Ben Hwang - Insight Community Expert

  • Anonymous

    Ben – how do I find out more about screen scraping? I’ve heard conflicting things on whether Yodlee is actually doing this.

    ~Logan

  • http://www.merchantsmirror.com Ben Hwang

    Yodlee has been known in the past to implement screen scrapes. It was a huge ethical ordeal as far as how what is now termed their MoneyCenter operated (I believe that’s what it was called).

    It was a well-known fact because you were required to provide your login credentials instead of an API key, and people reported that Mint would report incorrectly until Yodlee updated certain banking information. Don’t ask how they updated their code without “logging in” as someone.

    If they’ve updated recently, then I don’t know, but I doubt it. To create a standard that all of the banks they claim to support would implement would be a monstrous task since the financial industry is very hesitant to adopt new technologies and implement APIs.

    General information about screen scraping can be found here:
    http://en.wikipedia.org/wiki/Web_scraping

    On Yodlee:
    http://news.ycombinator.com/item?id=830075
    http://news.ycombinator.com/item?id=1537825
    http://www.quora.com/How-does-Yodlee-get-its-transactional-data

  • Anonymous

    Ben,

    Thanks so much for your helpful, comprehensive response. Very kind of you.

    Would you mind if I asked a follow up question? I would like to know the legal status of screen scraping. Presumably it’s not easy to prosecute under contract or IP law, else Yodlee and Mint would have already been targets. (Also, folks I’ve talked to have mentioned that significant litigation risk was never something that the folks who funded Mint worried about.)

    ~Logan

  • http://www.merchantsmirror.com Ben Hwang

    Sorry, I didn’t see this comment come across. So it’s taken a little bit of time for me to get back. So basically, the issue doesn’t lie in Mint or Yodlee. From a legal standpoint, you as a consumer are allowing the third party to act upon your behalf (depending on how the bank’s TOS is written).

    Under a TOS as written, such as Bank of America’s, you wouldn’t be protected under FDIC or whatnot if that “third party” happened to wipe you out. Now that means that Yodlee and/or Mint would have to be compromised for this to happen.

    If you read the terms of service you sign with Yodlee and/or Mint, they only protect themselves.

    So basically, the ethics of it come into play on whether or not screen scraping is a legitimate form of transaction that is authorized by the bank itself. According to the bank’s policies in this position, you gave your username/password, so it’s not their problem and thus you’re not protected or insured.

    Could you chase Yodlee/Mint? I suppose. I’m not an attorney. But I can say that screen scraping in general is not a very secure method of systems interaction, and the only reason Yodlee uses it is because it’s very difficult to get the banking industry to adopt one as such. So they build out quickly and bypass ethical issues and the usual channels of getting systems to talk to each other by shifting that risk onto the user.

    In my world, that’s just plain wrong. My disclaimer here is that my company doesn’t use Yodlee because I just can’t sleep at night knowing that I’m subjecting my users to something that they might not know or be aware about. I can’t knowingly do it. Obviously there are others that can though.

  • http://www.facebook.com/dansherman Dan Sherman

    Hi Ben,

    Just as a matter of information, you can sidestep this entire dilemma by creating a user within your bank account that has limited permissions (just viewing privileges) and then use that login info for the service you wish to give third party access to your account. That way, if it is compromised, all the offender will get is a view of your transactions and balance. But nothing else. They can’t spend or transfer any money or anything else. That’s what I do and I feel very secure in doing it that way.

  • http://www.merchantsmirror.com Ben Hwang

    Depends on the bank. In that instance, from a security standpoint, you’ve also created an entry point for the intruder. It’s a known read-only account, but it gives them a way to probe that bank’s pages, since the same interface allows both read and read/write access.

    It’s similar to the LifeLock CEO Social Security story. If you provide an entry point, then you’ve done half the work for the intruder already. Which is why I have yet to see the bads outweigh the goods on Yodlee. It’s a security nightmare waiting to happen.

    If I were Yodlee? I’d be pushing more towards solidifying the OFX standard, and pushing that. It’s completely read-only via API, but there is no interaction outside of the API handshake. You can’t XSS/inject an API since there’s no page. And all in all, it’s the right way to connect two different software technologies.
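To make concrete what the thread contrasts with screen scraping (Ben's first reply) and the OFX route he suggests in his last one, here is an added example, not code from the thread, from Yodlee, Mint or any bank: it builds an OFX 1.x statement request (STMTRQ, a read-only statement download) and parses a constructed OFX 1.x statement response into transactions and a ledger balance. The institution name EXAMPLEBANK, the routing and account numbers, the user credentials and the whole response text are made up for the example; OFX 1.x is SGML, so leaf tags carry a value and are not closed, while aggregate tags are.

```python
"""Added example (not code from the thread or from Yodlee/Mint): an OFX 1.x
statement download, the structured alternative to scraping a bank's pages.
The FI name, account numbers and the response text are all constructed."""
import re
from dataclasses import dataclass
from decimal import Decimal

# OFX 1.x is SGML: leaf tags carry a value and are not closed, aggregates are.
TOKEN = re.compile(r"<(/?)([A-Z0-9.]+)>([^<]*)")
OFX_HEADER = ("OFXHEADER:100\nDATA:OFXSGML\nVERSION:102\nSECURITY:NONE\n"
              "ENCODING:USASCII\nCHARSET:1252\nCOMPRESSION:NONE\n"
              "OLDFILEUID:NONE\nNEWFILEUID:NONE\n\n")

def build_statement_request(userid, password, bankid, acctid, trnuid, dtclient):
    """STMTRQ: a read-only statement request. EXAMPLEBANK/0000 and the
    APPID/APPVER values are placeholders, not a real institution or client."""
    return OFX_HEADER + (
        "<OFX><SIGNONMSGSRQV1><SONRQ>"
        f"<DTCLIENT>{dtclient}<USERID>{userid}<USERPASS>{password}"
        "<LANGUAGE>ENG<FI><ORG>EXAMPLEBANK<FID>0000</FI>"
        "<APPID>QWIN<APPVER>2500</SONRQ></SIGNONMSGSRQV1>"
        f"<BANKMSGSRQV1><STMTTRNRQ><TRNUID>{trnuid}<STMTRQ>"
        f"<BANKACCTFROM><BANKID>{bankid}<ACCTID>{acctid}<ACCTTYPE>CHECKING"
        "</BANKACCTFROM><INCTRAN><INCLUDE>Y</INCTRAN></STMTRQ>"
        "</STMTTRNRQ></BANKMSGSRQV1></OFX>")

def _attach(parent, tag, item):
    """Repeated tags under one parent (e.g. STMTTRN) collect into a list."""
    if tag not in parent:
        parent[tag] = item
    elif isinstance(parent[tag], list):
        parent[tag].append(item)
    else:
        parent[tag] = [parent[tag], item]

def parse_ofx(text):
    """Parse the SGML body after the header into nested dicts of strings."""
    start = text.find("<OFX>")
    if start < 0:
        raise ValueError("no <OFX> element in message")
    root = {}
    stack = [("", root)]
    for closing, tag, value in TOKEN.findall(text[start:]):
        value = value.strip()
        if closing:
            open_tag, _ = stack.pop()
            if open_tag != tag:
                raise ValueError(f"</{tag}> closes <{open_tag}>")
        elif value:                    # leaf: the value follows the tag
            _attach(stack[-1][1], tag, value)
        else:                          # aggregate: children follow until </TAG>
            node = {}
            _attach(stack[-1][1], tag, node)
            stack.append((tag, node))
    if len(stack) != 1:
        raise ValueError(f"unclosed <{stack[-1][0]}>")
    return root

@dataclass(frozen=True)
class Txn:
    fitid: str
    posted: str
    amount: Decimal   # money as Decimal, never float
    name: str

def statement_transactions(doc):
    """Check both status codes, then return (transactions, ledger balance)."""
    ofx = doc["OFX"]
    if ofx["SIGNONMSGSRSV1"]["SONRS"]["STATUS"]["CODE"] != "0":
        raise PermissionError("sign-on rejected by the FI")
    trnrs = ofx["BANKMSGSRSV1"]["STMTTRNRS"]
    if trnrs["STATUS"]["CODE"] != "0":
        raise RuntimeError("statement request failed, code " + trnrs["STATUS"]["CODE"])
    stmt = trnrs["STMTRS"]
    raw = stmt["BANKTRANLIST"].get("STMTTRN", [])
    if isinstance(raw, dict):          # a single transaction is not listed
        raw = [raw]
    txns = [Txn(t["FITID"], t["DTPOSTED"], Decimal(t["TRNAMT"]), t["NAME"]) for t in raw]
    return txns, Decimal(stmt["LEDGERBAL"]["BALAMT"])

# Constructed response, as an FI's OFX server would answer the request above.
SAMPLE_RESPONSE = OFX_HEADER + """<OFX>
<SIGNONMSGSRSV1><SONRS><STATUS><CODE>0<SEVERITY>INFO</STATUS>
<DTSERVER>20110815120000<LANGUAGE>ENG</SONRS></SIGNONMSGSRSV1>
<BANKMSGSRSV1><STMTTRNRS><TRNUID>1001<STATUS><CODE>0<SEVERITY>INFO</STATUS>
<STMTRS><CURDEF>USD
<BANKACCTFROM><BANKID>123456789<ACCTID>000123456<ACCTTYPE>CHECKING</BANKACCTFROM>
<BANKTRANLIST><DTSTART>20110801<DTEND>20110815
<STMTTRN><TRNTYPE>DEBIT<DTPOSTED>20110803<TRNAMT>-42.17<FITID>2011080301<NAME>COFFEE SHOP</STMTTRN>
<STMTTRN><TRNTYPE>CREDIT<DTPOSTED>20110810<TRNAMT>1500.00<FITID>2011081001<NAME>PAYROLL</STMTTRN>
</BANKTRANLIST><LEDGERBAL><BALAMT>2457.83<DTASOF>20110815</LEDGERBAL>
</STMTRS></STMTTRNRS></BANKMSGSRSV1></OFX>
"""

if __name__ == "__main__":
    txns, balance = statement_transactions(parse_ofx(SAMPLE_RESPONSE))
    for t in txns:
        print(t.posted, t.amount, t.name)
    print("ledger balance", balance)
```

Two things worth noticing against the thread's discussion: the OFX sign-on (SONRQ) still carries the user's USERID and USERPASS, so the "third party acting on your behalf with your credentials" point Ben raises applies to an OFX aggregator as well; what changes is that the response is a fixed, machine-readable message with explicit status codes rather than an HTML page whose layout can change under the scraper, which is the failure mode behind the "Mint reported incorrectly until Yodlee updated" complaint. The parser rejects mismatched or unclosed aggregates instead of guessing, and amounts are Decimal so a balance never picks up floating-point error.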