UK banks don't accept any liability if you give your online banking credentials to a third party.
If some fraud was to come about as a result of someone using Teller then they would be out of pocket or has Teller got agreements with the compatible banks to overcome this situation (either by Teller reimbursing the customer or the bank)?
Firstly, we don't always need a credential. Some banks provide other auth mechanisms, e.g. EMV CAP. We use this for Barclays and Nationwide. Using Teller might not violate your bank's terms of service, which is why we advise you to read them in conjunction with ours. Furthermore, it is the view of some senior bank people that I speak to that PSD2 will make such clauses in banking terms illegal. It is also worth mentioning there has never been a single case of fraud or loss attributed to "screen-scraping"
Secondly, we have ongoing dialogue open with every major UK bank at very senior levels, from C-level down. We want to help banks deliver these APIs. Formal agreements with banks are a key strategic objective for Teller, but they only started returning my calls once I'd broken their apps and took their APIs. The market can't wait for the banks, developers and users want new choices, apps and service now.
> It is also worth mentioning there has never been a single case of fraud or loss attributed to "screen-scraping"
This response makes me angry. Every service worth attacking will have security problems at some point. You're running a store of bank credentials, which you have to have access to (as opposed to password managers for example which can store user encrypted data). Given enough time, one of these services will get hacked and "this has never happened before" is not going to be a good answer. Someone will be the first one.
I'm happy your service will push more banks to provide APIs. But I'm already doing bank screen scraping for myself because I don't trust services which require my credentials. I hope people consider that risk seriously.
I like how Jude solved the problem of the password. They do all the scraping on the phone. So no password is stored on their servers. https://blog.jude.io
Mint is probably the one you don't have to worry about. The service that stores credentials and scrapes bank sites is the same one that powers TurboTax and QuickBooks. Intuit spends a lot of money keeping that service secure and they're well aware of how catastrophic a breech would be.
In short, that service is run out of private datacenters, not publicly available. You'd have to compromise not just Mint/TurboTax/QuickBooks but then the FICDS service, which only has methods that take a token representing the credentials and passes back transactions, not the actual credentials.
It's the competitors to Mint who can't afford their own datacenters and don't have the many millions of dollars to put into securing their service the way Intuit does that should be much more worrisome.
Disclaimer: I used to work at Intuit, though not on any of the products I mentioned. But I have had many conversations with the people that run Mint and FICDS and I know the overall architecture used. I give my bank credentials to Mint without any worry. It would probably require a state-level entity to get in, and they'd likely need to get someone hired into that group to facilitate it. The service is very secure.
I don't know, if the general level of bug-ridden-ness of their products is any indication, I wouldn't put much stock in their security. There are glaring bugs in Quickbooks for example that persist year after year, having been reported repeatedly, even as they continue to release a new version every single year with various visual tweaks and seemingly not much else.
QuickBooks, even the online version, are decades old and have major issues that prevent the teams from getting much done. They took a year to do clean-up and basically didn't introduce any new features. Not much got done just due to the complexity of changing anything without causing problems.
FICDS, on the other hand, was spun up more recently and is in much better shape. I wouldn't look at an application like QBO and see much that would inform a behind the scenes service like FICDS.
The more interesting product, to me, is TurboTax. The seasonality of it allows Intuit to basically rebuild it from the ground up every year. It's really a different mindset on the San Diego campus (where TT is developed) and in Mountain View (where QBO is developed). San Diego is much more willing to take (non-security) risks with the product because small changes can add up to big wins. I remember a talk by one of the guys in charge of A/B testing on TT who said that a tenth of a percentage point increase in conversion rate was good for tens of millions in added profit.
Contrast that with QuickBooks, where the difficulty to use is actually a feature. Accountants spend years learning the app and learning the work arounds for those bugs you mentioned. That knowledge and experience becomes a barrier to entry into the field and a job skill that they're compensated for. The result is that QB/QBO is aimed at accountants with years of experience in the product. Their livelihood depends on it and they don't like change. So the teams there do as little as possible that can cause problems and know that they'll still get good reviews if the get almost nothing done so long as they don't cause problems.
