I am concerned that we do not have a regulatory system ensure consumer protection with services like mint.com, budgetsimple.com, and yodlee.com.
To use these services you are required to give your bank web site user name and password to someone else.
As a web developer, I can say that it is industry best practice to use methods of making sure the password the user enters is correct without ever actually knowing the user's password. This makes it nearly impossible for a hacker to figure out a user's password, even if they get a copy of the application's database.
This current practice used by mint.com, et al., is a security nightmare waiting to happen. As we are seeing, BitCoin "banks" are not immune multi-million dollar losses and Target Corp was breached at level of the card readers in the stores! There is simply no way that storing the login credentials for online banking services is going to be secure over time.
And why does this matter so much? Because the terms and conditions of many online banking services include like this (from one of my services):
"When you give someone your Online Banking ID and passcode, you are authorizing that person to use your service, and you are responsible for all transactions that person performs while using your service. All transactions that person performs, even those transactions you did not intend or want performed, are authorized transactions."
This means that if there is a security breach at mint.com et al., then I could very likely be liable for that balance as far as my bank is concerned... I would have to get mint.com to pay *me* back, but their Terms of Service insist that their liability is limited to $500!
"NOTWITHSTANDING ANYTHING TO THE CONTRARY IN THIS AGREEMENT, INTUIT’S LIABILITY TO YOU FOR ANY CAUSE WHATEVER AND REGARDLESS OF THE FORM OF THE ACTION, WILL AT ALL TIMES BE LIMITED TO $500.00 (FIVE HUNDRED UNITED STATES DOLLARS)."
One solution is to pass a law that makes it illegal to ask a bank customer for his login credentials without offering unlimited liability in case of a security breach related to use of the service.
Also, because this system of asking people for passwords is counter to the advice of security professionals and industry best practices, it might actually make sense to just make it illegal altogether. We should not be encouraging users to get in the habit of disclosing their most sensitive account login credentials to anyone, ever.
To preserve the ability of non-bank businesses to provide consumer services like aggregating account information, it might make sense to regulate the banks in a way that forces them to provide 3rd party APIs that users can authorize to have specific levels of access to account data (or even to initiate transactions). Such an API could be constructed in an industry-standard format. The basic idea would be to mirror how Facebook (and now many other large platforms) allows users to authorize "apps" to access their Facebook data. Some apps have permission to post to my wall, others can only see very basic info.
This is the internet home page of Michael C. Libby.
Here's a bunch of stuff I've done over the years...
- Grew up in the Twin Cities Metro Area in the state of Minnesota in the United States of America.
- Programmed games on the family Commodore 64 as a teenager.
- Got a job at the Minnesota Educational Computing Corporation (MECC) as a high school senior.
- Studied fine art at the University of Minnesota and earned a Bachelor of Fine Arts degree.
- Member of the New Riverside Cafe collective for 2.5 years.
- Made fonts under the "m.libby" and "AprilSkies" monikers.
- For a while: car-free, bicycle enthusiast (with blog).
- Day jobs in corporate America: data analyst, business systems consultant, application systems engineer, software developer.
- Programmed games for the internet: go play Mikey's Games.
Solved a few Project Euler problems:
I do some Stack Exchange Q & A stuff
now and again, as well:
Got certified on Brainbench (Transcript ID#: 11130182):