Tuesday, September 8, 2009

Another SMS Thing

I keep track of my checking account balance and track all my bills in a sparsely populated spreadsheet, with a row for each calendar day and a column for each category of credit or debit (paycheck, transfer to savings, gas bill, ATM, &c.). The resulting balance is tracked in the rightmost column.

My practice has been, when withdrawing money from an ATM machine, to pocket a paper receipt until such time as I find myself before my computer and may record the transaction.

So I made another App Engine service that lets me enter ATM withdrawals into a database,

Withdrawals web app showing a $101.75 withdrawal on 2009-09-03,

and publishes monthly accounts as XML,

XML listing same withdrawal,

which are then consumed by Google spreadsheets' ImportXML() function:

Withdrawal shown in spreadsheet.

I called it "A.T.Them," and once I had it working, I added an endpoint to handle Zeep operations. Now when I withdraw money, I can decline the offer of a paper receipt, saving some trees, and text "atthem 61.50" or whatever and it will pop up right in my spreadsheet.

I can't figure out how to post the source without Blogger mangling the HTML, but it's all trivial in any case. One note is that ImportXML() doesn't do any kind of authentication, so the monthly lists of all my ATM withdrawals are not protected by anything beyond my keeping the URIs at which they may be found a secret.

Likewise (and this vulnerability, such as it is, applies equally to any Zeep service), someone who knew the URI that handles Zeep requests and my Zeep subscriber ID could impersonate "atthem" messages and populate my spreadsheet with junk. It's easy enough to add some sort of challenge and response to Zeep operations, but I didn't bother.
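One way to add the challenge and response mentioned above, as an added example that is not the A.T.Them source and does not use Zeep's API: the withdrawal is held until the phone texts back a one-time code that the service sent to it. The class and method names, the six-digit code and the five-minute lifetime are assumptions, and delivering the code by SMS is left to the caller.

```python
# Hypothetical names throughout; not Zeep's API and not the A.T.Them code.
import hmac
import secrets
import time

CHALLENGE_TTL = 300  # seconds a challenge stays valid (assumed value)


class PendingWithdrawals:
    """Holds unconfirmed withdrawals until the phone echoes a one-time code."""

    def __init__(self, clock=time.time):
        self._pending = {}  # subscriber_id -> (code, amount_cents, expires_at)
        self._ledger = []   # confirmed (subscriber_id, amount_cents) entries
        self._clock = clock

    def request(self, subscriber_id, amount_cents):
        """Step 1: an inbound 'atthem 61.50' arrives; nothing is recorded yet.

        Returns the code the service would send by SMS to the subscriber's
        real phone. Someone forging requests with only the endpoint URI and
        the subscriber ID never receives it.
        """
        code = f"{secrets.randbelow(10**6):06d}"
        expires_at = self._clock() + CHALLENGE_TTL
        self._pending[subscriber_id] = (code, amount_cents, expires_at)
        return code

    def confirm(self, subscriber_id, response):
        """Step 2: the phone texts the code back; commit only on a fresh match."""
        # pop() makes each challenge single use, so a wrong guess burns it.
        entry = self._pending.pop(subscriber_id, None)
        if entry is None:
            return False
        code, amount_cents, expires_at = entry
        if self._clock() > expires_at:
            return False
        # Constant-time comparison avoids leaking how many digits matched.
        if not hmac.compare_digest(code.encode(), response.strip().encode()):
            return False
        self._ledger.append((subscriber_id, amount_cents))
        return True

    def ledger(self):
        """Confirmed withdrawals only; this is what the XML feed would publish."""
        return list(self._ledger)
```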