It's deeply disfunctional and yet explains why you can put a lot of trust in FICDS. They too have had bugs for years. For example, they don't save cookies between scraping sessions and so are always an untrusted browser to the banks. I have at least two accounts that constantly send me 2FA tokens whenever Mint tries (and fails) to sync. But no one gets fired for not fixing bugs. You get fired for compromising the security or stability of the service, and the easiest way to not do that is to push as little possibly vulnerable code to prod. It's the anti-Zuckerberg environment...move slow and don't break things.
I suppose you could have a point about the fact that (good) accountants know the work-arounds. And many of the bugs are annoyances and UI things rather than critical stuff. There are some that will really bite you (meaning, result in incorrect accounting) if you're not familiar with them. For example, the home currency adjustment in the multi-currency mode skips accounts with a current balance of 0 in foreign currency, even if the balance in home currency is non-zero, and so an adjustment is needed. If you know that, you can go in and do those ones manually (although it's a PITA), but if you don't, your taxes will be off. That seems like something that should not be allowed to persist in accounting software. It's the most glaring example I can think of, but there are others.
Ha, actually, one more - the only way to change the date format in invoices (from mm/dd/yy to YYYY-mm-dd for instance) is to change the overall Windows OS setting. That's crazy enough, but what's worse is, when you do that, it screws up the dates of many pre-existing, closed transactions in your company files. Fortunately in my case (iirc) it reset those dates way in the future, so I was able to find and fix them manually. But I mean, seriously...
Heh...you're talking QBD. That's the true dysfunction of Intuit. It's the product Intuit doesn't want you to use. They want customers to transition to QBO and only "maintain" Desktop because many customers refuse to "upgrade" to Online. I never met a single employee who was currently working on QBD. A product that accounts for more that 1/4 of their revenue and they had literally no engineers participating in company events, or at least disclosing what product they worked on. Hell, I met the entire Quicken for Mac team at one point.
My favorite WTF for QBD: The data upload was literally just using the replication feature of the embedded Sybase database. One of the Distinguished Engineers that I worked with, "I worked on that feature and I probably know more about how it works than anyone and I can't get it to work reliably.
Yeah, I don't love the idea of trying to run accounting software in a browser; doesn't seem like it could possibly have the performance of a desktop app. Also, last I checked, QBD includes features I use that QBO doesn't. I can't recall what they were though, so that may no longer be the case.
So, does this mean QBD is basically the living dead, and inevitably I'll have to find an alternative? It looks like everyone's doing online these days.. :/
Edit: Yeah, looks like it doesn't have inventory tracking. Conflicting reports on multi-currency support too.
> So, does this mean QBD is basically the living dead
That was the impression I got when I was there. They're putting a ton of effort into getting people to migrate. But there's still a ton of die-hards that won't and they were continually having to push back their sunsetting plans. I've been gone more than a year now, so I can't say what the current situation is.
It sounds like you're a lot more familiar with the long-tail features of QuickBooks, so I may be recommending something that's missing a lot of what you need, but my favorite competitor product was Wave. They seemed to be the only one that was actually trying to make an intuitive product that wasn't unpleasant to use. It's online though and I don't really know much about the desktop alternatives, so if you're set on running on-prem software, it won't work for you. The accounting stuff is free, though, if you want to play with it.
But Xero is also online only, right? I was pretty negative on them, considering they basically started from scratch in an era where the result should have been much better than Quickbooks considering it didn't have all the baggage that Quickbooks has to deal with. And yet they came up with something that's arguably just as frustrating to use.
Yeah, Xero is online too. It was just the only one that appeared to check all the boxes I need. (Most were missing one of payroll, inventory management, or multi-currency support.)
Financial Institution something something Service. It's the internal initialism name for the service that communicates with financial institutions on behalf of the applications that need to pull transactions and other information.
> What does it mean "quickbooks online is decades old"?
The project was started in the late 90s. It's as messy a codebase as you'd expect to find when you've got close to 20 years of commits.
