The bank is "correct" about the secondary auth problem. Most banks
take an unrealistic approach to net based security though. Things like
"verification tokens" that are stored as cookies are not really
secure. A real 2 factor authentication will involve one time use keys
or rotating fobs. The cost of implementing these is so prohibitive
that no commercial bank will implement them for "normal accounts".

BUT, their excuse is legit. The OFX download is inherently insecure
from a theoretical perspective. In the real world it holds up fine.
Too bad most of the folks who make these decisions "internet security"
are so detached from the real world that they are unable to see the
stupidity of this position. If we used the same logic to determine if
heart transplants were "secure" then the medical community would
never have tried it.

For the record I am one of those "internet security" types. More on
the implementation and verification than decision making, but close
enough to see both sides of the story.

Jaysen

On Dec 20, 6:09 pm, Kevin Hoctor <[email protected]> wrote:
> On Dec 20, 2008, at 4:22 PM, Kevin M wrote:
>
> > I have several accounts that I use for various purposes and now that
> > I'm manually downloading transactions, I'm starting to re-think the
> > need for all these accounts.  However, I have contacted the bank where
> > my primary checking account is held asking about their plans to
> > support ofx.  Their response was as follows:  "Our customers' security
> > is our biggest concern. Utilizing OFX technology does not allow for
> > extra security measures such as RSA Tokens, Shared Secret Questions,
> > or a secure client that we are currently working on. Because of those
> > security concerns we have opted not to support automatic download of
> > transactions without those methods."  I'm curious to get your thoughts
> > on this response.
>
> Hi Kevin,
>
> I'm not sure this is a valid excuse for not supporting direct OFX  
> processing. When connecting to an OFX server, MoneyWell has to use  
> HTTPS secure protocol and has to validate any security certificates or  
> the communication cannot continue. Plus, if someone knows your  
> username and password, they can just as easily connect to a web  
> interface as an OFX interface.
>
> I'm no security expert but the difference looks terribly small.
>
> Then there are the sites like Mint that mimic you as a user and answer  
> all of the shared secret questions so that becomes a moot point as
> well. It doesn't sound valid at all.
>
> > Also, I have 3 accounts at ING direct (mortgage, checking and
> > savings).  I have heard you state on more than one occasion that you
> > are thinking of switching from ING because of the ofx issue.  Do you
> > care to share what alternatives you are thinking about?  My
> > requirements would be that it have similar (or better) interest rate,
> > auto download and web features for linking accounts / bill pay etc.
>
> > I welcome anyone else on the forum to chime in as well.  Thanks.
>
> The problem is that I haven't found the same interest rates that I can  
> get at ING Direct. I haven't found a replacement and I don't do enough  
> transactions at ING to make it worth too much effort. I can enter the  
> transactions by hand (actually I just change the imported transactions  
> from my checking account into transfers with one click) and it's done.  
> I am annoyed that ING won't turn on OFX direct access.
>
> Peace,
>
> Kevin Hoctor
> [email protected]
> No Thirst Software LLC http://nothirst.com http://kevinhoctor.blogspot.com