Disclaimer

The content of this blog is my personal opinion only. Although I am an employee - currently of Nvidia, in the past of other companies such as Imagination Technologies, MIPS, Intellectual Ventures, Intel, AMD, Motorola, and Gould - I reveal this only so that the reader may account for any possible bias I may have towards my employer's products. The statements I make here in no way represent my employer's position, nor am I authorized to speak on behalf of my employer. In fact, this posting may not even represent my personal opinion, since occasionally I play devil's advocate.

See http://docs.google.com/View?id=dcxddbtr_23cg5thdfj for photo credits.

Saturday, December 27, 2008

Financial websites - why not read-only access?

I've been thinking about switching from Quicken on my PC, to a web-based financial tracking site.

Something like
  • Quicken Online - lousy features compared to Quicken PC, mainly for beginners
  • Yodlee MoneyCenter
  • Mint - apparently professional, but a bit fascist, doesn't make it easy to have user defined categories
  • Wesabe - emphasizing social networking

There are many, many, others.

Motivation:

  • I have too many computers. I want to be able to access from work, and from home, and from my phone, and...
  • I'm tired of having to re-set things up when I switch PCs. And, no, the migration tool seldom works, usually because I can't power up the dead machine to migrate from.
  • I want my wife and I to be able to simultaneously access
  • Basically, I have just about given up on having a personal computer. Or is that "a single personal computer"? If my company IT allowed me to use my personal machine at work, then maybe; but they don't, so I am being pushed away from the PC-centric model to the web-centric model.

The security implications are scary: one website, with access to all of your passwords and accounts for other financial websites.

Wesabe makes a point of its security model: apparently they store the passwords, etc., on your PC, and never put the passwords onto their server. I imagine they run some client side code that accesses your other financial sites, and then filters it to upload to Wesabe.

  • But, then Wesabe may not allow the sort of ubiquitous access I desire. Does it?

Mint emphasizes that their access to your financial data is read-only. They also emphasize that the actual passwords, etc., are stored not at the Mint site, but at Yodlee - which apparently provides such services to many banks already.

  • One poster points out that this is all well and good, but if the hacker is inside Mint or Yodlee, then... Well, this poster says that they should at least be bonded to indemnify the user against that risk.
  • Wesabe says they developed their own screen-scraping approach to accessing financial websites, in part to allow them to be free as long as possible, and not to have to pay fees to Yodlee.

OK, okay, so security is an issue.

So, the thought occurs to me: why can't I give these "aggregating" sites like Mint and Wesabe read-only access to my other financial websites? Read-only access to my bank, my 401K, etc.?

Most of the things that I want to do on such a site are read-only - track my investments, look at my asset allocation and ensure that it is balanced across all of my investment accounts at different sites, etc.

I'm reasonably happy NOT to be allowed to make changes to my investments from the central site - to have to log in to my stockbroker or 401K site separately.

Sure, even read-only access to my various financial account websites would be a treasure trove for the ID thief. Account numbers, maybe even SSNs (although one might hope those could be filtered out). Things that a social engineering attacker could use on the customer support phone line. Nevertheless, such read-only access would be a lot less risky than allowing read-write access, with the ability to change mailing addresses, etc.

Trouble is, all of my financial services web accounts give me one account login, and one password, that provides full access to the entire account.

It seems that this could be changed... Let's start writing letters...

---

This is just yet another example of the Principle of Least Privilege. Of how it should be possible to split a particular security role into smaller pieces.
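As an added illustration (this is not code from the post, nor the API of Mint, Wesabe, Yodlee or any bank), here is how a bank's web service could split the single all-powerful login into a delegated read-only credential and a full-access one, deny address changes and transfers to the read-only holder, and strip the SSN from anything a delegate can see. The scope names, operations and the sample account are constructed for the example.

```python
"""Least-privilege split of one financial-account login into a read-only
scope and a full-access scope.

Hypothetical example written for this post; the scope names, operations
and sample data are constructed and do not describe any real bank's API.
"""
from dataclasses import dataclass, field
import secrets

# Scopes a bank could let a customer attach to a delegated credential.
READ = "account:read"
WRITE = "account:write"

# The scope each operation needs. Anything not listed here is denied.
REQUIRED_SCOPE = {
    "view_balance": READ,
    "list_transactions": READ,
    "change_mailing_address": WRITE,
    "transfer_funds": WRITE,
}

# Fields that never leave the bank through a delegated read-only token,
# even though the customer sees them when logged in directly.
REDACTED_FOR_DELEGATES = {"ssn"}


@dataclass
class Token:
    value: str
    scopes: frozenset
    label: str  # e.g. "aggregator", so the customer can find and revoke it


@dataclass
class Account:
    number: str
    ssn: str
    mailing_address: str
    balance: int  # cents
    tokens: dict = field(default_factory=dict)


class AccessDenied(Exception):
    pass


def issue_token(account, scopes, label):
    """Mint a delegated credential carrying only the requested scopes."""
    tok = Token(secrets.token_urlsafe(16), frozenset(scopes), label)
    account.tokens[tok.value] = tok
    return tok


def authorize(account, token_value, operation):
    """Return the token if it is live and carries the scope the operation needs."""
    tok = account.tokens.get(token_value)
    if tok is None:
        raise AccessDenied("unknown or revoked token")
    needed = REQUIRED_SCOPE.get(operation)
    if needed is None or needed not in tok.scopes:
        raise AccessDenied(f"{tok.label!r} lacks {needed!r} for {operation}")
    return tok


def view_balance(account, token_value):
    """Read-only operation; the view is redacted for delegated holders."""
    tok = authorize(account, token_value, "view_balance")
    record = {"number": account.number, "balance": account.balance, "ssn": account.ssn}
    if WRITE not in tok.scopes:
        # Delegated read-only view: mask the account number, drop the SSN.
        record["number"] = "****" + record["number"][-4:]
        for key in REDACTED_FOR_DELEGATES:
            record.pop(key, None)
    return record


def change_mailing_address(account, token_value, new_address):
    """Write operation; a read-only token is rejected before any state changes."""
    authorize(account, token_value, "change_mailing_address")
    account.mailing_address = new_address
    return account.mailing_address


def revoke(account, token_value):
    """Customer-initiated revocation of a delegated credential."""
    return account.tokens.pop(token_value, None) is not None


if __name__ == "__main__":
    acct = Account("12345678", "000-00-0000", "1 Main St", 10_000)
    owner = issue_token(acct, [READ, WRITE], "owner")
    aggregator = issue_token(acct, [READ], "aggregator")
    print(view_balance(acct, aggregator.value))
    try:
        change_mailing_address(acct, aggregator.value, "somewhere else")
    except AccessDenied as e:
        print("denied:", e)
    print(change_mailing_address(acct, owner.value, "2 Oak Ave"))
    print("revoked:", revoke(acct, aggregator.value))
```

The point of the split is that the aggregator's credential is a separate object the customer can label and revoke, and the authorization check happens before any state is touched, so a compromised aggregator token can disclose redacted balances but cannot redirect mail or move money.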
