[LINK] online finance protocols (was Re: mail2web service)

Craig Sanders cas at taz.net.au
Sun Jan 10 16:44:40 AEDT 2010

On Sat, Jan 09, 2010 at 07:51:40PM -0800, Scott Howard wrote:
> In order to use Mint, you have to give them the username and password
> for all of your online finance sites - your bank, your share trading
> company, your 401K (superannuation), etc. So that means that over
> 700,000 people - probably more - have given their online banking
> details to what was previously a small startup.

that goes way beyond insane to "i'm so stupid it's amazing i manage to

and it almost certainly breaks the T&C of any banking or other finance
site - does nobody read the "do not give your login and password to
anyone" warnings from them?

if i was running such a site, i'd trawl the logs for anyone using
mint.com or any similar third-party service and use it as a reason to
disclaim all responsibility for any future security problems with that

what mint.com does should be done in an application on the user's
own computer with all data stored in encrypted format only. this is
definitely one application where storing data in "the cloud" is a really
really stupid idea.

also, there should be a standard, common protocol for applications
to interact with finance sites (e.g. a lot of European banks, esp in
Germany, use something called HBCI, Home Banking Computer Interface),
and users should have the option (after the initial login with
username/password) of using a signed ssl certificate

they could, perhaps, get a cert from their bank, or from a (probably
non-existent or at least very rare) technically literate JP, or from
one of the commercial CAs.

BTW, I have never used HBCI so i have no idea whether it's any good.
or safe. i've just heard about it. there are probably numerous similar
standards around.  IMO, the government (or perhaps the banking industry
ombudsman) should evaluate secure internet banking protocols, and
mandate a minimum required system for all financial sites in australia.
and that system should be based on open well-documented protocols,
rather than closed proprietary protocols.

> Whether it makes sense or not, and whether you would have to be insane
> or not, people will do it...

yes, well...people in general aren't very bright. or informed. or
security conscious. or prone to thinking critically, let alone
suspiciously, about anything.

which explains why nigerian 419 scams actually work. and still work
today even after everyone on the net has seen dozens or hundreds of
variations of the scam. you'd think they might just begin to suspect
that there really can't be that many nigerian princes in need of their
help, or deceased foreigners with large accounts.


ps: i won't even give my bank details to paypal, not even to get my
account "verified". i figure that if i give it to them once, i have
absolutely no way of stopping them from misusing it in future. i'm happy
enough just using my credit card through pp. at least credit cards have
standard and well known means of disputing unauthorised transactions.

with a direct debit i'm pretty much limited to begging my bank to fix
any problem....as many people who have authorised direct debit from
dodgy mobile phone companies or ISPs have found, the only guaranteed
solution is to close the account and open a new one.
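The "trawl the logs" idea above, worked through as an added example (this is not code from the original post or from any bank). It assumes a hypothetical authentication log format and uses constructed sample lines; the heuristic is that a credential aggregator holding many customers' passwords shows up as one source IP successfully authenticating to many distinct accounts in a short window, often with a non-browser user agent.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (hypothetical format; not from any real bank).
# Fields: ISO timestamp, source IP, quoted user agent, account id, result.
SAMPLE_LOG = """\
2010-01-09T02:00:01 203.0.113.10 "AggregatorBot/1.0" acct=1001 result=ok
2010-01-09T02:00:04 203.0.113.10 "AggregatorBot/1.0" acct=1002 result=ok
2010-01-09T02:00:09 203.0.113.10 "AggregatorBot/1.0" acct=1003 result=fail
2010-01-09T02:00:12 203.0.113.10 "AggregatorBot/1.0" acct=1003 result=ok
2010-01-09T02:00:20 203.0.113.10 "AggregatorBot/1.0" acct=1004 result=ok
2010-01-09T08:15:33 198.51.100.7 "Mozilla/5.0 (X11; Linux) Firefox/3.5" acct=2001 result=ok
2010-01-09T19:42:10 198.51.100.7 "Mozilla/5.0 (X11; Linux) Firefox/3.5" acct=2001 result=ok
2010-01-09T09:01:02 192.0.2.5 "Mozilla/5.0 (Windows) Firefox/3.5" acct=3001 result=ok
2010-01-09T09:30:45 192.0.2.5 "Mozilla/5.0 (Windows) Firefox/3.5" acct=3002 result=ok
"""

LINE_RE = re.compile(r'^(\S+) (\S+) "([^"]*)" acct=(\S+) result=(\S+)$')


def parse_line(line):
    """Return a dict for one well-formed log line, or None for junk."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, agent, acct, result = m.groups()
    return {"time": datetime.fromisoformat(ts), "ip": ip,
            "agent": agent, "acct": acct, "ok": result == "ok"}


def max_distinct_accounts(events, window):
    """Largest number of distinct accounts seen from one source within any
    span of length `window`. `events` is a list of (time, acct) sorted by time."""
    best = 0
    counts = defaultdict(int)
    j = 0
    for i, (t_i, _) in enumerate(events):
        # Extend the window to every event within `window` of event i.
        while j < len(events) and events[j][0] - t_i <= window:
            counts[events[j][1]] += 1
            j += 1
        best = max(best, len(counts))
        # Drop event i before the window slides forward.
        acct = events[i][1]
        counts[acct] -= 1
        if counts[acct] == 0:
            del counts[acct]
    return best


def find_shared_credential_sources(log_text, min_accounts=3, window_minutes=60):
    """Flag source IPs that successfully log in to at least `min_accounts`
    distinct accounts within `window_minutes` (the aggregator signature)."""
    per_ip = defaultdict(list)
    agents = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or not ev["ok"]:
            continue  # only successful logins show a working shared credential
        per_ip[ev["ip"]].append((ev["time"], ev["acct"]))
        agents[ev["ip"]].add(ev["agent"])
    window = timedelta(minutes=window_minutes)
    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        n = max_distinct_accounts(events, window)
        if n >= min_accounts:
            flagged[ip] = {"distinct_accounts": n,
                           "accounts": sorted({a for _, a in events}),
                           "agents": sorted(agents[ip])}
    return flagged


if __name__ == "__main__":
    for ip, info in find_shared_credential_sources(SAMPLE_LOG).items():
        print(ip, info)
```

On the sample, only 203.0.113.10 is flagged (four accounts in under a minute, one bot-like agent); the home user and the two-account office address are not. The threshold matters: a corporate NAT or a shared proxy produces the same many-accounts-from-one-IP pattern, so this is a triage signal to combine with user-agent and cadence, not proof on its own.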

