[GNC-dev] Patelco stopped supporting OFX... other options

Fross, Michael michael at fross.org
Thu Jun 18 11:49:55 EDT 2020


Thanks Jean for this...might be a great resource for all of us.  It would
be nice to not have to leverage a webserver on the client side and just
call the API.  Is that possible?  Might be a lot simpler.  Then the only
real task is converting to OFX or CSV.

Michael

On Thu, Jun 18, 2020 at 10:46 AM jean laroche <ripngo at gmail.com> wrote:

> Well, I tested plaid last night. https://plaid.com/pricing
> It worked without a hitch with my bank (Patelco). It works like this:
> - You create an account with plaid and get API keys.
> - Do this once:
> Using python (in my case, but there are other options) you run a local
> web server on your machine (code provided by plaid) which you can then
> go to using a browser. Using this server you log into your bank and get
> an *access token* for that bank. In my case that required two factor
> authentication (password then an email or text to my phone). I believe
> getting the access_token is a one-time thing, but I'm not sure how long
> that access_token remains valid.
> - Back into python, you can make a one line call to the plaid api
> *client.Transactions.get()* passing the access token, start and end
> date, and you get a python dictionary that includes all your accounts at
> that bank, and all the transactions for all accounts between these two
> dates.
>
> In my case, the response was lightning fast and the data seemed right.
> The output returned is a dictionary, so in order to send that to GC,
> you'd need to save that as an OFX or some other format that can be
> imported, which will require a tiny bit of python code.
>
> Apparently, according to plaid's web site, the free API keys allow you
> to have 100 "items", where an item is a "set of credentials at a
> financial institution". The way I read this is you can have up to 100
> simultaneous banks associated with your API keys. That should be more
> than enough!
>
> The way it works, if I'm not mistaken, plaid downloads the data from the
> bank on a regular basis (even if you don't do anything) and when you
> call the API, you don't connect to your bank, but rather you get the
> data that plaid holds. The data includes account numbers, etc, so this
> means that this data is now on plaid's servers, and some of you guys may
> not like that one bit.
> Also, one thing I don't know is how long the access_token is valid for.
> I reused the one I got last night this morning, and it worked. I have to
> guess that the access token remains valid for a while.
>
> So it seems to me that this would be a viable solution for me.
> Jean
>
>
> On 6/16/2020 8:08 PM, John Ralls wrote:
> >
> >> On Jun 16, 2020, at 2:23 PM, Jean Laroche <ripngo at gmail.com> wrote:
> >>
> >> People,
> >> In the past week, my credit union (Patelco) retired their OFX server
> >> which means it's no longer possible to download transactions using
> >> OFX. You can still do it manually by logging into your account etc,
> >> but it's no longer possible to use tools like ofxclient, ofxget and
> >> probably aqbank as they all rely on the same data.
> >> I've contacted them and asked them to reconsider but I'm not holding
> >> my breath.
> >> So my question is: What alternative is there?
> >> Are there 3rd party tools, aggregation services that can gather the
> >> transactions, from which it's possible to download into GC?
> >>
> >> At the moment, I'm using selenium (a tool to automate your browser)
> >> to do the various clicks required to download my transactions, but
> >> that's very fragile...
> >> Of course, I can also switch bank.
> > Jean,
> >
> > From
> > https://www.patelco.org/-/media/patelco/pdfs/member-support/digital-banking-services/express-web-connect_windows.pdf
> > it looks like they switched to OFX Web Connect. Unfortunately that's
> > been the trend for the last 10 years, and I imagine that it's an easy
> > sell to the banks considering the weak security offered by OFX Direct
> > Connect. That also means that switching banks is at best a short-term
> > solution because of that trend: The new bank is likely to do the same
> > thing sooner or later.
> >
> > I think the only really feasible workaround is to reverse-engineer the
> > Web Connect authentication. That would mean installing Quicken and
> > setting up and using OFX Web Connect while monitoring the traffic with
> > wireshark.
> > https://redflagsecurity.net/2019/03/10/decrypting-tls-wireshark/ might
> > be helpful for decrypting the authentication traffic with the browser.
> > No doubt the quicken connection will also be encrypted so you'll need
> > to find the keys for that too to be able to interpret the traffic--and
> > working out the key exchange between Quicken and the bank will also be
> > necessary. Frankly I would expect a low probability of success without
> > help from a crypto expert.
> >
> > Regards,
> > John Ralls
> >
>
> _______________________________________________
> gnucash-devel mailing list
> gnucash-devel at gnucash.org
> https://lists.gnucash.org/mailman/listinfo/gnucash-devel
>
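
The conversion step discussed in this thread, as an added example (not code from either poster or from Plaid): it turns a constructed, Plaid-style response dictionary into CSV text. The field names, the CSV column names and the sign convention (positive amount means money leaving the account) are assumptions. Only the account name and its last-four mask are written out, pending entries are skipped, and a set of already-seen transaction ids prevents importing the same transaction twice when date ranges overlap.

```python
import csv
import io
from decimal import Decimal

# Constructed sample; field names are assumed to match a Plaid transactions response.
SAMPLE_RESPONSE = {
    "accounts": [
        {"account_id": "acc-1", "name": "Checking", "mask": "1234"},
        {"account_id": "acc-2", "name": "Visa", "mask": "9876"},
    ],
    "transactions": [
        {"transaction_id": "t2", "account_id": "acc-1", "date": "2020-06-16",
         "name": "PAYROLL", "amount": -1500.00, "pending": False},
        {"transaction_id": "t1", "account_id": "acc-1", "date": "2020-06-15",
         "name": "GROCERY STORE", "amount": 42.10, "pending": False},
        {"transaction_id": "t3", "account_id": "acc-2", "date": "2020-06-17",
         "name": "COFFEE", "amount": 3.50, "pending": True},
    ],
}

FIELDS = ["Date", "Description", "Amount", "Account", "Number"]  # column names chosen here


def to_rows(response, seen_ids):
    """Return importable rows; seen_ids (a set) is updated so reruns skip duplicates."""
    # Label accounts by name and mask only, so the export carries no full account number.
    labels = {a["account_id"]: f'{a["name"]} (x{a["mask"]})' for a in response["accounts"]}
    rows = []
    for txn in sorted(response["transactions"], key=lambda t: (t["date"], t["transaction_id"])):
        if txn.get("pending") or txn["transaction_id"] in seen_ids:
            continue  # pending entries can still change; seen ids were already exported
        seen_ids.add(txn["transaction_id"])
        # Flip the sign (assumed convention) so deposits come out positive.
        amount = -Decimal(str(txn["amount"])).quantize(Decimal("0.01"))
        rows.append({"Date": txn["date"], "Description": txn["name"], "Amount": amount,
                     "Account": labels[txn["account_id"]], "Number": txn["transaction_id"]})
    return rows


def to_csv(rows):
    """Serialize rows to CSV text with a header line."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()
```

Persisting the `seen_ids` set between runs (for example in a small local file) is what makes repeated downloads safe to import.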

