Let's look at this inflammatory headline:

Woman’s 'spree' after $158k banking error, refuses to return pensioner’s life savings

An Auckland beneficiary is under investigation for an alleged “spending spree” after $158,000 was mistakenly transferred to her account.

[…] pensioner lost his life savings due to an account number error.

The account number provided to Westpac had only 15 digits, not the intended 16, so Westpac added a zero to the suffice [sic] as per its usual protocols.

Newstalk ZB

Wow! That seems pretty bad. Obviously the woman who allegedly received the money and then spent it shouldn't have done that. Spending money that doesn't belong to you is a crime in most parts of the world. But let's focus on the real villain here - the evil bank!!

Why did the bank make the decision to add an extra digit to the recipient's account number?

An NZ bank account number looks like BB-bbbb-AAAAAAA-SSS.

The first two digits are the banking institution and the next four are the specific branch. The seven digit account number relates to the specific account. The three digit suffix is for the type of account. For example, your spending account might have suffix 001 and your savings account might have suffix 099.

However, because all suffices have a leading zero, it is often only displayed as two.

So, adding an extra zero to the suffix itself shouldn't have caused a problem. It would have gone to the correct recipient although it might have either gone to the wrong sub-account. Indeed, WestPac's help page on international transfers says "if your account suffix is 12, enter 012". It sounds like the journalist hasn't quite understood where the insertion happened.

It seems likely to me that the victim meant to type 1234567-001 but missed a digit, causing WestPac to shift things to 1235670-01. That's poorly formatted but technically valid.

But, wait! Don't bank account numbers have checksums? Yes! According to NZ's internal revenue, all bank account numbers have a check-digit. However, when checking an account number's validity:

If less than the maximum number of digits is supplied, then values are right justified and the fields padded with zeroes

Bank account number validation

Having played around with the algorithm, the first few digits of the account number aren't included in the checksum validation. For example, the account number 1234567 and 0234567 both pass checksumming. So it is possible that padding the start of the string wouldn't have been picked up.

Whatever the underlying issue, it is distressing to hear of someone losing a significant amount of money.

What could have stopped this?

Humans make mistakes. As an industry, we know this. It's our job to prevent, rectify, and neutralise those mistake. We need systems in place which reduce the likelihood of errors causing catastrophic failures.

Here are some systemic changes which could have prevented this:

1. New Zealand could adopt the IBAN standard for international transfers.
   • They don't seem keen on doing this.
   • It wouldn't prevent mistyping, but a standardised length makes transferring to the wrong account less likely.
2. Confirmation of Payee asks the user to type in the name of the intended recipient. If it doesn't match the bank account, the payment is rejected or cautioned against.
   • NZ is rolling out CoP but it doesn't yet apply to international transfers.
   • Multi-lingual CoP is complex. I don't know if any cross-border payments do this yet.
3. WestPac should have noticed the name discrepancy.
   • This is the argument I have the most sympathy with.
   • Of course, returning the money (especially to a closed account) may be difficult.

Large systems changes are expensive and time consuming.

What else could have been done? Let's go to the final few sentences of the story:

Unfortunately, the incorrect bank account number provided by Che was a valid account number for another customer, Westpac said.

“As soon as Mr Che alerted us to the issue, we traced the payment and froze the remaining funds.”

But Westpac was unable to recover the rest of Che’s money due to the seven-week delay in reporting his error to the banks.

Emphasis added

I'm not trying to victim blame here, but WestPac seem to have done what was asked for them. The sender provided an ambiguous bank account number which was, nevertheless, valid.

The sender didn't raise an issue for seven weeks. Once notified, the bank froze the recipient account and notified the police.

Yes, big evil banks should be less evil. But they're in a tough spot. People want protection, but they resent banks telling them what they can and can't do with their own money. Big systemic change is difficult but it seems crushingly unfair when an innocent party is caught in the middle.

I don't think anyone comes out of this covered in glory. Banks need to invest in technology which keeps their customers safe. Customers need to take some responsibility for checking whether a bank has done the right thing.

The only tips I can give is that you must always copy & paste financial details from a trusted source, rather than manually type them in. Always send a small amount first to check it is received. If you suspect a mistake, contact your bank immediately.

Stay safe out there.

Nowadays, thieves are not only snatching phones, but forcing their owners to transfer money to the thieves. This is not an isolated incident¹.

How can you protect yourself from such a situation²?

Broadly speaking, there are four ways to protect your sensitive apps. Relying on the regular lockscreen, hiding the apps, using a Private Space, or placing the apps in different profile. Let's look at the advantages and disadvantages of each approach.

Regular Lockscreen

Android's lockscreen controls are pretty good - if you turn them on.

Perhaps you have a super-long and complicated password. Maybe a 10 digit PIN that only you know. Biometrics like facial recognition and fingerprints are reasonably strong and fairly convenient.

But that relies on your phone being locked when it is snatched. If you're using your phone when it is taken from you, the lockscreen might detect it and lock automatically, but you need a modern device and to have specifically enabled the setting.

If a thief has shoulder-surfed your 4 digit PIN, that will be enough to let them enter your phone.

