Old 10-13-2011, 05:56 PM
Guest
Join Date: Jul 2001
Posts: 9,182
Instant Bank Verification- How does that work?

Sometimes when signing up with a company they allow you to input your online bank login/password, and then they instantly verify that this is your account/you have funds. How does that work?
Old 10-13-2011, 06:03 PM
Guest
Join Date: Apr 2001
Location: Europe
Posts: 5,151
First, a criminal uses some false pretense to trick you into giving them your online banking credentials. Then they claim to have "verified" your account, when in fact what they have really done (or intend to do) is to use your credentials to transfer money out of your account and into theirs or that of a confederate.
Old 10-13-2011, 06:10 PM
Guest
Join Date: Jul 2001
Posts: 9,182
No, these are reputable companies like PayPal or Charles Schwab.
Old 10-13-2011, 06:15 PM
Guest
Join Date: Jan 2001
Location: SLC, USA
Posts: 4,078
No, they are pretending to be legitimate companies like PayPal or Charles Schwab. No reputable company is going to ask for your login/password for your bank account.

If you have given out this info, change your password immediately.
Old 10-13-2011, 06:33 PM
Guest
Join Date: Apr 2001
Location: Europe
Posts: 5,151
Quote:
Originally Posted by FatBaldGuy View Post
If you have given out this info, change your password immediately.
Not only that; you should very carefully examine your transaction records for any unauthorized activity, and possibly also contact your bank personally to check if there are any pending transactions which don't appear in your online statement yet. If there is any unusual activity you should report what happened to the bank immediately. You may not get your money back, since it was almost certainly against your account terms and conditions to disclose your credentials to a third party, but at least they may be able to trace the thieves.
Old 10-13-2011, 06:43 PM
Guest
Join Date: Feb 2006
Posts: 3,687
No, this is a for-real-totally-legit feature offered by some banks. My bank offers such a service, and I've used it to monitor accounts I have with other institutions.

In practice the bank is probably acting as man-in-the-middle-that-happens-to-be-friendly, and perhaps that's not the best security practice and perhaps you also violate the external-account TOS by providing your info to a third party.

(And yes, everyone should be very careful as similar looking things are also common attacks).

Last edited by lazybratsche; 10-13-2011 at 06:45 PM.
Old 10-13-2011, 06:46 PM
Guest
Join Date: Jul 2001
Posts: 9,182
Listen, I'm not a moron. Scottrade does this, and it can access my bank account balance through their site. You don't know what you're talking about. Fuck off.
Old 10-13-2011, 07:11 PM
Guest
Join Date: Apr 2004
Location: San Jose, CA
Posts: 3,514
Quote:
Originally Posted by treis View Post
Listen, I'm not a moron. Scottrade does this, and it can access my bank account balance through their site. You don't know what you're talking about. Fuck off.
Legitimate or not, the way it works is the same for everybody. You give somebody your login credentials to the bank, and the computer on the other end logs in to the bank on your behalf using your credentials. Which part of how this works is not clear to you in the first place?
Old 10-13-2011, 07:27 PM
Charter Member
Join Date: Mar 2003
Location: Montana, U.S.A.
Posts: 9,449
Moderator Warning: treis

Quote:
Originally Posted by treis View Post
Listen, I'm not a moron. Scottrade does this, and it can access my bank account balance through their site. You don't know what you're talking about. Fuck off.
[moderator warning]
After ten years on the SDMB, you should realize that telling someone to "fuck off" is out of line for the General Questions forum. Do not do this again.
[/moderator warning]
Old 10-13-2011, 07:32 PM
Charter Member
Join Date: Nov 2003
Location: Southern Ontario
Posts: 6,572
Simul-moderation!
__________________
Stringing Words Forum
Aspiring writers and authors supporting each other.
Goals and resolutions our particular specialty - also sharing commiseration and triumphs.
Join today!
Old 10-13-2011, 07:42 PM
Graphite is a great
Moderator
Join Date: Aug 1999
Location: Akron, Ohio
Posts: 25,792
Pay no attention to the man behind the curtain. I was never here.
Old 10-13-2011, 08:47 PM
Guest
Join Date: Jul 2001
Posts: 9,182
Quote:
Originally Posted by groman View Post
Legitimate or not, the way it works is the same for everybody. You give somebody your login credentials to the bank, and the computer on the other end logs in to the bank on your behalf using your credentials. Which part of how this works is not clear to you in the first place?
The part where this is how it works.

Besides, you didn't really explain the process. When I go to log in to my accounts I have to select the account type and click on some links from the homepage. So is there some program running on Bank A's machine that knows how Bank B's website works? Does Bank B have public APIs for this?

Quote:
[moderator warning]
After ten years on the SDMB, you should realize that telling someone to "fuck off" is out of line for the General Questions forum. Do not do this again.
[/moderator warning]
Totally worth it. I'm tired of people who don't know the answer to a GQ guessing some bullshit.
Old 10-13-2011, 09:49 PM
Charter Member
Moderator
Join Date: Jan 2000
Location: The Land of Cleves
Posts: 73,430
Anyone who has your bank account number and password can access your bank account. Anyone who can access your bank account can see how much money is in it. What's the mysterious part?
Old 10-13-2011, 10:07 PM
Member
Join Date: Dec 2010
Location: Boulder, CO
Posts: 3,484
Technical question though: Most bank web sites only present your account information in human-readable form. Does Instant Verification (when non-fraudulent) interpret the HTML emitted by the banking website to find the account value number, or just know the layout for a bunch of banks, or is there a more structured access available?
Old 10-13-2011, 10:24 PM
Guest
Join Date: Jul 2001
Posts: 9,182
Quote:
Originally Posted by Chronos View Post
Anyone who has your bank account number and password can access your bank account. Anyone who can access your bank account can see how much money is in it. What's the mysterious part?
How is the mysterious part. Obviously everyone can go through the website and access it that way. But that's not typically how computers do things. The how is what I am wondering. Is there an API, a clearinghouse, or what?
Old 10-13-2011, 11:00 PM
Guest
Join Date: Jul 2000
Location: Santa Barbara, CA
Posts: 10,613
Quote:
Originally Posted by treis View Post
How is the mysterious part. Obviously everyone can go through the website and access it that way. But that's not typically how computers do things. The how is what I am wondering. Is there an API, a clearinghouse, or what?
Some banks have an API, but mostly, yeah, you do actually have to screen scrape.

Mint and Yodlee both have their own system to do this sort of thing. I believe that Yodlee is used as the backend of a number of services. Not sure if Mint contracts theirs out or not.

Clearly the right thing to do for this sort of thing is for banks and other services to give out a "read only" login and password, or to use an authentication method that goes directly through them and hands out temporary credentials with limited access. But I guess we can hardly expect financial institutions to handle security as well as Twitter.

Last edited by iamthewalrus(:3=; 10-13-2011 at 11:02 PM.
Old 10-13-2011, 11:44 PM
Guest
Join Date: Feb 2007
Location: Brooklyn
Posts: 2,371
PayPal does this to verify your checking account.

They send you two very small deposits from their account into your checking account using PayPal, and you have to go to your bank account and tell PayPal what they sent you. If it matches, you are verified. You don't give PayPal your bank passwords or anything.
Old 10-13-2011, 11:58 PM
Guest
Join Date: Feb 2011
Posts: 3,651
Quote:
Originally Posted by iamthewalrus(:3= View Post
Clearly the right thing to do for this sort of thing is for banks and other services to give out a "read only" login and password, or to use an authentication method that goes directly through them and hands out temporary credentials with limited access. But I guess we can hardly expect financial institutions to handle security as well as Twitter.
Actually, ING Direct has done exactly this. They now allow you to set up what they call a "Personal Finance Access Code" that is separate from your regular password specifically for use by the aggregation services.

Unfortunately, I don't know of any other bank that does this (which doesn't prove that there isn't one).

Last edited by Alley Dweller; 10-13-2011 at 11:59 PM.
Old 10-14-2011, 01:53 AM
Guest
Join Date: Apr 2001
Location: Europe
Posts: 5,151
Quote:
Originally Posted by LurkerInNJ View Post
PayPal does this to verify your checking account.

They send you two very small deposits from their account into your checking account using PayPal, and you have to go to your bank account and tell PayPal what they sent you. If it matches, you are verified. You don't give PayPal your bank passwords or anything.
A quick search didn't turn up any mention of it on PayPal's website, but according to some third-party articles, apparently the OP is correct, and PayPal, probably the most-phished website in history, is (or was) actually doing this unbelievably stupid thing:
Quote:
Some eBay sellers on a discussion board were questioning why PayPal was asking them to reveal passwords to their bank accounts. It certainly seemed like a valid concern, so I asked PayPal spokesperson Michael Oldenburg for more information.

Michael said PayPal does under some circumstances ask for that information if users want to instantly confirm their bank accounts. PayPal only asks that question - which is optional - when users are signed in to PayPal as a way to confirm a bank account instantly...

Given that PayPal, like other financial services, is a target of phishers, I'm not convinced it's a good idea to set a precedent for asking for someone's bank account password. Wouldn't it be better if the rule was, never give out your bank account password to anyone under any circumstances, no exceptions?
Old 10-14-2011, 01:29 PM
Guest
Join Date: Feb 2007
Location: Brooklyn
Posts: 2,371
Quote:
Originally Posted by psychonaut View Post
A quick search didn't turn up any mention of it on PayPal's website, but according to some third-party articles, apparently the OP is correct, and PayPal, probably the most-phished website in history, is (or was) actually doing this unbelievably stupid thing:
This is the bank account verification process for the UK from the PayPal site

https://paypal.com/helpscr?cmd=_...utionId=163430

This is the bank account verification process for the USA from the PayPal site

https://paypal.com/helpcenter/ma...389&isSrch=Yes

Last edited by LurkerInNJ; 10-14-2011 at 01:30 PM.
Old 10-14-2011, 02:10 PM
Guest
Join Date: Feb 2009
Posts: 13,287
Hmmm...
I've been on the internet since the early 90's Netscape and dial-up days, I work with computers and I read a lot about such stuff - this is the first I realized that anyone legitimately did this. Can you imagine the risk/liability if they were hacked? Plus, why would anyone link Paypal to their bank account? I use a credit card.

So I understand FBG and psycho's collective astonishment. I would certainly NOT trust a third party with this information.

In response to OP, I would assume that (a) they have a database of valid USA bank sites so (b) a valid logon gives them your balance. If they encounter a new site, maybe it takes human intervention to validate it. Maybe there's a company that has already assembled the database for such businesses. Whether they use smart software to analyze the screen scrapes, or have a database of known screen layouts - I'm guessing it's more a combination of the two. Most companies won't share details so that they have one more layer of obscurity for hackers to get past.

The earliest posts' warnings stand, though - unless you are sure you are not infected, and type the site name in yourself, do not enter this info. Especially, do not click on a link on some weird web site or a link in an email. What the screen shows you is not always the address you get taken (so to speak) to.

Last edited by md2000; 10-14-2011 at 02:13 PM.
Old 10-14-2011, 02:33 PM
Guest
Join Date: Feb 2006
Posts: 3,687
Quote:
Originally Posted by md2000 View Post
So I understand FBG and psycho's collective astonishment. I would certainly NOT trust a third party with this information.
But in this case the third party is your bank*, which is probably the most trusted institution that any person ever deals with. You give them money, trusting that they will give it back to you at a later date. They own your car and your house, and you trust that they will pass the ownership to you once you give them enough money. Your bank handles every non-cash transaction you do.

I'm not so worried about handing them a few passwords for my other financial accounts. If they (or a malicious employee) wanted to steal from me, they already have access to all of my money. What could they possibly do with my student loan account password that will hurt me?

Now, I have to trust that they keep the third-party login information as securely as they do their own. Perhaps that's a stretch.

*though Paypal isn't a bank, and I don't trust it nearly as much, it provides similar services.
Old 10-14-2011, 04:47 PM
Guest
Join Date: Jul 2001
Posts: 9,182
Quote:
Originally Posted by md2000 View Post
Hmmm...
I've been on the internet since the early 90's Netscape and dial-up days, I work with computers and I read a lot about such stuff - this is the first I realized that anyone legitimately did this. Can you imagine the risk/liability if they were hacked? Plus, why would anyone link Paypal to their bank account? I use a credit card.
If you want to transfer funds out of Paypal you can't use your credit card.

Quote:
Originally Posted by md2000 View Post

So I understand FBG and psycho's collective astonishment. I would certainly NOT trust a third party with this information.
I don't see the big deal. These firms are typically other financial firms like banks or stockbrokers.
Old 10-14-2011, 04:54 PM
Guest
Join Date: Feb 2009
Posts: 13,287
If you think banks are mystically hack proof or immune to disgruntled employee thefts, ... they're not.

Basically, this is equivalent to giving someone a blank cheque and trusting them or their employees to fill in the right amount and the correct payee.

Last edited by md2000; 10-14-2011 at 04:55 PM.
Old 10-14-2011, 05:07 PM
Guest
Join Date: Dec 2010
Location: Albany, NY
Posts: 7
I normally just read the SDMB, but this thread has made me want to post considering the overwhelming amount of misinformation in here that's completely unrelated to OP.

Paypal lets you instantly verify your bank account by putting in your online banking credentials. I did this to link my Bank of America checking account to Paypal.

Now, on OP's topic, I would presume this is done by simply checking to see if the credentials you gave are valid. Once validated, they probably discard your login information.

[talking about Paypal] Paypal doesn't need to use your bank credentials to log in every time you make a transaction, because there are plenty of people who have verified their Paypal by the two little deposit method, and Paypal can withdraw money without a problem, having never received anything.

So it only makes sense that it's a one-time verification thing that gets thrown out after its initial use.
Old 10-14-2011, 05:50 PM
Member
Join Date: Apr 2004
Location: Europe
Posts: 552
Actually, secure ways to offer these services have existed for many years and are used in many European countries, although I am having trouble finding good cites.

Dutch link - iDeal

Finnish link - TUPAS

The critical trick that makes this safe is that the merchant redirects the customer's browser to their own familiar online banking site. The merchant never sees the customer's password or any other traffic between the customer and the bank. After the authentication between the bank and the customer completes, the bank redirects back to the merchant, passing a digitally signed success message confirming the transaction.

I also use Mastercard SecureCode and for me it works the same way - for some reason Wiki gets this wrong, talking about iframes and other issues that would make this insecure.
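The redirect flow described in the post above, sketched as an added example; it is not part of the original post and is not the actual iDeal or TUPAS message format. The field names, the demo key, and the use of an HMAC over a shared key in place of a public-key signature are assumptions made so the sketch runs with only the standard library.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

# Constructed demo key; assumed to be agreed out of band between bank and merchant.
SHARED_KEY = b"constructed-demo-key-not-a-real-secret"
SIGNED_FIELDS = ("request_id", "customer_ref", "status", "issued_at")
MAX_AGE_SECONDS = 300  # assumed freshness window for the return message


def _mac(fields):
    # Fixed field order, length-prefixed values, so fields cannot be shifted
    # into one another without changing the MAC.
    msg = "&".join(f"{len(fields[k])}:{fields[k]}" for k in SIGNED_FIELDS)
    return hmac.new(SHARED_KEY, msg.encode(), hashlib.sha256).hexdigest()


def bank_build_return_query(request_id, customer_ref, now):
    """Bank side: runs after the customer has logged in at the bank's own site.
    The password never appears here; only the outcome is sent to the merchant."""
    fields = {"request_id": request_id, "customer_ref": customer_ref,
              "status": "OK", "issued_at": str(int(now))}
    fields["mac"] = _mac(fields)
    return urlencode(fields)


class Merchant:
    def __init__(self):
        self.pending = set()  # request ids issued and not yet returned

    def start(self, request_id):
        self.pending.add(request_id)

    def handle_return(self, query, now):
        """Validate the bank's redirect. Returns (accepted, detail)."""
        fields = dict(parse_qsl(query, keep_blank_values=True))
        if not all(k in fields for k in SIGNED_FIELDS + ("mac",)):
            return False, "missing field"
        # Constant-time comparison; bytes so odd input cannot raise TypeError.
        if not hmac.compare_digest(_mac(fields).encode(), fields["mac"].encode()):
            return False, "bad mac"
        if fields["status"] != "OK":
            return False, "bank reported failure"
        if not fields["issued_at"].isdigit() or \
                abs(now - int(fields["issued_at"])) > MAX_AGE_SECONDS:
            return False, "stale"
        if fields["request_id"] not in self.pending:
            return False, "unknown or replayed request"
        self.pending.discard(fields["request_id"])  # single use
        return True, fields["customer_ref"]


def demo():
    merchant = Merchant()
    merchant.start("req-1001")
    query = bank_build_return_query("req-1001", "cust-42", now=1_000_000)
    tampered = query.replace("cust-42", "cust-43")
    return [
        merchant.handle_return(tampered, now=1_000_010),  # altered in transit
        merchant.handle_return(query, now=1_000_010),     # genuine
        merchant.handle_return(query, now=1_000_020),     # replay of genuine
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The merchant accepts only a fresh, untampered message that answers a request it actually issued, and accepts it once.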
Old 10-14-2011, 05:53 PM
Guest
Join Date: Jul 2001
Posts: 9,182
Quote:
Originally Posted by md2000 View Post
If you think banks are mystically hack proof or immune to disgruntled employee thefts, ... they're not.

Basically, this is equivalent to giving someone a blank cheque and trusting them or their employees to fill in the right amount and the correct payee.
The point is that these people already have access to my money. I'm trusting them with thousands of dollars of stock, or balances due, or whatever. If I trust them that much, I don't see why I shouldn't trust them with holding a bank password.
Old 10-14-2011, 06:14 PM
Guest
Join Date: Jun 2002
Location: Sweden
Posts: 942
Personally I'm having trouble deciding which is worse:
That there are banks that rely on a simple username/password-combo for their online services.
or
That some companies feel the need to set up their systems in such a way that they need the login/pass for your bank account to do business with you. (Unless there is some trick, like the one Frankenstein Monster mentioned, involved somewhere.)
or
That some people think it's fine to share the login information for their bank account with, well, anyone.
Old 10-14-2011, 06:23 PM
Guest
Join Date: Jul 2001
Posts: 9,182
Quote:
Originally Posted by Mogle View Post
Personally I'm having trouble deciding which is worse:
That there are banks that rely on a simple username/password-combo for their online services.
or
That some companies feel the need to set up their systems in such a way that they need the login/pass for your bank account to do business with you. (Unless there is some trick, like the one Frankenstein Monster mentioned, involved somewhere.)
or
That some people think it's fine to share the login information for their bank account with, well, anyone.
You don't understand how it works:

(1) They can't withdraw/send money using the login information. That is done as an ACH transaction.

(2) You typically don't have to give them the information. If you don't, they make two deposits in your account, and you need to tell them how much they were for. Logging in is just faster.

(3) Scottrade typically holds more of my net worth than my bank does. Why should I be afraid to give them a password/login? Should I be worried that they will take 100% of my money instead of 75% of it?

I thought "Fuck off" was strong enough to get rid of the posters who don't know what they are talking about, but apparently not.
Old 10-14-2011, 06:59 PM
Member
Join Date: Dec 2010
Location: Boulder, CO
Posts: 3,484
Quote:
Originally Posted by treis View Post
The point is that these people already have access to my money. I'm trusting them with thousands of dollars of stock, or balances due, or whatever. If I trust them that much, I don't see why I shouldn't trust them with holding a bank password.
Because Scottrade has plenty of internal auditing procedures dealing with the possibility that their own employees are stealing from them. No doubt they have records of which employees have accessed your account, no low-level employee will know your password except on a need-to-know basis (and they won't need to know for any basic account inquiries) and any internal access to your account will be logged so if there are problems later the guilty party can be tracked down.

In contrast, a corrupt Scottrade employee is unknown to your bank, and is just like any other random attacker. They have no special ability to monitor his access and track him down if he does anything bad. He can cause a lot more trouble with less potential for repercussions.

In short, while Scottrade as a whole has similar access to your wealth as your bank does, any individual corrupt employee of Scottrade has a lot less access.
Old 10-14-2011, 07:14 PM
SD Curator of Critters
Moderator
Join Date: Oct 2000
Location: Panama
Posts: 37,618
Moderator Note

Quote:
Originally Posted by treis View Post
Totally worth it. I'm tired of people who don't know the answer to a GQ guessing some bullshit.
Quote:
Originally Posted by treis View Post
I thought "Fuck off" was strong enough to get rid of the posters who don't know what they are talking about, but apparently not.
Moderator Note

treis, that's enough. Since you can't seem to keep your responses civil, I'm closing this thread. You're lucky I don't issue you an additional warning.

Colibri
General Questions Moderator
Copyright 2017 Sun-Times Media, LLC.
