undefined | Better HN

0 pointspaublyrne7y ago0 comments

For your banking script, are you able to use an API with a limited access token? Or does it use your normal credentials. I don't save my various banking credentials anywhere, not even 1password, as they're so sensitive, curious how you do this.

0 comments

gizmo7y ago

Your banking password isn't that sensitive, because banks are used by regular people who don't have any conception of good security practices. The worst case scenario of your bank login credentials leaking are really not that bad.

Your personal email account is probably a million times more sensitive. It contains enough personal information to get your identity stolen a thousand times over, and once your email has been compromised there is no way to ascertain the damage.

gingerlime7y ago

Couldn't agree more. See my comment above. My online bank only provides readonly access with a password. Anything else requires a one-time-password anyway.

I'd be much more worried about my email getting hacked though.

HumanDrivenDev7y ago

Huh? The worst case scenario of your bank login details is... someone depositing all your money to their account, surely.

icebraining7y ago

Nope, the login in (some? many?) banks is just a first step, to actually perform transactions they require a second stage auth. Most they can do is transfer money to some of my family members (I've disabled the second stage for a few specific destinations).

ianhowson7y ago

Most banks request a second auth factor (SMS, code, phone call) before executing a transfer to a new recipient.

dzek697y ago

I don't hear often about banks providing API access. Only big companies on special contracts may get something like that, but it is usually very limited - talking from my personal experience, but what I learnt from the internet - it's the same everywhere.

But... In Europe thanks to just another EU laws we should have every bank offering an API access for everyone starting from September 2018 IIRC. That would help a lot with automation, I hope generating few api keys with different access permissions would be possible with that.

IshKebab7y ago

I'm going to be so amazed if the API (PSD2 if you want to Google it) turns out to be what we want.

I'm fully expecting banks to throw extreme security hurdles and probably registration fees in the way if they can.

Hopefully I will be wrong.

Tharkun7y ago

PSD2 is not what you think it is. It has API access, but not for the end user. Only 'integrators' will have access to these APIs. You will need to request permission to write/deploy software using the APIs. This involves massive bureaucratic overhead and in some cases permission from your country's national bank.

dcbadacd7y ago

Automated GDPR requests for personal data...

kyriakos7y ago

Can you please give some more info about this eu regulation? I'm really interested to see if my bank has an API in place.

egourlao7y ago

Look up PSD2 regulations.

namibj7y ago

There is a system for integrating with larg(er) corporate banking software, but here it seems to require a smartcard, likely with a PIN, and no way to restrict it to be readonly. It's horrible XML protocol stuff though.

gingerlime7y ago

My bank gives only readonly access by default with the username/password. Any transaction (transfer, operation) requires a one-time pin (TAN) anyway. So I'm not particularly worried about leaking my password.

I wish they had an API but I just use a selenium script essentially. Luckily(?) logging in to this particular account only requires user/password and no fancy codes etc. I guess when the system is built with readonly default and OTP for anything else, then the login can be kept simple.

j / k navigate · click thread line to collapse

0 comments

gizmo7y ago

gingerlime7y ago

Couldn't agree more. See my comment above. My online bank only provides readonly access with a password. Anything else requires a one-time-password anyway.

I'd be much more worried about my email getting hacked though.

HumanDrivenDev7y ago

Huh? The worst case scenario of your bank login details is... someone depositing all your money to their account, surely.

icebraining7y ago

ianhowson7y ago

Most banks request a second auth factor (SMS, code, phone call) before executing a transfer to a new recipient.

dzek697y ago

IshKebab7y ago

I'm going to be so amazed if the API (PSD2 if you want to Google it) turns out to be what we want.

I'm fully expecting banks to throw extreme security hurdles and probably registration fees in the way if they can.

Hopefully I will be wrong.

Tharkun7y ago

dcbadacd7y ago

Automated GDPR requests for personal data...

kyriakos7y ago

Can you please give some more info about this eu regulation? I'm really interested to see if my bank has an API in place.

egourlao7y ago

Look up PSD2 regulations.

namibj7y ago

gingerlime7y ago

j / k navigate · click thread line to collapse