60 comments

[ 2.8 ms ] story [ 116 ms ] thread
Fuck it, I am going to build an open source project with the sole goal of automating access to all of these sites with selenium or something.

Get ready for war(in the nice, data science-y way)

That's what these "finance sites" already do. That's why you have to enter your bank username and password to use them - they just scrape the website.

Incidentally, I have never used one, because that requirement is completely insane.

I think the point was so that the banks couldn't block access via ip address. Each person would be able to aggregate their bank info on their home computer or they could secure their own server to do it for them constantly.
I would use that in a heartbeat. Just wanted to point out that it the incumbents' approach as well, rather than some actual API which banks decided to discontinue.
Not my area of expertise, but isn't it fairly trivial to circumvent an IP address block, (given a willingness to devote some resources to it)?
Yes. But that sounds like a great way to get sued.
Why is that insane? It's inelegant, but it's not functionally different than having an API and a system for registering API keys. Either you trust the aggregator or you don't; if you don't you shouldn't give them access to your data either way. If they do something they shouldn't with your data, they'll be ruined if it becomes public.

(Of course there's a huge gray area of things they could do that you wouldn't like, but that would't ruin them. But there's a clear difference between questionable things, like selling your data to advertisers, and completely not-ok things, like stealing your money).

> Why is that insane? It's inelegant, but it's not functionally different than having an API and a system for registering API keys.

Because there is such thing as a read-only API. But logging into the banking site as a customer permits the aggregator to take actions as the customer, like wire transfers--which are not reversible, and not typically covered by fraud protection.

Sure, I might trust Mint not to do that, but what if Mint gets hacked? By definition, Mint can access my bank creds in plain text, since it must paste them into my bank's website. That is worse security than even my own bank's website, which undoubtedly stores only the hash of my password.

My bank is not going to indemnify me for fraud caused by Mint's security problems. Bank agreements usually say "don't share your account creds," so if you do, and then lose your money, the bank is not likely to make you whole.

> but it's not functionally different than having an API and a system for registering API keys

No, it's completely different. The entire point of keys is avoid having to store credentials, it has nothing to do with permissioning. In the case of Mint etc., they have to store credentials because there is no token/key system being provided from the banks (ie: oAuth). In the case of something like oAuth creds are never sent to the 3rd party.

And the ironic part of this is if they banks simply provided something like oAuth then they would have MUCH more control over who they worked with and have an easier time managing 3rd party data.

If you're serious about this, let me know. I've been thinking about doing the same for some time now. How would you solve for accounts with 2-factor auth enabled?
Wesabe was a competitor to Mint that did tons of scraping, including having a browser extension that did the scraping client side.

They've open sourced much of their code. Take a look at https://github.com/wesabe/ssu and the other projects in that organization.

I'm with BoA and have a mint account. This happened months ago. I pretty much knew what was going on, but didn't pursue the matter. I was always a little leery about letting mint into my account anyway.
I don't use the aggregators because I want to, and they don't use my passwords and screen scrape because they want to. I just can't have being aware of my finances take all fucking day.

I wish there was a standard and secure format and protocol for collecting balances and transactions built into the FDIC or NCUA rules or something.

For a secure protocol just use HTTPS. Secure formats don't really exist for data interconnects, since you'd have to send across enough information to decrypt it, and now we're in the "security through obscurity" territory.

It might sound horrifying but JSON or CSV over HTTPS is the most likely to work and the least work for financial institutions to implement (thus giving them less ammo to fight it on cost grounds).

Services interconnecting is largely a solved problem in general. Banks might have needed better security historically, but these days these services are all fairly secure, so there isn't much bar raising that needed. Heck Apple Pay is basically this system.

Why don't banks implement read-only passwords?
Wells Fargo has this via "guest users". I have a read-only user that mint uses
(comment deleted)
1. Some do.

2. Some are trying to provide their own convenience systems as a competitive advantage over other banks, and to create costs for people switching out from them to a different bank. Supporting any method of aggregation where the bank becomes a dumb store of a money is disadvantageous to that strategy.

