[GNC-dev] Patelco stopped supporting OFX... other options

jean laroche ripngo at gmail.com
Thu Jun 18 11:46:33 EDT 2020


Well, I tested Plaid last night. https://plaid.com/pricing
It worked without a hitch with my bank (Patelco). It works like this:
- You create an account with Plaid and get API keys.
- Do this once:
Using Python (in my case, but there are other options) you run a local
web server on your machine (code provided by Plaid) which you can then
go to using a browser. Using this server you log into your bank and get
an *access token* for that bank. In my case that required two-factor
authentication (password then an email or text to my phone). I believe
getting the access_token is a one-time thing, but I'm not sure how long
that access_token remains valid.
- Back in Python, you can make a one-line call to the Plaid API
*client.Transactions.get()* passing the access token, start and end
date, and you get a Python dictionary that includes all your accounts at
that bank, and all the transactions for all accounts between these two
dates.

In my case, the response was lightning fast and the data seemed right.
The output returned is a dictionary, so in order to send that to GC,
you'd need to save that as an OFX or some other format that can be
imported, which will require a tiny bit of Python code.

Apparently, according to Plaid's web site, the free API keys allow you
to have 100 "items", where an item is a "set of credentials at a
financial institution". The way I read this is you can have up to 100
simultaneous banks associated with your API keys. That should be more
than enough!

The way it works, if I'm not mistaken, Plaid downloads the data from the
bank on a regular basis (even if you don't do anything) and when you
call the API, you don't connect to your bank, but rather you get the
data that Plaid holds. The data includes account numbers, etc., so this
means that this data is now on Plaid's servers, and some of you guys may
not like that one bit.
Also, one thing I don't know is how long the access_token is valid for.
I reused the one I got last night this morning, and it worked. I have to
guess that the access token remains valid for a while.

So it seems to me that this would be a viable solution for me.
Jean


On 6/16/2020 8:08 PM, John Ralls wrote:
>
>> On Jun 16, 2020, at 2:23 PM, Jean Laroche <ripngo at gmail.com> wrote:
>>
>> People,
>> In the past week, my credit union (Patelco) retired their OFX server which means it's no longer possible to download transactions using OFX. You can still do it manually by logging into your account etc, but it's no longer possible to use tools like ofxclient, ofxget and probably aqbank as they all rely on the same data.
>> I've contacted them and asked them to reconsider but I'm not holding my breath.
>> So my question is: What alternative is there?
>> Are there 3rd party tools, aggregation services that can gather the transactions, from which it's possible to download into GC?
>>
>> At the moment, I'm using selenium (a tool to automate your browser) to do the various clicks required to download my transactions, but that's very fragile...
>> Of course, I can also switch banks.
> Jean,
>
>  From https://www.patelco.org/-/media/patelco/pdfs/member-support/digital-banking-services/express-web-connect_windows.pdf it looks like they switched to OFX Web Connect. Unfortunately that's been the trend for the last 10 years, and I imagine that it's an easy sell to the banks considering the weak security offered by OFX Direct Connect. That also means that switching banks is at best a short-term solution because of that trend: The new bank is likely to do the same thing sooner or later.
>
> I think the only really feasible workaround is to reverse-engineer the Web Connect authentication. That would mean installing Quicken and setting up and using OFX Web Connect while monitoring the traffic with Wireshark. https://redflagsecurity.net/2019/03/10/decrypting-tls-wireshark/ might be helpful for decrypting the authentication traffic with the browser. No doubt the Quicken connection will also be encrypted so you'll need to find the keys for that too to be able to interpret the traffic--and working out the key exchange between Quicken and the bank will also be necessary. Frankly I would expect a low probability of success without help from a crypto expert.
>
> Regards,
> John Ralls
>
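
Added example (not part of the original message, and not Plaid's or GnuCash's code): one way to do the "tiny bit of python" step from the message above, turning the returned dictionary into a CSV file for import. The field names, the sign convention, the column layout and the sample data are assumptions constructed for illustration; the file is created owner-only because it holds account data.

```python
import csv
import os
from decimal import Decimal

# Constructed sample; field names are assumed from Plaid's transactions response.
def _txn(tid, date, name, amount, pending=False):
    return {"transaction_id": tid, "account_id": "a1", "date": date,
            "name": name, "amount": amount, "pending": pending}

SAMPLE = {
    "accounts": [{"account_id": "a1", "name": "Checking", "mask": "1234"}],
    "transactions": [
        _txn("t1", "2020-06-16", "GROCERY STORE", 42.10),
        _txn("t2", "2020-06-17", "=PAYROLL DEPOSIT", -1500.00),
        _txn("t3", "2020-06-17", "COFFEE", 3.50, pending=True),
        _txn("t1", "2020-06-16", "GROCERY STORE", 42.10),  # repeated entry
    ],
}
HEADER = ("Date", "Account", "Description", "Amount", "ID")


def to_rows(response):
    """Return one HEADER-shaped tuple per posted, unique transaction."""
    labels = {a["account_id"]: f'{a["name"]} x{a["mask"]}'
              for a in response["accounts"]}
    seen, rows = set(), []
    for t in response["transactions"]:
        # Pending entries can still change and overlapping date ranges repeat
        # transactions; importing either would create wrong or double entries.
        if t["pending"] or t["transaction_id"] in seen:
            continue
        seen.add(t["transaction_id"])
        # Assumed sign convention: the API reports money leaving the account
        # as positive, so negate to make deposits positive.
        amount = -Decimal(str(t["amount"])).quantize(Decimal("0.01"))
        desc = t["name"]
        # Merchant text is third-party input; keep spreadsheets from evaluating it.
        if desc.startswith(("=", "+", "-", "@")):
            desc = "'" + desc
        rows.append((t["date"], labels[t["account_id"]], desc, str(amount),
                     t["transaction_id"]))
    return sorted(rows)


def write_csv(response, path):
    """Write the rows to a file created with mode 0600 (owner-only)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", newline="") as fh:
        csv.writer(fh).writerows([HEADER, *to_rows(response)])
```

The access token itself never appears in this step; keep it out of scripts and version control (for example in an environment variable), since anyone holding it can pull the same data.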


