[GNC-dev] New OFX Requirements For USAA FSB

Sun Feb 7 16:29:24 EST 2021

On Sonntag, 7. Februar 2021 18:00:36 CET Jean L wrote:

> Wow! That's dedication!
> I have to admit, the same thing happened with my Credit Union (Patelco) 
> and I didn't have the dedication to do what you did!
> Kudos to you. It's really maddening, like you say, that apparently the 
> only clients that our banks think have the right to download their data 
> are Quicken customers.
> In any case, thanks for posting the "recipe" and the details of how you 
> got to your final success. I'm impressed!
> One thing though: I would have imagined that the communication between 
> Quicken and your bank was encrypted, how were you able to decrypt that, 
> not knowing any of the keys they probably use?

As Scott mentioned in his mail:

So I decided to give the devil his due and temporarily got a Quicken
subscription and setup an SSL man-in-the-middle.

> Jean
> 
> 
> On 2/6/2021 8:45 PM, Scott McRae wrote:
> > I got this working in my software with some help for the info on this list.
> > Here is a write-up:
> >
> > USAA's changes to their OFX interface
> > -------------------------------------
> >
> > On 2020-01-26, USAA's previous OFX interface (
> > https://service2.usaa.com/ofx/OFXServlet) stopped working. It seems like
> > they switched to a new interface through a tech provider to replace their
> > previous login method (with your website credentials) to an app-specific ID
> > and password. This is a good move for security, but it was done without
> > notice, it seems, to anyone but Quicken.
> >
> >  From some internet searches, I found some people on the right track to
> > fixing this on the GNU Cash development mailing list:
> >
> > https://lists.gnucash.org/pipermail/gnucash-devel/2021-January/045664.html
> >
> > They were able to determine that USAA was:
> >   - using a new OFX endpoint:
> > https://df3cx-services.1fsapi.com/casm/usaa/access.ofx
> >   - using a new OFX Org ID: USAA Federal Savings Bank
> >   - using a new OFX FID: 67811
> >
> > Additionally, someone on the USAA forums was about to extract and post the
> > link to generate an App ID and PIN:
> >
> > source:
> > https://communities.usaa.com/t5/Finances/USAA-Creates-Quicken-Monopoly/td-p/243850/highlight/false
> > Authorization link: https://df3cx-services.1fsapi.com/casm/usaa/enroll
> >
> > However, with a lot of trial and error I still wasn't able to hit this new
> > endpoint successfully. So I decided to give the devil his due and
> > temporarily got a Quicken subscription and setup an SSL man-in-the-middle.
> >
> > The new OFX interface is *very* finicky, so you basically have to input
> > everything exactly the way it expects it. Here is an example of an account
> > listing query that works:
> >
> > echo -en
> > "OFXHEADER:100\r\nDATA:OFXSGML\r\nVERSION:103\r\nSECURITY:NONE\r\nENCODING:USASCII\r\nCHARSET:NONE\r\nCOMPRESSION:NONE\r\nOLDFILEUID:NONE\r\nNEWFILEUID:NONE\r\n\r\n<OFX>\r\n<SIGNONMSGSRQV1>\r\n<SONRQ>\r\n<DTCLIENT>20210207031942\r\n<USERID>XXXXX\r\n<USERPASS>NNNNN\r\n<LANGUAGE>ENG\r\n<FI>\r\n<ORG>USAA
> > Federal Savings
> > Bank\r\n<FID>67811\r\n</FI>\r\n<APPID>QMOFX\r\n<APPVER>2300\r\n<CLIENTUID>1955A543-B071-455E-A31E-73CC7C493D68\r\n</SONRQ>\r\n</SIGNONMSGSRQV1>\r\n<SIGNUPMSGSRQV1>\r\n<ACCTINFOTRNRQ>\r\n<TRNUID>e39add7d-2085-4504-b9ee-be37927de39c\r\n<ACCTINFORQ>\r\n<DTACCTUP>19900101\r\n</ACCTINFORQ>\r\n</ACCTINFOTRNRQ>\r\n</SIGNUPMSGSRQV1>\r\n</OFX>\r\n"
> > | curl -isS -X POST -H "Content-Type: application/x-ofx" -A InetClntApp/3.0
> > --data-binary @- https://df3cx-services.1fsapi.com/casm/usaa/access.ofx
> >
> > Note you have to change the XXXXX and NNNNN to the App ID and PIN you get
> > from the link above.
> >
> > Some things I've found through trial and error:
> >   - The OFX elements must be separated with "\r\n". This is dumb, but true.
> > No spaces. No simple "\n". Exactly "\r\n".
> >   - The APPID "QMOFX" and APPVER "QMOFX" work. Others I tried did not.
> >   - The CLIENTUID "1955A543-B071-455E-A31E-73CC7C493D68" works for me. It
> > must be uppercase. This might be particular to your account. If so, you can
> > find it looking at the OFX logs from Quicken.
> >   - TRNUID must be present, but an UUID will do.
> >   - DTACCTUP: The value "19900101" works. The value "19700101" does not. The
> > value "19900101000000" does not.
> >   - You need the "Content-Type: application/x-ofx" header
> >   - You need the User-Agent "InetClntApp/3.0". This is what Quicken for Mac
> > sends.
> >
> > It also seems their gateway will under some conditions put your IP on a ban
> > list. If you are testing, you may want to spin up an AWS instance or
> > something. When you get on it, you'll start seeing an empty HTML page
> > response, like:
> >
> > <html>
> > <head>
> > <META NAME="robots" CONTENT="noindex,nofollow">
> > <script
> > src="/_Incapsula_Resource?SWJIYLWA=5074a744e2e3d891814e9a2dace20bd4,719d34d31c8e3a6e6fffd425f7e032f3">
> > </script>
> > <body>
> > </body></html>
> >
> > Valid queries will work from different source IPs when this happens.
> >
> >
> > Thanks to Bob White on the GNU Cash list and RDD! on the USAA Forums for
> > the breadcrumbs. No thanks to USAA for swapping out their functional
> > interface with absolutely no notice or documentation and pretending like
> > Quicken users are the only customers of any importance. Please just don't
> > break our software again... at least for awhile.
> >
> > - Scott McRae
> > _______________________________________________
> > gnucash-devel mailing list
> > gnucash-devel at gnucash.org
> > https://lists.gnucash.org/mailman/listinfo/gnucash-devel
> 
> _______________________________________________
> gnucash-devel mailing list
> gnucash-devel at gnucash.org
> https://lists.gnucash.org/mailman/listinfo/gnucash-devel
> 
> 

-- 

Regards

Thomas Baumgart

https://www.signal.org/       Signal, the better WhatsApp
-------------------------------------------------------------
Please don't send me proprietary file formats,
use ISO standard ODF instead (ISO/IEC 26300)
-------------------------------------------------------------
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 868 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.gnucash.org/pipermail/gnucash-devel/attachments/20210207/ee407d36/attachment.sig>