<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title>Ben Hwang - Latest Comments</title><link xmlns="http://www.w3.org/2005/Atom" rel="http://api.friendfeed.com/2008/03#sup" href="http://disqus.com/sup/all.sup#forumcomments-f3c5ddc2" type="application/json"/><link>http://benhwang.disqus.com/</link><description></description><atom:link href="http://benhwang.disqus.com/comments.rss" rel="self"></atom:link><language>en</language><lastBuildDate>Wed, 06 Jul 2011 14:45:05 -0000</lastBuildDate><item><title>Re: Why You Should Never Use Services Like Yodlee</title><link>http://www.benhwang.com/2010/03/why-you-should-never-use-services-like-yodlee/#comment-244291739</link><description>&lt;p&gt;Depends on the bank.  In that instance from a security standpoint, you've also created an entry point for the intruder.  It's a known read only account, but it gives them a way to both probe that bank's pages since the same interface allows both read and read/write access.&lt;/p&gt;

&lt;p&gt;It's similar to the Lifelock CEO social security story.   If you provide an entry point, then you've done half the work for the intruder already.  Which is why I have yet to see the bads outweigh the goods on Yodlee.  It's a security nightmare waiting to happen.&lt;/p&gt;

&lt;p&gt;If I were Yodlee?  I'd be pushing more towards solidifying the OFX standard, and pushing that.   It's completely read only via API, but there is no interaction outside of the API handshake.  You can't XSS/inject an API since there's no page.   And all-in-all, it's the right way to connect two different software technologies.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Ben Hwang</dc:creator><pubDate>Wed, 06 Jul 2011 14:45:05 -0000</pubDate></item><item><title>Re: Why You Should Never Use Services Like Yodlee</title><link>http://www.benhwang.com/2010/03/why-you-should-never-use-services-like-yodlee/#comment-244201081</link><description>&lt;p&gt;Hi Ben,&lt;/p&gt;

&lt;p&gt;Just as a matter of information, you can sidestep this entire dilemma by creating a user within your bank account that has limited permissions (just viewing privileges) and then use that login info for the service you wish to give third party access to your account. That way, if it is compromised, all the offender will get is a view of your transactions and balance. But nothing else. They can't spend or transfer any money or anything else. That's what I do and I feel very secure in doing it that way.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Dan Sherman</dc:creator><pubDate>Wed, 06 Jul 2011 12:30:22 -0000</pubDate></item><item><title>Re: Why You Should Never Use Services Like Yodlee</title><link>http://www.benhwang.com/2010/03/why-you-should-never-use-services-like-yodlee/#comment-174630792</link><description>&lt;p&gt;Sorry, I didn't see this comment come across.  So it's taken a little bit of time for me to get back.  So basically, the issue doesn't lie in Mint or Yodlee.  From a legal standpoint, you as a consumer are allowing the third party to act upon your behalf (depending on how the bank's TOS is written).&lt;/p&gt;

&lt;p&gt;From a TOS as written such as Bank of America, you wouldn't be protected under FDIC or what not, if that "third party" happened to wipe you out.   Now that means that Yodlee and/or Mint would have to be compromised for this to happen.&lt;/p&gt;

&lt;p&gt;If you read the terms of service you sign with Yodlee and/or Mint, they only protect themselves.&lt;/p&gt;

&lt;p&gt;So basically, the ethics of it come into play on whether or not screen scraping is a legitimate form of transaction that is authorized by the bank itself.   According to the bank's policies in this position, you gave your username/password, so it's not their problem and thus you're not protected or insured.&lt;/p&gt;

&lt;p&gt;Could you chase Yodlee/Mint?  I suppose.  I'm not an attorney.   But I can say that screen scraping in general is not a very secure method of systems interaction and the only reason Yodlee uses it is because it's very difficult to get the banking industry to adopt one as such.  So either build out quickly and bypass ethical issues and usual channels of getting systems to talk to each other by shifting that risk onto the user.&lt;/p&gt;

&lt;p&gt;In my world, that's just plain wrong.   My disclaimer here is that my company doesn't use Yodlee because I just can't sleep at night knowing that I'm subjecting my users to something that they might not know or be aware about.   I can't knowingly do it.  Obviously there are others that can though.&lt;br&gt;&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Ben Hwang</dc:creator><pubDate>Tue, 29 Mar 2011 23:36:02 -0000</pubDate></item><item><title>Re: Why You Should Never Use Services Like Yodlee</title><link>http://www.benhwang.com/2010/03/why-you-should-never-use-services-like-yodlee/#comment-167186361</link><description>&lt;p&gt;Ben,&lt;/p&gt;

&lt;p&gt;Thanks so much for your helpful, comprehensive response.  Very kind of you.  &lt;/p&gt;

