m. libby

writing financial software as a love letter

blog

The Lurking Security Threat in Online Financial Apps

I am concerned that we do not have a regulatory system that ensures consumer protection with services like mint.com, budgetsimple.com, and yodlee.com.

To use these services you are required to give your bank website username and password to someone else.

As a web developer, I can say that it is industry best practice to use methods of making sure the password the user enters is correct without ever actually knowing the user's password. This makes it nearly impossible for a hacker to figure out a user's password, even if they get a copy of the application's database.
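To make the distinction concrete, here is an added example (my own illustration, not code from any of the services named above) of the practice described: the site stores only a salted, slow hash of the password and can still check a login attempt, but a copy of its database does not contain the password itself. An aggregator that must log in to your bank on your behalf cannot do this; it has to keep the credential in a reversible form, which is exactly the exposure at issue. The scrypt parameters and the record format are assumptions chosen for the example.

```python
import hashlib
import hmac
import os

# scrypt cost parameters: constructed values for this example, not any service's settings.
SCRYPT_N = 2 ** 14   # CPU/memory cost
SCRYPT_R = 8         # block size
SCRYPT_P = 1         # parallelism
SALT_BYTES = 16
DIGEST_BYTES = 32


def hash_password(password: str) -> str:
    """Return the record a site would store: algorithm, parameters, salt and digest.

    The plaintext password is never part of the record, so a stolen copy of the
    database does not hand an attacker the password.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DIGEST_BYTES,
    )
    # Record layout (assumed format for this example): algo$n$r$p$salt$digest
    return "scrypt${}${}${}${}${}".format(
        SCRYPT_N, SCRYPT_R, SCRYPT_P, salt.hex(), digest.hex()
    )


def verify_password(password: str, record: str) -> bool:
    """Check a login attempt against the stored record without ever knowing
    the original password: recompute the hash with the stored salt and
    parameters and compare in constant time."""
    try:
        algo, n, r, p, salt_hex, digest_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        n, r, p = int(n), int(r), int(p)
    except ValueError:
        return False  # malformed or tampered record
    if algo != "scrypt":
        return False
    candidate = hashlib.scrypt(
        password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=len(expected)
    )
    # hmac.compare_digest avoids leaking which bytes matched via timing.
    return hmac.compare_digest(candidate, expected)


def record_reveals_password(record: str, password: str) -> bool:
    """True only if the stored record literally contains the password or its hex.
    Used below to show that the record leaks nothing usable for login elsewhere."""
    return password in record or password.encode("utf-8").hex() in record


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")  # constructed sample password
    print("stored record:", rec)
    print("login with right password:", verify_password("correct horse battery staple", rec))
    print("login with wrong password:", verify_password("Tr0ub4dor&3", rec))
```

Note that two records for the same password differ because each gets a fresh random salt, which is what defeats precomputed tables against a leaked database.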

The current practice used by mint.com, et al., is a security nightmare waiting to happen. As we are seeing, BitCoin "banks" are not immune to multi-million dollar losses, and Target Corp was breached at the level of the card readers in the stores! There is simply no way that storing the login credentials for online banking services is going to be secure over time.

And why does this matter so much? Because the terms and conditions of many online banking services include language like this (from one of my services):

"When you give someone your Online Banking ID and passcode, you are authorizing that person to use your service, and you are responsible for all transactions that person performs while using your service. All transactions that person performs, even those transactions you did not intend or want performed, are authorized transactions."

This means that if there is a security breach at mint.com et al., then I could very likely be liable for that balance as far as my bank is concerned... I would have to get mint.com to pay *me* back, but their Terms of Service insist that their liability is limited to $500!

"NOTWITHSTANDING ANYTHING TO THE CONTRARY IN THIS AGREEMENT, INTUIT’S LIABILITY TO YOU FOR ANY CAUSE WHATEVER AND REGARDLESS OF THE FORM OF THE ACTION, WILL AT ALL TIMES BE LIMITED TO $500.00 (FIVE HUNDRED UNITED STATES DOLLARS)."

One solution is to pass a law that makes it illegal to ask a bank customer for his login credentials without offering unlimited liability in case of a security breach related to use of the service.

Also, because this system of asking people for passwords is counter to the advice of security professionals and industry best practices, it might actually make sense to just make it illegal altogether. We should not be encouraging users to get in the habit of disclosing their most sensitive account login credentials to anyone, ever.

To preserve the ability of non-bank businesses to provide consumer services like aggregating account information, it might make sense to regulate the banks in a way that forces them to provide third-party APIs that users can authorize to have specific levels of access to account data (or even to initiate transactions). Such an API could be constructed in an industry-standard format. The basic idea would be to mirror how Facebook (and now many other large platforms) allows users to authorize "apps" to access their Facebook data. Some apps have permission to post to my wall, others can only see very basic info.
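As an added sketch of what such a bank-side API could look like (my own illustration, not any bank's or platform's code), the following example lets a user grant an aggregator an opaque token limited to specific scopes, with an expiry and the ability to revoke. The aggregator never holds the bank password, a read-only grant cannot initiate a transfer, and revoking the grant cuts off access without the user changing any credential. The scope names, the token format and the in-memory bank are all assumptions made for the example.

```python
import secrets
import time
from dataclasses import dataclass

# Scope names are constructed for this example, not any real API's.
SCOPE_BALANCES = "balances:read"
SCOPE_TRANSACTIONS = "transactions:read"
SCOPE_TRANSFER = "transfers:initiate"


class NotAuthorized(Exception):
    """Raised when a token is missing, revoked, expired or lacks the needed scope."""


@dataclass
class Grant:
    user: str
    app: str
    scopes: frozenset
    expires_at: float
    revoked: bool = False


class BankAuthServer:
    """Issues and checks scoped delegation tokens. Tokens are opaque random
    strings mapped to a Grant; the third-party app only ever sees the token."""

    def __init__(self):
        self._grants = {}  # token -> Grant

    def authorize(self, user, app, scopes, ttl_seconds=3600):
        """The user (not the app) consents to an explicit scope set for one app."""
        token = secrets.token_urlsafe(32)
        self._grants[token] = Grant(user, app, frozenset(scopes),
                                    time.time() + ttl_seconds)
        return token

    def revoke(self, token):
        grant = self._grants.get(token)
        if grant is not None:
            grant.revoked = True

    def check(self, token, required_scope):
        grant = self._grants.get(token)
        if grant is None or grant.revoked or time.time() >= grant.expires_at:
            raise NotAuthorized("token invalid, revoked or expired")
        if required_scope not in grant.scopes:
            raise NotAuthorized("scope %r was not granted" % required_scope)
        return grant


class BankAPI:
    """Each endpoint demands exactly the scope it needs; nothing is implied."""

    def __init__(self, auth, balances):
        self.auth = auth
        self._balances = dict(balances)  # user -> balance, constructed data

    def get_balance(self, token):
        grant = self.auth.check(token, SCOPE_BALANCES)
        return self._balances[grant.user]

    def transfer(self, token, to_user, amount):
        grant = self.auth.check(token, SCOPE_TRANSFER)
        if amount <= 0 or self._balances[grant.user] < amount:
            raise ValueError("invalid or insufficient amount")
        self._balances[grant.user] -= amount
        self._balances[to_user] = self._balances.get(to_user, 0) + amount
        return self._balances[grant.user]


def demo():
    """Walk through grant, read, denied transfer and revocation; returns the steps."""
    auth = BankAuthServer()
    bank = BankAPI(auth, {"alice": 1000, "bob": 50})  # constructed accounts
    token = auth.authorize("alice", "budget-aggregator", [SCOPE_BALANCES, SCOPE_TRANSACTIONS])
    results = {"balance": bank.get_balance(token)}
    try:
        bank.transfer(token, "bob", 100)
        results["transfer"] = "allowed"
    except NotAuthorized:
        results["transfer"] = "denied"
    auth.revoke(token)
    try:
        bank.get_balance(token)
        results["after_revoke"] = "allowed"
    except NotAuthorized:
        results["after_revoke"] = "denied"
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the design is that the user's bank credential never leaves the bank, each grant is narrower than the credential it replaces, and the bank keeps a record of exactly which app was authorized to do what, which is also what makes liability attributable after an incident.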



about

This is the internet home page of Michael C. Libby.

Current Status

I am writing household finance/budget web app because, frankly, every piece of financial software I have used or reviewed gets critical things wrong, especially in the areas of budgeting or security or both.

Past Statuses