ofx direct connect

Mark Johnson mrj001 at shaw.ca
Thu Nov 9 03:01:58 EST 2006


Jon Hamkins wrote:

>David Reiser wrote:
>
>>Bad news with respect to MSMoney ofx logs. Once set up (and it takes  
>>a registry modifier every time you  open MSMoney >2006, and it takes  
>>the 5/16/2006 version of the modifier for the Money 2007 trial  
>>version...) you only get the ofx data stream, not any address info. I  
>>guess for MSMoney, one needs to run something like ethereal and mess  
>>with those logs. Not for the faint of heart.
>
>More bad news about MS Money 2006 and OFX logs.  I installed ethereal 
>and sniffed all the traffic.  At some point Money directs my computer to 
>connect to the OFX server, and ethereal will sniff it out.  Right? 
>Wrong!  I'm a neophyte with a packet sniffer, but the capture file 
>clearly indicates that the only IP addresses that I connected to during 
>an online banking update were ones on my internal network and 
>65.54.150.19 (msnmoney.com) port 443 (https).  In other words, my 
>computer connects to msnmoney.com, msnmoney.com connects to the B of A 
>OFX server, and my computer gets the data relayed from msmoney.com, NOT 
>directly from the bank OFX server.  This is consistent with Money's 
>insistence that my banking data live on their servers if I want to do 
>OFX downloads.
>
>The bottom line is, MS Money is useless for identifying an OFX server 
>address, because it generates no direct traffic to an OFX server.
>
>      ----Jon
>
Wow, does that ever ring the alarm bells!
It raises questions I can't answer:

How does one know that the network traffic between msn money and your 
bank is also encrypted?  If yes (and it most likely is yes), what 
strength of encryption are they using?  One can set such things on one's 
own computer, but you have no control over theirs.

Your computer opens an encrypted connection to msn money, theirs opens 
an (assumed) encrypted connection to the bank.  What reason is there to 
believe that your personal financial data remain encrypted as they pass 
through the msn money "anonymizer"?  Can the https key negotiation be 
simply passed through to the bank?  (And I don't mean this in the sense 
that a firewall or router simply passes packets through.  The encrypted 
connection was apparently opened to msn money, and not to the bank.)  If 
it can, did they do it that way?  (If yes, it would relieve them of a 
lot of encryption/decryption overhead.)

It occurs to me that you might be able to answer this question by 
examining the trust certificates on your computer.  Is there one from 
your bank's OFX server?  (If so, this should answer your original 
question too.)  Or one from msn money? (which could be there for other 
uses of msn money, and therefore, by itself, would not tell much.)  How 
to do this would be specific to your OS/browser combination.

Using MS Money means you've trusted Microsoft to build the software to 
keep track of your money.  Fair enough.  The same could be said of any 
software.  Given the connections you observed, do they have access to 
your personal financial information?  That's a much higher level of 
trust than one expected when buying the software.  (On the plus side, it 
would be an enormous amount of information to deal with.  However, these 
days, that could simply mean buying more servers for the farm.)

In my opinion, this architecture raises serious privacy questions.  I 
can see a benefit for the banks: only dealing with known servers helps 
with security (theirs).  Connections from other IP addresses could then 
simply be rejected.

Mark
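
The capture check Jon describes in the quoted message, as an added example that is not part of the original thread: it lists the non-local endpoints seen in a capture so a relay such as 65.54.150.19:443 stands out. It assumes the capture was exported as tab-separated `ip.dst` and `tcp.dstport` fields (for instance with `tshark -T fields -e ip.dst -e tcp.dstport`); the sample rows are constructed, and only the 65.54.150.19:443 endpoint comes from the thread.

```python
import ipaddress
from collections import Counter

# Constructed sample export: "ip.dst<TAB>tcp.dstport" per packet.
# Rows with empty fields stand for non-IP or non-TCP frames.
SAMPLE_ROWS = (
    "192.168.1.1\t53\n"
    "65.54.150.19\t443\n"
    "192.168.1.255\t137\n"
    "65.54.150.19\t443\n"
    "65.54.150.19\t443\n"
    "\t\n"
    "192.168.1.1\t\n"
)


def external_endpoints(rows):
    """Count packets per (address, port) sent to hosts outside the local network."""
    counts = Counter()
    for line in rows.splitlines():
        fields = line.split("\t")
        if len(fields) != 2 or not fields[0]:
            continue  # frame without an IP destination (e.g. ARP)
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed row in the export
        # Drop everything that never leaves the local side.
        if (addr.is_private or addr.is_loopback
                or addr.is_link_local or addr.is_multicast):
            continue
        port = int(fields[1]) if fields[1].isdigit() else None
        counts[(str(addr), port)] += 1
    return counts


if __name__ == "__main__":
    for (addr, port), packets in external_endpoints(SAMPLE_ROWS).most_common():
        print(f"{addr}:{port}  {packets} packets")
```

If the only external endpoint in the result belongs to the software vendor, the TLS session the client negotiated ends at the vendor's server, not at the bank's OFX server.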



More information about the gnucash-user mailing list