[Kmymoney-devel] libOFX question (relates to recent OFX failures with Chase credit card downloads)

Michael Wolfe wolfemi1 at gmail.com
Thu Dec 10 14:43:26 UTC 2015


I just saw a request for the OFX data that Chase sends; here is a copy 
of the response I got from Chase after trying (and failing) to download 
OFX data:

response:
OFXHEADER:100
DATA:OFXSGML
VERSION:102
SECURITY:NONE
ENCODING:USASCII
CHARSET:1252
COMPRESSION:NONE
OLDFILEUID:NONE
NEWFILEUID:20151210083844.000

<OFX><SIGNONMSGSRSV1><SONRS><STATUS><CODE>15510<SEVERITY>ERROR<MESSAGE>Please 
verify your identity within the next 7 days. Using your desktop 
computer, go to your bank’s website and visit the Secure Message Center 
for 
instructions.</STATUS><DTSERVER>20151210093848.702[-5:EST]<LANGUAGE>ENG<FI><ORG>B1<FID>10898</FI></SONRS></SIGNONMSGSRSV1><CREDITCARDMSGSRSV1><CCSTMTTRNRS><TRNUID>20151210083844.000<STATUS><CODE>15500<SEVERITY>ERROR</STATUS><CLTCOOKIE>1</CCSTMTTRNRS></CREDITCARDMSGSRSV1></OFX>
Completed

Grabbed from the 'ofxlog.txt' file.

-Mike


On 12/10/2015 8:20 AM, Michael Wolfe wrote:
> As a side note, I am also having this problem; I wasn't aware that 
> there was something Chase was expecting KMyMoney to send back.
>
> If anyone needs testing for a fix with Chase Bank, I'm available to do 
> so if there's a testing version available for Windows (or 
> alternatively some handholding with a code patch so I can build it 
> myself!).
>
> -Mike Wolfe
> wolfemi1 at gmail.com
>
> On 12/10/2015 4:53 AM, Thomas Baumgart wrote:
>> Hi,
>>
>> On Wednesday 09 December 2015 19:38:08 Jack wrote:
>>
>>> Some of you may have seen some other posts I've made about this, but I
>>> think I've tracked down the problem.
>> Thanks for the information. That helped a lot to identify what's going on.
>>
>>> Background: last month Chase credit cards made a "security enhancement"
>>> change that has made all OFX downloads since 11/17 fail.  The error
>>> message says to go to the Chase secure message center for info on how
>>> to verify your identity, but no such message ever appears.  The section
>>> at
>>> http://wiki.gnucash.org/wiki/Setting_up_OFXDirectConnect_in_GnuCash_2#Chase_.22username_or_password_are_incorrect.22
>>> indicates the need for using a UID
>>> (user id) within the OFX request. It looks like they associate that user
>>> UID with the account, probably to limit access.  However, the first time
>>> they see a UID on an OFX request, they should generate a PIN and send it to
>>> your account at their Secure Message Center.  You then use that PIN on
>>> another page the message links to.  I suppose since KMM isn't sending the
>>> UID, they don't generate that message.
>>>
>>> So - I don't see any place in KMM for a user UID.  In fact, looking
>>> into the libOFX source, I see the UUID type defined, but no element
>>> defined as that type which looks like a user id.  Can someone confirm
>>> this is correct, and if so, does this need to be brought up on the
>>> libOFX list before there is anything that KMM can do?  (Other forum
>>> messages I've seen seem to indicate that aqbanking can handle this, so
>>> I'll see if I can get this set up, but I hate to spin my wheels if
>>> someone can provide a more definitive answer.)
>> I took a look into the OFX spec (version 2.1.1) and found chapter 2.5.1.1.1
>> "Client Unique ID <CLIENTUID>". In short, this is a uid generated by the
>> client (KMyMoney). Here's the paragraph of the spec (© 2006 Intuit Inc.,
>> Microsoft Corp., CheckFree Corp. All rights reserved):
>>
>> ---8<---
>> OFX servers can require OFX clients to include a client ID in each signon
>> request. This client ID should be unique to the installation of the client
>> software, but the method that the ID is generated is left up to the client.
>> The server can specify that this field is required using the <CLIENTUIDREQ>
>> tag in the applicable <SIGNONINFO> section of the profile. Servers should
>> expect that users may connect via OFX from multiple locations and may need to
>> associate more than one <CLIENTUID> value with their <USERID>.
>> ---8<---
>>
>> Would be interesting, if you see the CLIENTUIDREQ in the SIGNONINFO message of
>> the server. One can (at least could) enable logging for OFX traffic in some
>> way. Don't know, if that is still available. Will have to check.
>
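
Added example (not part of the thread, and not KMyMoney or libOFX code): a small Python parser for the OFX 1.x SGML response posted above. It groups each `<STATUS>` by the aggregate that owns it and checks a profile fragment for the `<CLIENTUIDREQ>` flag discussed in the quoted spec paragraph. The profile fragment, its `Y` value and all function names are assumptions made for illustration.

```python
import re

# Response body as posted in the message above (e-mail line wraps kept,
# the garbled apostrophe written as a plain ').
CHASE_RESPONSE = """<OFX><SIGNONMSGSRSV1><SONRS><STATUS><CODE>15510<SEVERITY>ERROR<MESSAGE>Please
verify your identity within the next 7 days. Using your desktop
computer, go to your bank's website and visit the Secure Message Center
for
instructions.</STATUS><DTSERVER>20151210093848.702[-5:EST]<LANGUAGE>ENG<FI><ORG>B1<FID>10898</FI></SONRS></SIGNONMSGSRSV1><CREDITCARDMSGSRSV1><CCSTMTTRNRS><TRNUID>20151210083844.000<STATUS><CODE>15500<SEVERITY>ERROR</STATUS><CLTCOOKIE>1</CCSTMTTRNRS></CREDITCARDMSGSRSV1></OFX>"""

# Constructed profile fragment (assumption, not taken from the thread).
SAMPLE_PROFILE = "<SIGNONINFO><CLIENTUIDREQ>Y</SIGNONINFO>"

TOKEN = re.compile(r"<(/?)([A-Za-z0-9.]+)>([^<]*)")

def parse_leaves(sgml):
    """Return [(path_tuple, value)]; a start tag followed by text is a leaf."""
    stack, leaves = [], []
    for closing, name, text in TOKEN.findall(sgml):
        value = " ".join(text.split())      # undo log / e-mail line wrapping
        if closing:
            if name in stack:               # end tags on leaves are ignored
                del stack[len(stack) - 1 - stack[::-1].index(name):]
        elif value:
            leaves.append((tuple(stack) + (name,), value))
        else:
            stack.append(name)              # no text: this opens an aggregate
    return leaves

def statuses(sgml):
    """Map the aggregate owning each <STATUS> to its CODE/SEVERITY/MESSAGE."""
    out = {}
    for path, value in parse_leaves(sgml):
        if len(path) >= 3 and path[-2] == "STATUS":
            out.setdefault(path[-3], {})[path[-1]] = value
    return out

def clientuid_required(profile_sgml):
    """True if a <SIGNONINFO> aggregate carries <CLIENTUIDREQ>Y."""
    return any(path[-2:] == ("SIGNONINFO", "CLIENTUIDREQ") and value.upper() == "Y"
               for path, value in parse_leaves(profile_sgml))

if __name__ == "__main__":
    for owner, st in statuses(CHASE_RESPONSE).items():
        print(owner, st.get("CODE"), st.get("SEVERITY"), st.get("MESSAGE", ""))
    print("CLIENTUID required:", clientuid_required(SAMPLE_PROFILE))
```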