USAA does, but it's not implemented as simply as app passwords. There are two major issues with aggregators: 1) authentication and 2) data access mechanism. A read-only app password would solve #1, but aggregators commonly implement #2 by screen-scraping, which is the bane of everyone's existence. I wouldn't be surprised if half of the reason BoA cut off aggregator access was because most of the aggregators were screen-scraping, and BoA got tired of the support calls whenever they made a site change and people's accounts stopped syncing.

Last I heard (um, a couple of years ago), USAA's solution was a proper API, but Mint was still screen-scraping. I have no idea if that's because Mint is lazy or USAA'S API is too limited for what they want, but my money would be on the former.

The US banking system has not adapted to the modern world at all. Anyone who has worked with ACH will tell you how bad it is from a payment processing point of view - for those who don't know - you only receive negative ack, i.e., when a transfer failed and it's nowhere close to being instantaneous. It's common elsewhere to have a "read" password and a "write" password. Basically, you'll be prompted with additional security measures when you are doing a transfer. Also, the details I give out to somebody to receive money is the same details someone needs to take money out from my account. What the US banks have is a "digital" cheque processing system and not a digital banking system.

It's antiquated.

The good thing is that there are efforts to improve ACH. For example the UK already has "Faster Payments"[0]. In the US the Federal Reserve has a task force[1] going to implement fast pay. Sadly it will be a while before the US gets it as they are still in the planning stages for the system. The completed spec is expected by the end of 2016, so we probably won't see it implemented until 2018.

To add, the US is so complicated because we have so many friggin banks. Many countries there are only a few banks the service the nation, while the US has something like 14,000 different banks.

[0] https://en.wikipedia.org/wiki/Faster_Payments_Service

[1] https://fedpaymentsimprovement.org/get-involved/faster-payme...

They'll never disclose what the security issue is, I assume?
More people knowing a password is never going to be better security though is it? That said, if you're trying to beat a competitor and you are doing it like this, you're not doing well.
I suspect they mean that handing out your password is a security issue. It's not like these sites are new, though, so I don't trust that "security" is the main motivator.
(Mins involved over 6 months logging into 8 different banking websites/apps) > (Mins for me to just move my money to a bank that supports aggregators)

The banks' ship has sailed on the presentation front. They need to concentrate on strong read APIs and novel ways for authentication.

My credit union has an article on their FAQ on how to connect to mint :)
There are solutions out there that the banks could use to allow their customers to have programatic access to their transactions (i.e. an API). OAuth 1.x and 2.0 both have ways to provide access to your data without you having to turn your password over to an aggregator (i.e. Mint). Banks have no incentive to evolve, the barrier to entry is so large (regulatory barriers) that there are not startup banks who could truly show the world what is possible.
> Banks said they are within their rights to block or slow customers' access to their own financial data.

I find this mindset incredibly disturbing

Reminiscent of taxi companies vs ridesharing companies. Trying to fight/shut down these services vs working with them (or even developing your own competing solutions) didn't end well for taxis.
(comment deleted)
BoA used to have its own aggregator, have they removed it?
I stopped using mint a while ago since there was no way to get it to work with my Bank's two factor authentication. read only password would make things a lot easier.
This leads to an opening for either a challenger to Mint that has better relationships with the banks, a bank with a better UI than the existing banks, or a bank that explicitly supports Mint.

The existing banks burying their heads in the sand when there is obvious consumer demand makes the area much more ripe for a new entrant. I'm not sure how it will play out, but I would consider switching banks in order to have a better UI on my money. Supporting something like Mint or Personal Capital is basically a requirement for me to put my money in your bank.

Note that I'm not even particularly happy with Mint, I just can't imagine not having some form of aggregation of my financial life. I probably check it at least 1-2x a week and have been for 5+ years, it's a critical piece of software for me.

Is this just for bank accounts (checking / savings)? I have a credit card account with BoA, and Mint isn't having any problems accessing it.
Banks have been purposefully limiting customers' view of electronic data for years, first by eliminating running balances about 10 years ago and then by limiting online data to 90 days. They do this because confused customers are more likely to pay fees such as overdraft fees, which is where retail banks make most of their money.

Mint complied with the banks' demand to not display running balances but they do display data going back indefinitely in time.

