Why don’t banks or credit card companies offer OAuth/API functionality for the growing amount of apps and sites that are emerging each day?
For sites like Mint or any other sites powered by the likes of Yodlee, when you go to the site to add your bank / credit card information, you’re prompted to fork over your user name and password. Now, knowing on a high-level how Yodlee works, I know that the data is being passed through a secure way to the banks to authorize the site; but I am (and I’m sure many others are) uncomfortable with handing over my very important and sensitive information!
As more applications like Mint emerges, it is time for banks to seriously re-evaluate the way that they allow customer information to be accessed. Why can’t banks develop OAuth-like functionalities, like Twitter, that allows for a more secure authorization?
Today, for most sites that says “use Twitter to login”, or “Login w/ Facebook”, what happens is you’re taken from a third party site back to say, a Twitter, to login and authorize the app. Twitter then sends a token back to the third party site to authenticate you, removing the need for you to exchange sensitive info such as name and passwords directly w/ the third party site. Knowing that my verification is being done at Twitter, where the information is being held anyway, means much more security to me than entering the information directly on the site. By opening up more APIs, banks will be able to allow developers to come up w/ innovative solutions – who knows what else can be created?
Innovate or go bust! I wonder when banks will wake up and realize that in this day and age, information mobility is king, and just you wait – when there’s a new “bank” (and there will be, I’m counting on you, Simple) that has taken all the best practices of the “web 2.0″ world and integrate all that into their operation, it will take off easily. Look at what ZocDoc is doing w/ making appointments w/ doctors – it’s the oldest tasks in the book, but they’re doing it in an innovative web 2.0 way that is making their sites super awesome. I am predicting that whichever bank go down this route will shape the future of banking.
I like the answer on this Quora thread:
Q: Why don’t banks offer oauth? Why do they instead let their users give their passwords to Yodlee?
A: Answers suggest, in a very humble and politically correct fashion, that banks are retarded.