Screen scraping can be used by criminals to steal data, but financial services companies are increasingly making legitimate use of it too. Angelique Ruzicka investigates what the process entails and how consumers can protect themselves.
Screen scraping can be hugely beneficial, if used legitimately. Put simply, it allows third-party companies to access financial transaction data when a consumer logs into a digital portal and allows this portal to access their banking and other personal information.
Plenty of financial services companies make use of this technique. These include lenders, financial management apps, personal finance dashboards, and accountancy service providers. Budgeting apps commonly use screen scraping tech to show consumers, in real time, where their money is coming from and going to.
There are typically security measures in place. With an online payment platform like Ozow, for example, consumers will log in using their online banking credentials, which are encrypted and passed directly to the bank. Ozow then automates any payments via EFT for the consumer to approve.
Thomas Pays, co-founder and CEO of fintech startup Ozow, adds: “A key step in the process is the two-factor authentication (2FA) for which the bank communicates directly with the consumer to authorise the payment. 2FA or multi-factor authentication (MFA) is an essential step of the process, sent outside of Ozow by the consumer’s bank and approved in-app, over USSD, or in the form of a one-time pin.”
Digital overlay services have been used since the 1980s across a variety of industries. Some of the largest digital companies are built on these overlays, including international tech giants like Google, Yodlee and QuickBooks.
The practice can make online banking and transacting more accessible, as Pays points out: “With the rise of cashless payments, peer-to-peer payments and eCommerce over the last year, enabling consumers to transact with convenience, ease and trust is imperative. This is particularly important for the 49 million South Africans with a bank account, as well as the millions who are currently unbanked and underserved.”
Not all financial institutions back the practice of screen scraping.
When approached for his view, Ravi Shunmugam, CEO: EFT product house for FNB, says: “FNB does not support the practice of screen scraping and is strongly opposed to third-party service providers requesting access to customers’ bank login credentials via non-bank websites or applications.
“FNB is working closely with the country’s payments industry bodies to highlight the potential risks of these practices to consumers, banks and merchants alike, to fast-track stronger regulatory oversight.”
Shunmugam admits that the process of screen scraping itself was not specifically developed for fraudulent or criminal purposes but warns that consumers still need to be aware of the risks involved.
He adds: “No matter how reputable the retailer or app may be, the simple fact is that when you share your login credentials with a third party, even in a secure environment, you expose yourself to financial crime and privacy risks, not least because your account security and data privacy can easily be compromised.”
Protecting your data
It’s important to arm yourself with as much information as possible to distinguish between a legitimate scraping transaction and a criminal one.
If you’re in any doubt about whether to use a service that implements screen scraping, talk to your bank about it or read up about it using financial education tools such as Money Smart Week, which regularly briefs consumers about banking scams and fraud.
How to protect your money from criminal screen scraping
Don’t share your login details. Never enter these in any website or app other than your own bank’s legitimate platforms. Your login credentials are highly sensitive and should never be divulged.
Shop on secure websites. This means the site should have SSL (Secure Sockets Layer) encryption installed. The URL for the website should start with “https” rather than just “http”.
Choose your payment process carefully. Choose to pay securely via virtual card, scan-to-pay, or with your credit or debit card rather than making an instant EFT payment.
Read through the terms and conditions carefully. Money Smart Week advises consumers to use a security testing tool before accepting the terms and conditions. It adds: “Make sure that no high risks are identified. If anything is highlighted, immediately let the website host know so that they can make the necessary adjustments.”
Ask questions about open-source tools and products. Money Smart Week explains: “Find out how third parties deal with open source, and what precautions they have taken to avoid risks. Make sure that the third party has a way to track and identify open-source codes, so that they can develop patches quickly if their product is identified as vulnerable.”
Improve your security. If there’s been a breach, reset your login details and use a password that’s hard to guess. Don’t use the same password across multiple accounts.
This article first appeared in City Press.