Wednesday, September 06, 2006

Please give me your banking login and password...

This morning I was setting up an account on Etrade to enable ACH funds transfers to my banking account at Wachovia Bank, NA. I was truly flabbergasted when I received the following prompt:

Note the first option, "Instant gratification", which requires the user to enter their banking provider's web site login and password into Etrade so that Etrade can log in to the bank and verify that the user owns the account.

I am totally amazed that in this day and age, with rampant identity theft via spoofing sites, one of the frequent targets of said spoofs would do anything to encourage behavior that makes their customers more susceptible to said theft: typing your bank credentials into a site that is not your bank is exactly the habit a phishing page relies on. The entire concept just gives me the heebie-jeebies. And when you think further about it, my account number isn't published on my banking site's web pages (they only show a portion of the account number on a particular page), so I even question how useful the security check is.

I have set up ACH transfers at many places, some incoming, some outgoing (including places like UBS and Fidelity, which should be on a par with Etrade), and NONE of them have required verification of the destination account and NONE of them have asked me for my banking provider's web site login credentials. PayPal, which does perform an account verification, uses the verification as a reputation factor and even so doesn't attempt to get your credentials to do the verification.

Someone should take Etrade out back and teach them a lesson or two. If they really feel the need to verify their users' account info, they should look at some of the federation solutions out there, such as SAML or the Liberty Alliance specifications, which provide reasonable solutions for secure account linking without requiring that the user give up their credentials: the user authenticates at the bank, and the bank asserts the result back to Etrade.

I strongly recommend that users NOT take advantage of the instant gratification model and instead use the micro-deposit model, where Etrade sends a couple of small deposits to your bank account (so they pay you to do the verification this way) and you later report back the amounts you received. Yes, it takes a few days to receive the deposits, but your stock trade takes a few days to settle anyway.
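To make the micro-deposit model concrete, here is an added example (not Etrade's code, and not from the original post) of the broker-side logic: two random amounts are sent by ACH, only a keyed hash of them is stored, and the customer's later report is checked with a bounded number of attempts and an expiry window. The record names, the three-attempt lockout, the ten-day window and the cents-only amount range are illustrative assumptions.

```python
"""Micro-deposit ("trial deposit") account verification, as an added example.

The broker sends two small random deposits to the customer's external account
and later asks the customer to report the amounts. Only someone who can read
that account's statement knows them, which proves control of the account
without the customer ever handing over their bank login.
Names, limits and amounts below are illustrative assumptions.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAX_ATTEMPTS = 3               # assumed lockout threshold
VALIDITY = timedelta(days=10)  # assumed window in which to report the deposits


@dataclass
class Verification:
    account_ref: str           # opaque reference to the external account, not the raw number
    digest: bytes              # keyed hash of the amounts; the plaintext is not kept
    created: datetime
    attempts: int = 0
    verified: bool = False
    locked: bool = False


def _digest(key: bytes, amounts: tuple[int, int]) -> bytes:
    # Canonical, order-independent encoding in cents, so reporting
    # "0.12 / 0.47" and "0.47 / 0.12" verify the same way.
    msg = ",".join(str(a) for a in sorted(amounts)).encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


def start_verification(account_ref: str, key: bytes,
                       now: datetime | None = None) -> tuple[Verification, tuple[int, int]]:
    """Pick two deposits in [0.01, 0.99] and return (record, amounts_in_cents).

    The amounts are returned exactly once so they can be handed to the ACH
    origination system; only their keyed hash is stored with the record.
    """
    amounts = (secrets.randbelow(99) + 1, secrets.randbelow(99) + 1)
    rec = Verification(account_ref, _digest(key, amounts),
                       now or datetime.now(timezone.utc))
    return rec, amounts


def confirm(rec: Verification, key: bytes, claimed: tuple[int, int],
            now: datetime | None = None) -> bool:
    """Check customer-reported amounts (in cents) against the stored digest."""
    now = now or datetime.now(timezone.utc)
    if rec.verified or rec.locked or now - rec.created > VALIDITY:
        return False
    rec.attempts += 1
    ok = hmac.compare_digest(_digest(key, claimed), rec.digest)
    if ok:
        rec.verified = True
    elif rec.attempts >= MAX_ATTEMPTS:
        # Only ~4950 unordered pairs exist, so unlimited guessing would be
        # cheap; lock the record after a few misses.
        rec.locked = True
    return ok


def demo() -> dict[str, bool]:
    """Exercise the happy path, the lockout and the expiry; returns outcomes."""
    key = secrets.token_bytes(32)                  # per-deployment secret (assumed)
    t0 = datetime(2006, 9, 6, tzinfo=timezone.utc)  # constructed timestamp

    rec, amounts = start_verification("ext-acct-1", key, now=t0)
    happy = confirm(rec, key, (amounts[1], amounts[0]), now=t0 + timedelta(days=3))

    rec2, amounts2 = start_verification("ext-acct-2", key, now=t0)
    for _ in range(MAX_ATTEMPTS):
        confirm(rec2, key, (0, 0), now=t0)          # 0 is never a valid amount
    locked_out = rec2.locked and not confirm(rec2, key, amounts2, now=t0)

    rec3, amounts3 = start_verification("ext-acct-3", key, now=t0)
    expired = not confirm(rec3, key, amounts3, now=t0 + timedelta(days=11))

    return {"happy_path": happy, "locked_out": locked_out, "expired_rejected": expired}


if __name__ == "__main__":
    print(demo())
```

The point of the design is that the customer only ever reads information from their own bank and types two numbers into the broker; the broker learns nothing it could use to log in to the bank, which is the opposite of the credential-harvesting flow described above.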

UPDATE: Following Erik's comment asking whether I am sure, I went back and stepped through the "instant gratification" path and found the following in their Instant Verification User Agreement (hidden behind a link on the verification page, of course):

THIRD PARTY ACCOUNTS. By using the service, you authorize E*TRADE Bank and/or E*TRADE Securities and Yodlee to access third party sites designated by you, on your behalf, to retrieve information requested by you. For all purposes hereof, you hereby grant E*TRADE Bank and/or E*TRADE Securities and Yodlee a limited power of attorney, and you hereby appoint E*TRADE Bank and/or E*TRADE Securities and Yodlee as your true and lawful attorney-in-fact and agent, with full power of substitution and resubstitution, for you and in your name, place and stead, in any and all capacities, to access third party internet sites, servers or documents, retrieve information, and use your information, all as described above, with the full power and authority to do and perform each and every act and thing requisite and necessary to be done in connection with such activities, as fully to all intents and purposes as you might or could do in person. YOU ACKNOWLEDGE AND AGREE THAT WHEN E*TRADE BANK AND/OR E*TRADE SECURITIES OR YODLEE ACCESSES AND RETRIEVES INFORMATION FROM THIRD PARTY SITES, E*TRADE BANK AND/OR E*TRADE SECURITIES AND YODLEE ARE ACTING AS YOUR AGENT, AND NOT THE AGENT OR ON BEHALF OF THE THIRD PARTY. You agree that third party account providers shall be entitled to rely on the foregoing authorization, agency and power of attorney granted by you. You understand and agree that the service is not endorsed or sponsored by any third party account providers accessible through the service.

So it is clear that they (through Yodlee) are logging in to your bank account with your credentials and retrieving information on your behalf; this is not a federated hand-off to the bank.



Erik said...

Are you sure that the "instant verification" option results in you entering your Wachovia credentials on E*Trade's website?

Here in Canada, we have a similar situation with e-mail money transfers. I can send a money transfer to an email account from online banking. The recipient receives a link to a 3rd party site, where they are asked to click the logo of their bank.

They are then taken to a site operated by the bank, which verifies the identity before sending the user back to the 3rd party site, where the deposit is completed.

From what I understand, it is a classic case of identity federation. Whether or not it is built on SAML or another standard, I don't know.

From the content of your post, it seems feasible to me that the E*Trade scenario operates similarly.

Erik said...

I'll refrain from suggesting that this somehow proves northern superiority ;)

You are right, there is clearly no reason for the "instant verification" option to require ceding one's credentials to a 3rd party.

As a side note, the other option reminds me of a recent post on Eve Maler's blog:

Token mapping by the USPS

Another example of token-mapping in practice?