I'm pretty sure they don't simulate clicks, etc. In the end, any data that ends up on a user's page is transmitted in a response to a request. If you can figure out how to construct a valid request and then how to parse the response, you'll have the data you want.
As far as I could gather after using Yodlee for quite a while, they deal with sites in two major ways: the sites they have official agreements to work with and the sites they don't have official agreements with. For the first category of sites they, most often, have agreed upon APIs for getting the data. For the sites in the second category they reverse-engineer layer 7 communication protocols and data structures (a.k.a. screen/html scraping).
The way I understand it, Yodlee uses the OFX specification to access banks' financial information.
http://www.ofx.net/
For the banks that don't implement OFX, they use custom screen scrapers, which must constantly be updated when banks change the information that's displayed on their site.
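As an added example (not from the answers above and not Yodlee's code), here is a small parser for the OFX 1.x statement format the answer refers to. OFX 1.x is SGML-like, so leaf elements such as `<TRNAMT>-42.17` have no closing tag and a strict XML parser rejects the document; the sample response is constructed, and the parser dedupes transactions on FITID, the identifier the server assigns so that a re-downloaded statement does not double-count.

```python
"""Minimal OFX 1.x (SGML-style) parser: leaf elements carry no closing tag."""
import re
from decimal import Decimal

# Constructed sample response body (not from any real bank), OFX header block
# omitted; the third STMTTRN repeats FITID T2 to exercise deduplication.
SAMPLE_OFX = """<OFX><BANKMSGSRSV1><STMTTRNRS><TRNUID>1001
<STATUS><CODE>0<SEVERITY>INFO</STATUS>
<STMTRS><CURDEF>USD
<BANKACCTFROM><BANKID>123456789<ACCTID>0000111122<ACCTTYPE>CHECKING</BANKACCTFROM>
<BANKTRANLIST><DTSTART>20240101<DTEND>20240105
<STMTTRN><TRNTYPE>DEBIT<DTPOSTED>20240102<TRNAMT>-42.17<FITID>T1<NAME>GROCERY</STMTTRN>
<STMTTRN><TRNTYPE>CREDIT<DTPOSTED>20240104<TRNAMT>1500.00<FITID>T2<NAME>PAYROLL</STMTTRN>
<STMTTRN><TRNTYPE>CREDIT<DTPOSTED>20240104<TRNAMT>1500.00<FITID>T2<NAME>PAYROLL</STMTTRN>
</BANKTRANLIST><LEDGERBAL><BALAMT>2457.83<DTASOF>20240105</LEDGERBAL>
</STMTRS></STMTTRNRS></BANKMSGSRSV1></OFX>"""

TOKEN = re.compile(r"<(/?)([A-Z0-9.]+)>([^<]*)")

def parse_ofx(body):
    """Build a dict tree: leaves are strings, repeated aggregates become lists."""
    stack = [{}]
    for closing, name, text in TOKEN.findall(body):
        text = text.strip()
        if closing:                      # </AGG>: back up one level
            stack.pop()
        elif text:                       # leaf: value follows, no close tag
            stack[-1][name] = text
        else:                            # aggregate: open a new level
            node, prev = {}, stack[-1].get(name)
            if prev is None:
                stack[-1][name] = node
            elif isinstance(prev, list):
                prev.append(node)
            else:
                stack[-1][name] = [prev, node]
            stack.append(node)
    return stack[0]

def transactions(tree):
    """Flatten STMTTRN records, dropping repeats of the same FITID."""
    tl = tree["OFX"]["BANKMSGSRSV1"]["STMTTRNRS"]["STMTRS"]["BANKTRANLIST"]
    recs = tl.get("STMTTRN", [])
    recs = recs if isinstance(recs, list) else [recs]
    seen, out = set(), []
    for r in recs:
        if r["FITID"] not in seen:
            seen.add(r["FITID"])
            out.append((r["DTPOSTED"], Decimal(r["TRNAMT"]), r["NAME"]))
    return out
```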
I don't know Yodlee so I simply assume it's like "sofortüberweisung.de" where you give a 3rd party your bank login data (and depending on what you do even a valid TAN) and thus trust them not to abuse it and additionally break your bank's security regulations ("NEVER GIVE YOUR PIN/TAN").
They most likely simulate what a browser would do. As web-based banking interfaces are usually just HTML/JavaScript everyone can look at the client-side code and do whatever it does with a custom program. Since those actions are not done in a malicious way, actions which require e.g. a TAN or a CAPTCHA to be solved can be simply forwarded to the legit user who will then enter the necessary TAN or solve the CAPTCHA.
Needless to say, it is really bad to use services like that. While they most likely won't do anything bad you cannot know it for sure. And your bank is damn right if they don't refund you anything if you ever get scammed by such a service.
Another solution which would be perfectly safe (as long as you are not concerned about a 3rd party knowing about your financial status etc.) would be the yodlee company making contracts with major banks allowing them to access your data after you've authorized it through some way (you can already do that on pages like Twitter - I'd never do that for banking though but technically it wouldn't be hard to realize something like that). That would be clean and secure as it would not involve "screen-scraping" or customers entering their banking login data anywhere but on their bank's website. But I believe no bank does something like that and in my opinion that's good as there are way too many people out there who are far too trustworthy and we all know how much information they give out on Facebook & Co. Now imagine a Facebook<->bank integration... M.Zuck.'s wet dreams which hopefully never become true... And even if it's not Facebook.. There'll always be companies who want people's personal data and enough people giving them out; especially if it's easy and looks secure ("I have to confirm it on MY BANK's page. so it MUST be safe - it's supported by MY BANK").