But here we are concerned with someone threatening you. Basically, if someone has a knife pointed at you, you're probably going to unlock the phone for them³. So, let's assume we want to protect our banking apps from someone who has access to your unlocked device.

Launcher Hiding

Some Android phones let you hide apps. When an attacker is scrolling through the list of installed apps, they won't be able to see any apps which are hidden.

This, I think, is a reasonable way to hide your banking apps. You can show the thug that there aren't any installed. That may or may not be enough to mollify them. They might still nick your device, but you won't be forced to transfer your savings elsewhere.

This, of course, presents a problem for the regular user. How do you launch your apps if you can't find them? Most launchers will let you type in the name of the app to find it - the app is merely hidden from the default list.

So an attacker would have to try typing "HSBC" or "Barclays" or "Chase" or a dozen different names until they find your app. Will they be angry if you've lied to them? Is that a risk you want to take?

Some launchers will let you change the name and icon of your sensitive apps. You can rename "Midland Bank" to "Calculator" and change its icon. Not every launcher supports this sort of hiding though. It also places a cognitive load on you that you need to remember what you've hidden your apps as. Will you remember than Bank 1 is calendar and Bank 2 is Bumble?

Private Space

Android 15 has introduced the concept of a Private Space. It is like a digital lock-box for your apps. If someone has your unlocked phone, they need to pass through authentication in order to use apps which are locked.

There are two main drawbacks with this approach.

Firstly, locked apps don't run in the background. That means you won't get alerts from them. If you rely on push notifications to tell you if someone is using your card fraudulently, this could be a problem.

Secondly, the Private Space shows up at the bottom of your app list like this:

So an attacker can easily see it and demand that you open it up. You can set the Private Space to be hidden. But then you're in the same position as above - typing in "private space" will show it in your launcher.

Work Profile

Android has the concept of "Work Profiles". They're designed to segregate your work apps and your personal apps. Your work admin can wipe your work profile without touching your personal stuff, and you can't copy confidential emails to your personal area. Nifty!

If you don't have work apps on your phone, you can use an app like Shelter to make your own Work Profile.

You can stick your banking apps in the Work Profile and have them locked away from prying eyes.

The Work Profile button is more subtle than the Private Space.

But it still has the disadvantage that, once locked, the apps are suspended and won't receive any alerts.

Secondary Profile

Finally, modern versions of Android support multiple profiles. They're generally designed so that multiple people can use your device - but there's nothing stopping you from putting your banking apps in there.

The immediate advantages of multi-user profiles are:

• The profile can be protected by a separate password.
• The profile switcher is generally more subtle than the Work Profile switcher or Private Space toggle.
• Apps can run in the background while in a separate profile.

The disadvantage is that, because it is a completely separate profile, you'll need to sign in again using your Google account in order to install apps from the Play store. If you use a password manager and MFA app, you may need to install them in both your main and secondary profile.

Because the apps can run in the background, there may be some (minor) impact on battery life - you're effectively running Google's Notifications Service twice.

If you are being held at knifepoint and a notification from your bank comes through - you may find it socially awkward to explain.

Which is right for me?

It is complicated. I think I can distil it down to the following:

• If you need alerts from your banking apps - put them in a secondary profile.
• There are some reports of banking apps not working in secondary profiles - if yours don't work in a profile then hiding apps is your best defence.
• If you're not using Work Mode and don't need alerts - put them in Work Mode.
• If you're using Work Mode and don't need alerts - put them in a Private Space and set the space to be hidden.

Remember, you can't fling technical solutions at social problems and expect them to solve everything. In general, crime in England and Wales is at its lowest level but certain crimes, like phone theft, are on the rise. Despite all the technology thrown at the problem, people are still walking around holding machines worth hundreds of pounds. Each of those machines is a gateway to potentially thousands of pounds. Phones and banking apps are incredibly lucrative targets.

The aim of this exercise isn't to solve the problem of crime. It isn't even to make you a less attractive target. It is to allow you to hand over your phone safe in the knowledge that your banking apps are somewhat protected from miscreants while still being useful to you.

If you have any tips on how to keep banking apps hidden, please leave a comment.

Currently, if a customer falls for an Authorised Push Payment (APP) scam, they may be eligible for up to £415,000 back from their bank. The proposal is to limit this to a maximum of £85,000.

What does this mean and is it a bad thing?

APP fraud is when a fraudster convinces you to send them money. This isn't about a bank being tricked, or identity theft, or robbers storming the building. It can be as simple as someone sending you a text saying "You owe HMRC £10,000 - please send it to ...". Or it can be as complex as someone sending you a fake email, supposedly from your solicitor, saying "Our bank details have changed. Please send your mortgage deposit to..." In some cases, it can be scammers building up a fake dating profile, or fake investment account, or similar.

Whatever the reason, you were scammed. You sent money to a scammer. Now you would like it back. Please.

How bad is the situation

The payment systems regulator have very detailed report about the state of APP fraud. It says:

Based on data provided by the 14 largest banking groups […] £341 million was lost to APP scams in 2023

Authorised push payment (APP) scams performance report July 2024

Yikes! That's a lot of money. They estimate 252,626 fraudulent transactions. I don't know if that's 252k victims or total transactions.

