It's amusing how the article says it's "potentially" in violations of US hacking laws.
That practice is _definitely_ a violation of the Computer Fraud and Abuse Act. No employer's IT is going to have it not be a violation for a user to share their password with someone else, which even in the weakest boilerplate immediately revokes their rights to the account. At that point _any_ use of those credentials is very much a violation of the CFAA.
IT's policy is more for unauthorized credential sharing to a third party that is not legally acting as a designated data transfer agent. what argyle is doing is legal and fine.
The crazy thing about the "paperless office" of the 21st century is that authentication of documents has gone out the window, completely back to the stone age of forgeries.
Didn't we recently see where a landlord attempted to forge a lease document but was caught by the tenant?
Nobody wants to see your authentic ID/DL anymore. Just FAX it in or scan it. Nobody can examine your birth certificate or passport (except for real officials) but you need to scan and present it to all kinds of third parties. It absolutely destroys 80% of the countermeasures that are built in to those types of documents. Wrote a check from your checkbook? Your bank immediately photographs it and the image traverses their network, not the paper thing. They just shred that useless paper thing. The image is, for all intents and purposes, the negotiable document. Most of us pay a premium for "security checks" with a bunch of microprinting and other bullshit. That's utterly useless once you push it through a cellphone cam!
I've drawn a lot of public assistance from entitlements. They often require a stack of paperwork, like bank statements, paystubs. I usually ran Linux and had all the third-party PDF-manipulation tools. They would just accept screenshots from my banking apps! I could've easily forged anything, down to pixel level, or in the HTML itself, print to PDF, undetectable. No checksums or hashes to worry about!
So perhaps this headline is a symptom, a symptom of landlords being skeptical and wary of tenant-side forgeries, that they feel the need to grab the documents straight from the horse's mouth. I can't blame them for being risk-averse and wary of forgery, but this is crazy. Just... figure out a way to authenticate electronic documents. We cryptographers have worked this all out, but it's been ignored for reasons of cost and expedience. You can't ignore it anymore.
> Most of us pay a premium for "security checks" with a bunch of microprinting and other bullshit. That's utterly useless once you push it through a cellphone cam!
If I recall correctly, you can order checks from a check printing company with any account and routing number you specify. Walmart sells them, and it was cheaper than getting more from my bank. So even an authentic check with the security features intact doesn't seem worth much. The only real security feature is the signature.
Sure, I could order plain "insecure" checks, but those aren't the one I'm depositing by image. My checks are written to others and I've got no idea how they deposit them.
I've received checks with watermarks, temp-sensitive ink, you name it, and I almost never walk into a branch anymore. As long as the mobile app works, the image is the negotiable instrument, and I can't change what others give me.
It's amusing how the article says it's "potentially" in violations of US hacking laws.
That practice is _definitely_ a violation of the Computer Fraud and Abuse Act. No employer's IT is going to have it not be a violation for a user to share their password with someone else, which even in the weakest boilerplate immediately revokes their rights to the account. At that point _any_ use of those credentials is very much a violation of the CFAA.
IT's policy is more for unauthorized credential sharing to a third party that is not legally acting as a designated data transfer agent. what argyle is doing is legal and fine.
Was Plaid violating CFAA?
I hope so. Asking for your bank account's login is an absurd requirement and breaks all the lessons we work so hard to teach people.
Twitter invented OAuth around 2010 since people were typing their credentials into third-party clients.
Giving out one's corporate login credentials seems like a surefire way to no longer have paystubs to verify.
https://archive.ph/uv4Yk
The crazy thing about the "paperless office" of the 21st century is that authentication of documents has gone out the window, completely back to the stone age of forgeries.
Didn't we recently see where a landlord attempted to forge a lease document but was caught by the tenant?
Nobody wants to see your authentic ID/DL anymore. Just FAX it in or scan it. Nobody can examine your birth certificate or passport (except for real officials) but you need to scan and present it to all kinds of third parties. It absolutely destroys 80% of the countermeasures that are built in to those types of documents. Wrote a check from your checkbook? Your bank immediately photographs it and the image traverses their network, not the paper thing. They just shred that useless paper thing. The image is, for all intents and purposes, the negotiable document. Most of us pay a premium for "security checks" with a bunch of microprinting and other bullshit. That's utterly useless once you push it through a cellphone cam!
I've drawn a lot of public assistance from entitlements. They often require a stack of paperwork, like bank statements, paystubs. I usually ran Linux and had all the third-party PDF-manipulation tools. They would just accept screenshots from my banking apps! I could've easily forged anything, down to pixel level, or in the HTML itself, print to PDF, undetectable. No checksums or hashes to worry about!
So perhaps this headline is a symptom, a symptom of landlords being skeptical and wary of tenant-side forgeries, that they feel the need to grab the documents straight from the horse's mouth. I can't blame them for being risk-averse and wary of forgery, but this is crazy. Just... figure out a way to authenticate electronic documents. We cryptographers have worked this all out, but it's been ignored for reasons of cost and expedience. You can't ignore it anymore.
> Most of us pay a premium for "security checks" with a bunch of microprinting and other bullshit. That's utterly useless once you push it through a cellphone cam!
If I recall correctly, you can order checks from a check printing company with any account and routing number you specify. Walmart sells them, and it was cheaper than getting more from my bank. So even an authentic check with the security features intact doesn't seem worth much. The only real security feature is the signature.
Sure, I could order plain "insecure" checks, but those aren't the one I'm depositing by image. My checks are written to others and I've got no idea how they deposit them.
I've received checks with watermarks, temp-sensitive ink, you name it, and I almost never walk into a branch anymore. As long as the mobile app works, the image is the negotiable instrument, and I can't change what others give me.
I wanted to rent a place, and I believe they wanted my bank login credentials to verify some details.
It's also quite (maddeningly) common for some websites to collect email service login credentials.
I'd be very surprised if this is anything other than a scam to get your bank login credentials.
So what happened? Did you fork ’em over?