Screen scraping a ‘time bomb’: Up Bank

Screen scraping should be prevented and institutions that don't act on it should be considered complacent

Melbourne-based neobank Up has told a Senate committee screen-scraping is akin to a ticking time bomb.

Mike Morris, head of technology at Ferocia, which builds Up's core systems, told the Senate Select Committee on Financial Technology and Regulatory Technology that there is no regulation ensuring organisations using screen-scraping – whereby an organisation employs customer-provided online banking login details to retrieve account data – are not sharing or using that data in an improper manner.

Morris said that financial institutions typically state in their terms and conditions that this is not permitted.

“[Firstly] you have these organisations that amass a bunch of customer credentials. Secondly it encourages bad customer practice to start typing your username and password into lots of different websites which can lead to financial crime or breaches of privacy,” Morris said.

“We should not be promoting [or] endorsing that,” he told the committee.

It was put to the Ferocia exec that some submissions to the inquiry had argued open banking will be the end of screen scraping. He argued that, regardless of the impending debut of open banking in Australia, organisations should be held accountable if they are not doing anything to prevent screen scraping.

“You cannot screen scrape Up,” he said. “We've designed it in such a way that it is not possible for a customer to give away the credentials that would allow them to compromise themselves. So you cannot do it. It's in our terms and conditions that you can't do it. But actually, even technically, it's not possible.

“Personally, if I was responsible for security at other financial institutions then you wouldn't have it there either. So, I don't accept that that's what we have now until we have open banking. It's what organisations choose to allow now. But we certainly don't. And I would question strongly other organisations that do allow their users to do screen sharing,” Morris said.

The Senate committee was established on 11 September 2019 to inquire into the current state of Australia's fintech and regtech industries, and investigate opportunities for government to promote effective and sustainable growth in these sectors in order to enhance Australia's economic competitiveness.

A joint submission of the Financial Rights Legal Centre and the Consumer Action Law Centre called for “the outmoded and dangerous practice of screen scraping” to be “prohibited”.

It argued there were numerous problems with the practice, including that consumers using such services would not be protected by the E-payments Code if they suffered fraud because they had willingly disclosed their login details to a third party service.

The submission added that screen scraping is slow, unstable and prone to errors. Because screen scraping scans the existing consumer-facing web portals of financial providers, if there is a small change to a website it can create stability issues for tools that employ the practice.

The joint submission also stated that screen scraping could undermine the success of the Consumer Data Right, the underlying legislative regime for open banking that is intended to provide a fast, safe, and secure process to access personal and financial data.

It also argues that allowing the practice to continue places Australian fintechs at a disadvantage, whereas banning it could allow fintechs to develop consumer trust.


Copyright © 2020 IDG Communications, Inc.