How much do people actually lose though?

2% of cases were higher value scams with losses over £10,000. […] Lower value scams involving sums of under £1,000 accounted for over 80% of all APP scam cases sent in 2023.

Here's the data in handy tabular form:

An astonishing 2% of cases make up 52% of losses!

In the consultation briefing they mention that more than 400 cases of APP scams were over the proposed £85k limit, with roughly 18 being over the current £415k limit.

If those 18 were all, say, £500k - that would be about 2.7% of the total value!

If we assume the ones over £85k were worth on average £100k each, the total value of >£85k fraud is worth about £49 million. Approximately 15% of the total amount scammed from people. That's bonkers! 0.2% of fraudulent cases costing 15%.

Would a lower limit make a much of a difference to customers?

For the vast majority of customers, lowering the limit would make no difference.

But take a look at these two statistics:

In 2023, 67% of the money lost to APP scams was reimbursed.

In 2023, 80% of reported APP scam cases were fully or partially reimbursed.

Frustratingly, the data aren't broken down further. While it shows that some banks provide a full refund in over 90% of cases, there's no information on whether those were all low value scams.

It could be argued that having a lower absolute limit, but higher enforcement, would be better for customers in aggregate.

Wouldn't it be better to have a greater number of scam cases refunded - even if it meant some high value scams got nothing? Or to have even more of the total refunded - but have a tiny amount of people lose out?

Hell, you could lower the limit to £10k and easily afford to give 97% of victims a 100% refund.

Would that be worth it? It has a certain utilitarian charm - but perhaps isn't acceptable.

What are the downsides of keeping a higher limit?

There's a comprehensive cost benefit analysis from last year, which contains several comments from banks.

Briefly, there arguments against a higher limit are:

• Only 5% of fraudulent funds are recovered - so there is a huge cost to the banks and their customers.
• Increasing friction might stop some fraud, but would annoy and disrupt customers performing legitimate transfers.
• Banks might be tempted to refuse the custom of vulnerable people.
• There's a "moral hazard" in letting people know they'll always be refunded; they'll take fewer precautions.

Frankly, I find it hard to disagree with those arguments. Compensation is expensive - and that ultimately gets passed on to all customers. It is annoying when I have to jump through hoops to make a normal payment. Here's a story about how a bank refused a legitimate transaction saying they thought it was a scam.

How would you feel if you or your parents were kicked out of your bank because they thought you were likely to fall for (another) scam?

And, I do seriously wonder if people will be more lackadaisical when confronted with scams if they know they'll get refunded.

But there's a major issue left undiscussed. Are banks really to blame here?

Why is this the bank's responsibility?

For some scams, like ID theft, I agree that banks are probably liable. But the "A" in APP stands for "Authorised". You have told the bank you want to do something with your own money. Do they have the right to stop you?

Let's consider purchase fraud.

If you take cash out of an ATM and hand it to some guy who then fails to give you the promised goods, that's not the bank's fault. Right? Why is it different when you send it electronically? The bank shows you a Confirmation of Payee screen to help you make sure you're sending it to the right people. They ask you to confirm that you understand you might not get the money back. They even monitor the amount of complaints about the receiving bank. I'd argue they go beyond their duty to protect their customers.

Of course, it isn't just purchase fraud - although that's the largest by volume - this is how the different scams are categorised, and their values.

Have a read of this account of an investment scam. The bank did everything they could to stop the customer from being scammed. How did the customer react?

[the bank] even questioned whether the money was being invested in cryptocurrency but because [the scammer] had warned this may happen, she lied and said no.

Or read about this romance scam. Was the bank negligent in letting an elderly man send £153,000 to scammers?

The bank blocked a number of transactions, it spoke to [the victim] on the phone to warn him and even called him into a branch to speak to him face-to-face.

Obviously the cases which make the news aren't necessarily representative of the many and varied ways people can get scammed.

Is this a consumer choice problem?

One of the most interesting graphs in the report is this "Percentage of reported APP scams losses refunded by volume". Which bank are you with?

If you're with Monzo and get scammed... you're probably not getting your money back! Nationwide members get excellent customer service.

Perhaps banks should be required to prominently display their scam refund likelihood. Would you switch to a different bank if you knew they were more likely to refund you in the event of a scam?

Final Thoughts

One day, I am going to be successfully scammed. As I get older, I'll get more trusting. Or I'll be distracted. Or I'll be aggressively targetted. Or my email and phone will be hacked.

I want my money to be safe. I want it protected from scammers and - if necessary - from myself.

Fraudsters are terrifyingly good at what they do. They are manipulative, persistent, and organised.

I want my bank to be equally aggressive in chasing down scammers, publishing warnings, and protecting me.

But I genuinely don't know if it is their responsibility to refund me for any mistakes I make up to £415,000.

If you have strong feelings about this, I encourage you to reply to the consultation.