What Mint has shown the banks is how valuable the data is to advertisers. The data is so valuable that Intuit is shutting down their popular $50/year semi-subscription Quicken software in favor of advertising to people via Mint.

In an ideal world a government regulator would step in and ensure data access and privacy. But we do not live in a very ideal world.

> In an ideal world a government regulator would step in and ensure data access and privacy.

No, in an ideal world there would be much more competition between banks, forcing them to offer better services in order to keep their customers.

Given that I think everyone here wants banks to give us better data access and privacy, why is the more-competition ideal world better than the government-regulation ideal world in this specific regard?
A while ago I had to look up something about a 4 year old transaction. The bank had the data but for whatever reason would fight tooth and nail not to give it to me.
I've noticed and been frustrated by that at two different banks. I always assumed it was because banks were hostile to technology and saw their online banking operations as a cost center, a box to be ticked by the cheapest third-world outsourcing firm, without regard for UX. That + 60-year-old mainframes is not a recipe for good software.

I recently switched to a university credit union. It's generally less internet-friendly (no mobile app, let alone photo check deposit). But unlike M&I, Harris (when it bought M&I), or Citi, my credit union shows every transaction through account creation, with running balances, on a single lightweight HTML page.

Any source on Mint and the banks colluding to not show running balances? I don't doubt you, but I'd love to be able to tell people about it.

I'll never go back to a big bank for checking, but I'm still lining their pockets for credit card interchange fees. CapitalOne's 1.5% back is pretty hard to beat.

I wonder when people do realize that data about themselves is really valuable and stop giving it away for free or cheap and making themselves products that are traded like slaves without anybody asking their permission.

What do you have to hide? Everything.

We're on Wells Fargo who are also doing this.

Does anyone have an alternative banking solution? We aren't eligible for USAA. I'd love to keep local free ATM withdrawals, and I have no idea how depositing cash works for online only financial services.

In the case of my online only bank, you just can't deposit cash. This is only a small nuisance for me, though, as the only instance I receive cash anymore is when selling things on Craigslist.
EDIT: This is all wrong: I think USAA checking and other financial services are open to most people now, not just military and relatives of current members. Insurance and perhaps retirement accounts, I think, are all that are still restricted.

This either used to be true and its switched back, or they were discussing it and decided not to implement it. Sorry for the mistake.

Also, yeah, as my sibling reply says, you can't deposit cash easily. I think you can technically mail it, but I would never do that. I used to get paid rent by a roommate in cash, it was a few hundred a month. I'd just pay for my meals and groceries with it instead of depositing it.

When you try and open a USAA Checking account, they ask you for your military affiliation, if you say none they say:

> Sorry, we can't open this account for you.

> USAA Bank products are only available to military members, veterans who have honorably served and their eligible family members.

People keep saying USAA opened up the door to everyone, but their website says nothing like that.

Yeah, I tried to make a new account and saw the same message, that's why I edited it. A google search revealed a Reddit post from 2013 of people discussing it. Apparently that's when they closed it to non-military affiliated folks.
Oh sorry, I read your edit backwards.
No worries. I haven't been the best communicator this week.
(comment deleted)
> Does anyone have an alternative banking solution? We aren't eligible for USAA.

USAA is a big credit union with national visibility but restrictive membership, but they aren't the only credit union, and credit unions generally are customer-friendlier (since their customers are also their owners); you may want to research local credit unions, most of which now have more open membership than USAA.

Wait a minute. From ITS data? From Bank of America's data? I think they mean from the customer's data. Data that the customer specifically authorized these services to access.
The way it works here in the US is that data belongs to the bank and not the customer.
Couldn't banks and aggregators just implement OAuth, so the aggregator gets just the level of access they need, and you never have to give them your password?
Can someone recommend a bank with accounts for small businesses that is unlikely to do this in the future? I'm on BofA now and refuse to hand reconcile transactions in 2015!
The solution is to stop using institutions like BoA and Chase that actively fight against your interests. Let your money talk.
The crazy thing is that this problem has been solved a long time ago. MS Money had the ability to download from different banks and then you had all the data on your hard disk. Worked like a charm ,but as it seems to be the trend these days with things that worked well, MS abandoned it.

Mint is so primitive in comparison.