Follow-up on the question I asked in a recent thread (thanks for answering): looking at your video, it seems I have to type the username/password for my bank account into your website. That would qualify as "knowing" them? I realize that doesn't give you full access since most banks now require a card reader and/or 2nd password for any transaction, but it does worry me about additional vulnerabilities.
Great question - and as a side note, sorry to the people on HN I'm going to be bothering about this for the next 6 months. We're building this for hackers and this is where they live - it should be a mutually beneficial relationship though.
Anyway, you don't have to put your username/password into PaidEZ's site - the API can be integrated anywhere. But that said, I don't think that was your point - you're right that the client (browser, app, whatever) KNOWS the username and password while it's OAuthing into the bank, but that's always the case when you log in to your online banking. Short of that, we do not know it.
But you're right, that is another layer of vulnerability. No two ways around that, and one that we take very seriously. It's not, however, an added layer of vulnerability compared to entering a Credit Card number - that has the exact same problem, and it's a larger problem because canceling or changing a Credit Card when it's stolen is a BITCH of a process. Changing your password and reversing payments with PaidEZ and your online banking is a breeze.
I should add, nobody has ever had a security issue with PaidEZ up to this point, and we've processed thousands of transactions. I understand that doesn't mean much right now (if it means anything at all), but I don't want to give the impression we've had any security breaches up to this point. We have not.