Fraud victim gets surprise £153,000 refund despite rules BBC News

In the story, the heartless bank refused to refund the fraud victim due to an absurd technicality - the money was sent to a foreign account rather than a UK account. Once again, big business bending the rules in order to protect their profits from a defenceless pensioner. Only after protests did they reimburse him. What a disgrace!

Except, of course, that's not what happened.

Terence Eden is on Mastodon

@edent

I can't remember who told me this, but it is a truism.
Ignore the headline and read the *penultimate* paragraph. That's where the real story is.

---

Let's scoot down the article, past the sensationalism, and see what we find:

It emerged that, in this case, Lloyds had done a really good job of not only spotting the potential fraud but alerting James to it. The bank blocked a number of transactions, it spoke to James on the phone to warn him and even called him into a branch to speak to him face-to-face.

Ah.

The bank kept his money as safe as possible but, ultimately, it was his money. He can choose to do whatever he wants with it. If he'd decided to blow his life savings on fast cars and loose women should he have been stopped?

Ultimately, this man was scammed, and the fault lies with the crooks who swindled him. But, realistically, what more could the bank have done to protect him? I suppose they could have dropped him as a customer. If they'd said he was too risky for them and told him to find a new bank, we'd see headlines of "Fury as cold-hearted bank tells pensioner to piss off".

I'm sure we've all had a friend who has driven themselves into drink, drugs, or gambling. You can intervene. You can counsel them. You can beg, plead, and threaten. But people are entitled to make their own choices in life. And sometimes they make bad choices which end up hurting them.

Perhaps this victim's family should have been more proactive in setting up a Power of Attorney. Perhaps the media consumed by older people should be flooded with scam warnings. Perhaps the victim should have heeded the bank's repeated warnings. Perhaps scammers should reconsider their life choices. Perhaps the bank should have forced him to take his business elsewhere.

Do we want banks to safeguard or money, or to gatekeep it?

This is a sad story with no happy ending and no easy answers.

After writing about how to use MoneyDashboard's unofficial API, the good folk at Moneyed told me about their officially supported API! So here's a quick review & howto guide.

Moneyed is a slightly strange service. I think it is designed for companies to give as a benefit to their employees. But you can sign up as an individual. The first month is free - but I don't see a way to tell how much subsequent months are. Although it is presented as an app for Android and iPhone, you can log in on the website.

It is a read-only account aggregator. This allows you to see all your credit cards, current accounts, and savings accounts in one place.

There are a good range of OpenBanking API accounts which you can add.

There's also investment accounts, credit cards, and pensions.

You can download your data as CSV - but that's not the exciting part!

In the settings screen, you can generate an API key. That gives you JSON access to your accounts and transactions.

Once done, there's a quick guide to downloading your data.

You need your API key sent as a header, and your account's unique ID.

curl --header "Authorization: Api-Key 123456" https://app.moneyed.co.uk/v1/capi/assets/abc123

Here's a sample JSON output from my credit card, it shows me buying groceries and getting a refund from eBay. At the bottom is the total balance on the card.

{
  "id": "ABC123",
  "name": "American Express",
  "transactions": [
    {
      "category": "GROCERIES",
      "label": "Morrisons Bradford",
      "pending": false,
      "timestamp": "2020-10-16T00:00:00",
      "value": {
        "amount": "-99.99",
        "currency": "GBP"
      }
    },
    {
      "category": "INCOME",
      "label": "Ebay O Luxembourg",
      "pending": false,
      "timestamp": "2020-10-19T00:00:00",
      "value": {
        "amount": "12.34",
        "currency": "GBP"
      }
    }
  ]
  "type": "CREDIT_CARD",
  "valuations": [
    {
      "date": "2020-10-24",
      "value": {
        "amount": "-123.45",
        "currency": "GBP"
      }
    }
  ]
}

That's not as detailed as the MoneyDashboard API - but it covers everything I need. It would be nice to have more accurate timestamps. At the moment, it only seems to give the last month of spending. But it's a beta project and should improve as time goes on.

You can sign up to Moneyed for one month free - no credit card details required.

Yesterday, I wrote up how to use the MoneyDashboard Classic API. Read that blog post first before reading this one.

MoneyDashboard have launched a new "Neon" service. The API is a bit more simple, but authentication is harder.

Here's a quick guide to the bits of the API that I found useful. I've lightly redacted some of the API responses for my privacy.

List of all supported institutions

MoneyDashboard only supports a limited number of OpenBanking Institutions. Here's a list:

https://neonapiprod.moneydashboard.com/v1/institutions

{
    "0": {
        "id": "44306c61-9fb9-4221-b4d9-f91cd711f665",
        "name": "AIB (NI)",
        "active": 1,
        "paymentsEnabled": false,
        "logo": "https://media.moneydashboard.com/logos/providers/firsttrust.jpg",
        "isAvailableFeatureFlagName": null,
        "primaryColour": "#7F2B7B"
    }
}

