on a technical level with Amazons and Google's even dumping a billion dollars into tech growth, and disintermediation is a fast road to becoming a utility.
That rumor sounds far from plausible though. If they were to attempt to use the reverse-engineered API from their own servers without consent, banks would find out (in a matter of hours) and shut them down when they discover a huge spike in traffic from a relatively small pool of IPs. If they were to access it directly from customers' phone/browser via their (web-)apps, I expect that it would've caused a huge media storm by now when someone finds out they are storing/transmitting the password in plaintext (or its equivalent) to be used for authentication.
As for this instance specifically, I believe Chase grants Mint (and few other whitelisted companies) account access via OAuth. It's a step in the right direction, although it's not clear to me what their long term goal is.
Hi, I founded Level Money, was one of Intuit's earliest aggcat customers and one of their last customers, and did this for a lot of people until Capital One bought my company and we did it for them.
AMA, I guess.
But to answer the implicit question: shutting that off can be harder than it sounds. And because it's a mobile API and iOS's store has fairly slow update cycles, it can be very hard to simply rotate your API spec fast enough without interrupting customer service: a difficult thing for a bank to get away with (lol, I'm joking they're down all the time).
You've just banned every client coming from a workplace with a private network, every client on a commercial VPN service, and every client using Starbucks wifi.
Enjoy your customer service costs. On the plus side, bank have really good customer retention once they capture a customer.
Doubt over 5 people log in to a single bank from most starbucks over a 24 hour period.
If it's a big enough bank, the threshold should be higher. But they can easily pull the data and set a threshold that cuts off only the peak of the distribution
You'd certainly better hope so. A national bank going down is national news. You're gonna end up sending some muckety muck out to the press to bob their heads and apologize. They'd don't take kindly to that.
My prior investigations suggest that this strategy is ineffective. You suss out a ratelimit then pick a CSP and start spawning instances. Bonus points if it's a CSP that has a contract with that bank, they'll be petrified to try blocking you. Even well run consumer orgs can get tripped up with that.
But you're also suggesting that banks can use that data in that way or that that the relevant parties had the necessary capability at the time in question. Both are propositions you can make your own judgement on.
Here's another question: what happens when customers complain that you're cutting off their aggregtion service? You have your customer service reps say, "Sorry we locked you out of getting your own data?" Sounds like if you do that enough we have another press row. Thank goodness the CFPB was gutted, they loved 3rd party resale-to-consumer aggregtion services.
My belief is that organizations that can be gamed as easily as you describe have less than 1 fulltime person dedicated to preventing scraping. Or equivalently, 1 fulltime person should be sufficient to make it difficult to scrape at scale.
What do you think of the canary account I suggested?
> What do you think of the canary account I suggested?
I don't know how such a canary account would ever end up as a target for financial aggregation. It'd probably be a lawsuit from the aggregator for TOS violation if it was a sting operation.
They better be tracking logins or how do they investigate fraud? If they don't have a database of every login tied to an IP, I would assert they're negligent with regard to blocking fraud.
A lot of the measures taken to prevent fraud also block proxies and the like.
Re customer service: they say "here's how you can download your statements in pdf format", or for many banks in quickbooks/excel/etc format as well
I don't know how many of them had mandatory 2FA then, but I think many more have now. It would be far less risky to invalidate cookies on those high-volume IPs and force a new 2FA validation. Then legitimate users could reverify.
> They better be tracking logins or how do they investigate fraud? If they don't have a database of every login tied to an IP, I would assert they're negligent with regard to blocking fraud.
Look there are limits to what I'm able to talk about, but consider that a fraud subsystem functioning in transaction-time is running much more slowly than something running in request time.
> A lot of the measures taken to prevent fraud also block proxies and the like.
When was the last time you couldn't use your banking website over a proxy? Only a few mobile apps actually make the decision to do this (mine did) and it's not popular.
> I don't know how many of them had mandatory 2FA then, but I think many more have now.
Which national bank has mandatory 2fa? Not that this would matter. We dealt with 2FA at level via Intuit, that wasn't great at it. Plaid got incredibly good at it. It became pedestrian when we experimented with Plaid.
>Look there are limits to what I'm able to talk about, but consider that a fraud subsystem functioning in transaction-time is running much more slowly than something running in request time.
I was suggesting checking one day snapshots of access counts by IP to see what the distribution looks like to then determine what to block.
2fa: I know that chase asks me for 2fa every time I change IP, and I don't think there's a way to stop that. Should be easy for them to require 2fa on every login for any IP with a high rate of requests.
If it's in the binary Simple ships I can take it or modify it to not need it. It's a huge pain in the ass, but it's not "hard."
And while I know I did a cert pin and you did a cert pin, not everyone does it (or does it bidirectionally). Nor is that the only way folks would get an API spec.
