[Cryptography] Bad and good patterns at my financial vendor

Wed Jan 5 15:35:25 EST 2022

-----Original Message-----
From: John Levine 
Sent: Jan 5, 2022 10:20 AM
To: 
Cc: 
Subject: Re: [Cryptography] Bad and good patterns at my financial vendor

It appears that Henry Baker said:
>I wanted to hook one of my financial vendors up with another one so that I could easily make wire transfers from one to the other.

Do you mean wire transfers or ACH transfers? They use the same
identifiers but they are different processes with different security
models. Each needs a nine-digit bank routing code assigned by the
Federal Reserve and the variable length bank account number. Most
banks use the same routing number for ACH and wire, a few large
ones have different ones.

The semi-automatic linking you're describing is invariably for ACH.

>Bad pattern: one of my financial vendors wanted my *password* information, which I thought was pretty cheeky. Yes, I trust them pretty significantly already, but giving them a password to a second financial institution seemed a
>step too far.

Aggregation providers like Yodlee are in the business of scraping
account info from bank sites with user provided credentials and
providing it via an API. In this case, if you can provide credentials
to log into the other bank, they can check the account number in real
time. The fact that nobody has ever heard of Yodlee even though
they've been doing this for 20 years suggests that their security is
very good, but I don't blame you for being sceptical.

>Good pattern: this same financial vendor provided another 'manual' method to hook up the accounts, that I thought was pretty clever. I give this vendor my account info for the other vendor (but not the password), and the first
>vendor will wire transfer a *small random* amount of money -- e.g., $3.14 -- to the second vendor. I must now notice this amount, and confirm with the first vendor the exact amount of money that was transferred to prove to the
>first vendor that I have access to my account at the second vendor.
> 
>Actually, the first vendor will process *two* transactions -- providing 6 decimal digits of information, at a total cost of  

At all the banks I've used, it's two deposits of under a dollar, so
it's four digits. But for this purpose, that should be plenty.

Back in the day, they left the small deposits in the other account but
now they usually do a third withdrawal to reverse them. I wonder why.

R's,
John

---

Re: reversing the coded deposits

I can think of some reasons for *reversing the deposits*:

* The IRS isn't amused if you 'make a deposit' -- no matter now small -- into a Roth IRA when you aren't allowed to -- possibly triggering penalties far in excess of the deposit.
* Ditto for 'regular' IRA's
* A 'distribution' is often a taxable event -- no matter how small -- and it may trigger an IRA *basis calculation*, which you will then have to keep track of *forever*.

I'm not certain, but if the deposits are considered 'reversible errors', then perhaps "there's no harm, no foul, no 1099 forms, no penalties".