by meredydd 3286 days ago
This is startup-ese for "Every single one of our users is breaking their bank's ToS, and we maintain plausible deniability by telling them to go and read complex legal documents themselves".

I can totally understand the motivation (particularly with PSD2 around the corner, which will mandate banks to provide legit APIs - I'm guessing the plan is to grab market share before that happens). However, I am very skeptical of this approach when applied to finance. Any technical product whose risk profile is "break into us and steal money directly" is a really dangerous place to leave your users on the hook for liability.


Yeah. "No cases of fraud or loss due to screen-scraping" doesn't mean your service isn't going to be the one that leaks a treasure trove of banking credentials.

It's also highly probable that it has happened; it just wasn't attributed properly.

Why do you assume everything has already happened? Do you also assume Gmail passwords have already been hacked? Just asking.
Why do you say I think "everything" has already happened?

I think it's likely one of these screen-scraping sites that store bank passwords has been breached, and any losses as a result have simply not been attributed to it.

I say this having experience in infosec and seeing how comically little companies who should care about security actually do. Often there's not even a single person with infosec experience. And they make every mistake you'd passively learn not to by casually reading HN comments.

That's not to say some companies don't get it right. Some (including my current employer) do an extraordinary job. But even teams with solid infosec staff get broken into. The odds that a site storing large numbers of bank passwords with only a handful of engineers doesn't get popped sooner rather than later are slim.

To be fair, I think there is still going to be a lot of appetite for a service like Teller once PSD2 launches, to unify these individual bank APIs. They may not even all work the same way. It'd be much better to have one entry point than to develop for multiple different banks' implementations.
The Stripe business model, basically.