Länsförsäkringar Bank – API hack & documentation

It’s been a year since I released the first and only Swedish multi-bank app for iPhone. It’s been pretty successful with some ~45.000 downloads and it’s being downloaded at a rate of 80-100 times per day. When I built the first version I used (and still use today) scraping techniques to authenticate and fetch information from banks. My hope was that it would be more work for banks to try to keep me out by making changes than it was for me to update the app. Looking back, it holds true, or banks just don’t care about me and my app. I’ve only been in contact with one bank and they actually like my app. Other banks have publicly commented in media on my app saying that using it is comparable to “leaving your home with the keys in the door”. I do think people should be cautious with giving out personal information, but it’s impossible for me to steal money from my users. In fact, I don’t spy on them in any way, and I think that 1 year on the App Store demonstrates this. If I was up to no good, by now someone would have investigated and found out.

But this post is about bank APIs and Länsförsäkringar Bank in particular. Why are banks not providing real public APIs and letting users access their own data? I strongly believe that clever APIs would spawn more smart services that help people get a grip on what they are spending their money on and why they need to stop buying things on credit. Because no bank is currently publishing public APIs, I decided it’s time to publish some private APIs.

Congratulations Länsförsäkringar Bank, you are the FIRST Swedish bank with a public API!

Länsförsäkringar Bank has built a native smartphone application and it needs an API to provide the data. They have spent some extra time trying to keep you and me from utilizing their API. Today’s hacking session resulted in figuring out their API-key algorithm that provides access to the functionality, and I’ve documented vital parts of the API. The documentation is available here.

API Token algorithm explained

To call the URLs that make up the API a special token is required. The way it works is that https://mobil.lansforsakringar.se/appoutlet/security/client returns a number and a “number pair”. The returned JSON object looks like this:

{"number":178263227,"numberPair":"7ff1c2cfd1cfb21ee2b9a4b31394abef"}

The number is just a large random number and the number pair is a GUID; most likely the back-end keeps track of issued numbers together with the GUID. By posting to https://mobil.lansforsakringar.se/appoutlet/security/client we get the token back. This is an example of the body the API expects to receive in that POST:

{"originalChallenge":178263227,"hash":"c07389232dd98901d017f05b14de63a66d185042","challengePair":"7ff1c2cfd1cfb21ee2b9a4b31394abef"}

The hash is the secret that gives us the token. I managed to figure out that the hash is a SHA-1 hash and that the value being hashed does not include the challengePair value. The algorithm works like this:

  1. Add 4112 to the challenge number: 178263227 + 4112 = 178267339.
  2. Convert the result to a string in hex format: 178267339 => aa024cb. The string must be in lower case.
  3. Hash the hex string using SHA-1: aa024cb => c07389232dd98901d017f05b14de63a66d185042.

Simple when you know the secret (4112)! The documentation includes a JavaScript implementation of the API hash.

What’s next?

I hope Länsförsäkringar won’t get too upset about this and will instead think about the possibilities in making this API public. Länsförsäkringar is the first bank with a somewhat documented API now, but they won’t be alone on the throne for very long. I have already started working on getting into other bank APIs and I will publish documentation on them when I have enough time.

Disclaimer

I want to make it clear that I provide information about an API that exists as of right now and that has never been publicly announced. I cannot guarantee that everything is correct or that things will not change. I have only documented what I’ve found out today and I have no affiliation or association with Länsförsäkringar or anyone working there.

3 thoughts on “Länsförsäkringar Bank – API hack & documentation”

  1. Sorry about the rant here… I think we are mostly on the same side. APIs FTW! But:

    I think that the reason the banks are keeping the API information from their customers is the fear that a lot of apps will pop up where the banks cannot guarantee the security of their customers. You know… it is pretty much like “leaving your house with the keys in the door” if I create a really simple app that saves all your passwords and lets you transfer money between accounts with no hassle. And your phone gets stolen.

    Or how about someone creates an online app that keeps track of all your spendings from your different bank accounts and shows you graphs and stuff and then it turns out it was the biggest scam ever?

    Normal people would not understand the difference between giving their info to handelsbanken.se or allyourmoney.se, especially if the banks sponsored the APIs and made them public.

    When things like mint.com started popping up in the states my first two thoughts were:

    1. Cool! I want that!
    2. How is that possible without breaking the security?

    And it turns out it was not possible, it works because a lot of banks in the US only require a simple user / pass combo for access. I would not like to have my money there.

    You could argue that it is up to the customer to choose to use such an app and choose not to have a password on such an app. The banks choose not to produce the app instead. I would tend to be on the “information wants to be free” side here, but with all the non security and weak passwords reported lately I actually don’t know if “normal people” should be trusted with their own money ;-)

  2. I believe the reason banks don’t want to provide an API is because they want to own our information. Providing an API will likely help their clients save money, which means they (banks) lose money. Regarding security, and correct me if I’m wrong, but currently no bank allows money to be transferred to external accounts using the lower security level. The absolute nightmare scenario is someone collecting logins with the evil plan of moving people’s money around their own accounts. Definitely not something you would like to happen, but it’s not the end of the world either.

    I believe banks can do much better. How about adding an additional security level that allows read-only access to account information such as balance and transaction history? Customers could issue keys that allow different services to access their information; that way they could also block services that they no longer want to share information with.

    By publishing this information I hope banks start thinking about possibilities with open data instead of problems and limitations.

  3. Hey Bjorn

    Just opened a Swedish account today so I’ll finally be able to try your app out now!

    Hope life is good down at Valtech… I’m sure I’ll cya for a beer one day not too long from now.

    Jamie
