
> Where do you think banks got the idea? They just copied an existing shady business model.

Tracking user input methods is not a shady business model. I was doing this for web forms back in 2003/4 to fight fraud, improve the user experience, and find problems.

> If my boss got a contract with a bank that said I had to track users against their will

But they aren't being tracked against their will, so you would have done this.




>I heard Oracle is deep into really shitty kinds of user tracking/spying.

Absolutely not defending Oracle, but who isn't into shitty user tracking and spying? It's a central part of most business models, because they give the service away for free.


>>>I routinely generate images of checks which I then snap a picture of right off the monitor in order to remote deposit. Of course this is always done with the written and signed consent of the account holder.

This is clever on your part, but holy cow there should be a better system than this.


> They better be tracking logins or how do they investigate fraud? If they don't have a database of every login tied to an IP, I would assert they're negligent with regard to blocking fraud.

Look, there are limits to what I'm able to talk about, but consider that a fraud subsystem functioning in transaction-time is running much more slowly than something running in request time.

> A lot of the measures taken to prevent fraud also block proxies and the like.

When was the last time you couldn't use your banking website over a proxy? Only a few mobile apps actually make the decision to do this (mine did) and it's not popular.

> I don't know how many of them had mandatory 2FA then, but I think many more have now.

Which national bank has mandatory 2FA? Not that this would matter. We dealt with 2FA at level via Intuit, that wasn't great at it. Plaid got incredibly good at it. It became pedestrian when we experimented with Plaid.


> I can understand banks using client fingerprinting for fraud detection

Why? What is it about banks that somehow legitimizes this malware? They shouldn't get to pull out all the stops in order to prevent fraud just because it exists. There are some lines we can't let them cross. It doesn't matter how much money they lose.


Some context: Patio11 wrote a bit about how businesses can use virtual account numbers this week:

> This is generally done via a mechanism called Virtual Bank Accounts (VBAs), which are a product available from the banking industry in Japan, the U.S., Mexico, Brazil, and many other countries. You contract with your financial institution of choice to reserve a block of bank account numbers corresponding to a far smaller number of actual bank accounts. You give out those numbers to your customers rather than giving out your “real” bank account number. You then take action based on which account number your customers use.

> Due to technical and social issues within the financial industry, the banks offering VBAs generally expect you to bring your own implementation work at this point. Should you e.g. re-use VBAs within your block? They probably don’t have a straightforward answer to that question; up to you. Should you treat them as secrets? Up to you. Should you share them between customers? Up to you. What should you do once you know one of your VBAs has received a transfer? The bank will give you your money, what you do with the data is up to you.

> Stripe does basically the simplest thing that works: give each customer/business pairing a unique VBA, shared across all invoices for that pairing (to avoid e.g. a customer not updating their supplier management system with the new bank account number on the second month’s invoice). Use ability to introspect invoices (and their open/closed/etc state) and inferences to tie incoming payments to the invoice they’re most likely associated with. Kick all the exceptions to a human or computer system, whichever the user specifies.

https://bam.kalzumeus.com/archive/a-game-that-intentionally-...


>TL;DR; If you rely on this to 'identify' someone, you are doing it wrong.

Which is why the system is set up so that if I go to the bank with this information and take money as you, I have stolen your identity and thus you are the victim and are responsible for the losses unless you fight back. Identity theft was created so financial institutions could be lax with their verification process thanks to the blame being shifted.

In reality, identity theft doesn't exist. In my example I stole from the bank, not you, and you shouldn't at all be involved in the process.


> I also don't have a problem with monitoring of internet communications so long as its done by computers with security protocols to prevent misuse of the information, and robust court supervision of the use of the resulting evidence.

"Security protocols" to prevent misuse, huh? Why would you think they'd be concerned with something like that?

What do you think is the idea behind NSA's massive spy center in Utah? "Hey guys, let's capture all traffic on the Internet, and then make damn sure we'll never do anything with it that might compromise someone's privacy, ever!"

> robust court supervision of the use of the resulting evidence

As robust as the supervision on mortgages in the past few years, perhaps?

Case in point: With all those hundreds of thousands of mortgages the bank bought, it simply stopped filing basic paperwork – even the stuff required by law, like keeping chains of title. A blizzard of subsequent lawsuits from pissed-off localities reveals that the bank used this systematic scam to avoid paying local fees. Last year, a single county – Dallas County in Texas – sued Bank of America for ducking fees since 1997. "Our research shows it could be more than $100 million," Craig Watkins, the county's district attorney, told reporters. Think of that next time your county leaves a road unpaved, or is forced to raise property taxes to keep the schools open.

But the lack of paperwork also presented a problem for the bank: When it needed to foreclose on someone, it had no evidence to take to court. So Bank of America unleashed a practice called robo-signing, which essentially involved drawing up fake documents for court procedures. Two years ago, a Bank of America robo-signer named Renee Hertzler gave a deposition in which she admitted not only to creating as many as 8,000 legal affidavits a month, but also to signing documents with a fake title.

http://www.rollingstone.com/politics/news/bank-of-america-to...