List of the User's Accounts

You can add multiple accounts to MoneyDashboard. Here's a list of everything you've added:

https://neonapiprod.moneydashboard.com/v1/accounts

{
    "0": {
        "cognitoId": "1234",
        "accountId": "4567",
        "providerId": "7891",
        "connectionsUserId": "8910",
        "accountType": "CREDIT_CARD",
        "accountNumber": null,
        "sortCode": null,
        "balance": "-123.45",
        "accountName": "Platinum Cashback Credit Card",
        "currency": "GBP",
        "description": null,
        "logo": "https://media.moneydashboard.com/logos/providers/amex.jpg",
        "providerName": "American Express",
        "primaryColour": "#016FD0",
        "created": "2020-09-13T12:34:56.533+00:00",
        "lastUpdateSuccess": null,
        "lastUpdateAttempt": null,
        "deactivated": null,
        "alias": "Platinum Cashback Credit Card",
        "lastRefreshStatus": 0,
        "paymentsEnabled": false,
        "isOffline": false,
        "tokenCreatedDate": "2020-09-13T12:34:56.533+00:00",
        "tokenRefreshDate": "2020-09-13T12:34:56.533+00:00",
        "tokenExpiryDate": null
    }
}

BABS - Balance After Bills

MoneyDashboard can predict what your balance is after bills:

https://neonapiprod.moneydashboard.com/v1/analytics/babs

{
    "babs": -1234.56,
    "predictedBalance": -2345.67,
    "unpaidSeries": 0,
    "dailyFlexSpend": 50.99,
    "daysRemaining": 19,
    "daysElapsed": 0,
    "predictedSpending": 123.45
}

Transactions

A full list of every transaction you've made - including tags:

https://neonapiprod.moneydashboard.com/v1/transactions/filter

{
    "6": {
        "id": "ABCDEFG",
        "created": "2020-10-03T00:00:00",
        "accountId": "4567",
        "customerId": "7891",
        "isPredicted": false,
        "providerTransactionId": null,
        "amount": {
            "amount": 168.35,
            "currency": "GBP"
        },
        "sourceAmount": {
            "amount": 168.35,
            "currency": "GBP"
        },
        "status": "Booked",
        "deactivated": null,
        "type": "Debit",
        "description": "MORRISONS               BRADFORD",
        "seriesId": null,
        "savedDate": "2020-10-13T12:20:23.176183",
        "merchant": "Morrisons Supermarket",
        "transactionBatchId": "ABC123",
        "excludeFromSpendCalculations": false,
        "originalTransactionDate": "2020-10-03T00:00:00",
        "originalTransactionDescription": "MORRISONS               BRADFORD",
        "ProprietaryProviderDetails": null,
        "categorisation": [
            {
                "id": 324978238,
                "certainty": 100,
                "source": "CategorisationService",
                "tag": "Supermarket",
                "level": 2,
                "created": "2020-10-13T12:20:33.678358"
            },
            {
                "id": 324978239,
                "certainty": 100,
                "source": "CategorisationService",
                "tag": "Groceries",
                "level": 1,
                "created": "2020-10-13T12:20:33.678356"
            }
        ],
        "bookedTransactionId": null,
        "merchantLogo": "https://media.moneydashboard.com/logos/merchants/morrisons_supermarket.png"
    }
}

Categories

Get your spending broken down by category. For example, how much do you spend on takeaways?

There are some weird JSON handling of floating point numbers in here. Beware!

https://neonapiprod.moneydashboard.com/v1/analytics/spend/category

{
    "1": {
        "categoryName": "Eating Out",
        "amount": 76.29666666666667,
        "transactionCount": 8,
        "transactions": [
            {
                "id": "ABCDEFG123793",
                "created": "2020-07-22T00:00:00",
                "accountId": "4567",

                "customerId": "7891",
                "isPredicted": false,
                "providerTransactionId": null,
                "amount": {
                    "amount": 22.47,
                    "currency": "GBP"
                },
                "sourceAmount": {
                    "amount": 22.47,
                    "currency": "GBP"
                },
                "status": "Booked",
                "type": "Debit",
                "description": "JUST EAT.CO.UK LTD      LONDON",
                "seriesId": null,
                "merchant": "Just Eat",
                "merchantLogo": "https://media.moneydashboard.com/logos/merchants/just_eat.png",
                "deactivated": null,
                "savedDate": "2020-10-13T12:20:23.176338",
                "ProprietaryProviderDetails": null,
                "categorisation": [
                    {
                        "id": 324978297,
                        "certainty": 100,
                        "source": "CategorisationService",
                        "tag": "Takeaway",
                        "level": 2,
                        "created": "2020-10-13T12:20:33.679618"
                    },
                    {
                        "id": 324978298,
                        "certainty": 100,
                        "source": "CategorisationService",
                        "tag": "Eating Out",
                        "level": 1,
                        "created": "2020-10-13T12:20:33.679617"
                    }
                ]
            }
        ],
        "cycleStartDate": "2020-06-01T00:00:00Z",
        "cycleEndDate": "2020-08-31T00:00:00Z"
    }
}

Authentication

OK, this is where it gets horrible and I get confused. MoneyDashboard uses Amazon Cognito. It does a complex authentication dance, passing along lots of different SRP_A tokens until, eventually, it gives you an IdToken. You can grab that by opening Developer Tools in your browsers. It will be a very long string.

