WebApp Sec mailing list archives

Re: online bill payment using OFX or similar?


From: Lluis Mora <llmora () sentryware com>
Date: Mon, 20 Sep 2004 13:46:54 +0200

Hi Ido,

Although I have no experience with the BoA service, I can speak for what banks in Spain currently use in order to provide a similar service. These services are called "Account Aggregators" and work as an intermediary between the customer and their separate bank accounts. When you sign up you give the "Aggregator" your various bank account details, e.g.:

- Account number/Online banking login
- PIN/Online banking password

After that, when you log in to the Aggregator service, you are shown balances of the accounts you have with different banks, you can transfer funds, etc.

The way the Aggregator obtains the financial data is by logging in to the different online banking services "behind the scenes", screen-scraping the balance (or retrieving the OFX description) or transfer screens, then summarizing this information back to the customer through the Aggregator service. One could say they work as a "proxy" for the customer.

Obviously, banks are not willing to share the account balances of their customers (or how they manage their funds), so there usually is no agreement between the Aggregator and the different banks - thus the only way for the Aggregators to access the customer data is by screen-scraping it.

From my point of view, there are severe security implications to this process, which usually affect the customer. By giving a third party (the Aggregator) the access codes to your account you are probably breaching your contract with the bank - who is to blame if suddenly some money disappears from your account?

Also, can you trust the Aggregator? Although they may say that your access codes are "encrypted", they need the actual codes to access the bank web application on your behalf - so they need to be able to retrieve them in an automated fashion. The aggregator stores all your access information for separate banks, a very juicy jackpot for a malicious attacker.

Leaving aside the procedure they use to harvest the data - screen-scraping is not an exact science and the information relayed to the customer cannot be accurate. There is usually a struggle between the bank and the Aggregator to make it more difficult to aggregate pages (the bank introduces changes to the application to break the aggregator robot, such as randomly introduced tags, converting balances to images, etc. - whilst the Aggregator modifies the robot to handle random tags, parse javascript or OCR images). Somewhat similar to the fight between web service providers and automated registration services - e.g. the hard-to-OCR image which Yahoo asks you to interpret before you sign up.

The hard-to-OCR image seems not to be a solution for online banking (too complex for customers, who can change to a different bank), although here in Spain the trend is to move to stronger authentication than just username/passwords to discourage the use of intermediate services (e.g. public key cryptography; using a token on the user side makes it impossible to use an Aggregator service - you cannot send them your private key).

Now, that is for Spanish banks - maybe in other countries they are willing to exchange customer balance information, although I think that greed understands no frontiers :)

Cheers,

Lluis
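The contrast Lluis draws between shared passwords and a private key held on a customer token can be shown concretely. The following Go program is an added example, not code from this thread or from any bank or aggregator: it models a toy bank that accepts either a password or an Ed25519 signature over a fresh, single-use challenge, then plays out a constructed customer and a constructed aggregator. The user name, password and keys are all made up for the example, and the plain SHA-256 password verifier stands in for a real slow KDF. The outcome is that whoever holds the password logs in (so the aggregator must keep it in recoverable form), while with key-based authentication the aggregator cannot log in even when told the user name and public key, and a captured signature cannot be replayed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// Bank models the server side of two login schemes: a shared password, and a
// challenge signed by a private key that never leaves the customer's token.
type Bank struct {
	passwordHashes map[string][32]byte          // user -> SHA-256(password), a toy verifier
	publicKeys     map[string]ed25519.PublicKey // user -> registered public key
	challenges     map[string]bool              // outstanding single-use challenges (hex)
}

func NewBank() *Bank {
	return &Bank{
		passwordHashes: map[string][32]byte{},
		publicKeys:     map[string]ed25519.PublicKey{},
		challenges:     map[string]bool{},
	}
}

// RegisterPassword stores only a hash; the bank never needs the plaintext again.
func (b *Bank) RegisterPassword(user, password string) {
	b.passwordHashes[user] = sha256.Sum256([]byte(password))
}

// LoginWithPassword succeeds for anyone who knows the password, customer or
// aggregator alike: the secret itself is what gets delegated.
func (b *Bank) LoginWithPassword(user, password string) bool {
	stored, ok := b.passwordHashes[user]
	if !ok {
		return false
	}
	got := sha256.Sum256([]byte(password))
	return subtle.ConstantTimeCompare(stored[:], got[:]) == 1
}

// RegisterKey stores the public half of the customer's key pair.
func (b *Bank) RegisterKey(user string, pub ed25519.PublicKey) { b.publicKeys[user] = pub }

// Challenge issues 32 random bytes, valid for exactly one login attempt.
func (b *Bank) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	b.challenges[hex.EncodeToString(c)] = true
	return c, nil
}

// LoginWithSignature accepts the login only for an issued, unused challenge
// carrying a valid signature from the user's registered key.
func (b *Bank) LoginWithSignature(user string, challenge, sig []byte) bool {
	key := hex.EncodeToString(challenge)
	if !b.challenges[key] {
		return false // unknown or already consumed challenge: replay rejected
	}
	delete(b.challenges, key)
	pub, ok := b.publicKeys[user]
	return ok && ed25519.Verify(pub, challenge, sig)
}

// Outcome records who managed to log in under each scheme.
type Outcome struct {
	AggregatorWithPassword bool // aggregator holding the shared password
	AggregatorWithKeyAuth  bool // aggregator holding user name + public key only
	CustomerWithKeyAuth    bool // customer whose token holds the private key
	ReplayedSignature      bool // captured signature presented a second time
}

// RunScenario plays out the delegation question with constructed parties;
// the user name, password and keys below are made up for this example.
func RunScenario() (Outcome, error) {
	var out Outcome
	bank := NewBank()

	// Scheme 1: shared password, as in the aggregator model from the thread.
	bank.RegisterPassword("customer-123", "correct horse battery staple")
	out.AggregatorWithPassword = bank.LoginWithPassword("customer-123", "correct horse battery staple")

	// Scheme 2: key on a token. The aggregator may learn the user name and the
	// public key, but the private key stays with the customer.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return out, err
	}
	bank.RegisterKey("customer-123", pub)
	_, aggPriv, err := ed25519.GenerateKey(rand.Reader) // the only key the aggregator has
	if err != nil {
		return out, err
	}
	ch, err := bank.Challenge()
	if err != nil {
		return out, err
	}
	out.AggregatorWithKeyAuth = bank.LoginWithSignature("customer-123", ch, ed25519.Sign(aggPriv, ch))

	ch, err = bank.Challenge()
	if err != nil {
		return out, err
	}
	sig := ed25519.Sign(priv, ch) // the customer's token answers the challenge
	out.CustomerWithKeyAuth = bank.LoginWithSignature("customer-123", ch, sig)
	out.ReplayedSignature = bank.LoginWithSignature("customer-123", ch, sig)
	return out, nil
}

func main() {
	out, err := RunScenario()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("%+v\n", out)
}
```

The single-use challenge map is what prevents an aggregator (or anyone on the path) from reusing a signature it has seen; a real deployment would also bind the challenge to the session and expire it, which the toy omits.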

Ido Rosen wrote:
Hi folks,
  This may be a tad off-topic, but since I know there are a few people
reading this list that are employed by financial institutions, I thought
I might as well ask it here:

  I'm curious how services like Fleet's (BoA) "Universal Link" work. I'd
like to make my own "universal link" program that checks all of my bills
with various vendors and merchants and companies and displays them to me
or outputs them in OFX format, but I've no clue where to start. If
anyone is familiar with Fleet's UL or similar services and has some
insight, please share! :)

Ido

