fdaniels

Senior Member
Joined
Aug 16, 2006
Messages
898
I think that this is a good thing. I don't bank with ABSA but I do think that they are making the right decision. I bet you that 22seven has a EULA that states that they can't be held responsible if your credentials are compromised (They won't say in those exact words, but I bet they say something of the sort).

Customers stand to lose all their money by using this third party app. :eek:
 

DarkStreet

Expert Member
Joined
Jan 18, 2007
Messages
1,284
I would like to know (in technical terms) how they "login" to your account to start off with if no banks offer an API for this?
 

The_Unbeliever

Honorary Master
Joined
Apr 19, 2005
Messages
103,197
I would like to know (in technical terms) how they "login" to your account to start off with if no banks offer an API for this?

You supply the login details.

It's like handing some stranger the keys to your house...

Don't get me wrong, I think 22seven's offering a good service (one that will help people to manage their finances more efficiently) and Absa should look at creating an API to enable 22seven to access their customers' details without being able to fiddle around with money etc.

From the client's side they can just enable the API to access their information.
 

Jan

Who's the Boss?
Staff member
Joined
May 24, 2010
Messages
6,582
I think that this is a good thing. I don't bank with ABSA but I do think that they are making the right decision. I bet you that 22seven has a EULA that states that they can't be held responsible if your credentials are compromised (They won't say in those exact words, but I bet they say something of the sort).

Customers stand to lose all their money by using this third party app. :eek:

Everyone (the banks and 22seven) are just trying to cover their ass (if you'll excuse the slightly crude turn of phrase).

A "good thing" would be the banks providing a secure read-only API. OAuth comes to mind for logging in without giving away your Internet Banking password.

Obviously the banks can't accept the liability of another company, and Yodlee and 22seven obviously want to mitigate their risks as well. That said, a single security breach will tank both Yodlee and 22seven.

That wouldn't bring much comfort to someone that may have lost their life savings through their password falling into the wrong hands, though.

That's to get the information after login.

You'd think a bank would employ measures to prevent login from sources other than the login page of the website.

Screen scraping involves going to the website. I think Yodlee just needs to make it look like it's you logging in from within SA. From tests I conducted overseas, at least some banks don't let you log in from outside SA without prior arrangement.
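
The read-only access several posters ask for, as an added sketch that is not part of any post and is not 22seven's, Yodlee's or any bank's code: the bank signs a token naming what the third party may do, and checks it on every call. It is a simplified stand-in for OAuth-style delegation; the key, scope names and endpoint names are assumptions made up for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real bank would keep its signing key in an HSM or KMS.
BANK_KEY = b"constructed-demo-signing-key"
# Hypothetical endpoint -> required scope map.
REQUIRED_SCOPE = {"get_balance": "accounts:read", "make_payment": "payments:write"}


def b64(data):
    return base64.urlsafe_b64encode(data).decode()


def issue_token(customer, client, scopes, now, ttl=3600):
    """Bank side: the customer approves `scopes` for `client` on the bank's own site."""
    claims = {"sub": customer, "client": client, "scope": sorted(scopes), "exp": now + ttl}
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(BANK_KEY, body, hashlib.sha256).digest()
    return b64(body) + "." + b64(sig)


def authorize(token, action, now):
    """Bank side: return the claims if the token permits `action`, else raise."""
    try:
        body_b64, sig_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except ValueError as exc:  # wrong number of parts or invalid base64
        raise PermissionError("malformed token") from exc
    expected = hmac.new(BANK_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise PermissionError("bad signature")
    claims = json.loads(body)
    if claims["exp"] < now:
        raise PermissionError("token expired")
    if REQUIRED_SCOPE.get(action) not in claims["scope"]:  # unknown action: deny
        raise PermissionError("scope does not allow " + action)
    return claims


def allowed(token, action, now):
    try:
        authorize(token, action, now)
        return True
    except PermissionError:
        return False
```

The third party only ever holds the token, never the Internet Banking password, and the bank can refuse payments for that token however the third party's systems behave.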
 

DarkStreet

Expert Member
Joined
Jan 18, 2007
Messages
1,284
Screen scraping involves going to the website. I think Yodlee just needs to make it look like it's you logging in from within SA. From tests I conducted overseas, at least some banks don't let you log in from outside SA without prior arrangement.

Perhaps some sort of CAPTCHA implementation can thwart this.
 

Kosmik

Honorary Master
Joined
Sep 21, 2007
Messages
22,209
API is the correct way to do this. Handing over usernames, passwords and pins is just asking for trouble.
 

moosag

Expert Member
Joined
Sep 3, 2004
Messages
1,186
Screen scraping tech is very advanced nowadays. Have a look at iMacros. As far as the bank is concerned there is nothing that can be done to stop screen scrapers. JavaScript, flash, encryption, captchas can all be bypassed. So can location based IP addresses via proxy servers.

I have my own tool that logs into Standard Bank, downloads my QIF file and imports it into MS Money.


Personally I think everyone is looking at this the wrong way. I commend 22Seven for what they're doing. Our banks should have offered an open based API for a full range of services a long time ago. Our banking industry is old and outdated. The current bankserv model is hopeless.

If a company wants to offer services such as 22seven they should be able to. If I want to create a B2B billing interface I should be able to. The banks just don't play nicely with anyone. The service they give based on what they charge is ridiculous. It's only a matter of time till banks will be forced to offer such services. Problem is there is no competition. Look at PayPal. They are that big because of their technology and the type of apps developers are allowed to come up with. Why? Coz they compete on a global scale.

There are countless 22seven apps available for the US market. Stories and limitations like this just show us how far behind the rest of the world wrt to technology we really are. Both in governance, policies and regulations.

The technology is there to achieve what ever you want. Unfortunately the regulations and policies are not.

I agree there is risk. Everything has risk. If you have a gmail account, FB account you're more at risk than a company having your banking detail logins. I could steal your identity off FB and socially engineer your bank details out of you. Stealing money is easy. Getting away with it is the hard part. At least if someone steals from u and u have a 22seven account you can hold them liable in some way.

Everything is hackable nowadays. Tech is so advanced that if you can think it you can do it. There is a product out there for anything and everything.

And yes I will be giving 22seven a shot when they come out with an iOS version.

Products like this are invaluable. If you don't already have a personal finance app you're probably living month to month and have no clue where ur money is going. Whether on paper, Excel or software like MS Money or 22seven, personal finance is important.
 

ranger

Expert Member
Joined
May 2, 2007
Messages
2,062
As far as the bank is concerned there is nothing that can be done to stop screen scrapers.

Two-factor authentication with a time-based cryptographic token would defeat any fully automated access, such as 22seven.
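
The time-based token mentioned in the post above, as an added example that is not part of the post and not any bank's code: TOTP per RFC 6238 plus a hypothetical `BankLogin` check, showing that a password and one code saved by a third party stop working once the code's time step has passed or has been used. The seed is the public RFC 6238 test secret; the password is constructed.

```python
import hashlib
import hmac
import struct

# RFC 6238 Appendix B test secret (public test data, not a real token seed).
SEED = b"12345678901234567890"


def totp(seed, unix_time, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1: HOTP (RFC 4226) over the time-step counter."""
    counter = struct.pack(">Q", int(unix_time) // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class BankLogin:
    """Hypothetical bank login check: static password plus current token code."""

    def __init__(self, password, seed, window=1):
        self.password, self.seed, self.window = password, seed, window
        self.last_step = -1                      # highest time step already accepted

    def login(self, password, code, now, step=30):
        if not hmac.compare_digest(password.encode(), self.password.encode()):
            return False
        current = int(now) // step
        for s in range(current - self.window, current + self.window + 1):
            if s <= self.last_step:              # code already used: reject replay
                continue
            if hmac.compare_digest(code, totp(self.seed, s * step, step)):
                self.last_step = s
                return True
        return False


def stored_credentials_demo():
    """A third party keeps the password and the code typed at sign-up, then retries."""
    bank = BankLogin("constructed-password", SEED)
    t0 = 1111111109
    stored_code = totp(SEED, t0)                 # what the customer typed once
    first = bank.login("constructed-password", stored_code, t0)
    replay = bank.login("constructed-password", stored_code, t0 + 5)
    next_day = bank.login("constructed-password", stored_code, t0 + 86400)
    return first, replay, next_day
```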
 

Bernie

Expert Member
Joined
May 2, 2006
Messages
2,111
Did I read correctly, ABSA blocked Yodlee and they then tried to circumvent this. They succeeded. If this is true then it certainly doesn't put Yodlee in a good light - not very ethical - why would I give them my banking details?
 

plugger123

Senior Member
Joined
Apr 26, 2005
Messages
508
Wow. Christo Davel must be a serious lunatic or the lunatic that thought this up. This kind of thing should be declared illegal.

There are serious security issues here.. why give out your internet banking pin and details to a third party? I could just as well create a web site and start asking for banking pins.. and one day turn around and start using those pins... to withdraw money.. then disappear.
 

Moby Grape

Honorary Master
Joined
Jul 18, 2008
Messages
54,760
Anyone who gives their banking login auth to a third party has rocks in their head.
 

AntiThesis

Executive Member
Joined
Jul 30, 2005
Messages
5,533
Hang on, the Absa version requires your full login credentials? Really? The FNB flavour has a read-only user that you create and which you can delegate accounts to. Am I missing something here or is this really just "Absa doesn't feel like implementing read-only users"? (genuine question)
 

AniV

Expert Member
Joined
Jul 12, 2010
Messages
1,142
I think 22Seven is awesome and the banks are just being resistant to change because they want to launch their own PFM tools, none of which will be anywhere near as awesome as 22Seven.

Would love to completely cut Absa out of our lives, but our Home Loan was moved to them (not our choice) and so we are stuck. I already got rid of my savings account with them and moved to Capitec.
 