> nobody in their right mind should add a script that fingerprints users

I helped vendor-select and lead implementation on a fraud solution that was an integration with SiftScience (yc-funded, https://sift.com/), which relies on fingerprinting. This was years ago but I still think about the project and how it plays with user privacy etc. I will say that -- fingerprinting as a component in fraud management is/can be highly effective.

The problem is, once you get into payments fraud through bots, I think the conversation becomes way more nuanced. If you're looking for a solution to bots spamming or throwing bad data into your app, maybe that's a little extreme. But if the choice is between privacy and becoming a front for credit card fraud and chargebacks, you're in a choice between who the victims of your service are going to be, and how much ill is done.


Key quote:

> While Pertsev added functionality to the web interface that allowed legitimate users to separate their funds from those arriving from known criminal addresses, they characterized the effort as “too little and too late.”

I admit it sounds pretty damning to have a UI affordance for “keep my funds separate from the known criminals this service knowingly serves”.

I have little sympathy for those who intentionally increase crime as some kind of political statement, but it seems like maintaining plausible deniability would be very important to those who do so.


> How is this considered OK?

If I might snark for a second:

Because banks say: "We're the bank. We're run by Masters of the Universe, we are the smartest people in the room, and you can trust us and our data-handling practices!"

To be serious: Having to disclose the same credentials that give you access to the web UI for your bank accounts to a random third-party in order to use their service is insane.


> Wait til you find out about what other systems you rely on have imperfect fraud detection.
>
> There isn't a platform any large number of people use that is exempt from this.

Okay, but with the other platforms that I can think of[1], my computer and phone still continue working. I can effectively work without those platforms and do not need to purchase a new computer or phone.

[1] Maybe I'm thinking of the wrong ones (Twitter, FB, AMZ, etc). Which platforms were you referring to?


> I do not see why I should entrust anybody but the bank with information about my wealth. This will get abused and I will probably get nudged into this, so that the company selling an unrelated product can sell my information.

Believe it or not, many people (consumers) do this. For example: every Mint.com user.


> Software developers as a group are nothing like bankers as a group. Developers are far more ethical

I guess it was bankers that hacked Target and stole all that credit card info, then.


> they create a payments profile for you without consent.

And? I create a "profile" in my mind of every new human I interact with, and every human I read about or hear about even without interacting with. It's a basic human function.

When I gain a new business client, I create a profile of them too. This might start with a phone number, but over time, expand to include an email address, knowledge about their location, work hours, bank of choice, etc. Most businesses do this and always have.

Consent isn't required for this.


>If I download a piece of software, then yes, I can expect to take responsibility for verifying it serves my purposes.

Under current law.

Since the Equifax break-in, journalists have been demanding legislation to change that:

https://www.nytimes.com/2017/09/11/opinion/equifax-accountab...

https://www.emptywheel.net/2017/09/14/software-is-a-long-con...

>I never asked Equifax to keep me in their database and send my information to creditors.

It seems you can't be expected to take responsibility for reading the fine print in your loan agreements. Quite an interesting bit of cognitive dissonance you have there.


> who seems to be trying to do everything right

They chose to use tracking tokens in the first place. By default a computer does nothing, someone was tasked to write this. Apparently they did something wrong, maybe it was an honest mistake, but I find it a stretch to just assume or expect they are necessarily choosing what's best for users (and leaving money on the table) without more info than is public.


>Wouldn't that just classify as fraud?

20 years ago, much of the ToS you blindly accept on many websites, would land the developers and company management in jail. At least in my country. That is for counts of misuse of personal information, defrauding the customer and potentially espionage.

Also if they sold physical devices, lying about the function of the buttons, installing erasure buttons that don't erase anything etc, would also cause a class-action lawsuit and the district attorney to press charges for fraud.

I can totally see companies, especially the ones that don't care much about keeping a good face, like debt collection services, using this kind of service in extremely unethical ways while retaining plausible deniability in court.


> Such as when I rented my most recent apartment and they asked to use open banking to verify our finances

There was a Launch HN recently that did just this, but for people like Uber drivers wanting to borrow money to buy their own car. They handed over their Uber credentials, and the service scraped their Uber history to determine whether they were a good risk or not.

I'm not usually into slippery slope arguments but what your landlord asked of you is just that little bit worse than their service (worse as they have access to your bank account, not just your payroll data).

I think the moral of the story is that as a provider (Uber, a bank), you should be proactive about providing read-only access to data, removing the need for screen scraping and providing better security to your drivers/customers.


>Or do you expect startups to compete on a standardized API?

At least an API. If that's what customers really want, at least now there is a chance somebody will provide it.

>why should I have to employ a monk looking through my bank statements to be able to get access to them? Sure that can be a basis for an idiotic hack

Because the banks themselves are completely uninterested in providing API access to you and somebody with a legal team has to shoulder the liability for providing it.
