For your banking script, are you able to use an API with a limited access token? Or does it use your normal credentials? I don't save my various banking credentials anywhere, not even 1Password, as they're so sensitive. Curious how you do this.
Your banking password isn't that sensitive, because banks are used by regular people who don't have any conception of good security practices. The worst case scenario of your bank login credentials leaking is really not that bad.
Your personal email account is probably a million times more sensitive. It contains enough personal information to get your identity stolen a thousand times over, and once your email has been compromised there is no way to ascertain the damage.
Couldn't agree more. See my comment above. My online bank only provides read-only access with a password. Anything else requires a one-time password anyway.
I'd be much more worried about my email getting hacked though.
Your banking password isn't that sensitive, because banks are used by regular people who don't have any conception of good security practices. The worst case scenario of your bank login credentials leaking is really not that bad.
Huh? The worst case scenario of your bank login details is... someone depositing all your money to their account, surely.
Nope, the login in (some? many?) banks is just a first step; to actually perform transactions they require a second-stage auth. The most they can do is transfer money to some of my family members (I've disabled the second stage for a few specific destinations).
I don't often hear about banks providing API access. Only big companies on special contracts may get something like that, but it is usually very limited - speaking from my personal experience, but from what I've learnt from the internet, it's the same everywhere.
But... in Europe, thanks to another EU law, we should have every bank offering API access for everyone starting from September 2018, IIRC. That would help a lot with automation. I hope generating a few API keys with different access permissions would be possible with that.
PSD2 is not what you think it is. It has API access, but not for the end user. Only 'integrators' will have access to these APIs. You will need to request permission to write/deploy software using the APIs. This involves massive bureaucratic overhead and in some cases permission from your country's national bank.
There is a system for integrating with larg(er) corporate banking software, but here it seems to require a smartcard, likely with a PIN, and there is no way to restrict it to be read-only.
It's horrible XML protocol stuff though.
My bank gives only read-only access by default with the username/password. Any transaction (transfer, operation) requires a one-time PIN (TAN) anyway. So I'm not particularly worried about leaking my password.
I wish they had an API, but I just use a Selenium script, essentially. Luckily(?) logging in to this particular account only requires user/password and no fancy codes etc. I guess when the system is built with read-only default and OTP for anything else, then the login can be kept simple.