&lt;p&gt;Would you mind if I asked a follow-up question?  I would like to know the legal status of screen scraping.  Presumably it's not easy to prosecute under contract or IP law, else Yodlee and Mint would have already been targets.  (Also, folks I've talked to have mentioned that significant litigation risk was never something that the folks who funded Mint worried about.)&lt;/p&gt;

&lt;p&gt;~Logan&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">LoganDavisson</dc:creator><pubDate>Thu, 17 Mar 2011 12:06:58 -0000</pubDate></item><item><title>Re: Why You Should Never Use Services Like Yodlee</title><link>http://www.benhwang.com/2010/03/why-you-should-never-use-services-like-yodlee/#comment-167017847</link><description>&lt;p&gt;Yodlee has been known in the past to implement screen scrapes.   It was a huge ethical ordeal as far as how what is now termed as their MoneyCenter operated (I believe that's what it was called).&lt;/p&gt;

&lt;p&gt;It was a well known fact because you were required to provide your login credentials instead of an API key, and people reported that Mint would report incorrectly until Yodlee updated certain banking information.  Don't ask how they updated their code without "logging in" as someone.&lt;/p&gt;

&lt;p&gt;If they've updated recently, then I don't know, but I doubt it.  To create a standard that all of the banks they claim to support would implement would be a monstrous task since the financial industry is very hesitant to adopt new technologies and implement APIs.&lt;/p&gt;

&lt;p&gt;General information about screen scraping can be found here:&lt;br&gt;&lt;a href="http://en.wikipedia.org/wiki/Web_scraping" rel="nofollow"&gt;http://en.wikipedia.org/wiki/W...&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;On Yodlee:&lt;br&gt;&lt;a href="http://news.ycombinator.com/item?id=830075" rel="nofollow"&gt;http://news.ycombinator.com/it...&lt;/a&gt;&lt;br&gt;&lt;a href="http://news.ycombinator.com/item?id=1537825" rel="nofollow"&gt;http://news.ycombinator.com/it...&lt;/a&gt;&lt;br&gt;&lt;a href="http://www.quora.com/How-does-Yodlee-get-its-transactional-data" rel="nofollow"&gt;http://www.quora.com/How-does-...&lt;/a&gt;&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Ben Hwang</dc:creator><pubDate>Thu, 17 Mar 2011 01:01:35 -0000</pubDate></item><item><title>Re: Why You Should Never Use Services Like Yodlee</title><link>http://www.benhwang.com/2010/03/why-you-should-never-use-services-like-yodlee/#comment-167012123</link><description>&lt;p&gt;Ben - how do I find out more about screen scraping?  I've heard conflicting things on whether Yodlee is actually doing this.&lt;/p&gt;

&lt;p&gt;~Logan&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">LoganDavisson</dc:creator><pubDate>Thu, 17 Mar 2011 00:37:34 -0000</pubDate></item><item><title>Re: Differences Between Purchase Orders and Contracts</title><link>http://www.benhwang.com/2011/01/differences-between-purchase-orders-and-contracts/#comment-133542668</link><description>&lt;p&gt;Right, but you could actually ask for more details from a PO too as a vendor.   POs are just as binding as a contract itself, and can have a lot of detail, or no detail at all (again like a contract). &lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Ben Hwang</dc:creator><pubDate>Sun, 23 Jan 2011 23:13:42 -0000</pubDate></item><item><title>Re: Differences Between Purchase Orders and Contracts</title><link>http://www.benhwang.com/2011/01/differences-between-purchase-orders-and-contracts/#comment-133539067</link><description>&lt;p&gt;Purchase orders are contracts. They contain the same terms and conditions as a contract (or can). The big difference is that the person sending a purchase order does not expect the vendor to negotiate the terms and conditions. "Contracts" are usually the result of negotiations. Purchase orders are sent by the buyer with the expectation that the vendor will accept it as is, without change.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Polinsky</dc:creator><pubDate>Sun, 23 Jan 2011 23:05:27 -0000</pubDate></item><item><title>Re: The Art of War</title><link>http://www.benhwang.com/2009/01/the-art-of-war/#comment-20184729</link><description>&lt;p&gt;There are a lot of business professors who recommend and even mandate Sun-Tzu's The Art of War.  It's a timeless classic.  Furthermore, there are special editions like "The Art of War for Managers" and so on, specifically reinterpreted for the modern world of business.&lt;/p&gt;

&lt;p&gt;Along with more esoteric works like Tao Te Ching, I don't think I'd be the same person without it!&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Dan Vanderboom</dc:creator><pubDate>Fri, 23 Jan 2009 12:00:44 -0000</pubDate></item></channel></rss>