The level of bugs and slowness in Quicken is mind bending. I've been using Quicken since it ran in MS-DOS and I've watched it get slower and buggier every year.
My latest version (Quicken 2016) literally takes seconds to tab between fields and often does not keep a correct tally balance until I close the check register view. I only have a year of data in it (I thought the slowness might have been due to importing my old data so I restarted fresh).
Since I've been getting bombarded with upgrade ads that I can't seem to disable each time I start Quicken I'm thinking of moving to another app like Moneydance. It feel like an end of an era.
First, Quicken was sold to a private equity firm at the beginning of last year, so you can't really blame Intuit for it anymore.
Second, even before it was sold, it was like Intuit's vestigial tail. It was an important part of the evolution of the company, but it didn't fit into what Intuit was trying to do and was largely ignored inside the company. Even before they announced plans to sell it, it felt like the kitchen table they keep at headquarters...something that's there to remind people of Intuit's past but feels really out of place with its present.
Agreed. I used to work for a division of Intuit (not financial stuff) and a lot of the dev work I saw was pretty shoddy. Lots of weird bugs constantly.
With that said, security is taken very seriously and most of the stuff I experienced was UI related. So hard to say...
Tbh, its only worth considering for pure "credit card" services where its essentially read-only already and any damage can be attributed to fraud you can perform a chargeback against.
That being said, if you run all your spending through your credit cards except obvious notables you update manually you are golden. (i.e. Rent/Mortgage)
It would be interesting if there were a way to run a local client that holds your credentials and does the screen scraping to send back to this API (or others).
Wesabe built our own data acquisition system, first
using downloadable client programs (partially because
that was easier and partially to preserve users’
privacy)
Technically, they could provide a self-hosted version. But that may not be a very profitable business. Also, screen scraping needs continuous updating as the bank's interface changes.
The best option I found (for read-only access) was chromedriver > download CSV statement > process that into your own database.
Using minimal standard screen scraping will be hard because most bank apps are a complicated mess of client and server side processing using ancient tech. After many tries, I just used python+chromedriver and that's doable in ~100 loc per bank.
CSV statements because OFX and others are a complete mess in most cases. I haven't seen a single compliant and correct file so far. (This may be AU specific)
Own database / spreadsheet so you have a local copy you can easily filter on. Obtaining specific date range from a bank may be an interesting challenge. I default to importing last 30 days every day with duplicates detected using a hash(date-description-amount-idx) where idx increases for every date-desc-amount duplicate.
So far I'm happy. Actually I'm in the process of writing a post about it - will submit sometime next week most likely.
Coming from a slightly different angle but it may be of use, I wrote a chrome browser extension that automates logging into banks and other financial sites. It also scrapes the balances once logged in to provide a net worth total. It currently works on around 25 banks (mainly UK). You can also build your own logins and all passwords/private data are stored encrypted in the browser.
I wrote it as I just spend too much time digging out passwords all the time and the usual crowd like LastPass are a) stored online and b) fail to login automatically to complex input sequences like banks.
I hand-rolled a wells fargo scraper recently using the haskell webdriver package and Selenium. It was working fairly well until they started requiring a captcha - something I've never seen as a human user. I'm not quite sure what triggered that or how to get around it.
This is startup-ese for "Every single one of our users is breaking their bank's ToS, and we maintain plausible deniability by telling them to go and read complex legal documents themselves".
I can totally understand the motivation (particularly with PSD2 around the corner, which will mandate banks to provide legit APIs - I'm guessing the plan is to grab market share before that happens). However, I am very skeptical of
this approach when applied to finance. Any technical product whose risk profile is "break into us and steal money directly" is a really dangerous place to leave your users on the hook for liability.
Yeah. "No cases of fraud or loss due to screen-scraping" doesn't mean your service isn't going to be the one that leaks a treasure trove of banking credentials.
It's also highly probable that it has happened, it just wasn't attributed properly.
Why do you say I think "everything" has already happened?
I think it's likely one of these screen-scraping sites that store bank passwords has been breached, and any losses as a result have simply not been attributed to it.
