Why Don’t Banks/Credit Card Companies Offer OAuth?

Why don’t banks or credit card companies offer OAuth/API functionality for the growing amount of apps and sites that are emerging each day?

For sites like Mint, or any other site powered by the likes of Yodlee, when you go to add your bank or credit card account you are prompted to fork over your online banking username and password. Knowing at a high level how Yodlee works, I know those credentials are passed to the bank over a secure channel to authorize the site; but I am (and I'm sure many others are) uncomfortable handing my most sensitive credentials to a third party at all.

As more applications like Mint emerge, it is time for banks to seriously re-evaluate how they allow customer information to be accessed. Why can't banks offer OAuth-like functionality, as Twitter does, that allows for a more secure form of authorization?

Today, for most sites that say "use Twitter to login" or "Login w/ Facebook", what happens is that you are taken from the third party site back to, say, Twitter, where you log in and authorize the app. Twitter then sends a token back to the third party site that it can use on your behalf, removing the need for you to hand sensitive information such as your username and password directly to the third party. Knowing that my verification is done at Twitter, where the credentials are held anyway, means much more security to me than entering them directly on the third party site. By opening up more APIs, banks would allow developers to come up with innovative solutions – who knows what else could be created?

Innovate or go bust! I wonder when banks will wake up and realize that in this day and age information mobility is king, and just you wait – when there's a new "bank" (and there will be; I'm counting on you, Simple) that has taken all the best practices of the "web 2.0" world and integrated them into its operation, it will take off easily. Look at what ZocDoc is doing with making appointments with doctors – it's one of the oldest tasks in the book, but they're doing it in an innovative web 2.0 way that makes their site super awesome. I am predicting that whichever bank goes down this route will shape the future of banking.

I like the answer on this Quora thread:

Q: Why don't banks offer OAuth? Why do they instead let their users give their passwords to Yodlee?
A: Answers suggest, in a very humble and politically correct fashion, that banks are retarded.

About Eric

I like eating yummy food and watching movies. Co-founder of @HuskyLaboratory, @FoodSkipper, @8893Project.
This entry was posted in Thoughts.
  • http://www.sgclark.com/ Stephen Clark

    Banks are going to get "wal-marted" by nimble start ups and organizations like Simple unless they do what you suggest. I would guess banks are not comfortable with the sensitive data flying around via an API with all the hacking going on out there. Building an API directly from a bank gives a hacker a nice window into how the systems work and that probably has bank leaders a little skittish.

    • http://helloericho.com/ Eric Ho

      Agreed – it's just frustrating how slow they move when compared to even, say, a PayPal, who's had a dev platform for a good few years now. I guess we'll see where this will all go in the next year or two..!

  • http://twitter.com/yodleefinapp Yodlee FinApps

    The Yodlee platform can handle it if a bank supports OAuth for aggregators. There are just no examples of that in the market yet.
    The good news? There are some banks that are working on setting up this type of system where you can "authorize" an external application to access your data and manage that access through the online banking channel. Hopefully we start seeing these features rolling out over 2012.

    ..Jordan (@yodleefinapp), Yodlee Product Management

    • http://helloericho.com/ Eric Ho

      Jordan – that's great to hear! Never questioned Yodlee's flexibility, but rather banks' ability to react and set up these kinds of systems. It will be interesting to see what level of information they will choose to open up vs. lock down.

  • Todd Neilson

    OAuth is simply not secure enough to pass DSS/PCI standards. No authorization management, no comprehensive secure logging, no 2FA support, no session management and no protection from impersonation. Banks can use OAuth IF they have a secure WAM product behind it, like CA SiteMinder or Oracle OAM.

    • http://helloericho.com/ Eric Ho

      Thanks Todd – I figured there would be a bunch of security issues on the back-end that banks will have to address before anything similar to OAuth could be implemented… I wonder if something as simple as a "yes/no" would require DSS/PCI compliance? Something like "check to see if user owns a bank account at Chase", etc.