Instant Bank Verification - How does that work?

Sometimes when signing up with a company they allow you to input your online bank login/password, and then they instantly verify that this is your account/you have funds. How does that work?

First, a criminal uses some false pretense to trick you into giving them your online banking credentials. Then they claim to have “verified” your account, when in fact what they have really done (or intend to do) is to use your credentials to transfer money out of your account and into theirs or that of a confederate.

No, these are reputable companies like PayPal or Charles Schwab.

No, they are pretending to be legitimate companies like PayPal or Charles Schwab. No reputable company is going to ask for your login/password for your bank account.

If you have given out this info, change your password immediately.

Not only that; you should very carefully examine your transaction records for any unauthorized activity, and possibly also contact your bank personally to check if there are any pending transactions which don’t appear in your online statement yet. If there is any unusual activity you should report what happened to the bank immediately. You may not get your money back, since it was almost certainly against your account terms and conditions to disclose your credentials to a third party, but at least they may be able to trace the thieves.

No, this is a for-real-totally-legit feature offered by some banks. My bank offers such a service, and I’ve used it to monitor accounts I have with other institutions.

In practice the bank is probably acting as man-in-the-middle-that-happens-to-be-friendly, and perhaps that’s not the best security practice and perhaps you also violate the external-account TOS by providing your info to a third party.

(And yes, everyone should be very careful as similar looking things are also common attacks).

Listen, I’m not a moron. Scottrade does this, and it can access my bank account balance through their site. You don’t know what you’re talking about. Fuck off.

Legitimate or not, the way it works is the same for everybody. You give somebody your login credentials to the bank, and the computer on the other end logs in to the bank on your behalf using your credentials. Which part of how this works is not clear to you in the first place?

Moderator Note

treis. Not a warning, just a note that you’re in General Questions and telling someone to fuck off isn’t done. Go and sin no more.

samclem Moderator

[moderator warning]
After ten years on the SDMB, you should realize that telling someone to “fuck off” is out of line for the General Questions forum. Do not do this again.
[/moderator warning]

Simul-moderation! :wink:

Pay no attention to the man behind the curtain. I was never here.

The part where this is how it works.

Besides, you didn’t really explain the process. When I go to log in to my accounts I have to select the account type and click on some links from the homepage. So is there some program running on Bank A’s machine that knows how Bank B’s website works? Does Bank B have public APIs for this?

Totally worth it. I’m tired of people who don’t know the answer to a GQ guessing some bullshit.

Anyone who has your bank account number and password can access your bank account. Anyone who can access your bank account can see how much money is in it. What’s the mysterious part?

Technical question though: Most bank web sites only present your account information in human-readable form. Does Instant Verification (when non-fraudulent) interpret the HTML emitted by the banking website to find the account value number, or just know the layout for a bunch of banks, or is there a more structured access available?

How is the mysterious part. Obviously everyone can go through the website and access it that way. But that’s not typically how computers do things. The how is what I am wondering. Is there an API, a clearinghouse, or what?

Some banks have an API, but mostly, yeah, you do actually have to screen scrape.

Mint and Yodlee both have their own system to do this sort of thing. I believe that Yodlee is used as the backend of a number of services. Not sure if Mint contracts theirs out or not.

Clearly the right thing to do for this sort of thing is for banks and other services to give out a “read only” login and password, or to use an authentication method that goes directly through them and hands out temporary credentials with limited access. But I guess we can hardly expect financial institutions to handle security as well as Twitter.
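The two answers above (a bank that only renders HTML versus one with an API) side by side, as an added example that is not from the thread or from any aggregator's code. Everything here is constructed: the HTML pages, the JSON body, the "Available balance" column, the hypothetical `available_balance` field name. It shows why a layout-dependent scraper is fragile and a documented API is not, which is the practical difference between the two access methods the thread is discussing.

```python
"""Added illustration (not from the thread): how an aggregator pulls a balance
from a bank that only renders HTML versus one that exposes a structured API.
All HTML/JSON below is constructed sample data; there is no real bank here."""
import json
from decimal import Decimal
from html.parser import HTMLParser

# Constructed HTML page as a bank with no API might render it.
BANK_A_HTML = """
<html><body>
<h1>Accounts</h1>
<table id="accounts">
  <tr><th>Account</th><th>Available balance</th></tr>
  <tr><td>Checking ...1234</td><td class="bal">$1,234.56</td></tr>
  <tr><td>Savings ...9876</td><td class="bal">$10,000.00</td></tr>
</table>
</body></html>
"""

# The same page after a hypothetical redesign: only a CSS class name changed.
BANK_A_HTML_REDESIGNED = BANK_A_HTML.replace('class="bal"', 'class="amount"')

# Constructed JSON as a bank with a documented read-only API might return it.
BANK_B_JSON = json.dumps({
    "accounts": [
        {"name": "Checking ...1234", "available_balance": "1234.56"},
        {"name": "Savings ...9876", "available_balance": "10000.00"},
    ]
})


def parse_money(text):
    """Turn a human-readable amount like '$1,234.56' into a Decimal."""
    return Decimal(text.strip().replace("$", "").replace(",", ""))


class BalanceScraper(HTMLParser):
    """Screen-scraper that depends on the bank's page layout: it looks for
    <td class="bal"> cells and takes the text inside them."""

    def __init__(self):
        super().__init__()
        self._in_balance_cell = False
        self.balances = []

    def handle_starttag(self, tag, attrs):
        if tag == "td" and ("class", "bal") in attrs:
            self._in_balance_cell = True

    def handle_data(self, data):
        if self._in_balance_cell:
            self.balances.append(parse_money(data))

    def handle_endtag(self, tag):
        if tag == "td":
            self._in_balance_cell = False


def balances_from_html(html):
    """Layout-dependent path. Returns [] when the markup no longer matches,
    which is exactly what happens after the bank's next redesign."""
    scraper = BalanceScraper()
    scraper.feed(html)
    return scraper.balances


def balances_from_api(body):
    """Structured path: the field names are part of a documented contract,
    so a visual redesign of the bank's website does not affect it."""
    return [Decimal(a["available_balance"]) for a in json.loads(body)["accounts"]]


if __name__ == "__main__":
    print("scrape:", balances_from_html(BANK_A_HTML))
    print("scrape after redesign:", balances_from_html(BANK_A_HTML_REDESIGNED))
    print("api:", balances_from_api(BANK_B_JSON))
```

Both paths need the bank to accept the aggregator's request in the first place; in the scraping case that means the aggregator is holding the customer's full login, which is the problem the rest of the thread is about.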

PayPal does this to verify your checking account.

They send you two very small deposits from their account into your checking account using PayPal, and you have to go to your bank account and tell PayPal what they sent you. If it matches, you are verified. You don’t give PayPal your bank passwords or anything.
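The micro-deposit flow just described, from the verifying service's side, as an added example that is not PayPal's code. The account ids, the 1 to 99 cent range, the attempt limit, the one-week window and the in-memory store are all constructed for the illustration; the point is that the service proves control of the account without ever seeing a bank password, and that the check needs to be attempt-limited so the two amounts cannot simply be guessed.

```python
"""Added illustration (not PayPal's code): the micro-deposit verification flow
described above, seen from the verifying service's side. Account ids, amounts
and the in-memory store are constructed for the example."""
import secrets
import time
from decimal import Decimal

MAX_ATTEMPTS = 3           # lock the challenge after this many wrong answers
CHALLENGE_TTL = 7 * 86400  # seconds the user has to read the statement and reply

# Constructed in-memory store keyed by the account being verified.
_challenges = {}


def random_cents(lo=1, hi=99):
    """One deposit amount in cents from a CSPRNG, never from random.randint."""
    return lo + secrets.randbelow(hi - lo + 1)


def dollars_to_cents(text):
    """Convert what the user types from their statement ('$0.23') to cents."""
    return int(Decimal(text.strip().lstrip("$")) * 100)


def start_verification(account_id, now=None):
    """Choose two small amounts, remember them, and return them so the
    service can send the ACH credits. The user's bank login is never seen."""
    now = time.time() if now is None else now
    amounts = (random_cents(), random_cents())
    _challenges[account_id] = {
        "amounts": amounts,
        "attempts": 0,
        "expires": now + CHALLENGE_TTL,
        "verified": False,
    }
    return amounts


def confirm_verification(account_id, claimed_a, claimed_b, now=None):
    """Check the two amounts (in cents) the user read off their statement.
    Order-insensitive, attempt-limited and time-limited; returns one of
    'verified', 'wrong', 'locked', 'expired', 'unknown'."""
    now = time.time() if now is None else now
    ch = _challenges.get(account_id)
    if ch is None:
        return "unknown"
    if now > ch["expires"]:
        return "expired"
    if ch["attempts"] >= MAX_ATTEMPTS:
        return "locked"
    ch["attempts"] += 1
    # Canonicalise both pairs (smaller first) so order does not matter, then
    # compare in constant time so timing does not leak how close a guess was.
    expected = "{},{}".format(*sorted(ch["amounts"])).encode()
    claimed = "{},{}".format(*sorted((int(claimed_a), int(claimed_b)))).encode()
    if secrets.compare_digest(expected, claimed):
        ch["verified"] = True
        return "verified"
    return "wrong"


if __name__ == "__main__":
    a, b = start_verification("checking-1234")
    print("send deposits of", a, "and", b, "cents")
    print(confirm_verification("checking-1234", b, a))
```

With two amounts in the 1 to 99 cent range there are fewer than ten thousand possible answers, so the attempt limit is what makes the scheme hold up; without it the "secret" could be enumerated in minutes.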

Actually, ING Direct has done exactly this. They now allow you to set up what they call a “Personal Finance Access Code” that is separate from your regular password specifically for use by the aggregation services.

Unfortunately, I don’t know of any other bank that does this (which doesn’t prove that there isn’t one).
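The earlier suggestion of a "read only" login or temporary limited-access credentials, and the ING Direct access code described just above, amount to the same design: the bank mints a separate credential whose permissions and lifetime it controls. The sketch below is an added example, not ING Direct's or any bank's code; the signing key, scope names, token format and the two endpoints are all constructed for the illustration. It shows why such a code is safer to hand to an aggregator than a real password: the bank refuses a transfer made with it, the code expires on its own, and editing its scope breaks the signature.

```python
"""Added illustration (not ING Direct's or any real bank's code): a bank-issued
access code that is read-only and expires, handed to an aggregator instead of
the customer's real password. Key, scope names and token format are
constructed for the example."""
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time

# Constructed: the bank's server-side signing key. It never leaves the bank;
# the aggregator only ever sees the codes it signs.
BANK_KEY = secrets.token_bytes(32)


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_access_code(customer_id, scopes, ttl_seconds, now=None):
    """Minted by the bank while the customer is logged in with the real
    password. The code carries its own scope list and expiry, and the HMAC
    binds them so neither can be edited by whoever holds the code."""
    now = time.time() if now is None else now
    payload = json.dumps(
        {"sub": customer_id, "scopes": sorted(scopes), "exp": int(now + ttl_seconds)},
        separators=(",", ":"),
    ).encode()
    sig = hmac.new(BANK_KEY, payload, hashlib.sha256).digest()
    return b64url_encode(payload) + "." + b64url_encode(sig)


def authorize(code, required_scope, now=None):
    """Bank-side check run on every request that presents an access code.
    Returns (True, customer_id) or (False, reason)."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = code.split(".")
        payload = b64url_decode(payload_b64)
        sig = b64url_decode(sig_b64)
    except (ValueError, binascii.Error):
        return False, "malformed"
    expected = hmac.new(BANK_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):   # verify before trusting claims
        return False, "bad signature"
    claims = json.loads(payload)
    if now >= claims["exp"]:
        return False, "expired"
    if required_scope not in claims["scopes"]:
        return False, "scope not granted"
    return True, claims["sub"]


# Two hypothetical bank endpoints, each declaring the scope it needs.
def get_balances(code, now=None):
    ok, detail = authorize(code, "read:balances", now)
    return {"ok": ok, "detail": detail}


def transfer(code, amount_cents, now=None):
    ok, detail = authorize(code, "write:transfers", now)
    return {"ok": ok, "detail": detail, "amount_cents": amount_cents if ok else 0}


if __name__ == "__main__":
    code = issue_access_code("cust-42", ["read:balances"], ttl_seconds=30 * 86400)
    print(get_balances(code))        # permitted
    print(transfer(code, 50000))     # refused: scope not granted
```

Because the scope and expiry live inside the signed code, the bank needs no shared state to enforce them, and revoking an aggregator's access is just a matter of not renewing the code. The real password is never disclosed to the third party at all, which also removes the terms-of-service problem raised earlier in the thread.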

A quick search didn’t turn up any mention of it on PayPal’s website, but according to some third-party articles, apparently the OP is correct, and PayPal, probably the most-phished website in history, is (or was) actually doing this unbelievably stupid thing: