Credit Cards with Read-Only Login Credentials?

[seattleite]

Are there any credit cards out there that allow you to create a second, read-only, login/password combo to their website so you can have have automated services poll your info without providing your real login/password combo? Or that implement OAuth2 or something, or anything besides forcing you to give away your master credentials?

[Bajadoc]

Ditch the credit card.

[gimp]

Ditch the credit card.

Useless response.

[chicagomeg]

Cap One 360 has a special setup where you have to provide an access code for things like Mint, but I don't think it exists for their credit card account as, only banking.

[RexualChocolate]

None of the best cards currently offer this yet, no.

They should! Couldn't be that hard to implement. I think technically giving your credentials to a third party such as Intuit (Mint) voids some terms of service, but the ease of budgeting outweighs the tail risk of an Intuit hack.

[OldPro]

Try asking your question in English.

[seattleite]

Try asking your question in English.

Them's fightin' words. Challange accepted.

I would like to be able to use services like Mint or iBank's Direct Access that keep track of all of your financial transactions across different banks. The way they accomplish this is by logging into those bank's websites with your password. This is the same password that allows you to do stuff like transfer money to another bank or send a "bill pay" check to someone. So, by giving Mint your password you are giving them the ability to steal your money. Obviously it wouldn't be in Mint's best interest to steal your money. But they are storing your password in a way that makes it possible for a hacker that gains access to Mint's store of passwords to get your password and steal your money.

Now, this is different from the way that the original bank stores your password (we hope). The best way to implement a login system for a bank or any other website is to store a "hash" of a user's password, but not the password itself. The current best practice changes often and it wouldn't be useful to go into the weeds here, but they best way to think of it is that they transform your password in a way that throws away information from it so it's impossible to ever figure out what the user's real password was. But that transformation is deterministic so if you apply it to the same password over and over you'll always get the same result. So we store that result (the "hash") and when a user attempts to log in we apply that transformation to the password that they just gave and compare the transformed password to the stored transformation in the database.

tl;dr: The bank stores your password in a "secure" way and Mint stores it in an "insecure" way. (There are subtlities that I'm ignoring in that statement)

Now, back to my original question. I'd like to be able to use services like Mint (or write similar software myself) without the security (and financial) risk of having my password stored in an insecure way.

One way to accomplish this would be if the bank allowed me have two passwords: one that gives me full access to all of my money and data and one that only allows me to read the data (i.e. I can't write checks or transfer money). That way if a hacker ever gets that password they will only be able to read the data, never steal anything. As it turns out, Wells Fargo now has this functionality. They call it a "Guest Account".

It surprises me that more banks haven't done this. It seems like it would reduce their liability.

[Thegoblinchief]

The whole "is Mint secure/not" has been debated endlessly. Use the search tool instead of clouding the forum with yet another thread.

I don't like Mint, but that's more a question of its utility versus YNAB, which works far better for me.

But to your question: no, not that I am aware. The banks have no reason to offer this "service" so why would they?

[chillywater]

The whole "is Mint secure/not" has been debated endlessly.

Yeah.  But this question relates to a different debate  -- which is: what cards offer an obviously easy tool to protect their users' privacy and ultimately their own liability to fraud?  I came here via Google and couldn't find a better list of which cards offer read-only login credentials.  Which probably means most don't.  And they may view Mint as a competitor or they may simply be slow.  Or worse they may know the value of the data they collect and don't want to part with that "value".

But it's really inevitable that they all offer it relatively soon.  It makes way too much sense.  It can be viewed as another layer of password security...that also provides a nice benefit to users -- easy automated aggregation of one's own data.  Shit, everyone else has my aggregate data, why shouldn't I?

But srsly -- which effing credit cards allow this?  How do we change that?  #hashtagcampaign?