Mint, OAuth, Banks, and Security

If you're a user of Mint, PersonalCapital, Check (now owned by Mint), CreditKarma, Level Money (now owned by Capital One), or any other site that lets you enter your bank credentials to enable financial account aggregation, you've given that service access to your entire financial life. Odds are, you use one platform to access all bank accounts in your name. This enables great things like multi-bank budget tracking, goals, and a great holistic view of your finances. They have a dark side however. To prove this, I will use the fictional aggregator service Dude Where's My Cash and the fictional banks So Money and Very Dollars, all of which our fictional user (the obligatory Alice) holds fictional accounts at, in the examples below.

The dark side to Dude Where's My Cash is that it offers attackers a much more valuable target. Instead of having to attack Very Dollars and So Money individually, both with varying security profiles and requirements, your attacker only needs to compromise one entity, Dude Where's My Cash.

Granted, the risk to Dude Where's My Cash is much greater and thus their security is (or should be) much stricter, but while the attack surface is much smaller, an advanced, persistent threat would likely result in a much greater compromise of consumer information.

There are many ways to reduce the attack surface. Chief among them is OAuth. OAuth would let a third party access your bank account only in the manner you authorize (want it to be read-only? no problem), while also keeping your credentials safe (hopefully salted and hashed) only in your bank's database.

Let's say Very Dollars supports OAuth, while So Money does not. Alice creates a new account on Dude Where's My Cash and the first thing it asks for is what banks at which she has accounts. She enters Very Dollars into the search bar. It redirects her to the Very Dollars website to log in to her Very Dollars account, and then the Very Dollars site asks which information (and privileges) she authorizes Dude Where's My Cash to access.

What access would you like to grant to Dude Where's My Cash?

[] List your accounts
[] View your balances
[] Deposit money
[] Withdraw money

Upon authorizing these access levels, Very Dollars issues an access token to Dude Where's My Cash that acts as a one-time username and password, linked to her account and programmatically limited (on the Very Dollars side) to the intended access levels.

Suppose she now wants to link her So Money account. She is asked to input her So Money Super Secure* Portal tm credentials directly on the Dude Where's My Cash website. If she does this, she is trusting Dude Where's My Cash with read and write permission to all of her So Money accounts.

Fast forward 3 months. Dude Where's My Cash is sending Alice bill reminders, account low notifications, etc. Everything is working great.

Fast forward another 3 months. Dude Where's My Cash turns out to be run by some less than reputable business people (I think one of them was named Eve). These people steal their users' credentials and start withdrawing money. All of Alice's accounts at So Money have been drained, and since this is the Internet, the culprits are in <insert country of choice here>. She has authorized them to take her money by giving them her online bank credentials. She has no recourse. So Money's security policy explicitly states that by handing her credentials to someone else, she has authorized them to act on her behalf. She has given them root access to her bank accounts, and there are no backups or re-images in the world of finance.

Very Dollars blocks all API access to Dude Where's My Cash and likely refunds you any funds withdrawn from Alice's (and others') accounts by Dude Where's My Cash as soon as they detect any fraudulent activity.

If So Money had been compromised and their customers' accounts drained, the FDIC or NCUA would reimburse the customers. Instead, a third party was compromised and neither will take responsibility for the theft.

Dude Where's My Cash states they use the same security protocols as banks. I guess that means Dude Where's My Cash will be compromised in the near future.

No banks that I know of currently support OAuth. The only thing I find when I search "OAuth Banks" is the Open Bank Project, people asking why banks don't support OAuth (or something like it), and calls for banks to support OAuth. Open Bank Project seems to be limited to Germany for some reason, and all of these questions are going unanswered. There was even a petition a while back, which went practically nowhere.

The way I see it, OAuth would put the power into the hands of the users. It would enable many novel and exciting applications not yet devised due to the current lack of support. It might even spawn an entirely new financial transaction paradigm.

Say you want to pay your friend a few dollars. You can authorize your favorite third-party app with a one-time transaction, or just send your friend a one-time code which he or she clicks (or scans), and that moves the money instantly. Since you pre-authorized the transaction, and both of your banks provide API access, the third-arty app can simply take the one-time code from one bank to the other. Both banks then check its authenticity and make the transaction happen.

This is just a small example of what OAuth would open up, but it would accelerate innovation in a historically slow marketplace. It would also be a boon for trust of third-party financial aggregation services. Knowing that the bank was guaranteeing the security of my money even when someone else can see the accounts would restore my faith and render this post moot.

In all actuality, there may be some protocol that the banks use to offset security concerns with financial aggregation services (I found references to OFX in my travels), but they seem more focused on encryption than on access rights granted by the user. In fact, it appears that they simply send user credentials in the clear over the protocol (itself TLS encrypted; Heartbleed or Poodle anyone?). Ultimately however, it is not publicized that financial aggregation sites actually use OFX nor is the principle of least privilege apparently in use.

Banks! What is stopping you from providing OAuth? It's your time to shine!


* Only secure if you do not share your credentials with anyone else.