Rolands Mesters, co-founder and CEO of Nordigen, weighs in on the secure methods of obtaining financial data and why screen scraping is a major cybersecurity risk.
This year, we celebrate the 4th anniversary of open banking. Over the last few years open banking has revolutionised the financial industry, bringing users more control over their finances, creating opportunities for new, enhanced services and products with open data sharing, and adding layers of security to customer bank information. In Europe, regulated and secure bank connections can only be achieved through real bank APIs. PSD2 regulations required banks to standardise their APIs in order to provide secure and private access to financial data.
Despite the clear benefits of open banking, another way of obtaining financial data – screen scraping – is still being used and promoted today. The practice has drawn criticism from experts, who highlight worrying potential use cases as well as the data-breach risk it poses. Regulators have described it as “unsecure, inefficient, unregulated, and an unreliable method of data sharing.”
When it comes to financial data sharing, security is paramount, and screen scraping simply cannot deliver the degree of safety and stability required for this type of data transmission. Furthermore, its continued use risks data breaches on a scale that could harm the whole industry.
While open banking uses secure methods, such as APIs, to share customers’ financial data with third-party services with their consent, screen scraping resorts to simply obtaining bank login credentials from customers. Sharing such valuable credentials naturally makes users vulnerable: the security of their financial information then depends on the security practices of the third party.
Because these credentials are stored in plain text, the level of trust required is as high as the level of risk: large numbers of usernames and passwords sit in plain text on ordinary servers, leaving them exposed to attackers. Recent data breaches have shown that escalating attacker activity inevitably hits the most vulnerable technology, which makes screen scraping a ticking time bomb.
The rise of screen scraping
Screen scraping has evolved over many years and is used in a range of fields, both ethical and unethical. The practice isn’t specific to finance, but it became widely used there because of the value and functionality that can be obtained from online banking data. One reason it became so prominent was the lack of legitimate banking APIs years ago.
Developers built financial technology programs and applications with the tools at their disposal, getting as much as they could from what they had. The fintech industry grew and evolved thanks to those efforts; nowadays, with the rise of open banking, developers can keep building on a more secure foundation.
Today screen scraping is still used as a workaround, or as a means of enabling open banking connectivity, most often in countries that have no open banking regulation.
Risk to cybersecurity & user experience
While screen scraping can be used for lending and budgeting applications, data aggregation, client monitoring, and translating data from a legacy application into a modern one, it can also be used to steal data. Screen scraping has no fixed standards: each third-party provider follows its own security approach, at its own level, and none of it is regulated. A user signing up to a screen scraping service has no real way of verifying whether their chosen platform is protecting their data to the highest degree.
A screen-scraping connection to the bank is unreliable, since the practice is more of a “hack” than a properly supported integration. Screen scraping relies on the bank platform it connects to remaining unchanged. If the platform changes, even slightly, the service may have trouble connecting and re-establishing the link, resulting in an inconsistent experience for the end user.
Additionally, some screen scraping platforms deliberately mislead their customers by mimicking established banks through similar logos, colour schemes and trademark designs, so that customers believe they are entering their login credentials into their own online banking platform. Clients enter their data without realising their mistake. On top of that, these solutions can also be used by data thieves as a validation point for checking stolen credentials.
How to stay safe in the digital world
For regulated and secure bank connections the only safe option is open banking through real bank APIs. In Europe, PSD2 regulations mandated that banks develop their APIs to provide access to financial information in a way that guarantees security and privacy. These security efforts are backed by features such as consent management and Strong Customer Authentication (SCA), which verify identity, protect data and ensure that a customer’s information is never shared without their knowledge or consent. Most banks also have established anti-fraud systems in place, which act as an additional layer of security when connecting.
With real bank APIs, third-party financial service providers can access user bank accounts only if they can demonstrate that they meet the necessary data security standards. When a customer uses a service provided by a licensed Account Information Service Provider (AISP), they can therefore be confident that its data security procedures have been approved by a regulator. There is no need to share login credentials with a legitimate third-party service provider, and such institutions never see this information.
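The contrast the article draws in the paragraphs above (a third party that keeps the customer’s bank password and replays it against the bank’s web page, versus a licensed provider that holds only a consent token issued after the customer authenticates with the bank) is easiest to see in a runnable model. The Python below is an added example written for this page; it is not code from Nordigen or from any bank, and the bank, the two aggregators, the account data, the SCA code and the token format are all hypothetical in-memory stand-ins. It walks both designs through the three situations the article raises: a normal balance read, the bank redesigning its login page (only the scraper breaks), and a breach of each aggregator’s secret store (a leaked consent token dies when the customer revokes consent; a leaked password keeps working).

```python
import hmac
import re
import secrets
import time

# Constructed sample data for the simulation; no real account or credential.
BANK_USERS = {"alice": "correct horse battery staple"}
BANK_BALANCES = {"alice": 1234.56}
SCA_CODE = "123456"  # stands in for the one-time second factor

class Bank:
    """Hypothetical bank with a login web page and a consent-based API."""
    def __init__(self):
        self.page = '<html><span id="balance">{balance}</span></html>'
        self.tokens = {}  # token -> {"user", "scope", "expires", "revoked"}
    def _password_ok(self, user, password):
        return user in BANK_USERS and hmac.compare_digest(BANK_USERS[user], password)

    # Web front end (the path a screen scraper drives): password in, full session out.
    def web_login(self, user, password):
        if not self._password_ok(user, password):
            raise PermissionError("bad credentials")
        return self.page.format(balance=BANK_BALANCES[user])

    # Consent endpoint: the customer authenticates with the bank itself (SCA
    # happens here); the third party is handed only a scoped, expiring token.
    def grant_consent(self, user, password, sca_code, scope, ttl):
        if not self._password_ok(user, password) or not hmac.compare_digest(sca_code, SCA_CODE):
            raise PermissionError("authentication or SCA failed")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"user": user, "scope": frozenset(scope),
                              "expires": time.time() + ttl, "revoked": False}
        return token

    def revoke(self, token):
        self.tokens[token]["revoked"] = True

    # API endpoint: existence, revocation, expiry and scope are checked on every call.
    def api_balance(self, token):
        t = self.tokens.get(token)
        if t is None or t["revoked"] or time.time() > t["expires"]:
            raise PermissionError("token not valid")
        if "balances:read" not in t["scope"]:
            raise PermissionError("token lacks scope")
        return BANK_BALANCES[t["user"]]

class ScrapingAggregator:
    """Keeps the customer's bank password, replays it, and parses the HTML."""
    def __init__(self, bank):
        self.bank, self.store = bank, {}  # store: user -> plaintext password
    def connect(self, user, password):
        self.store[user] = password

    def balance(self, user):
        html = self.bank.web_login(user, self.store[user])
        m = re.search(r'<span id="balance">([\d.]+)</span>', html)
        if m is None:
            raise RuntimeError("bank page changed; balance not found")
        return float(m.group(1))

class OpenBankingAggregator:
    """Holds only the consent token; the password never reaches it."""
    def __init__(self, bank):
        self.bank, self.store = bank, {}  # store: user -> consent token
    def connect(self, user, token):
        self.store[user] = token
    def balance(self, user):
        return self.bank.api_balance(self.store[user])

def _ok(fn, *args):
    # True if the call succeeds, False if the bank rejects it or scraping fails.
    try:
        fn(*args)
        return True
    except (PermissionError, RuntimeError):
        return False

def run_scenarios():
    """A normal read, a bank page redesign, then a breach of each aggregator's store."""
    bank = Bank()
    scraper, aisp = ScrapingAggregator(bank), OpenBankingAggregator(bank)
    r = {}
    # Onboarding: the scraper is handed the password; the AISP gets a token the customer obtained at the bank.
    scraper.connect("alice", BANK_USERS["alice"])
    token = bank.grant_consent("alice", BANK_USERS["alice"], SCA_CODE,
                               scope={"balances:read"}, ttl=90 * 24 * 3600)
    aisp.connect("alice", token)
    r["scraper_balance"], r["api_balance"] = scraper.balance("alice"), aisp.balance("alice")
    # Fragility: the bank redesigns its page. Only the scraper breaks.
    bank.page = '<html><div class="bal">{balance}</div></html>'
    r["scraper_survives_redesign"] = _ok(scraper.balance, "alice")
    r["api_survives_redesign"] = _ok(aisp.balance, "alice")
    # Breach: assume an attacker copies what each aggregator stored.
    leaked_password, leaked_token = scraper.store["alice"], aisp.store["alice"]
    r["leaked_token_reads_balance"] = _ok(bank.api_balance, leaked_token)
    # Containment: the customer withdraws consent at the bank. The token is dead; the password still works.
    bank.revoke(leaked_token)
    r["leaked_token_after_revoke"] = _ok(bank.api_balance, leaked_token)
    r["leaked_password_after_revoke"] = _ok(bank.web_login, "alice", leaked_password)
    return r
```

Running `run_scenarios()` shows the asymmetry the article describes: both aggregators read the balance at first, the scraper stops working the moment the bank changes its markup, and after a breach the open banking provider’s exposure is bounded by what the token allows (one scope, one validity window, revocable by the customer), whereas the scraper’s exposure is the customer’s full login.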
While screen scraping helped the fintech market develop in its early years, there is no longer any need to continue the practice: it is insecure, unregulated and lacks the necessary quality of user experience. Open banking has elevated the process of financial data sharing, making it quicker, more secure and more reliable. Now that open banking is growing and developing around the world, it is time to stop lauding screen scraping as the “unofficial standard” for bank connections and to put data security at the forefront instead.