You need to pass this as an x-auth header in your request, like so:

curl 'https://neonapiprod.moneydashboard.com/v1/accounts'\
 -H 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:81.0) Gecko/20100101 Firefox/81.0'\
 -H 'Accept: */*'\
 -H 'Accept-Language: en-GB,en;q=0.5'\
 --compressed -H\
 'Referer: https://app.moneydashboard.com/'\
 -H 'x-auth: aBcDeFgHiJkLmNoPqRsTuVwXyZ1234567890'\
 -H 'Cache-Control: no-cache, no-store, must-revalidate'\
 -H 'Pragma: no-cache'\
 -H 'Expires: 0'\
 -H 'Origin: https://app.moneydashboard.com'\
 -H 'DNT: 1'\
 -H 'Connection: keep-alive'\
 -H 'TE: Trailers'

I don't know of any easy way to automated getting the token from your own username and password.

Good luck!

The OpenBanking specification is brilliant. It allows you to aggregate all of your financial accounts in one place. You can give read or write access to apps and services. Magic!

API access is restricted to registered financial institutions. That's good, because it puts up a barrier to entry preventing dodgy companies slurping up your data and sending all your money to scammers.

But, whether by design or not, it means that you as an individual cannot get API access to your bank. Most financial institutions restrict API access to other financial institutions. Grrr!

Luckily, I've found a slightly cheeky hack to let you get Read-Only JSON feeds of all your transactions!

Sign up to MoneyDashboard and authorise it to read your bank and credit card statements.

Once done, they have an API which lists your transactions and other things. I found this by the dark art of... opening developer tools and seeing what the page was requesting. 1337!

Here's my (light) attempt to document it. Note: This uses the MoneyDashboard Classic account. I haven't mapped their "Neon" service yet.

List of Transactions

This gets up to 999 transactions in JSON. You get a reasonable amount of metadata with each one.

https://my.moneydashboard.com/transaction/GetTransactions?limitTo=999

Here's a sample response, redacted for privacy:

{
    "5": {
        "Id": 123456789,
        "Description": "MORRISONS               BRADFORD",
        "OriginalDescription": "MORRISONS               BRADFORD",
        "Amount": -168.35,
        "Date": "/Date(1601683200000)/",
        "OriginalDate": "/Date(-62135596800000)/",
        "IsDebit": true,
        "TagId": 257,
        "MerchantId": 194245,
        "AccountId": 987654,
        "Notes": null,
        "NativeCurrency": "GBP",
        "NativeAmount": -168.35,
        "CurrencyExchange": null,
        "AvailableCurrencyExchanges": []
    }
}

Pretty simple!

• The Date is in UNIX Epoch milliseconds.
• I don't know what OriginalDate is.
• There's a separate API call for folksonomy tags.

That's most of what I want. The ability to list all my transactions. But there are a few other interesting bits of the API

List of Accounts

https://my.moneydashboard.com/api/Account/

Returns all the accounts you have associated with MoneyDashboard:

{
    "2": {
        "Id": 123456,
        "Name": "Platinum Cashback Credit Card",
        "Institution": {
            "RealmId": 0,
            "RealmName": null,
            "DateProviderTypeId": 4,
            "Name": "American Express",
            "IconUrl": "https://media.moneydashboard.com/img/institution/ic_amex.svg",
            "LogoUrl": "https://media.moneydashboard.com/img/institution/ic_amex.svg",
            "Id": 7,
            "ShowAccounts": true
        },
        "Balance": 0,
        "Added": "2019-11-31T11:53:10.9095627Z",
        "LastRefreshed": "2020-01-20T10:20:21Z",
        "AccountTypeId": 2,
        "Colour": "#9e9d24",
        "Overdraft": 0,
        "IsClosed": true,
        "IncludeInCalculations": true,
        "IsIncludedInCashflow": true,
        "Position": 0,
        "IncludeInSidebar": true,
        "NativeCurrency": "GBP",
        "NativeBalance": -123.45,
        "CurrencyExchange": null,
        "AllowAccountMigration": false,
        "ShowAccountMigrationAlert": false,
        "IsOpenBanking": false,
        "OpenBankingMigratedDate": null,
        "LastRefreshStatus": 0,
        "OAuthTokenCreatedDate": null
    }
}

Mostly, I'm interested in the NativeBalance to see how much I've spent on my card.

