We're working on a site that will make use of the OFX standard to provide access to customer financial data. However, for security we make use of secret question/secret answer, machine tagging, etc. Does the OFX standard provide any mechanisms for security beyond just the simple username/password? I've taken a look at the schema and some sample data, but haven't seen anything that looks like it would fit our needs. Anyone with any experience in this area?

A: 

4.1.5 Channel level: Generally transparent to a client or server, channel-level security is built into the communication process, protecting messages between two ends of the “pipe.” To secure messages during HTTP transport, client and server applications use the Secure Sockets Layer (SSL) protocol. SSL transparently protects messages exchanged between the client and the destination Web server. SSL authenticates the destination Web server using the Web server’s certificate. Additionally, it provides privacy via encryption, and SSL-record integrity, i.e. the block of data sent in each transmission cannot be altered without detection.

Application level: Transparent to and independent of the transport process, application-level security protects the user password sent from the client application all the way to the server application that handles the OFX messages. The server application typically resides beyond the destination Web server, secured behind an Internet firewall. Application-level security requires channel-level security.

They have 2 levels of security. You probably would not need more than that. If you put in extra security, you would delay sending your financial data. There is ample leverage to check and verify messages with OFX and it probably should suit your application.

DumbCoder