[GNC] AqBanking help for Citi CC (cont'd again)


[GNC] AqBanking help for Citi CC (cont'd again)

Jonathan Stickel
As with messages in January and August, I too would like AqBanking to
work with a Citi credit card account. I've followed the recommended
settings described here:

https://lists.gnucash.org/pipermail/gnucash-user/2018-October/080548.html

but still no luck.

I did find a feature when logged in to my citi.com account to "manage
access" for third party software applications ("like Quicken® or
Quickbooks®"). This is through Profile->More Settings. Clicking on Add
Access then gives 10 minutes to make a connection. I've tried running
AqBanking during this 10 minute window, but it still does not retrieve
an account list or download transactions. So I am at a loss. If anyone
is currently being successful using a Citi cards connection, please post!

Thanks,
Jonathan
_______________________________________________
gnucash-user mailing list
[hidden email]
To update your subscription preferences or to unsubscribe:
https://lists.gnucash.org/mailman/listinfo/gnucash-user
If you are using Nabble or Gmane, please see https://wiki.gnucash.org/wiki/Mailing_Lists for more information.
-----
Please remember to CC this list on all your replies.
You can do this by using Reply-To-List or Reply-All.

Re: [GNC] AqBanking help for Citi CC (cont'd again)

John Ralls-2


> On Oct 20, 2019, at 7:46 PM, Jonathan Stickel <[hidden email]> wrote:
>
> As with messages in January and August, I too would like AqBanking to work with a Citi credit card account. I've followed the recommended settings described here:
>
> https://lists.gnucash.org/pipermail/gnucash-user/2018-October/080548.html
>
> but still no luck.
>
> I did find a feature when logged in to my citi.com account to "manage access" for third party software applications ("like Quicken® or Quickbooks®"). This is through Profile->More Settings. Clicking on Add Access then gives 10 minutes to make a connection. I've tried running AqBanking during this 10 minute window, but it still does not retrieve an account list or download transactions. So I am at a loss. If anyone is currently being successful using a Citi cards connection, please post!

That 10-minute window makes it seem like it's OFX Web Connect, where you authenticate via the web and then connect with your financial software. AQBanking and therefore GnuCash doesn't support that. It supports only OFX Direct Connect where the financial software handles the authentication.

Regards,
John Ralls


Re: [GNC] AqBanking help for Citi CC (cont'd again)

Jonathan Stickel
On 10/20/19 22:13, John Ralls wrote:

>
>
>> On Oct 20, 2019, at 7:46 PM, Jonathan Stickel <[hidden email]> wrote:
>>
>> As with messages in January and August, I too would like AqBanking to work with a Citi credit card account. I've followed the recommended settings described here:
>>
>> https://lists.gnucash.org/pipermail/gnucash-user/2018-October/080548.html
>>
>> but still no luck.
>>
>> I did find a feature when logged in to my citi.com account to "manage access" for third party software applications ("like Quicken® or Quickbooks®"). This is through Profile->More Settings. Clicking on Add Access then gives 10 minutes to make a connection. I've tried running AqBanking during this 10 minute window, but it still does not retrieve an account list or download transactions. So I am at a loss. If anyone is currently being successful using a Citi cards connection, please post!
>
> That 10-minute window makes it seem like it's OFX Web Connect, where you authenticate via the web and then connect with your financial software. AQBanking and therefore GnuCash doesn't support that. It supports only OFX Direct Connect where the financial software handles the authentication.
>
> Regards,
> John Ralls
>

Thanks for the observation. Perhaps that part is a red herring.

My main question remains:  is anyone successfully running AqBanking with
Citi Cards? If so, how did you make it work?

Thanks,
Jonathan

Re: [GNC] AqBanking help for Citi CC (cont'd again)

GnuCash - User mailing list

> On Oct 21, 2019, at 12:13 PM, Jonathan Stickel <[hidden email]> wrote:
>
> On 10/20/19 22:13, John Ralls wrote:
>>> On Oct 20, 2019, at 7:46 PM, Jonathan Stickel <[hidden email]> wrote:
>>>
>>> As with messages in January and August, I too would like AqBanking to work with a Citi credit card account. I've followed the recommended settings described here:
>>>
>>> https://lists.gnucash.org/pipermail/gnucash-user/2018-October/080548.html
>>>
>>> but still no luck.
>>>
>>> I did find a feature when logged in to my citi.com account to "manage access" for third party software applications ("like Quicken® or Quickbooks®"). This is through Profile->More Settings. Clicking on Add Access then gives 10 minutes to make a connection. I've tried running AqBanking during this 10 minute window, but it still does not retrieve an account list or download transactions. So I am at a loss. If anyone is currently being successful using a Citi cards connection, please post!
>> That 10-minute window makes it seem like it's OFX Web Connect, where you authenticate via the web and then connect with your financial software. AQBanking and therefore GnuCash doesn't support that. It supports only OFX Direct Connect where the financial software handles the authentication.
>> Regards,
>> John Ralls
>
> Thanks for the observation. Perhaps that part is a red herring.
>
> My main question remains:  is anyone successfully running AqBanking with Citi Cards? If so, how did you make it work?
>
> Thanks,
> Jonathan

Not anymore. I used aqbanking for many years to download Citicard transactions. A couple years ago the connections started failing about half the time. And a couple hours later, whether I got the data or not, I’d get an email from Citi saying they had detected suspicious activity on my account and I was required to change my password. Kinda weird for them to cough up all the transaction data, and then decide the connection was suspicious. But this is not the first disagreement I’ve had with Citi over weird security policies. Eventually I gave up on directconnect downloads. If I need Citi transactions (not often recently), I log in via the web interface, download the qfx file, and import that into Gnucash.

https://community.quicken.com/discussion/7859184/new-8-27-19-citi-cards-returning-ol-301-error#latest
indicates that Citi has further modified their permitted third-party access, and even Quicken users are having problems.

I tried the old aqbanking connect attempt last night, and got no response. The ofx.log showed the outgoing commands, with nothing coming back. I had activated Citi’s 10 minute window, to no avail. I also got no notice that anyone had tried to break in. I’d love to see the ofx.log and conn.log from a successful download in Quicken of Citi transaction data. There’s a chance the old ofx server just drops the connection on any attempted login.

Citi’s description of the third party authorization (once an app is authorized, changing your password won’t prevent access by the app…) leads me to believe there is some additional handshake/authentication going on during that logon in 10 minute window that is outside the ofx spec. If so, there’s no way for aqbanking to handle that. I seriously doubt we’ll ever see published-standard ofxdirectconnect transaction downloads from Citi again. The banking regulators are making it hard to accomplish, Quicken would just as soon the handshake be totally proprietary, and the banks don’t want to bother with software development if they can help it.

Good luck.

--
Dave Reiser
[hidden email]





Re: [GNC] AqBanking help for Citi CC (cont'd again)

xngin
Greetings everyone,

I'm happy to report a working Citi CC OFX Direct Connect through AqBanking.
It took quite a bit of tinkering to figure out. For a while I was stuck on
the fact that <TRNUID> had to be a UUID4, which AqBanking cannot produce,
but it seems that Citi changed something and now it works as is.

It may be helpful for me to mention that I first discovered the correct OFX
request, and then got AqBanking working. A working OFX request is included
at the bottom of this message. Unfortunately, it has been a while since I
stumbled upon it and I vaguely recall that the request alone was not enough.
I am speculating now, but I think I had to enable that 10 minute window
mentioned in the thread and during it send a simple signon request (with no
transaction/statement request field). Only after it returned a success was I
able to request data.

In terms of submitting the request, I have a few working options:
1) a POST request with the following headers 'Content-Type':
"application/x-ofx", 'User-Agent':"InetClntApp/3.0", "Accept":"*/*"
2) a call to ofxget (part of ofxtools) with the following configuration file
(~/.config/ofxtools/ofxget.cfg):

[citi]
version = 103
appver = 2500
creditcard = # 16 digit credit card number #
org = Citigroup
fid = 24909
user = #username#
url = https://mobilesoa.citi.com/CitiOFXInterface
pretty = true
unclosedelements = true

3) AqBanking v5.7.8 with the following configuration file:
~/.aqbanking/settings/users/uid0001.conf

int  uniqueId="58"
char backendName="aqofxconnect"
char userName="username"
char userId="username "
char customerId="username "
char country="us"
char bankCode="0000000000"
int  lastSessionId="0"

data {
  backend {
    char bankName="Citi Credit Card"
    char org="Citigroup"
    char fid="24909"
    char serverAddr="https%3A%2F%2Fmobilesoa.citi.com%2FCitiOFXInterface"
    char appId="QWIN"
    char appVer="2500"
    char headerVer="103"
    char clientUid="a fixed UUID4 string"
    int  httpVMajor="0"
    int  httpVMinor="0"
  } #backend
} #data



Finally, here is the working OFX request. If you find this information
useful, please consider adding it to the GnuCash wiki.

OFXHEADER:100
DATA:OFXSGML
VERSION:103
SECURITY:NONE
ENCODING:USASCII
CHARSET:1252
COMPRESSION:NONE
OLDFILEUID:NONE
NEWFILEUID:#random uuid4 or just some random large integer, like 20180912052115#

<OFX>
    <SIGNONMSGSRQV1>
    <SONRQ>
        <DTCLIENT>20191020111537.000
        <USERID>#username#
        <USERPASS>#password#
        <LANGUAGE>ENG
        <FI><ORG>Citigroup<FID>24909</FI>
        <APPID>QWIN
        <APPVER>2500
        <CLIENTUID>#uuid4, i keep it fixed between sessions, but don't recall setting it#
    </SONRQ>
    </SIGNONMSGSRQV1>
    <CREDITCARDMSGSRQV1>
    <CCSTMTTRNRQ>
    <TRNUID>20191021211537.000
    <CLTCOOKIE>1
    <CCSTMTRQ>
        <CCACCTFROM><ACCTID># 16 digit credit card number#</CCACCTFROM>
        <INCTRAN>
        <DTSTART>20191012000000
        <DTEND>20191019111537
        <INCLUDE>Y</INCTRAN>
    </CCSTMTRQ>
    </CCSTMTTRNRQ>
    </CREDITCARDMSGSRQV1>
</OFX>




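Added example, not part of any post in this thread and not AqBanking or ofxtools code: a Python sketch that builds the sign-on-only request described in the message above (a <SONRQ> with no statement request) and masks credential and account fields before an ofx.log excerpt is shared on a list. The function names and sample values are constructed for illustration; the header values, ORG, FID, APPID and APPVER are the ones posted above.

```python
import re
import uuid
from datetime import datetime, timezone
from xml.sax.saxutils import escape  # escapes &, < and > inside element values

# Header block as posted in the thread; NEWFILEUID is filled in per request.
OFX_HEADER = ("OFXHEADER:100\r\nDATA:OFXSGML\r\nVERSION:103\r\nSECURITY:NONE\r\n"
              "ENCODING:USASCII\r\nCHARSET:1252\r\nCOMPRESSION:NONE\r\n"
              "OLDFILEUID:NONE\r\nNEWFILEUID:{fileuid}\r\n\r\n")

# Elements whose values identify or authenticate the account holder.
SENSITIVE = ("USERPASS", "USERID", "ACCTID", "CLIENTUID")


def build_signon(user, password, client_uid, now=None):
    """Return a sign-on-only OFX 1.03 request (no <CCSTMTTRNRQ> block)."""
    now = now or datetime.now(timezone.utc)
    lines = [
        "<OFX>", "<SIGNONMSGSRQV1>", "<SONRQ>",
        "<DTCLIENT>" + now.strftime("%Y%m%d%H%M%S.000"),
        "<USERID>" + escape(user),
        # SECURITY:NONE means the password travels in the body, protected
        # only by the HTTPS transport, and lands in any request log.
        "<USERPASS>" + escape(password),
        "<LANGUAGE>ENG",
        "<FI><ORG>Citigroup<FID>24909</FI>",
        "<APPID>QWIN", "<APPVER>2500",
        "<CLIENTUID>" + escape(client_uid),
        "</SONRQ>", "</SIGNONMSGSRQV1>", "</OFX>",
    ]
    return OFX_HEADER.format(fileuid=uuid.uuid4()) + "\r\n".join(lines) + "\r\n"


def redact(ofx_text):
    """Mask sensitive element values so a request log can be posted safely.

    In OFX 1.x SGML a value runs from its tag to the next '<' or line end,
    so this works whether or not elements are closed.
    """
    pattern = re.compile(r"<(%s)>([^<\r\n]*)" % "|".join(SENSITIVE))

    def mask(match):
        tag, value = match.group(1), match.group(2).strip()
        # Keep the last four digits of a card number to tell accounts apart.
        if tag == "ACCTID" and len(value) >= 4:
            return "<%s>%s%s" % (tag, "*" * (len(value) - 4), value[-4:])
        return "<%s>[REDACTED]" % tag

    return pattern.sub(mask, ofx_text)


if __name__ == "__main__":
    # Constructed sample credentials, not real ones.
    print(redact(build_signon("alice", "s3cr&t<x", str(uuid.uuid4()))))
```
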

Re: [GNC] AqBanking help for Citi CC (cont'd again)

GnuCash - User mailing list
> On Oct 22, 2019, at 12:33 AM, xngin <[hidden email]> wrote:
>
> Greetings everyone,
>
> I'm happy to report a working Citi CC OFX Direct Connect through AqBanking.
> It took quite a bit of tinkering to figure out. For a while I was stuck on
> the fact that <TRNUID> had to be a UUID4, which AqBanking cannot produce,
> but it seems that Citi changed something and now it works as is.
>
> It may be helpful for me to mention that I first discovered the correct OFX
> request, and then got AqBanking working. A working OFX request is included
> at the bottom of this message. Unfortunately, it has been a while since I
> stumbled upon it and I vaguely recall that the request alone was not enough.
> I am speculating now, but I think I had to enable that 10 minute window
> mentioned in the thread and during it send a simple signon request (with no
> transaction/statement request field). Only after it returned a success was I
> able to request data.
>
> In terms of submitting the request, I have a few working options:
> 1) a POST request with the following headers 'Content-Type':
> "application/x-ofx", 'User-Agent':"InetClntApp/3.0", "Accept":"*/*"
> 2) a call to ofxget (part of ofxtools) with the following configuration file
> (~/.config/ofxtools/ofxget.cfg):
>
> [citi]
> version = 103
> appver = 2500
> creditcard = # 16 digit credit card number #
> org = Citigroup
> fid = 24909
> user = #username#
> url = https://mobilesoa.citi.com/CitiOFXInterface
> pretty = true
> unclosedelements = true
>
> 3) AqBanking v5.7.8 with the following configuration file:
> ~/.aqbanking/settings/users/uid0001.conf
>
> int  uniqueId="58"
> char backendName="aqofxconnect"
> char userName="username"
> char userId="username "
> char customerId="username "
> char country="us"
> char bankCode="0000000000"
> int  lastSessionId="0"
>
> data {
>  backend {
>    char bankName="Citi Credit Card"
>    char org="Citigroup"
>    char fid="24909"
>    char serverAddr="https%3A%2F%2Fmobilesoa.citi.com%2FCitiOFXInterface"
>    char appId="QWIN"
>    char appVer="2500"
>    char headerVer="103"
>    char clientUid="a fixed UUID4 string"
>    int  httpVMajor="0"
>    int  httpVMinor="0"
>  } #backend
> } #data
>
>
>
> Finally, here is the working OFX request. If you find this information
> useful, please consider adding it to the GnuCash wiki.
>
> OFXHEADER:100
> DATA:OFXSGML
> VERSION:103
> SECURITY:NONE
> ENCODING:USASCII
> CHARSET:1252
> COMPRESSION:NONE
> OLDFILEUID:NONE
> NEWFILEUID:#random uuid4 or just some random large integer, like 20180912052115#
>
> <OFX>
>    <SIGNONMSGSRQV1>
>    <SONRQ>
>        <DTCLIENT>20191020111537.000
>        <USERID>#username#
>        <USERPASS>#password#
>        <LANGUAGE>ENG
>        <FI><ORG>Citigroup<FID>24909</FI>
>        <APPID>QWIN
>        <APPVER>2500
>        <CLIENTUID>#uuid4, i keep it fixed between sessions, but don't recall setting it#
>    </SONRQ>
>    </SIGNONMSGSRQV1>
>    <CREDITCARDMSGSRQV1>
>    <CCSTMTTRNRQ>
>    <TRNUID>20191021211537.000
>    <CLTCOOKIE>1
>    <CCSTMTRQ>
>        <CCACCTFROM><ACCTID># 16 digit credit card number#</CCACCTFROM>
>        <INCTRAN>
>        <DTSTART>20191012000000
>        <DTEND>20191019111537
>        <INCLUDE>Y</INCTRAN>
>    </CCSTMTRQ>
>    </CCSTMTTRNRQ>
>    </CREDITCARDMSGSRQV1>
> </OFX>
>

It’s nice to be proven wrong on this…

For me the keys were changing the OFX Server URL in the Bank Settings tab of the Edit User function in the Aqbanking Setup Wizard to:
https://mobilesoa.citi.com/CitiOFXInterface
Then using a web browser to log into Citicards and setting the 10 minute validation window,
and going back to the Aqbanking setup (same Bank Settings tab in Edit User) and clicking the [Retrieve Account List]

I have the Application Version (<APPVER> in OFX-speak) set to 2700. That shows up as Quicken 2018. The APPVER of 2500 in the example above is close, if not already over, the sunset Quicken puts on downloadable transactions after 3 years. No telling how this all will work when Quicken goes to subscription-only next year.

Hitting the [Retrieve Account List] button may not be necessary vs. just kicking off a normal data connection. But there is some chatter in the Quicken user community that you can’t ask for a transaction download during the connection request with Citi’s 10-minute validation window open. Using the button worked for me. I didn’t need the new account list from Citi, as my old account definition still worked once I got the server address fixed.

I didn’t have to mess with NEWFILEUID, as aqbanking’s default works fine for me. (That changes with every connection, so I’m happy not to mess with it.)


--
Dave Reiser
[hidden email]




