[sjtgraham]

Thanks for your feedback. We developed TAuth to provide attribution and non-repudiation for exactly this kind of situation. I personally take security very seriously such that launching our product has taken longer because designing and implementing a system worthy of performing financial transactions on behalf of others is a serious undertaking.

Our terms are comparable to the incumbent "screen-scrapers" in the market, e.g. Yodlee and Plaid. FWIW it is not currently possible for users to move money with Teller. I'm open to revisiting the terms when it is, and I'm always open and listening to feedback such as this.

Thanks for taking the time.

[corobo]

> I personally take security very seriously

Respectfully, your users don't care about technical security if you get compromised - they care about their financial security. Please do reconsider your stance on liability, I found myself wincing while reading that disclaimer.

It pains me to say it as a techie but insurance is more important than security in this case. It'd be great if you were iron clad against all hacks ever but it'd sit more easily if there was insurance backing it up. What if you get a rogue employee dumping out all the credentials for example, not all attacks come from outside.

If you don't trust your security enough to assume liability, why should your users?

> FWIW it is not currently possible for users to move money with Teller

I don't believe it's so much a compromised service or API that's concerning, it's your credential storage. The data you hold does allow users to move money if compromised.

Having picked fault with your service enough, it does look like a great service and I'd love to use it one day. Best of luck!

[biot]

The problem isn't what an attacker can do with Teller credentials. The problem is what an attacker can do with the banking credentials you ask users for. The risk profile is similar here to a breach in an online password manager -- if you used an online password manager to store your banking credentials, are you perfectly comfortable with an attacker gaining access to your credentials since the password manager implements no banking functionality?

[dbbk]

Is there much desire for moving money via API though? Seems like it would expose you to massive risk for little reward.

[anthuswilliams]

Oh my, I have thought about this a lot, and I firmly believe that there is. Sorry for the ensuing wall of text!

Right now I pay for several online services, a gym membership, insurance, a student loan, a mortgage, and an auto loan. Every one of these companies has authorization to pull money from my account each month. They all pay their payment processor a significant sum of money in exchange for the processor running the payments and shouldering the risk of the bank not honoring them.

With an API, I could stop relying on this "pull" model and start using a "push" model instead. Companies get my money only when I explicitly send it to them. I could schedule a payment to go out every month for services I want instead of allowing arbitrary vendors to charge my card (banks do have a partial stab at this in the form of bill-pay, but it tends to be pretty bad).

Presumably since the risk of fraud is lower since I authorized the payment with my RSA key, merchants could pay lower fees to their payment processors.

Now, I'm a little atypical, because I know how to program so I could use the API without help. But I know many people who would certainly take advantages of services built on top of an API like this.

Think of all the people in your life who have accidentally continued paying for something they no longer wanted due to the vendor "mistakenly" continuing to charge their card. Or scummy negative-option marketing companies which loudly tout a free product or service and then continue to charge your card thanks to some tiny section in their terms of service.

The possibilities get better too. You could have budgeting apps that don't let you spend more than $X per month for video games, but still allow you to buy groceries. You could give your children an authorized card with a per-month maximum but still allow them to pay for an Uber home if it's after 9 pm.

I really think this sort of thing would be a massive boon to people and society, and it's unfortunate that banks (in America) are fighting so hard to prevent it.