Hey @acjcool 👋 Not silly at all! You’re highlighting a real risk. If “hide/unhide” only exists in the web/app, stolen credentials plus device access could expose hidden accounts instantly. I’ve logged this internally as “security-enhanced account visibility control” so it’s on the radar for the security/product/API teams. Thanks for pointing this out :)
This is overkill and perhaps dead last on the backlog, but perhaps something to think about. As a user, I want to hide my accounts from the App/Website, so that when my device/credentials are stolen, the attackers can't just unhide them, since they will need to interact with Investec via an API secured to Mordor and back to get access to those accounts. The reason is that attackers know that people hide their accounts, so they just ask them to go to the functionality and unhide it. So all it did was prolong the trauma someone went through. If there is a way to only hide/unhide via API, then when the attackers go to the App/Online to view the invisible accounts, they won't be displayed there in the first place. The only way to unhide them is via a secure API call, and that can be a very different ball game. Delete this if it's silly.