Spend by Merchant

You can see exactly how much you've spent with each company over a specific period:

https://my.moneydashboard.com/api/merchant/getspend?FromDate=2020-09-01&GroupingInstruction=1&ToDate=2020-09-30

{
    "2": {
        "Amount": -38.49,
        "TransactionCount": 2,
        "Id": 123456,
        "Name": "Debenhams Store",
        "ImageFile": "icon_merchant.svg",
        "MobileIcon": "ic_merchant",
        "TagDisplayCategoryName": null,
        "DisplayColour": "#7C3E3E"
    }
}

Spend by Group

MoneyDashboard allows you to tag your transactions. This shows spending by group and tag:

https://my.moneydashboard.com/api/OutgoingsByGroup?fromDate=2020-09-01&includeCredit=true&toDate=2020-09-30

{
    "1": {
        "TagId": 123,
        "Amount": 8.6
    }
}

Balance Over Time

Rather than plotting your own graphs, MoneyDashboard will show you your balances across your accounts:

https://my.moneydashboard.com/api/balanceHistory?EndDate=2020-10-31&StartDate=2019-10-01

{
    "2": {
        "Date": "2019-10-04T00:00:00Z",
        "Balances": [
            {
                "Balance": -8.06,
                "AccountId": 123456
            },
            {
                "Balance": -718.78,
                "AccountId": 789012
            }
        ]
    }
}

List of Tags

If you are interested in how your spend is categorised - arguably the whole point of MoneyDashboard - you can get a list of all the in-built tags and sub-tags:

https://my.moneydashboard.com/TaggingRules/getTags

{
    "0": {
        "TagId": 237,
        "TagName": "Appearance",
        "ParentTagId": 0,
        "ParentTagName": null,
        "ParentTag": null,
        "ChildTags": [
            {
                "TagId": 247,
                "TagName": "Clothes - Designer or Other",
                "ParentTagId": 237,
                "ParentTagName": "Appearance",
                "ParentTag": null,
                "ChildTags": [
                    {
                        "TagId": 120,
                        "TagName": "Accessories",
                        "ParentTagId": 247,
                        "ParentTagName": "Clothes - Designer or Other",
                        "ParentTag": null,
                        "ChildTags": [],
                        "ImageFile": "ic_person.svg",
                        "MobileIcon": "ic_person",
                        "TagDisplayColour": "#039BE5",
                        "IsSystemTag": true
                    }
        ],
        "ImageFile": "ic_person.svg",
        "MobileIcon": "ic_person",
        "TagDisplayColour": "#039BE5",
        "IsSystemTag": true
    }
}

And self-created tags:

https://my.moneydashboard.com/CustomTags/GetListOfTags

{
    "0": {
        "TagId": 3,
        "TagName": "Vehicle insurance",
        "ParentTagId": 0,
        "ParentTagName": null,
        "ParentTag": null,
        "ChildTags": [],
        "ImageFile": "ic_car_bump.svg",
        "MobileIcon": null,
        "TagDisplayColour": "#F57C00",
        "IsSystemTag": true
    }
}

Getting Authorised

OK, so you want to do this? How do you authenticate yourself against the API? This is the tricky bit.

In the source code for the login page, you'll see something like this:

<input
   name="__RequestVerificationToken"
   type="hidden"
   value="cykGysmBr1vpUY1" />

The actual value is much longer.

You will also need the Cookie which is set when you request the login page.

Your username and password are POSTed in a JSON payload, like so:

curl 'https://my.moneydashboard.com/landing/login'\ 
 -H 'User-Agent: Mozilla/5.0'\
 -H 'Accept: application/json, text/plain, */*'\
 -H 'Accept-Language: en-GB,en;q=0.5'\
 --compressed\
 -H 'X-Requested-With: XMLHttpRequest'\
 -H '__RequestVerificationToken: cykGysmBr1vpUY1'\
 -H 'Content-Type: application/json;charset=utf-8'\
 -H 'Origin: https://my.moneydashboard.com'\
 -H 'DNT: 1'\
 -H 'Connection: keep-alive'\
 -H 'Referer: https://my.moneydashboard.com/landing'\
 -H 'Cookie: COOKIEDATA'\
 -H 'TE: Trailers'\
 --data-raw '{"OriginId":"1","Password":"Passw0rd123","Email":"you@example.com","CampaignRef":"","ApplicationRef":"","UserRef":""}'

Once done, you can make API GET calls using the __RequestVerificationToken header.

Or, you can use a Python Library for MoneyDashboard

What Next?

I was thinking of building a passive dashboard to show me the state of my current account.

Or, maybe...

Alexa? Ask MoneyDashboard what the balance is on my credit cards.

Alexa? Ask MoneyDashboard how much I spent at Wagamamas last month?

Too much?

Enjoyed this post?

If you've found this useful, please sign up to MoneyDashboard using my referral link.

Or, you can:

• Buy me a Ko-Fi
• Sponsor me on GitHub
• Get me a birthday present from my Wishlist

Or, just leave a supportive comment.

I needed to close down my business bank account. I hopped on to online banking, provided all my details, went through 2FA with a physical token, remembered my mother's maiden name and began searching the site.

There was no way to close the account.

Oh well, I guess I'll give them a call. After 30 minutes on hold I was told "The account closing team leave at 4pm, sorry." It was 5 past four. They'd successfully held me off!

I rang up the next day and asked to close my account. "You'll need to write us a letter!" came the stern reply. I wasn't sure how a letter would be sufficient proof. "Aha!" they said, "You must write it on headed paper!"

My business is fully online. I simply don't have headed paper. Who does? More to the point, I don't own a printer and I can't be bothered to wander to the post office to buy a single stamp.

"That's silly," I said. "What do your disabled customers do?"

