You'd certainly better hope so. A national bank going down is national news. You're gonna end up sending some muckety muck out to the press to bob their heads and apologize. They'd don't take kindly to that.

My prior investigations suggest that this strategy is ineffective. You suss out a ratelimit then pick a CSP and start spawning instances. Bonus points if it's a CSP that has a contract with that bank, they'll be petrified to try blocking you. Even well run consumer orgs can get tripped up with that.

But you're also suggesting that banks can use that data in that way or that that the relevant parties had the necessary capability at the time in question. Both are propositions you can make your own judgement on.

Here's another question: what happens when customers complain that you're cutting off their aggregtion service? You have your customer service reps say, "Sorry we locked you out of getting your own data?" Sounds like if you do that enough we have another press row. Thank goodness the CFPB was gutted, they loved 3rd party resale-to-consumer aggregtion services.

My belief is that organizations that can be gamed as easily as you describe have less than 1 fulltime person dedicated to preventing scraping. Or equivalently, 1 fulltime person should be sufficient to make it difficult to scrape at scale.

What do you think of the canary account I suggested?

> What do you think of the canary account I suggested?

I don't know how such a canary account would ever end up as a target for financial aggregation. It'd probably be a lawsuit from the aggregator for TOS violation if it was a sting operation.

You'd submit it manually.

>lawsuit

You really think an aggregator who's blatantly violating bank TOS is going to sue?

Yes! There's only upside.

Well you then become worth it for the bank to counter-sue and get discovery on exactly how you broke their ToS.

They better be tracking logins or how do they investigate fraud? If they don't have a database of every login tied to an IP, I would assert they're negligent with regard to blocking fraud.

A lot of the measures taken to prevent fraud also block proxies and the like.

Re customer service: they say "here's how you can download your statements in pdf format", or for many banks in quickbooks/excel/etc format as well

I don't know how many of them had mandatory 2FA then, but I think many more have now. It would be far less risky to invalidate cookies on those high-volume IPs and force a new 2FA validation. Then legitimate users could reverify.

> They better be tracking logins or how do they investigate fraud? If they don't have a database of every login tied to an IP, I would assert they're negligent with regard to blocking fraud.

Look there are limits to what I'm able to talk about, but consider that a fraud subsystem functioning in transaction-time is running much more slowly than something running in request time.

> A lot of the measures taken to prevent fraud also block proxies and the like.

When was the last time you couldn't use your banking website over a proxy? Only a few mobile apps actually make the decision to do this (mine did) and it's not popular.

> I don't know how many of them had mandatory 2FA then, but I think many more have now.

Which national bank has mandatory 2fa? Not that this would matter. We dealt with 2FA at level via Intuit, that wasn't great at it. Plaid got incredibly good at it. It became pedestrian when we experimented with Plaid.

>Look there are limits to what I'm able to talk about, but consider that a fraud subsystem functioning in transaction-time is running much more slowly than something running in request time.

I was suggesting checking one day snapshots of access counts by IP to see what the distribution looks like to then determine what to block.

2fa: I know that chase asks me for 2fa every time I change IP, and I don't think there's a way to stop that. Should be easy for them to require 2fa on every login for any IP with a high rate of requests.

CSP?