undefined | Better HN

0 pointsmeredydd9y ago0 comments

This is startup-ese for "Every single one of our users is breaking their bank's ToS, and we maintain plausible deniability by telling them to go and read complex legal documents themselves".

I can totally understand the motivation (particularly with PSD2 around the corner, which will mandate banks to provide legit APIs - I'm guessing the plan is to grab market share before that happens). However, I am very skeptical of this approach when applied to finance. Any technical product whose risk profile is "break into us and steal money directly" is a really dangerous place to leave your users on the hook for liability.

0 comments

6 comments · 2 top-level

stouset9y ago· 3 in thread

Yeah. "No cases of fraud or loss due to screen-scraping" doesn't mean your service isn't going to be the one that leaks a treasure trove of banking credentials.

It's also highly probable that it has happened, it just wasn't attributed properly.

chirau9y ago

Why do you assume everything has already happened? Do you also assume Gmail passwords have already been hacked? Just asking.

stouset9y ago

Why do you say I think "everything" has already happened?

I think it's likely one of these screen-scraping sites that store bank passwords has been breached, and any losses as a result have simply not been attributed to it.

I say this having experience in infosec and seeing how comically little companies who should care about security actually do. Often there's not even a single person with infosec experience. And they make every mistake you'd passively learn not to by casually reading HN comments.

That's not to say some companies don't get it right. Some (including my current employer) do an extraordinary job. But even teams with solid infosec staff get broken in to. The odds that a site storing large numbers of bank passwords with only a handful of engineers not getting popped sooner rather than later is slim.

lazyasciiart9y ago

Define 'hacked'. http://money.cnn.com/2014/09/10/technology/security/gmail-ha...

dbbk9y ago· 1 in thread

To be fair I think there is still going to be a lot of appetite for a service like Teller once PSD2 launches to unify these individual bank APIs. They may not even all work the same way. It'd be much better to have one entry point than develop for multiple different banks' implementation.

traviscj9y ago

The Stripe business model, basically.

j / k navigate · click thread line to collapse