"Errr... Write a letter...?"

"So, you're telling me that you expect your customers with mobility difficulties to painfully write you an physical letter and then hobble down to the post-box?"

"Well. Umm... They could.... Ask a carer for help?"

"Do you think this fulfils your obligations under the Equality Act to provide reasonable adjustments?"

"Let me speak to a manager."

I spent a few minutes perusing other banks' closure policies. HSBC let you do everything online. NatWest is by phone - or minicom if you can't talk.

"Right! On this occaision, we will let you send us an email."

"That's very generous of you. Does it need to be on headed email paper‽"

"No. The email address is F R E D dot ..."

"Hang on... is this your personal email address?"

"Yes. Fred dot Smith at cfs.coop"

"What's cfs.coop? There's no website there."

"It's just our email sir."

... So, I sent an email to this random person - at an address with seemingly no connection to my bank account. All it took was my name, address, and company number (all public information) and my bank details (on every invoice I've sent) - and my money was transferred to a new bank account.

Putting it right

Let people cancel their accounts online. It's that simple.

If your web security is good enough to let people transfer piles of money, or set up an account - it should be secure enough to let people close an account.

Putting it right, part 2

Co-op called me up to apologise. They recognise that their accessibility needs fell far short of what is expected of them. They offered to send me £25 by way of an apology. I told them to send it directly to the charity Scope.

"Oh! I don't think we can do that, sir. But we can post you a cheque."

Give me strength!

I'm not a massive fan of short URL services like bit.ly - but for shrinking the text you want to fit in a QR code, they are invaluable.

I want to take a look at a particularly interesting example from Nat West Bank.

The Poster

Despite having the QR too close to the ground (more of that in a later blog post) this seems like quite a good campaign.

The QR code is large and clear, it's not too dense, and the copy shows the app is available on Android, iOS, and BlackBerry. A single scan on any device should redirect the user to the correct destination.

The Scan

This is where things start to fall apart.

The URL

I know some of the guys behind ScanBuy. It's a good service, but I don't think it's suited to this usage.

http://SCN.BY/9T7N6HN0RDQPUO

1. No "https". Users are being trained not to trust banking URLs unless they go via SSL. I wonder if people will notice on QR codes?
2. It's not a Nat West domain. How does a user know that this goes to the real app and not some mobile-malware?
3. Nonsensical path. At the very least, ScanBuy should let this be customised to scn.by/NatWestApp or similar. That way, people looking through their history will know what the URL is meant to go to. (See scanning while underground).

That said, the code does successfully redirect users to the correct app store to download the app.

What I Would Do

I would use a url like

https://natwest.com/GetApp

It's the same length as the previous, is human readable, and is secure. If Nat West can't run the redirection and analytics service themselves, it could easily redirect to ScanBuy to do the heavy lifting.

The Good

One thing to say, if a non-compatible device scans the code, they get taken to Nat West's mobile friendly site.

Banks are fucking us over.

They gamble with our money, lose it, ask us for a bail out, lose more money, then ask us for yet another bail out!
They are resisting even the very modest changes the government is imposing on them.

No more.

We have a very easy way to stop the banks pissing about with our money. Take our money from them.

I'm not talking about taking out your savings for a few days. I'm talking about a permanent withdrawal of our consent. We take our money and we move it elsewhere. Move our money to somewhere safe, ethical, and local.

I think that it's time to move all our money to Building Societies.

Building Societies Are Better Than Banks

Building societies are owned by their members. If you're a saver or a borrower, you get a vote in how the business is run. That means there are no excessive profits, no fat cat bankers taking extortionate bonuses, and no gouging fees.

Building societies are safer. Banks try to make money by gambling on the stock market and the wholesale money markets. The Northern Rock bank gambled 75% of its customers' money - the average building society has 30% from the money markets. By law, the maximum that a building society can gamble is 50%.

Building societies are friendlier. They're all based in the UK, have UK call centres, and - because they're not beholden to shareholders - dedicated to serving their customers.

Building societies offer the same services as banks.

Quick Comparison

Are There Any Building Societies Left?

Yes!

There are 47 Building Societies in the UK.

Chances are, you have a branch of the Nationwide near you - but there are many smaller, local institutions you can do your banking with.

Most of them offer Internet and telephone banking, all of them let you withdraw your cash from any ATM,

Didn't Lots of Building Societies Become Banks?

Yes, many people thought that turning Building Societies into banks would be a great idea.

They were wrong.

There were several Building Societies which turned into banks. You can judge for yourselves whether they offer superior products or excellent customer services, but of those 10...

• One was acquired by Barclays.
• Two had to be bailed out by the government.
• Three were bought by Lloyds.
• Four were taken over by Santander.

What's Stopping You?

Switching accounts is fast, easy, and free. The FSA has has an excellent guide, but here are the basics.

Your old bank will only have three working days to start to process of moving you to your new building society. Your direct debits and standing orders will be transferred.

Once your application has been approved, the building society will have ten working days to set your new account.

The whole process will take less than two weeks. A fortnight to make a change for the better.

I've done it - what's stopping you?

Make the switch now.