Chase moves to Open Banking API

Dawid Wrobel me at dawidwrobel.com
Sat Oct 8 22:04:26 BST 2022


On Sat, Oct 8, 2022 at 10:27 PM Jack via KMyMoney-devel <kmymoney-devel at kde.org> wrote:

> While direct connect using ONLY name/password may not be considered
> safe, I can think of ways to still use Direct Connect with 2FA.  For
> example, any attempt to make such a connection triggers a text to a
> mobile phone, where you can reply "Y" within some limited time to
> authorize the connection.  A variant is something that Heroku uses
> (owned by Salesforce, it's hosting site for web apps) which is a custom
> phone app.  When you try to log in to their site, the app pops up and
> you click OK or not, to allow or block the login from a browser.
>

That's exactly how these "Open" APIs work. That's not the problem,
actually, we could totally use those APIs instead of Direct Connect. The
problem is the added requirement of being a pre-authorized entity via
on-purpose-issued certificates, as opposed to a regular TLS encryption.

I created an account with https://developer.chase.com and am about to send
a message, asking if they could look into our case. The FinTS precedent
could help.


> Absolutely no reason to totally scrap something that has worked well
> for years


That's a bit of a one-sided view. Banks have to fight fraud, so a simple
user/pass login had to go. Even if it may never have affected you, it
definitely has affected others, and banks usually bear the financial
responsibility for that. So it's understandable that they strengthen their security.


> give various commercial entities near full access to your
> financial information.  I largely trust my bank to do a good job
> protecting my data, but I'm not at all so comfortable with Intuit or
> Yodlee (who I never heard of until this discussion.)
>

Well, no one is forcing anyone to do that. Yodlee/Saltedge are just
integrators, the commercial software uses them out of convenience, as this
relieves them from having to deal with all the banks individually — both in
terms of integrating with their often unique/quirky APIs and getting their
authorizations. Yes, they put their users at disadvantage by doing so, but
it's their problem — which they obviously also rather conveniently don't
mention (vide Banktivity).

> I wonder if FSF and/or EFF might take any interest in the direction
> this is going.
>

I'll respond to that in the other e-mail you sent in that regard.

-- 
Best Regards,
Dawid Wrobel