jrgns.net

My name is  
Jurgens du Toit.
Systems Developer.
Problem Solver.

About Me

Technology and Solving Problems are my passion. I'm a South African that loves my wife, life, and coding.

I'm writing a book!

The Logstash Config Guide

Buy it now on Leanpub

28 January 2012

22seven.com - Folly, or Genius?

By Jurgens du Toit

##Promising Product

Last week Christo Davel, founder of the now defunct twenty20 bank, released an online personal accounting service called 22seven.com. It looked like a great product. Something I was looking for for quite a while: A simple online interface that automatically imports my transaction details, and reports on how much I’m spending on what.

I will never use it, though. Why? The app asks for your online banking login details.

##But…

In case you don’t know. This is “not a good thing”(tm). As tweeted by Micheal Jordaan, CEO of FNB, you’re taking a big risk by doing so. Once you’ve given it to them, it’s out there, somewhere. Yes, they secure the information, but to use it, it needs to become readable at some point. If it can become readable, someone can steal it. From a dishonest employee, to a hacker that found his way on to their servers.

The question is, why did they decide to go the route of asking for a user’s banking login details? The banks have been struggling to educate users so that they don’t enter the online banking sites from any other place than the bank’s site, and that they don’t give their login credentials to any third party. As far as I know, the South African banks will refund any money you lost because of online fraud, except if they can prove that you gave your credentials to someone else. And this service is asking for it, wholesale.

##The Problem

The problem is that this isn’t the only company that went this route. Sidpayment, a product from Setcom, gives merchants the ability to do online EFTs. The problem is that it’s a Java app that looks over the customer’s shoulder while he’s doing a once off payment through his internet banking. The opportunity for hacks and attacks abound. I’m sure both these knew the risks and were aware of the potential backlash, but why did they knowingly proceed with it?

There’s a simple answer: They had no choice. The banks in South Africa are walled gardens, with all of your information locked up in it. There’s no way to access it, except through their portals: the branch and online banking. Even FNB, who seems to be embracing newer technologies, doesn’t have anything that even looks like an API. All they have is an accounting app that looks like it was written by (no offence) accountants. So how are third party applications supposed to access a client’s transaction details?

Is there even a need for third parties to access people’s transaction information? Of course there is! In a number of other countries you see innovation in personal finance because they have access to information. There’s a number of services that track your credit card and spending patterns. These services depend on (sometimes read-only) data they get from banks and financial institutions.

##Come on, Banks!

If we are to see innovation and progress in personal accounting in South Africa, the banks need to lead the way by not walling everything off, but by giving accredited and approved third party developers and companies access to API’s. Perhaps 22seven.com’s play was to force the hand of the big banks, and not as stupid as it seems.

blog comments powered by Disqus

The postings on this site are my own and don't necessarily represent my employer’s positions, strategies or opinions.