Readit News
dewey · 7 years ago
For those in the EU there's something interesting coming next year, banks need to provide an open API to interact with each other:

https://thenextweb.com/worldofbanking/2018/06/27/openbanking...

Already right now in Germany there are a lot of banks that share a common API format, which is why there are a lot of banking apps where you can just log into your bank and don't need bank-specific apps. It's called HBCI / FinTS (https://en.wikipedia.org/wiki/FinTS) and it's great to have that possibility without doing some web-scraping to get your data out.

One example of another german bank API would be:

https://api-docs.fidor.de/v1/introduction/welcome-text

Rjevski · 7 years ago
PSD2 and “open” banking is bullshit. I wish this myth would die - it is anything but “open”.

If you want to gain access to APIs, you need to become an “AISP” (as they are called in the UK), this requires a certification and a load of other nonsense akin to PCI-DSS. This is for read-only access - for “write” access including the ability to edit payees or make payments you need to become a “PISP” which I assume requires even more paperwork.

I also said APIs because the regulation does not mandate any kind of API format, so every bank has their own with different capabilities as far as what data is returned and in which format. Some of them are truly awful.

And finally, “open” banking still does not allow you to get a personal access token for your own account.

sjtgraham · 7 years ago
> If you want to gain access to APIs, you need to become an “AISP”

It's more complicated than that.

Banks can give unregulated entities access to their APIs, but they don't because IMO providing API access is directly opposed to their interests. If you want to be statutorily entitled to API access you need to be a registered AISP or PISP.

Unfortunately what an AIS is is very specific, i.e. showing the account owner aggregated information, before or after processing, about one or more payment accounts. If your product doesn't do this, e.g. credit scoring using the user's bank transactions instead of credit bureaux, then you're not performing a regulated activity, therefore the regulator has nothing to authorise, and you can't enjoy the resulting entitlement of API access.

This means there are whole classes of (unregulated) applications that won't be allowed to exist by banks if they adopt the position of granting access only to regulated entities.

> this requires a certification and a load of other nonsense akin to PCI-DSS

AIS and PIS have become regulated activities as a result of PSD2. This is not the same as PCI-DSS. Becoming a (P|A)ISP means becoming supervised by the local regulator as an authorised financial institution. This involves a lot of paperwork, a £1,500 application fee, insurance, fees for any professional services you needed to complete the application (lawyer), and 3 months (longer if your application is incomplete or has other issues).

> for “write” access including the ability to edit payees or make payments you need to become a “PISP” which I assume requires even more paperwork.

And €50,000 own capital requirements.

> I also said APIs because the regulation does not mandate any kind of API format, so every bank has their own with different capabilities as far as what data is returned and in which format. Some of them are truly awful.

This is true at the moment for Europe but notionally incorrect for the 9 largest banks in the UK, which are subject to parallel domestic measures ordered by the Competition and Markets Authority. There is a spec, but there are many problems with the governance, implementation, etc.

mcintyre1994 · 7 years ago
I've only just joined so this isn't exactly a recommendation, but Monzo looks super exciting because of two features: instantly reporting transactions, and an API that lets you access your own transactions. If you've only ever used a shit bank, look how amazing this looks: https://docs.monzo.com/#list-transactions (caveat: I haven't tried it yet!)
solenya · 7 years ago
"...the regulation does not mandate any kind of API format.."

That isn't true. Anybody who wants to be in the UK Open Banking Group (mandatory for the 9 biggest banks) must follow these very strict specs:

https://openbanking.atlassian.net/wiki/spaces/DZ/pages/16385...

Nursie · 7 years ago
So you need to be vetted and approved before being allowed access to some of people's most private and secure data.

Why is this a problem exactly?

ummonk · 7 years ago
So you are saying Cambridge Analytica wouldn't be able to get access to people's banking data by marketing some sort of convenience app to them?
close04 · 7 years ago
So you take issue with the fact that there's a high bar when dealing with personal data and real money? Especially when this gives you access to do it en-masse?

It's open, just not the "open" you imagine. Like anyone from the street being allowed to do it.

AndrewDucker · 7 years ago
Good.

I absolutely do not want any old hacker to be building software that can talk to bank accounts. I want a minimal level of regulation and insurance, to make sure that they aren't doing terrible things with it, and that they are easy to track down and deal with when they mess it up.

IshKebab · 7 years ago
Ha I knew it was bullshit! Thanks for confirming my suspicions.
AhtiK · 7 years ago
Is this new initiative strictly for an API between the official banks, or is there a chance that a regular company or, let's say, a private person can use it to access its own data & submit transfers?

On a related note, I do hope that the German "Lastschriftmandat"/direct debit also gets replaced with something more transparent and with better control. Similar to the e-invoice concept used by a few other countries like Estonia.

TomMarius · 7 years ago
It's not completely public, but it's open to all companies and people. Your application needs to meet certain requirements and needs to be approved etc.
kozziollek · 7 years ago
Similar thing in Poland: https://polishapi.org/en/
pbreit · 7 years ago
I've always kind of wondered if XML/JSON delivered over SMTP was a viable webhook approach?
benbristow · 7 years ago
In the UK the fintech (Financial Tech) scene is becoming more prevalent, for the better.

Recently I switched to a new online-only bank called Monzo. It's fully licensed and all accounts are insured up to a certain amount by the UK government. It's great. They're in the top charts for apps in the UK now on the iOS App Store. There's a few other alternatives like Starling Bank and Revolut too.

They're very good. They're open about their tech stack with developer blogs and it's a modern stack which lets them iterate in a quick and agile manner unlike the legacy banks.

You get push notifications on every payment (usually you get the notification before the payment has even processed on the vendor's end!). Tells you exactly how much you've been spending every day.

They've got RESTful JSON APIs you can integrate with if you want to and they also have the option in the app to easily export your data into CSV or Quickbooks format. They even have IFTTT integration.

Really makes you manage your money better.

sitepodmatt · 7 years ago
Revolut are a nightmare. After using it for several months and being fully verified I apparently entered a CVV incorrectly on one transaction. Revolut blocked the card but with no notification and no in-app indicators; all showed normal in the app, all toggles enabled for maximum flexibility. It took ages to figure out, but swiping the card or using it online was now returning a 'FRAUD/STOLEN' marker to the merchant rather than just insufficient funds, and this led to Adyen blocking me from merchants and other hell. Best of all, support kept telling me my account was fine and all enabled; it was only after Twitter escalation that I learnt about a backend block their support staff couldn't see. Ridiculous: weeks to sort, dozens of tickets, and the suggestion to train support staff or provide an in-app indicator of the block was ignored. This shit still happens today, avoid Revolut. Fintech can be rough, it ain't all great, tread carefully. Oh and they delete feedback from forums if not positive lol
kennydude · 7 years ago
I've done this with Monzo and you get a push notification saying "Declined at XYZ".

They seem to know what they're doing at least

germainelol · 7 years ago
No bad experiences so far with Revolut, but will admit the customer support is pretty terrible. I had to enquire to the CS team about the top-up limit and ended up getting all of my answers from forums instead of the CS team.
s_dev · 7 years ago
I had a similarly disastrous experience with Revolut. I signed up with my US passport and everything went downhill from there. I was able to lodge €50 into the account but couldn't verify myself (Revolut don't accept US passports as policy) and found myself in an awful situation trying to recover the €50. Revolut took two months to return the money to me.

I'm a massive fan of these apps though -- I use N26 personally. It works and I like that it's German (savings are guaranteed by the German government).

caurusapulus · 7 years ago
I actually had some issues with my old Revolut Mastercard with TfL. I asked them to check whether this was the case also with others, but no answer. I let this slip as I have plenty of other cards, but still.

After a couple of months, they acknowledged the issue and provided me a free new Revolut Visa. It still took about 2 months to get it in my hands, after having sent a couple of messages via Twitter.

toomuchtodo · 7 years ago
Thank you so much for posting this. Kept waiting for my Revolut invite, but now I know to steer clear.
kqr · 7 years ago
This is, on one hand, great. I made the switch to a similar bank myself a few years back.

What I failed to realise at the time was how exposed I became to the vulnerabilities associated with being cashless. Cash is not just an ancient relic. Cash is an ancient relic and a fundamental component of a free society.

My country has, in practice, become nearly cashless and I used to be proud to be one of the very early adopters of that mindset. Now I lament how hard it is to deal in cash.

I am planning to switch to the only bank left in my country still providing personal cash services. The only one. That should be scary, not relieving.

matthewmacleod · 7 years ago
What do you mean by "personal cash services"?

A new-ish bank like Monzo mentioned above still allows you to withdraw cash like any other bank. You can't yet pay it into the account, but my understanding is that this will be provided pretty soon (based on their public roadmap https://trello.com/c/k2zy6WyU/98-cash-deposits-)

Cash is important, but I don't think it's going away any time soon.

fastball · 7 years ago
I guess that's the target for anonymous cryptocurrencies like Monero and ZCash?
spuz · 7 years ago
Could you elaborate on the risks of not using cash for you?
onion2k · 7 years ago
The CEO of Monzo used to post here on HN quite a lot. He also founded GoCardless. Very smart guy. https://news.ycombinator.com/threads?id=tomblomfield

KirinDave · 7 years ago
The actual secret API of banks (and by the way this is the initial strategy Plaid pursued if rumor is to be believed, essentially without the consent of the banks) is reverse engineering mobile app APIs. Most of these bank APIs try to use cheesy secret token vending to prevent casual API traffic on their endpoints, but the reality is that a sufficiently instrumented Android kernel (or rooted iOS device) will let you reverse engineer those protocols and masquerade as legitimate users.
stephengillie · 7 years ago
Why don't banks sell API access at a rate s/similar/lower than Google Maps API access? This is starting to feel like music and video piracy all over again.
toomuchtodo · 7 years ago
Because the value is in not being commodified. Not giving API access is worth more than charging for it.

If all of your credit lines, checking, savings, and investment accounts were an API call away, the institutions providing those no longer build relationships that can be profitable; they're simply utilities you could swap out interchangeably. As such, they're not a fan of this idea.

KirinDave · 7 years ago
Because they know they can't compete on a technical level with Amazons and Googles even dumping a billion dollars into tech growth, and disintermediation is a fast road to becoming a utility.
gomox · 7 years ago
It's just a common case of the past trying to control the future.
josephh · 7 years ago
That rumor sounds far from plausible though. If they were to attempt to use the reverse-engineered API from their own servers without consent, banks would find out (in a matter of hours) and shut them down when they discover a huge spike in traffic from a relatively small pool of IPs. If they were to access it directly from customers' phone/browser via their (web-)apps, I expect that it would've caused a huge media storm by now when someone finds out they are storing/transmitting the password in plaintext (or its equivalent) to be used for authentication.

As for this instance specifically, I believe Chase grants Mint (and few other whitelisted companies) account access via OAuth. It's a step in the right direction, although it's not clear to me what their long term goal is.

KirinDave · 7 years ago
Hi, I founded Level Money, was one of Intuit's earliest aggcat customers and one of their last customers, and did this for a lot of people until Capital One bought my company and we did it for them.

AMA, I guess.

But to answer the implicit question: shutting that off can be harder than it sounds. And because it's a mobile API and iOS's store has fairly slow update cycles, it can be very hard to simply rotate your API spec fast enough without interrupting customer service: a difficult thing for a bank to get away with (lol, I'm joking they're down all the time).

btmerr · 7 years ago
Cert pinning. EOL.
KirinDave · 7 years ago
If it's in the binary Simple ships I can take it or modify it to not need it. It's a huge pain in the ass, but it's not "hard."

And while I know I did a cert pin and you did a cert pin, not everyone does it (or does it bidirectionally). Nor is that the only way folks would get an API spec.

juancampa · 7 years ago
There are ways to work around cert pinning
nnd · 7 years ago
Can be easily bypassed.
tekknik · 7 years ago
what’s wrong with a good ole fashioned site scraper?
misterbwong · 7 years ago
This is very clever but makes me sad. It’s 2018 and the best, cleanest way of monitoring and storing my own transactions programmatically is by scraping an email.
orf · 7 years ago
*in America

Banks provide an API in Europe. In fact it's a legal requirement that's coming into force in 2019, and there are a lot of 'mobile-first' banks like Monzo and Revolut which make this entirely unneeded in the first place (providing spending exports, decent analytics, push notifications, etc etc).

Welcome to the future. Contact your local politician if you want to join us. Maybe also ask about chip and pin while you're at it!

avianlyric · 7 years ago
With Monzo you can just use IFTTT[1] for simple stuff like this, and the API[2] for complicated stuff.

I personally use the API to automatically add flat bill directly to Splitwise.

[1] https://monzo.com/features/ifttt/ [2] https://docs.monzo.com

drstewart · 7 years ago
Pretty condescending attitude you've got there.

Since you're so far in the future, can you consider dragging Germany into it as well so I don't have to use cash everywhere I go?

Tharkun · 7 years ago
> Banks provide an API in Europe. In fact it's a legal requirement that's coming into force in 2019

That's simply not true. You're probably referring to PSD2, which is not an API in the sense that anyone technical would use the term. And it's not meant for you or me. The requirements for gaining PSD2 API access are insane, and at least in some areas require permission from the national bank. Which you won't get unless you're a large corp with big bucks and lots of insurance.

bhhaskin · 7 years ago
Sure, but as other users like Rjevski have pointed out the PSD2 API is going to be nearly impossible for the common person to use. Unless you want to become pretty much PCI-DSS certified.
TeMPOraL · 7 years ago
Are you sure?

Looking here[0], it seems the future is fake, and the EU is no better than the US in this regard. Even after 2019, I'll still have to scrape the bank's website and do manual exports to get my own data out in a usable format.

--

[0] - https://news.ycombinator.com/item?id=17718782

Havoc · 7 years ago
Some parts of Europe suck too, e.g. HSBC's systems feel like they've recently advanced from 1995 to 1996.
ctdean · 7 years ago
I talk to (about) a person a week who wants to create a new US bank. Some are pursuing a de novo charter, some are buying a bank, and some are a quasi bank on top of another bank.

The real blocker here is the Fed won't grant new charters and often won't transfer charters. I'm hoping this will change in the next few years and we can get some real competition.

(Disclosure: my job is making APIs for US Banks.)

RickS · 7 years ago
What's your take on new entrants at the processor level?

When I worked for a debit card startup (stripe's new feature, but worse, and years earlier), it seemed like the "bank account" parts were mostly boring money buckets, and all the interesting features existed at the processor level.

FIS was tragicomic to interface with, and they control something like 50% of card swipes in the US if I understand correctly?

Seems like if you want to make a really major play, you do to FIS what stripe did to paypal, right?

techsupporter · 7 years ago
Any idea why this is the situation?

What about doing a state-by-state charter?

ctdean · 7 years ago
The Fed is still living with the fear of the 2008 crash. And you still need FDIC insurance even if you have a state charter.
bluetidepro · 7 years ago
I was expecting this to outline how you could actually use various APIs from different banks, but was still pleasantly happy with the actual content of the article. This is a clever idea I had never thought about doing. Kudos to OP!
VikingCoder · 7 years ago
I hate sounding like a VC jerk, but the banking industry needs some serious disruption.
pgeorgi · 7 years ago
The american banking industry, maybe.

One of the ills of VC-mania is the ongoing assumption that a) problems that exist in the US exist everywhere and b) that there are no other problems.

(see also: Uber busting the "taxi monopoly")

maxxxxx · 7 years ago
And that nobody outside the US ever has solved problems in a way that may apply to the US.
repolfx · 7 years ago
Uber is popular everywhere, including throughout Europe.

And as for banking, well, it's somewhat worse in the USA than elsewhere but it's not like Europe is overflowing with awesome hi-tech banks. Yes there are a few "startup banks" in the UK and one in Germany that I know of, and that's about it for the entire continent. Moreover the vast majority of people don't use them and bank with the existing set of firms, many of which have legacy and decaying IT estates. Look at what happened with TSB recently. Total meltdown. Major IT outages in the UK banking sector have become commonplace; you don't hear about that happening in the US.

kennydude · 7 years ago
Good job Monzo is looking to expand there then :D
WilliamEdward · 7 years ago
I had a similar idea, so I looked up the process for starting a bank. There's a good reason fresh-faced startup VCs can't get into it.

- Extremely high starting capital requirements (10-100 million USD)

- Knowledge on security, finance, and law, means you will be needing an expert team of lawyers, accountants, cryptographers, etc.

- An actual location and strictly controlled building to keep the physical money.

There are a lot more requirements but the first 3 make it almost impossible for a layman to start their own bank.

driverdan · 7 years ago
This is why most financial services companies partner with an existing bank.

A better alternative to starting a new bank is buying a small bank. It may actually be cheaper than starting a new one.

sofaofthedamned · 7 years ago
TBF in Europe (or specifically the UK) the new regulations seem to have come up with a plethora of new banks - Starling, Monzo, Revolut, Tide, etc.

Both my personal and business accounts are with these, and it's awesome. Starling for my personal account and Tide for the business one. I get notifications of payments usually before the in-store machine has finished sorting itself out. Also get nice things like being able to use Google Pay before the card arrives. I've just got married, and our joint account will be one of these.

I assume these banks have popped up from these EU regulations, as they didn't exist 3 years ago.

stephengillie · 7 years ago
Sales pitch:

- Extremely high ($10 billion plus) market opportunity, with a ~0.1% to ~1% capital requirement.

- Recruit a team with the highly diverse skills needed to operate a modern bank.

- Have a secure location? Let us pay you to leverage assets from another startup.

ian0 · 7 years ago
No, the financial services industry needs some serious disruption. Banks need to be MORE conservative. Not less. "Disruption" in banking is what's caused previous financial crises.

Managing user interfaces to sell financial products is not the same as running a bank. This is why APIs are so important. They allow innovation in the sale of financial products while keeping the actual risk calculations on deposits and loans heavily regulated.

Of course, banks don't like them. In the same way internet providers don't like net neutrality. Nobody wants to be commoditised. But this segregating of responsibility is the only way you can ensure positive change for consumers/businesses without introducing a bunch of risk into a critical piece of the economy.

VikingCoder · 7 years ago
I want my bank to offer me the ability to generate Access Control Lists, with generated accounts. I want to make an account with read-only access to all of my financial information. I want to monitor all of my assets in real time, with alerts going to my phone for suspicious activity.

That's MORE conservative. But it's only enabled through intelligent APIs, which banks in the US don't have. With Mint, you passed over your full banking credentials, which was absurd.

I'd also like to remove the ability to PULL money from my credit / debit cards. I want only to PUSH money from my bank. Allowing companies to pull is what allows the vast majority of identity theft.

That's the kind of disruption I want.

Give ME the control to organize, monitor, and control access to my funds.

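The read-only, revocable access described in the comment above is what scoped bearer tokens give you, as opposed to handing an aggregator your full online-banking credentials. The following is an added example written for this page, not code from the thread and not any bank's real API: a toy account service where a token is bound to one account and an explicit scope list, the transaction-listing endpoint needs `transactions:read`, and the payment endpoint refuses a token that lacks `payments:write`. The scope names, the signing key, the account store and the HMAC token format are all assumptions for the example; a real deployment would use a standard token format and keep the key in a KMS/HSM.

```python
import base64
import functools
import hashlib
import hmac
import json
import time
from decimal import Decimal

# Assumed server-side signing key, constructed for this example only.
SIGNING_KEY = b"example-signing-key-do-not-use"


class AuthError(Exception):
    """Raised when a token is malformed, forged, expired or under-scoped."""


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _sign(body: str) -> str:
    return _b64(hmac.new(SIGNING_KEY, body.encode("ascii"), hashlib.sha256).digest())


def issue_token(account_id, scopes, ttl_seconds, now=None):
    """Mint a bearer token bound to one account and an explicit, sorted scope list."""
    now = int(time.time()) if now is None else now
    claims = {"sub": account_id, "scope": sorted(set(scopes)),
              "iat": now, "exp": now + ttl_seconds}
    body = _b64(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    return f"{body}.{_sign(body)}"


def verify_token(token, now=None):
    """Check the MAC before trusting anything in the client-supplied body."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 2:
        raise AuthError("malformed token")
    body, sig = parts
    if not hmac.compare_digest(sig, _sign(body)):
        raise AuthError("bad signature")
    claims = json.loads(_unb64(body))
    if claims["exp"] <= now:
        raise AuthError("token expired")
    return claims


def require_scope(scope):
    """Decorator: the wrapped endpoint runs only if the token carries `scope`."""
    def decorator(fn):
        @functools.wraps(fn)
        def wrapper(token, *args, now=None, **kwargs):
            claims = verify_token(token, now=now)
            if scope not in claims["scope"]:
                raise AuthError(f"token lacks scope {scope}")
            return fn(claims, *args, **kwargs)
        return wrapper
    return decorator


# Constructed in-memory account store (invented account id and transactions).
ACCOUNTS = {
    "acct-42": {
        "balance": Decimal("1000.00"),
        "transactions": [
            {"id": "t1", "amount": Decimal("-12.50"), "name": "COFFEE"},
            {"id": "t2", "amount": Decimal("1012.50"), "name": "PAYROLL"},
        ],
    }
}


@require_scope("transactions:read")
def list_transactions(claims):
    """Read-only view: a monitoring client needs nothing more than this scope."""
    return list(ACCOUNTS[claims["sub"]]["transactions"])


@require_scope("payments:write")
def push_payment(claims, payee, amount):
    """Push-only model: money leaves only via a call made with the holder's write-scoped token."""
    acct = ACCOUNTS[claims["sub"]]
    amount = Decimal(amount)  # never float for money
    if amount <= 0:
        raise ValueError("amount must be positive")
    if acct["balance"] < amount:
        raise ValueError("insufficient funds")
    acct["balance"] -= amount
    acct["transactions"].append(
        {"id": f"t{len(acct['transactions']) + 1}", "amount": -amount, "name": payee})
    return acct["balance"]


if __name__ == "__main__":
    ro = issue_token("acct-42", ["transactions:read"], ttl_seconds=3600)
    print(len(list_transactions(ro)), "transactions visible to the read-only token")
    try:
        push_payment(ro, "LANDLORD", "100.00")
    except AuthError as e:
        print("payment refused:", e)
```

The read-only token can be handed to a monitoring tool and revoked or left to expire without ever giving that tool the ability to move money; forging a wider scope into the body breaks the MAC, so the server rejects it before it reads the claims.
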
dddddaviddddd · 7 years ago
Particularly in user-facing aspects
lgregg · 7 years ago
I just had a 45 min talk with a rep of my credit union; she agrees. They don't have per-transaction alerts.
TomMarius · 7 years ago
What user facing aspects bug you the most?
jimmyswimmy · 7 years ago
I guess it's not popular or all that well-known anymore, but for quite a while there's been a Quicken-led banking interface for some banks. Known as OFX or Direct Connect, it provides at least one-way (download) access to banking transactions. I think there's a way to upload as well but have never used it nor had a bank that supports it for upload.

My bank has a separate enrollment - it was free - offering download-only access to my transactions. I haven't used it in awhile (just too much on my plate) but it worked well as recently as 2016.

https://github.com/aqbanking/aqbanking is one open implementation for the interface.

mindslight · 7 years ago
^ This.

It's often called "Quicken Direct Connect" (NOT "web connect", that's a bastardization trying to push the login flow through the proprietary web interface), and often has to be specifically enabled for your account (Bank of Slum-merica is the only place I've heard charging for the functionality though).

Check say https://ofx-prod-filist.intuit.com/qb2600/data/fidir.txt to see if your bank is listed (that contains both direct and web connect banks, you'll figure out what the flags mean).

Set up a cron or human cron to pull and save the raw OFX (QFX) query every day/week/month, and then run whatever reports/analytics you want from that. This way you'll have history to use with whatever program/scripts you move to, and can also straightforwardly integrate legacy banks that make you use the web interface (just at a much lower polling rate).

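The two comments above describe pulling raw OFX/Direct Connect statements on a schedule and keeping the files. As an added example, not code from the thread and not aqbanking's implementation, here is a minimal parser for the OFX 1.x statement format those pulls return, plus the de-duplication a polling setup needs: OFX 1.x is SGML-style (leaf tags such as `<TRNAMT>` are not closed), and successive pull windows overlap, so the same transaction comes back more than once and has to be folded in by its `FITID`. The two OFX responses are constructed for the example; the bank ID, account number, FITIDs, amounts and payee names are invented.

```python
import html
import re
from decimal import Decimal

# OFX 1.x leaf tags are unclosed: the value runs until the next '<' or end of line.
LEAF = re.compile(r"<(?P<tag>[A-Z0-9.]+)>(?P<val>[^<\r\n]+)")
TXN_BLOCK = re.compile(r"<STMTTRN>(.*?)</STMTTRN>", re.DOTALL)
LEDGER_BLOCK = re.compile(r"<LEDGERBAL>(.*?)</LEDGERBAL>", re.DOTALL)
REQUIRED = ("TRNTYPE", "DTPOSTED", "TRNAMT", "FITID")

# Constructed OFX 1.02 header (colon-delimited, separated from the body by a blank line).
OFX_HEADER = (
    "OFXHEADER:100\nDATA:OFXSGML\nVERSION:102\nSECURITY:NONE\n"
    "ENCODING:USASCII\nCHARSET:1252\nCOMPRESSION:NONE\n"
    "OLDFILEUID:NONE\nNEWFILEUID:NONE\n\n"
)

# Two constructed pulls whose date windows overlap, as a daily cron job would produce.
PULL_1 = OFX_HEADER + """<OFX>
<SIGNONMSGSRSV1><SONRS><STATUS><CODE>0<SEVERITY>INFO</STATUS>
<DTSERVER>20180801120000<LANGUAGE>ENG</SONRS></SIGNONMSGSRSV1>
<BANKMSGSRSV1><STMTTRNRS><TRNUID>1<STATUS><CODE>0<SEVERITY>INFO</STATUS>
<STMTRS><CURDEF>USD
<BANKACCTFROM><BANKID>123456789<ACCTID>0001234567<ACCTTYPE>CHECKING</BANKACCTFROM>
<BANKTRANLIST><DTSTART>20180701<DTEND>20180801
<STMTTRN><TRNTYPE>DEBIT<DTPOSTED>20180715<TRNAMT>-42.10<FITID>20180715000001<NAME>COFFEE SHOP</STMTTRN>
<STMTTRN><TRNTYPE>CREDIT<DTPOSTED>20180725<TRNAMT>1500.00<FITID>20180725000002<NAME>PAYROLL</STMTTRN>
</BANKTRANLIST>
<LEDGERBAL><BALAMT>1457.90<DTASOF>20180801</LEDGERBAL>
</STMTRS></STMTTRNRS></BANKMSGSRSV1></OFX>
"""

PULL_2 = OFX_HEADER + """<OFX>
<SIGNONMSGSRSV1><SONRS><STATUS><CODE>0<SEVERITY>INFO</STATUS>
<DTSERVER>20180803120000<LANGUAGE>ENG</SONRS></SIGNONMSGSRSV1>
<BANKMSGSRSV1><STMTTRNRS><TRNUID>2<STATUS><CODE>0<SEVERITY>INFO</STATUS>
<STMTRS><CURDEF>USD
<BANKACCTFROM><BANKID>123456789<ACCTID>0001234567<ACCTTYPE>CHECKING</BANKACCTFROM>
<BANKTRANLIST><DTSTART>20180720<DTEND>20180803
<STMTTRN><TRNTYPE>CREDIT<DTPOSTED>20180725<TRNAMT>1500.00<FITID>20180725000002<NAME>PAYROLL</STMTTRN>
<STMTTRN><TRNTYPE>DEBIT<DTPOSTED>20180802<TRNAMT>-8.00<FITID>20180802000003<NAME>TRANSIT AUTHORITY<MEMO>CARD 1234</STMTTRN>
</BANKTRANLIST>
<LEDGERBAL><BALAMT>1449.90<DTASOF>20180803</LEDGERBAL>
</STMTRS></STMTTRNRS></BANKMSGSRSV1></OFX>
"""


def ofx_body(text: str) -> str:
    """Drop the key:value header; the SGML body starts at <OFX>."""
    idx = text.find("<OFX>")
    if idx < 0:
        raise ValueError("no <OFX> element in response")
    return text[idx:]


def _leaves(fragment: str) -> dict:
    """Map leaf tag -> value for one aggregate, unescaping &amp; and friends."""
    return {m.group("tag"): html.unescape(m.group("val").strip())
            for m in LEAF.finditer(fragment)}


def parse_transactions(text: str) -> list:
    """Return one dict per STMTTRN, refusing records that lack the required fields."""
    txns = []
    for block in TXN_BLOCK.finditer(ofx_body(text)):
        f = _leaves(block.group(1))
        missing = [k for k in REQUIRED if k not in f]
        if missing:
            raise ValueError(f"STMTTRN missing {missing}")
        txns.append({
            "fitid": f["FITID"],
            "type": f["TRNTYPE"],
            "posted": f["DTPOSTED"][:8],     # YYYYMMDD; drop any time/zone suffix
            "amount": Decimal(f["TRNAMT"]),  # never float for money
            "name": f.get("NAME", ""),
            "memo": f.get("MEMO", ""),
        })
    return txns


def ledger_balance(text: str) -> Decimal:
    m = LEDGER_BLOCK.search(ofx_body(text))
    if not m:
        raise ValueError("no LEDGERBAL in response")
    return Decimal(_leaves(m.group(1))["BALAMT"])


def merge_pulls(store: dict, pulls) -> int:
    """Fold the transactions from several raw pulls into `store`, keyed by FITID.

    Overlapping windows re-send the same FITID; a repeat must agree with what we
    already hold, otherwise raise rather than silently overwrite history."""
    added = 0
    for text in pulls:
        for t in parse_transactions(text):
            prev = store.get(t["fitid"])
            if prev is None:
                store[t["fitid"]] = t
                added += 1
            elif prev["amount"] != t["amount"] or prev["posted"] != t["posted"]:
                raise ValueError(f"FITID {t['fitid']} re-sent with different data")
    return added


if __name__ == "__main__":
    ledger = {}
    for day, pull in enumerate((PULL_1, PULL_2), 1):
        n = merge_pulls(ledger, [pull])
        print(f"pull {day}: {n} new, {len(ledger)} total, ledger balance {ledger_balance(pull)}")
```

Keep the raw files as the comment suggests and rebuild the store from them; the FITID check is what makes re-running over the whole archive idempotent, and the mismatch branch is the place you want to be told that a bank has restated a posted transaction.
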
burkemw3 · 7 years ago
How does web connect actually work? I've never found any description of the method
__jal · 7 years ago
I used OFX for quite a while. Had a home-grown pile of scripts that did my budgeting/record keeping, and even reverse-engineered their payment submission system, and had nearly everything semi-automated to my personal satisfaction for a while.

And then they revamped everything, sprinkled security (and "security") pixie-dust around, and I gave up after locking myself out repeatedly trying to jump through the new hoops.