Phil Sim

Web, media, PR and… footy

Banks need dual-level access for Mint-like apps

Have really enjoyed following the TechCrunch40 coverage on TechCrunch (which, for one thing, has made me realise that we need to do a much better job of covering our own events, like our recent Influence Forum).

And I couldn’t have agreed more with the decision to give Mint the grand prize. It’s a hugely impressive application, and that’s even without being able to properly test it out, because I couldn’t import any of my Australian bank accounts.

However, a lot of the comments on the TechCrunch website point out that you’d be crazy to hand over all of your online banking passwords to a Web 2.0 site. I’m ultra relaxed about such things – maybe I’ve just led a charmed life and I’ll get bitten in the bum one day – but even this gave me pause for thought. If you were a hacker, this would be the greatest hacking target you could possibly think of. And experience has shown that where there’s a will, there’s a hack.

In Australia, we just had a big credit card hack case with an online retailer called Roses Only being the victim.

A few of the TechCrunch comments suggested banks should ban financial aggregators such as Mint, but I can’t see that happening, nor should it. However, banks should probably start thinking about this now, because if applications like Mint take off, it’s certain to cause problems somewhere, sometime down the track.

What banks need to do is have two levels of access. One is for the holder of the account and enables them to make transactions and so forth. The other is for applications like Mint: it allows read access to a user’s financial records but doesn’t enable them to make any transactions, and it is accessed with a different password.

I’m quite confident Mint is going to be a monster success, and I can see a plethora of copycats hitting the market. Banks need to be planning how to work with these applications without forcing users to hand over full-access credentials to their accounts.
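To make the two-level idea concrete, here is an added example of how a bank’s account service could enforce it: a full-access credential for the account holder and a separate, read-only credential that an aggregator can be given. This is illustrative code written for this post, not code from Mint or from any bank; the account data, secrets and operation names are all constructed. Read operations accept either credential, the transfer operation accepts only the full one, and refused calls are recorded so they can be reviewed.

```python
"""
Model of a bank account with two credential levels: a full-access secret
for the account holder and a separate read-only secret for aggregators.
Added example; all accounts, secrets and amounts are constructed.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from enum import Enum


class Level(Enum):
    READ_ONLY = "read_only"   # aggregator credential: balances and history only
    FULL = "full"             # account holder: may also move money


class AccessDenied(Exception):
    pass


def _hash(secret: str, salt: bytes) -> bytes:
    # PBKDF2 so the stored secrets are not kept in the clear (assumed scheme).
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 50_000)


@dataclass
class Credential:
    level: Level
    salt: bytes
    digest: bytes

    @classmethod
    def create(cls, level: Level, secret: str) -> "Credential":
        salt = os.urandom(16)
        return cls(level, salt, _hash(secret, salt))

    def verify(self, secret: str) -> bool:
        return hmac.compare_digest(self.digest, _hash(secret, self.salt))


@dataclass
class Account:
    balance: int                                    # cents
    history: list = field(default_factory=list)
    credentials: list = field(default_factory=list)
    denied_log: list = field(default_factory=list)  # audit trail of refused calls

    def _authenticate(self, secret: str) -> Level:
        for cred in self.credentials:
            if cred.verify(secret):
                return cred.level
        raise AccessDenied("bad credential")

    def _require(self, secret: str, needed: Level, op: str) -> None:
        level = self._authenticate(secret)
        if needed is Level.FULL and level is not Level.FULL:
            self.denied_log.append((op, level.value))
            raise AccessDenied(f"{op} needs full access, credential is {level.value}")

    # Read operations: either credential level may call these.
    def get_balance(self, secret: str) -> int:
        self._require(secret, Level.READ_ONLY, "get_balance")
        return self.balance

    def get_history(self, secret: str) -> list:
        self._require(secret, Level.READ_ONLY, "get_history")
        return list(self.history)

    # Transaction: only the account holder's full credential may call this.
    def transfer(self, secret: str, amount: int, payee: str) -> int:
        self._require(secret, Level.FULL, "transfer")
        if amount <= 0 or amount > self.balance:
            raise ValueError("invalid amount")
        self.balance -= amount
        self.history.append(("transfer", payee, -amount))
        return self.balance


def demo_account() -> Account:
    # Constructed sample: one holder secret and one separate aggregator secret.
    acct = Account(balance=150_00, history=[("deposit", "salary", 150_00)])
    acct.credentials.append(Credential.create(Level.FULL, "holder-secret"))
    acct.credentials.append(Credential.create(Level.READ_ONLY, "aggregator-secret"))
    return acct


if __name__ == "__main__":
    acct = demo_account()
    print(acct.get_balance("aggregator-secret"))      # the aggregator may read
    try:
        acct.transfer("aggregator-secret", 10_00, "someone")
    except AccessDenied as e:
        print("refused:", e)                          # but may not move money
    print(acct.transfer("holder-secret", 10_00, "landlord"))
    print(acct.denied_log)
```

The point of the separate secret is that a compromised aggregator only ever exposes the read-only credential, which the account holder can revoke without changing their own login, and every refused transaction attempt made with it shows up in the denied log.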

Filed under: AJAX Challenge

2 Responses

  1. staycooldad says:

    The weird thing here is that CBA tried something like this back in about 2001. I PRed it.
    It did not have all the bells and whistles Mint does, but it did have a kind of single sign on to multiple financial institutions from a CBA frontend.
    But for whatever reason, it did not fly.
    Web 2.0 indeed!

  2. Tatham Oddie says:

    Westpac has multi-level account access, however I think you need to be using the Business Online Banking system rather than the personal system to get it.

    They also have a system in their Online Banking that can aggregate other balances for you too. It’s implemented using an ActiveX control, so it only works in IE.

    While I like the idea, I’d more prefer to see a standard (WSDL/SOAP based or something) for accessing this data. Ala, Facebook API where you delegate a particular application a particular level of access.

    Imagine the plethora of uses this would open up. Integration with rich client accounting and budgeting tools, sidebar gadgets, online tools like Mint, all in a secure way.

    Implementing the authentication process on top of something like EAP would facilitate the use of smart cards (which some banks are starting to use), number generating tokens (which banks like Westpac are now forcing the use of) and SMSes (which banks like CommBank are using in place of tokens).

    I would be very happy for banks to require the use of these extra security devices for access to such web services.

    It’s also in the banks’ interests to release such services, as it makes online transactions even easier and more prevalent. (Fewer and fewer reasons to visit a branch or call up telephone banking.)
