
I'm not sure exactly what you mean. If it's a web API request from a web client that says "transfer $1,000 between account A and account B," then what choice do you have but to "trust" that number? Obviously you have to check whether the request is authenticated and is authorized to transfer between those accounts, and check if account A has $1,000, but what about the client origin of the request do you need to check?



> and check if account A has $1,000

It was a convoluted example for example's sake, but I'm pretty much referring to them missing this important check here.


I mean since we're talking about banking:

- Generate a transaction number and associate that number with the respective transaction details

- Send this number to the customer's mobile phone with all those details, or other configured device

- The transfer is only authorised if the customer has entered the transaction number

That way, the customer is very likely to have verified the details of the transfer.
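
As an added example (not code from the thread or from any of the commenters), here is one server-side implementation of the checks the first comment lists (authentication, authorization for the source account, and the balance check the reply says was missing) combined with the transaction-number confirmation described in the three steps above. The details shown to the customer come from the server's own record of the pending transfer, so a client that altered the request would see its altered values on the phone. The account names, owners and balances, the six-digit TAN format, the 300-second validity window and the three-attempt limit are assumptions made for the example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed in-memory ledger standing in for the bank's database; the account
# names, owners and balances are example data, not anything from the thread.
ACCOUNTS = {"A": 1500, "B": 200, "C": 50}
OWNERS = {"alice": {"A"}, "bob": {"B"}}

TAN_TTL = 300      # seconds a transaction number stays valid (assumed policy)
MAX_ATTEMPTS = 3   # wrong entries before the pending transfer is discarded (assumed)


@dataclass
class PendingTransfer:
    user: str
    src: str
    dst: str
    amount: int
    tan: str
    created: float
    attempts: int = 0


PENDING = {}  # tx_id -> PendingTransfer; server-side state, never sent to the client


def validate_request(user, src, dst, amount):
    """Server-side checks on a transfer request. Returns None if it may proceed,
    otherwise a short reason. Nothing here depends on what the client claims."""
    if user is None:
        return "unauthenticated"
    if src not in OWNERS.get(user, ()):
        return "not authorized for source account"
    if dst not in ACCOUNTS:
        return "unknown destination"
    if src == dst:
        return "source and destination identical"
    if type(amount) is not int or amount <= 0:
        return "invalid amount"
    if ACCOUNTS[src] < amount:
        return "insufficient funds"
    return None


def initiate_transfer(user, src, dst, amount, now=None):
    """Step 1: validate, then bind a fresh transaction number to these exact
    details and return the message that goes to the customer's registered device."""
    err = validate_request(user, src, dst, amount)
    if err:
        raise ValueError(err)
    created = time.time() if now is None else now
    tx_id = secrets.token_hex(8)
    tan = f"{secrets.randbelow(10**6):06d}"
    PENDING[tx_id] = PendingTransfer(user, src, dst, amount, tan, created)
    # The details come from the server's record, so a client that altered the
    # request sees its altered values on the customer's phone and can decline.
    message = f"Confirm transfer of {amount} from {src} to {dst}. TAN: {tan}"
    return tx_id, message


def confirm_transfer(user, tx_id, entered_tan, now=None):
    """Step 2: execute the transfer only for a valid, unexpired TAN entered by
    the same user, re-validating the balance at execution time."""
    p = PENDING.get(tx_id)
    if p is None:
        raise ValueError("unknown transaction")
    current = time.time() if now is None else now
    if current - p.created > TAN_TTL:
        del PENDING[tx_id]
        raise ValueError("TAN expired")
    if user != p.user:
        raise ValueError("not the initiating user")
    # Constant-time comparison; wrong guesses are counted and the transfer is
    # discarded after MAX_ATTEMPTS so the six digits cannot be brute-forced.
    if not hmac.compare_digest(entered_tan, p.tan):
        p.attempts += 1
        if p.attempts >= MAX_ATTEMPTS:
            del PENDING[tx_id]
        raise ValueError("wrong TAN")
    del PENDING[tx_id]  # one-shot: a TAN is consumed whether or not execution succeeds
    # The balance may have changed between initiation and confirmation, so the
    # funds check is repeated here, at execution time.
    err = validate_request(user, p.src, p.dst, p.amount)
    if err:
        raise ValueError(err)
    ACCOUNTS[p.src] -= p.amount
    ACCOUNTS[p.dst] += p.amount
    return ACCOUNTS[p.src], ACCOUNTS[p.dst]
```

The client never sees the pending record; it only gets back the transaction id and, out of band, the message with the TAN. A real deployment would keep PENDING in a database with the same one-shot and expiry semantics and would deliver the message over the customer's configured channel.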


Do you really mean that?


Yes of course.

This is the standard way online banking has been operating in, I believe, much of Europe since practically forever (although it used to be physical lists before smartphones were popular).


They're just saying to validate user input.



