Hack of the day: enhancing Eastern Bank deposit notification emails

By | December 25, 2021

I have my Eastern Bank account configured to email me notifications about checking deposits. There are three problems with these notifications:

  1. They include only the amount of the deposit, not whom it’s from.
  2. They only put the deposit amount in the body of the email, not in the subject.
  3. They email me about every deposit, including the ones I already know about since I’m the one who made them. I want to be notified about direct deposits, but I really don’t want to be notified about check deposits. Eastern Bank’s online banking platform doesn’t support this distinction.

(Century Bank’s online banking platform had the same problem. I was hoping things would approve in this area after the acquisition by Eastern Bank, but alas no.)

This finally annoyed me enough today that I decided to do something about it. After implementing the hack described below, each deposit notification email is handled in one of three ways:

  1. If the deposit is already in my bookkeeping system (GnuCash), the email is simply discarded; I don’t need to see it!
  2. Otherwise, an attempt is made to log into Eastern Bank online banking automatically to fetch a description of the deposit from the list of recent transactions in my checking account. If successful, then the deposit amount and description are appended to the Subject of the email before it is put in my inbox.
  3. If step 2 fails for whatever reason, the email is put in my inbox as is.

All that sounds pretty straightforward, but there are actually a lot of moving parts under the surface.

Logging into Eastern Bank online banking automatically requires storing my username and password somewhere I feel comfortable with and enabling automatic capturing of the multi-factor authentication (MFA) code sent by Eastern Bank when it decides that MFA is required to log in.

I am certainly not going to do all this on my mail server in the cloud, because wow holy cow that is not a good idea! So instead I do the actual processing on my home server in my basement, which is protected by enough layers of paranoid security that I’m OK with it. (The risk calculus I’ve done to conclude this is interesting, but that’s a topic for another blog posting.)

So let’s talk about the nuts and bolts of how all this works. The first rule below from my procmailrc file on my mail server (I explain the second rule below) forwards the incoming deposit notification email to my home server and waits for it to process the email and return either the modified email or nothing:

(Notice that in this gist and others I have replaced sensitive or site-specific strings with “fillmein”. You will need to do the needful if you want t use any of this stuff!)

If the script on my home server returns a non-empty response, the procmail rule assumes that it is a filtered version of the message and uses it; otherwise the filter fails and the message is preserved as-is.

After filtering the message the procmail rule above checks if the script has added the “X-In-GnuCash-File” header to it. If so, it discards that message because that means I already know about the deposit and don’t need to see the notification about it.

On my home server, the CGI script called above looks like this:

The directory this script lives in is protected by a .htaccess file which restricts access to it so only my mail server and a few other local machines and networks can talk to it:

This brings us to the “meat” of this whole endeavor, the script that parses the notification email, checks my GnuCash file, and logs into Eastern Bank to fetch the deposit description if necessary:

It’s worth noting that this script assumes that the GnuCash data file is uncompressed, since that’s how I have GnuCash configured. You’d have to modify the script to uncompress the file when reading it if you keep yours compressed.

If you don’t use GnuCash you could modify script so that instead of parsing a GnuCash file, it fetches the deposit description from online banking and add “X-In-GnuCash-File” to the header if it’s “Mobile Check Deposit” or a similar description that you don’t care about.

The function add_description_from_web is where the logging-into-online-banking magic happens, using Selenium. The tricky part there is handling MFA. That requires more infrastructure! If the site asks for MFA, the script asks it to send a text message, which is not terribly secure (I wish Eastern Bank MFA supported TOTP!) but more secure than email.

Originally, the bank was sending this code to my phone, and then I was capturing the code there with Tasker + AutoNotification. However, as of Android 15 that doesn’t work anymore because the text message containing the code is considered “sensitive” and Android won’t let AutoNotification see it. Therefore, I have changed my account profile at my bank to send the MFA code to my Google Voice number instead of my phone. I have Google Voice configured to forward text messages by email, so the code gets sent via email, and then the second procmailrc rule above captures it and sends it to the script below just like I had Tasker doing before Android 15. I’ve included the Tasker + AutoNotification implementation below for reference, in case it starts working again at some point or you’re using an older Android version so you can still use it.

(Note: I’ve heard that you might be able to use the Tasker + AutoNotification solution by using adb to force AutoNotification to have the ability to read sensitive messages. In the adb shell, you would do something like cmd appops set AutoNotification RECEIVE_SENSITIVE_NOTIFICATIONS allow and then restart your phone or revoke and restore notifications access to AutoNotification. I haven’t tried this myself so I don’t know if it will work.)

Obsolete Tasker MFA capture implemention

This causes a text message to be sent to my Android phone. There, Tasker + AutoNotification intercepts the message, extracts the MFA code from it, and sends it to my home server. Here’s the Tasker description (the XML is here; it’s too ungainly and ugly to be worth embedding, so you can just download it):

This is the mfacode.cgi script that the MFA code is posted to on my home server:

Share

Leave a Reply

Your email address will not be published. Required fields are marked *