I say this having experience in infosec and seeing how comically little companies who should care about security actually do. Often there's not even a single person with infosec experience. And they make every mistake you'd passively learn not to by casually reading HN comments.
That's not to say some companies don't get it right. Some (including my current employer) do an extraordinary job. But even teams with solid infosec staff get broken in to. The odds that a site storing large numbers of bank passwords with only a handful of engineers not getting popped sooner rather than later is slim.
To be fair I think there is still going to be a lot of appetite for a service like Teller once PSD2 launches to unify these individual bank APIs. They may not even all work the same way. It'd be much better to have one entry point than develop for multiple different banks' implementation.
> It is also worth mentioning there has never been a single case of fraud or loss attributed to "screen-scraping"
Saying "it's never happened before" doesn't in anyway mitigate the attack vector. For what it's worth, there have been cases of fraud attributed to screen scraping, but they don't tend to get publicized.
It is pretty telling (no pun intended) that nowhere in your blog post does the word "security" appear, and no details about how you're storing credentials when you do need them. Why should I trust you with a credential from another party if you refuse to tell me how you're actually storing it.
> "We are not liable for any loss or damage that may result from your use of our services. This includes any direct, indirect, or consequential losses; any loss or damage caused by tort, including negligence, breach of contract or otherwise. This applies if the loss or damage was foreseeable, arose in the normal course of things or you advised us that it might happen."
I don't know which solicitor gave you those terms, but they will be laughed out of a court in England as unconscionable. You're not liable for any negligence, even if it's foreseeable or someone told you you were being negligent??
It sounds to me like you added a lot of detail around a core message of "yes, you may be violating your bank's ToS by using our service, please verify this by reading through page upon page of legalese in your spare time."
Well... no thanks. I (and likely many others) would only consider using such a service if I had a guarantee, both from you and my bank, up front.
from your ToS:
>"We are not liable for any loss or damage that may result from your use of our services. This includes any direct, indirect, or consequential losses; any loss or damage caused by tort, including negligence, breach of contract or otherwise."
It wouldn't surprise me if it wouldn't stand up in court either. Short of having a huge banner that says "WE WON'T ACCEPT ANY RESPONSIBILITY FOR ANY LOSSES IF YOU USE ARE SERVICES, TYPE 'I AGREE' TO CONTINUE" I imagine someone could probably claim that the risks weren't sufficiently highlighted.
There's a reason every investment-related advert has to state that "The value of your investment may go down as well as up", etc.
At least in the U.K. Banks are starting to provide API's so bookkeeping platforms can securely download bank feeds without having to give a 3rd party login credentials.
Would be prudent and indeed consumer friendly if you where to go thru those TOS the banks have in conjunction with your own and provide a simple at a glance list of liability/impact. Reassure people that way and shows, you care and thought this thru beyond saying we recommend reading this and that as people are wary and equally might not understand it.
Sure would take time and some effort, but would certainly return well for such an effort and as said, people would appreciate that greatly, so can only help you and your business.
From a business perspective? Yes. If you go out of business it's game over, and it's unreasonable to expect them to provide legal advice.
That said, I don't think the business model on display here is tenable at all and I don't think it will be successful. I certainly wouldn't sign on for this, way too risky.
While it may be true that there hasn't been historical fraud attributed to "screen-scraping", what has been seen historically is insider fraud - you pretty much have to expect a certain rate of incidents where your own employees, included tenured ones in high trust positions, will intentionally risk jail time and attempt to steal money; in the finance industry (despite all reasonable precautions) it's not a question of if it will happen, it's a question of how often it'll happen (i.e. if it's 1 incident per annum per 100 employees or if it's 1 incident per annum per 1000 employees), how large will be the impact (most precautions don't prevent the risk as such, but limit the amounts involved), and what are you going to do about it.
E.g. the idea that your main technical administrator might sell a database of stored credentials to organized crime; (or get his/her family kidnapped in order to get access to them, that has happened as well) isn't ridiculous fiction, it's a rare but feasible scenario that's more likely to happen than e.g. a datacenter burning down, so what you're going to do in similar cases is quite relevant, not only to your own internal risk analysis but also to your customers. A bank might say "oh, we've got it covered, but if a major hack-event happens, our capital reserves and deposit insurance will still guarantee that you don't lose your savings" - an API company can't fall back on that.
Anecdotally, I've seen banks claim the reason for $something_bad was a virus on a chromebook.
Whether or not there's 'been a single case of fraud or loss attributed to "screen-scraping"', I believe most banks are more than happy to blame you by default and make it difficult/expensive to resolve.
>it is the view of some senior bank people that I speak to that PSD2 will make such clauses in banking terms illegal
If that is close to explicitly as you have stated then either 1) The senior bank people you talked to are lying to you 2) the senior bank people you talked to really don't know anything about PSD2 3) They mistated to you how PSD2 changes will affect this 4) You misunderstood what they mentioned about PSD2 changes.
If a bank mentions in its clauses as per PSD2, that only authorized persons/firms are use an API and their acccess, they are authorized to negate any liability if it was given/accessed by an unauthorized party. Banks are required to make API's available (not same as accessible) to any SaaS or other developer as long as it is authorized by the bank.
Banks are not required to give access to any developer or SaaS, but to authorized third parties.
Authorized in this context means that the third party obtained an authorization from their local financial authorities, and that the authorization is for the type of service they are requesting (Payment Initiation or Account Information).
We want to help banks deliver these APIs ... The market can't wait for the banks, developers and users want new choices, apps and service now.
It was my understanding that the YC-backed company Standard Treasury (acquired by Silicon Valley Bank in 2015) was trying to do this. I don't know where they went with this or what happened (although I believe there was techcrunch write-up about them and the purchase by SVB). Hopefully you can make this work securely because having to navigate a shitty branded (which apparently means constantly changing) web interface to monitor and move money is increasingly frustrating.
I can't even count how many promising-looking Fintech products I had to pass over because the only auth mechanism they offered was through sharing online banking credentials.
Until bank policies regarding credentials-sharing actually change, I think it's really irresponsible for products to even ask for credentials at all, let alone offer it as the default/only auth option. Users could be unwittingly putting their entire life savings at risk.
Yodlee not only wants your credentials but at one point updated their customer agreement to grant them Power of Attorney with each institution they managed on your behalf. I don't know about you but PoA, a binding arbitration clause and their marketing your data to boot is well beyond my comfort level.
That reversal is not instantaneous, and by no means is it a guarantee that you'll ever get the whole amount back when overdraft fees, third-party bounced check fees, and all of the other non-monetary impacts are taken into account.
Depending on the scope of your accounts with the financial company that you're banking with it's possible that beyond your day-to-day operating funds and your mid-term savings accounts that you may also have access to your investments and other long-term stores of value. They aren't as liquid, and it would be harder for a thief to shift them into something that can be transferred out of your account, but it certainly is possible for it to happen if sales of stocks/bonds/etc. are conducted without your knowledge and then the funds are wired out.
In this particular case, yes, because banks tend to deny all liability for fraudulent transactions that result from credentials sharing, so the user is entirely liable for whatever loss that occurs.
It's a realistic concern. For example, a lot of elderly people are targeted for scams because they A.) Are often little easier to trick and B.) Tend to have more money. Comes up in the news a lot. They don't get it back.
It's the same in France, yet some aggregators (e.g. Bankin) are using those credentials directly (and afaik the risk is handled via some sort of insurance).
I'm personally waiting for the PSD II law to be deployed (see https://blog.teller.io/2016/04/26/tauth.html) in order to have clear-cut protections & boundaries, before leveraging Bankin or similar (Teller) as a SaaS product builder.
It’s better because going through the same process as the official banking apps means that you should end up using tokens etc rather than actually storing the original credentials.
If some fraud was to come about as a result of someone using Teller then they would be out of pocket or has Teller got agreements with the compatible banks to overcome this situation (either by Teller reimbursing the customer or the bank)?