[HN Gopher] Canada calls screen scraping 'unsecure,' sets Open B...
       ___________________________________________________________________
        
       Canada calls screen scraping 'unsecure,' sets Open Banking target
       for 2023
        
       Author : exotree
       Score  : 53 points
       Date   : 2021-08-18 21:51 UTC (1 hours ago)
        
 (HTM) web link (finledger.com)
 (TXT) w3m dump (finledger.com)
        
       | ohazi wrote:
       | To everyone in this thread complaining that this is just Canada
       | being Canada and trying to snuff out the upstarts... what the
       | fuck are you going on about?
       | 
       | I'm a US citizen and I want this screen scraping / credential
       | sharing / whatever you want to call it to die in a fire already.
       | Forcing banks to implement _any_ sort of API access seems both
       | preferable to the dumpster fire we have today, as well as _more
        | inviting to upstarts_, because right now the only way to be an
       | upstart is to literally ask your customers to violate their
       | bank's terms of service.
        
         | version_five wrote:
         | I guess you're talking to me. I'm not arguing for screen
         | scraping. I'm stating my experience as a Canadian that our
         | oligopolies use legislation like this as a way to discourage
         | competition, under the guise of helping users. And they rely on
         | people like you to talk about how great it is that we're all
         | getting a made in Canada open banking solution when what we'll
         | really get is something that makes new entry impossible and
         | locks users in to the big 5 banks. Look at our vibrant
         | telecommunications sector for a similar example.
        
         | hkt wrote:
         | I'm from the UK and can confirm: open banking has massively
         | helped startups. My local credit union now underwrites based on
         | open banking data, I have a neat budgeting app, I can see all
         | my accounts in one place, and best of all, I can approve or
         | revoke credentials at will. Nobody gets anything but read
         | access. It is mind blowing to me that there are people stuck
         | using screen scraping.
        
       | version_five wrote:
       | I'm guessing from this that Canada's banks are upset about
       | getting their grass cut and are looking to regulate new entrants
       | out of business. That's usually what a "made in Canada" solution
       | means.
        
         | r00fus wrote:
          | Nope. Canadian gov is just saying users need a way to authorize
          | limited use of my banking data so we can use YNAB and other
          | stuff without resorting to scraping like Plaid or Mint do.
          | Some online banks have set up specific auth codes for these
          | services but most do not.
         | 
         | Would be nice to aggregate my data without giving them keys to
         | my kingdom.
        
         | jpmoral wrote:
         | How so? Giving your banking credentials to a third-party for it
         | to login and screen-scrape is not secure. Mandating that banks
         | provide an API instead for third-party apps to use won't
         | necessarily 'regulate new entrants out of business'.
        
         | neom wrote:
         | As a Canadian, I'm strongly in favour of a heavily regulated
         | banking sector[1][2]. The report[3] mostly just describes that
         | banks need to figure out some kinda API that allows me to
         | authorize apps to access everything I could access from the
         | front end. Seems reasonable? The report is good, and the
          | original recommendation report from 2019 is also quite good.[4]
         | 
         | [1] https://cba.ca/global-banking-regulations-and-banks-in-
         | canad... (I realize this is effectively banking regulator
         | propaganda, nevertheless, facts are there)
         | 
         | [2] https://www.brookings.edu/research/know-thy-neighbor-what-
         | ca...
         | 
         | [3] https://www.canada.ca/en/department-
         | finance/programs/consult...
         | 
          | [4] https://www.canada.ca/en/department-
         | finance/programs/consult...
        
         | [deleted]
        
       | llbeansandrice wrote:
       | I don't know why OAuth tokens aren't the default solution to
       | this. BoA recently added this as an option and it's way more
        | straightforward than giving my login credentials to Personal
       | Capital or, god forbid, Intuit.
       | 
       | edit: Of course it helps if the 3rd parties implement it as well.
       | I revoked access to Intuit but Personal Capital only lets me use
       | my userID and password.
        
         | javajosh wrote:
         | One reason is that (fintech) implementors get freaked out by
         | OAuth's ~15min window where your token can be revoked but you
         | still have access to the RP.
         | 
         | It's an issue but a minor one. The alternative, ad hoc per-
         | request session management, is so much worse in almost every
         | way.
        
           | jon-wood wrote:
           | There's nothing in OAuth that would make that a limitation.
           | Many people decide to issue JWTs without any sort of
           | blacklisting of revoked tokens, but that's not really a
           | problem with the OAuth spec.
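The point jon-wood makes, that the "revoked but still usable" window comes from a resource server that never consults revocation state rather than from OAuth itself, as an added example that is not part of the thread. The compact HMAC-signed token format, the demo `SIGNING_KEY`, the `jti`/`scope`/`exp` claims and the `revocation_demo` harness are constructed for illustration.

```python
import base64, hmac, hashlib, json

# Constructed demo key; a real authorization server uses its own key material.
SIGNING_KEY = b"demo-signing-key-not-for-production"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def issue_token(token_id: str, scope: str, ttl_seconds: int, now: float) -> str:
    """Mint a JWT-style header.payload.signature token with a token id and scope."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps({"jti": token_id, "scope": scope,
                                 "exp": int(now) + ttl_seconds}).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify_token(token: str, required_scope: str, revoked: set, now: float,
                 check_revocation: bool = True) -> str:
    """Return 'ok' or the reason the resource server rejects the token."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return "malformed"
    expected = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url(expected), sig):
        return "bad signature"
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    if now >= claims["exp"]:
        return "expired"
    if required_scope not in claims["scope"].split():
        return "insufficient scope"   # read-only grant cannot be used for writes
    if check_revocation and claims["jti"] in revoked:
        return "revoked"              # revocation takes effect immediately
    return "ok"

def revocation_demo():
    """Revoke a grant, then compare a server that checks revocation with one that does not."""
    now = 1_600_000_000.0
    revoked = set()
    token = issue_token("tok-1", "accounts:read", ttl_seconds=900, now=now)
    before = verify_token(token, "accounts:read", revoked, now)
    write_attempt = verify_token(token, "payments:write", revoked, now)
    revoked.add("tok-1")  # the user revokes the app's grant
    stateful = verify_token(token, "accounts:read", revoked, now + 1)
    stateless = verify_token(token, "accounts:read", revoked, now + 1, check_revocation=False)
    after_expiry = verify_token(token, "accounts:read", revoked, now + 900, check_revocation=False)
    return before, write_attempt, stateful, stateless, after_expiry
```

The stateless server keeps honouring the revoked token until `exp`, which is the window javajosh describes; the stateful one rejects it on the next request.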
        
       | barbazoo wrote:
       | This sounds so futuristic which is awesome but at the same time
       | banks like Tangerine, which otherwise I have nothing but praise
        | for, don't even allow me to use a password more secure than a 4-6
       | digit numeric passcode. Obviously no 2FA. Sorry, that has little
       | to do with the submission, I just had to vent about banks.
        
         | SevenSigs wrote:
         | > Tangerine
         | 
          | At least they used to have decent interest rates... Now what's
          | the point? They don't even have physical banks.
        
           | james_pm wrote:
           | Low/no fees mostly. A standard bank account at the big banks
           | gives you few Interac transactions, for example, unless you
           | either pay $12.99 a month or have >$3,000 in your account at
           | all times. Tangerine provides unlimited Interac payments on a
           | chequing account with no monthly fee.
        
             | [deleted]
        
           | barbazoo wrote:
           | Overall it's a pretty good deal, no fee accounts, unlimited
           | etransfers, decent credit card, good customer support, things
           | like that. Back when I was shopping for no fee accounts this
           | was the best deal there was.
        
         | gregsadetsky wrote:
         | 2FA is so seriously lacking here it's not funny.
         | 
         | TD Bank has 2FA which has been SMS-based for a very long time,
         | and they just introduced a 2FA app. FYI.
         | 
         | But yes on Tangerine (and other banks) being so, so behind.
         | Sending a wire online here is pretty much impossible..!
        
       | jt2190 wrote:
       | For those outside of Canada: The Canadian banking industry is
       | _highly_ centralized. This looks like a way to keep more nimble
       | upstarts from actually getting started.
       | 
       | (Not directly related, but Revolut recently retreated from the
       | Canadian market, for example.)
        
         | version_five wrote:
         | Agreed. See the replies to my other comment in this thread.
          | Open banking as a concept is a great idea; in Canada it will be
          | used strategically as a way to limit competition.
         | 
         | Edit: I'd be happy to be wrong, you can let me know when Canada
         | sees a flood of great new banking startups in the next couple
          | years.
        
       | [deleted]
        
       | jonny_eh wrote:
       | What's open banking? What's the context?
        
         | jpmoral wrote:
         | Third-party apps (e.g. budgeting apps) take users' credentials
         | to login and scrape the screen. Open banking is about banks
         | providing APIs instead.
        
       | manishsharan wrote:
       | This may be driven by TD's suit against Plaid
       | 
       | From this source
       | https://www.lexology.com/library/detail.aspx?g=8f56092c-ab40...
       | 
        | _"Users have complained that after connecting their bank
        | accounts, Plaid stores their credentials and uses them to collect
        | 5 years' of transactional data and continues to track users' data
        | in future. Users further claim that the data-gathering scheme is
        | not incidental to Plaid's business model and is, in fact, its
        | "very purpose."_
        
         | neom wrote:
         | This came out of a discovery and recommendation process that
         | has been ongoing since _2018_ -
         | https://www.canada.ca/en/department-finance/news/2018/09/min...
        
         | vesinisa wrote:
         | Holy smokes, that is shady and scary.
        
       | frosted-flakes wrote:
       | It's about time. When I learned that applications like YNAB (You
       | Need A Budget) use services like Plaid to connect to my bank
       | account, and that these services literally take my username and
       | password and _impersonate me_ to get my banking data, I was a
       | little sketched out. I use YNAB every day, and having it
       | connected to my bank account is incredibly useful, but if
       | something goes wrong and Plaid loses my money somehow, is there
       | any recourse?
       | 
       | Hopefully individuals will be able to use the Open Banking APIs
       | to access their own data directly, but it looks like
       | accreditation will be required, so probably not.
       | 
       | Here's the full text of the report:
       | https://www.canada.ca/en/department-finance/programs/consult...
        
         | jamespullar wrote:
         | To be fair, YNAB is rather explicit about how it connects to
         | your accounts and also actively recommends against doing so in
         | favor of manually entering your transactions. My experience
         | with connecting the two is that I still need to manually
         | validate every transaction because on occasion Plaid is either
         | slow or just misses entries entirely.
         | 
         | Also in the case of YNAB, Plaid is not posting transactions on
         | your accounts. It's a screen scraping service transferring
         | account data.
        
       | diogotozzi wrote:
        | Brazil started Open Banking in 2019
       | 
       | https://www.bcb.gov.br/en/financialstability/open_banking
        
       ___________________________________________________________________
       (page generated 2021-08-18 23:00 UTC)