[Cryptography] Bad and good patterns at my financial vendor

John Levine johnl at iecc.com
Wed Jan 5 13:20:48 EST 2022 

It appears that Henry Baker <hbaker1 at pipeline.com> said:
>I wanted to hook one of my financial vendors up with another one so that I could easily make wire transfers from one to the other.

Do you mean wire transfers or ACH transfers? They use the same
identifiers but they are different processes with different security
models. Each needs a nine-digit bank routing code assigned by the
Federal Reserve and the variable length bank account number.  Most
banks use the same routing number for ACH and wire, a few large
ones have different ones.

The semi-automatic linking you're describing is invariably for ACH.

>Bad pattern: one of my financial vendors wanted my *password* information, which I thought was pretty cheeky. Yes, I trust them pretty significantly already, but giving them a password to a second financial institution seemed a
>step too far.

Aggregation providers like Yodlee are in the business of scraping
account info from bank sites with user provided credentials and
providing it via an API. In this case, if you can provide credentials
to log into the other bank, they can check the account number in real
time. The fact that nobody has ever heard of Yodlee even though
they've been doing this for 20 years suggests that their security is
very good, but I don't blame you for being sceptical.

>Good pattern: this same financial vendor provided another 'manual' method to hook up the accounts, that I thought was pretty clever. I give this vendor my account info for the other vendor (but not the password), and the first
>vendor will wire transfer a *small random* amount of money -- e.g., $3.14 -- to the second vendor. I must now notice this amount, and confirm with the first vendor the exact amount of money that was transferred to prove to the
>first vendor that I have access to my account at the second vendor.
> 
>Actually, the first vendor will process *two* transactions -- providing 6 decimal digits of information, at a total cost of  

At all the banks I've used, it's two deposits of under a dollar, so
it's four digits. But for this purpose, that should be plenty.

Back in the day, they left the small deposits in the other account but
now they usually do a third withdrawal to reverse them. I wonder why.

R's,
John

More information about the cryptography mailing list