<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">

 <title>Dave Dash</title>
 <link href="http://davedash.com/tag/security/atom.xml" rel="self"/>
 <link href="http://davedash.com/tag/security"/>
 <updated>2012-04-07T22:42:44-07:00</updated>
 <id>http://davedash.com/</id>
 <author>
   <name>Dave Dash</name>
   <email>dd+atom1@davedash.com</email>
 </author>

 
 <entry>
   <title>Data Anonymous</title>
   <link href="http://davedash.com/2011/03/02/data-anonymous/"/>
   <updated>2011-03-02T00:00:00-08:00</updated>
   <id>http://davedash.com/2011/03/02/data-anonymous</id>
   <content type="html">&lt;p&gt;I wrote a simple database &lt;a href=&quot;https://github.com/davedash/mysql-anonymous&quot;&gt;scrubber script&lt;/a&gt;.  It takes a &lt;code&gt;yaml&lt;/code&gt; file that
describes what scrubbing needs to be done and outputs &lt;code&gt;sql&lt;/code&gt; that you can send
to &lt;code&gt;mysql&lt;/code&gt;.  It's dreadfully simple and I'd like to see if others can make use
of it.&lt;/p&gt;

&lt;p&gt;At Mozilla we have a lot of contributors and would like them to have access to
realistic data, since many of our bugs only reproduce when the data is in a
particular state.&lt;/p&gt;
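&lt;p&gt;Here is an added example of the shape such a generator takes in Python. It is not the mysql-anonymous script itself: the spec layout (tables, columns, strategy names) and the sample tables are assumptions for illustration, and the spec is kept as a Python dict so the example runs without a YAML parser. It turns a scrubbing spec into &lt;code&gt;UPDATE&lt;/code&gt; and &lt;code&gt;TRUNCATE&lt;/code&gt; statements that &lt;code&gt;mysql&lt;/code&gt; can run, and refuses table or column names that are not plain identifiers, since the spec file is input to a SQL generator and must not be able to smuggle SQL into the output.&lt;/p&gt;

```python
"""Generate MySQL scrubbing statements from a declarative spec.

Added example, not the mysql-anonymous project's code. The spec layout
and strategy names below are assumptions for illustration; the real tool
reads a YAML file with its own schema.
"""
import re

IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

# strategy name -> SQL expression. {pk} and {col} are replaced with the
# backtick-quoted primary key and column names. Values derived from the
# primary key are deterministic, so a user's fake e-mail is the same in
# every table that references that user.
STRATEGIES = {
    "null": "NULL",
    "empty": "''",
    "fake_email": "CONCAT('user', {pk}, '@example.com')",
    "fake_name": "CONCAT('User ', {pk})",
    "hash": "SHA2({col}, 256)",
    "random_int": "FLOOR(RAND() * 1000000)",
}


def quote_ident(name):
    """Backtick-quote a table or column name, refusing anything that is
    not a plain identifier. This is the check that keeps a hostile spec
    from injecting SQL into the generated statements."""
    if not isinstance(name, str) or not IDENT.match(name):
        raise ValueError("bad identifier: %r" % (name,))
    return "`" + name + "`"


def quote_literal(value):
    """Quote a fixed replacement value as a MySQL string literal."""
    return "'" + str(value).replace("\\", "\\\\").replace("'", "''") + "'"


def column_expr(col, pk, rule):
    """Turn one column rule into the SQL expression that replaces the column."""
    if isinstance(rule, dict) and "fixed" in rule:
        return quote_literal(rule["fixed"])
    if not isinstance(rule, str) or rule not in STRATEGIES:
        raise ValueError("unknown strategy %r for column %s" % (rule, col))
    return STRATEGIES[rule].format(pk=quote_ident(pk), col=quote_ident(col))


def generate(spec):
    """Return one SQL statement per table in the spec, in spec order."""
    statements = []
    for table, rules in spec.items():
        tname = quote_ident(table)
        if rules.get("truncate"):
            # Session and audit tables usually have no value to contributors.
            statements.append("TRUNCATE TABLE %s;" % tname)
            continue
        pk = rules.get("primary_key", "id")
        assignments = [
            "%s = %s" % (quote_ident(col), column_expr(col, pk, rule))
            for col, rule in rules["columns"].items()
        ]
        statements.append("UPDATE %s SET %s;" % (tname, ", ".join(assignments)))
    return statements


# Constructed sample spec (assumed layout, not the real YAML schema).
SPEC = {
    "users": {
        "primary_key": "id",
        "columns": {
            "email": "fake_email",
            "full_name": "fake_name",
            "ssn": "null",
            "phone": {"fixed": "555-0100"},
            "api_token": "hash",
        },
    },
    "sessions": {"truncate": True},
}

if __name__ == "__main__":
    print("\n".join(generate(SPEC)))
```

&lt;p&gt;Run it and pipe the output into &lt;code&gt;mysql&lt;/code&gt; against a copy of the database, never the production one. Note that hashing a column with &lt;code&gt;SHA2&lt;/code&gt; keeps a value that is unique per row but no longer usable as a credential, while nulling or replacing it loses any relationship the column carried; pick per column.&lt;/p&gt;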
</content>
 </entry>
 
 <entry>
   <title>Dear Banks, Stop Encouraging Bad Security</title>
   <link href="http://davedash.com/2008/12/16/dear-banks-stop-encouraging-bad-security/"/>
   <updated>2008-12-16T00:00:00-08:00</updated>
   <id>http://davedash.com/2008/12/16/dear-banks-stop-encouraging-bad-security</id>
   <content type="html">&lt;p&gt;I use an online personal finance site that connects to all my financial accounts and aggregates my transaction history.  I love it, it's very useful, and it keeps me financially organized.&lt;/p&gt;

&lt;p&gt;The part that annoys me is that most of these personal finance sites require you to supply your username and password for every one of your bank accounts.  For some banks they also need your social security number, the last five people you've slept with, your home town, your favorite color, etc., etc.  Basically, every pesky sign-in question your bank might ask you when you log in.&lt;/p&gt;

&lt;p&gt;This is a cruel necessity for companies like &lt;a href=&quot;http://geezeo.com/&quot;&gt;Geezeo&lt;/a&gt;, &lt;a href=&quot;http://mint.com/&quot;&gt;Mint&lt;/a&gt;, Ameriprise and Quicken Online in order to provide this aggregation service, and a scary proposition for people like us who use these services.  You're giving companies you may never have heard of full, unfettered access to all your finances.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Security questions, including personalized security questions, are the wrong way to fix bank security.&lt;/strong&gt;&lt;/p&gt;

&lt;!--more--&gt;


&lt;p&gt;People want online personal finance sites.  They want all their data in a single place without having to jump through a bazillion hoops for each and every 401K, savings account, checking account, online stock trading system and mortgage account.  They will gladly sacrifice security for a chance to manage their finances better.&lt;/p&gt;

&lt;p&gt;Banks need to create APIs so that third-party software can access transaction data.  Authentication for these APIs should be secure, limited and revocable: I may authorize &lt;a href=&quot;http://mint.com/&quot;&gt;Mint&lt;/a&gt; to see my Bank of America account, but at any time I can log on to BoA and revoke Mint's access to my transaction data.  OAuth may be one mechanism to achieve this.&lt;/p&gt;

&lt;p&gt;This will achieve a few things:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;People won't give out their passwords online to anybody but their bank.&lt;/li&gt;
&lt;li&gt;Getting data into these aggregating sites will be reliable and secure.&lt;/li&gt;
&lt;li&gt;At any time you can see who has access to your transaction data and revoke it.&lt;/li&gt;
&lt;/ul&gt;
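&lt;p&gt;As an added illustration (not code from the original post, and not any bank's or aggregator's real API), here is the bank side of that model in Python: a customer authorizes a named client for a narrow scope with an expiry, the client receives a token that the bank stores only as a digest, and the customer can list and revoke grants at any time while the aggregator never holds the password. The class, scope names and in-memory storage are assumptions for illustration; a production system would back this with OAuth and a database.&lt;/p&gt;

```python
"""Delegated, scoped, revocable access on the bank side.

Added example with assumed names and in-memory storage; it is not any
real bank or aggregator API.
"""
import hashlib
import secrets
import time

# Scopes a customer may delegate. Kept deliberately narrow: an aggregator
# needs to read transactions, never to move money, so payment scopes are
# simply not delegable in this model.
READ_TRANSACTIONS = "transactions:read"
READ_BALANCES = "balances:read"
DELEGABLE_SCOPES = frozenset({READ_TRANSACTIONS, READ_BALANCES})


class Bank:
    """Authorization registry: who may read what, for how long, until revoked."""

    def __init__(self, clock=time.time):
        self.clock = clock      # injectable so expiry can be exercised in tests
        self.grants = {}        # SHA-256 digest of token -> grant record

    @staticmethod
    def _digest(token):
        # Only the digest is stored, so a leaked grant table yields no
        # usable credentials; the client keeps the only copy of the token.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def authorize(self, customer, client, scopes, ttl_seconds):
        """Customer delegates `scopes` to `client`; returns the token once."""
        scopes = frozenset(scopes)
        if not scopes.issubset(DELEGABLE_SCOPES):
            raise ValueError("scope not delegable: %s" % sorted(scopes - DELEGABLE_SCOPES))
        token = secrets.token_urlsafe(32)
        issued = self.clock()
        self.grants[self._digest(token)] = {
            "customer": customer,
            "client": client,
            "scopes": scopes,
            "issued_at": issued,
            "expires_at": issued + ttl_seconds,
            "revoked": False,
        }
        return token

    def check(self, token, scope):
        """Does this token currently permit `scope`? Unknown, revoked,
        expired and out-of-scope tokens all fail closed."""
        grant = self.grants.get(self._digest(token))
        if grant is None or grant["revoked"]:
            return False
        if self.clock() >= grant["expires_at"]:
            return False
        return scope in grant["scopes"]

    def grants_for(self, customer):
        """What the customer sees on a 'connected apps' page."""
        return [g for g in self.grants.values()
                if g["customer"] == customer and not g["revoked"]]

    def revoke(self, customer, client):
        """Customer cuts off one client; returns the number of grants revoked."""
        count = 0
        for g in self.grants.values():
            if g["customer"] == customer and g["client"] == client and not g["revoked"]:
                g["revoked"] = True
                count += 1
        return count


if __name__ == "__main__":
    bank = Bank()
    token = bank.authorize("dave", "mint.com", {READ_TRANSACTIONS}, ttl_seconds=3600)
    print("mint may read transactions:", bank.check(token, READ_TRANSACTIONS))
    print("mint may read balances:    ", bank.check(token, READ_BALANCES))
    bank.revoke("dave", "mint.com")
    print("after revocation:          ", bank.check(token, READ_TRANSACTIONS))
```

&lt;p&gt;The contrast with the password model is the whole point: the token is good for one client, one set of read-only scopes and one lifetime, and a single click on the bank's side makes it worthless, whereas a shared password is good for everything until the customer changes it everywhere.&lt;/p&gt;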

&lt;p&gt;Please, banks, do your part to keep the internet secure.  &lt;a href=&quot;http://mint.com/&quot;&gt;Mint&lt;/a&gt;, &lt;a href=&quot;http://geezeo.com/&quot;&gt;Geezeo&lt;/a&gt; and anybody else, please do your part by turning up the pressure on financial institutions, and when the time comes... please start using these APIs.&lt;/p&gt;
</content>
 </entry>
 

</feed>

