Can we stop having to hand over internet banking logins?
Screen-scraping pay services usually terribly unsafe and better options exist
When’s payment by internet banking not quite what you think it is, and potentially a really unsafe thing to use? When it’s done through “screen scraping” by third-party services. I wrote about this in 2016 when a reader noted that Auckland Transport the Payment Express Account2Account system for traffic infringement penalty payments.
It’s now 2020, AT still uses Account2Account. and Phil wrote in last week to say the service pops up at the Companies Office site when you click on the “internet banking” payments link.
The banks are pretty clear that you should not use screen-scraping services. ANZ says it does not support third-party services like POLi, Account2Account, PaymentExpress (now rebranded as Windcave) and Kindo.
A Kiwibank spokesperson similarly told me that: “Although third party services like POLi can work with our internet banking, we currently don’t endorse any non-Kiwibank payment system that requires users to share their internet bank username, security questions, and password.”
It doesn’t take a genius to understand what can happen if customers disclose internet banking credentials and even the multi-factor authentication codes or security questions to unknown third-parties.
If you allow others, be it people or machines, to poke around your bank account, chances are high that there’s no compensation for fraud; you’re on your own.
Phil works with IT and suggested to the Companies Office that they don’t use a service which leaves people high and dry if something goes wrong. His feedback was noted by the Companies Office, and Phil had a laugh when he contacted Windcave which operates Account2Account, and they hung up on him.
I too contacted Windcave, to ask
If you allow others, be it people or machines, to poke around your bank account, chances are high that there’s no compensation for fraud; you’re on your own.
where the internet banking login details are stored and for how long, ditto if the transaction details are logged and what account information if any is captured. So far my experience matches that of Phil’s, in that there’s been no response from Windcave.
The thing is, when you use a service like Account2Account, there’s no way to limit what the provider can do or for how long. They are logging in as you and anything you can do and see, they can do too.
In fact, the risks are acknowledged by the Ministry of Business, Innovation and Employment in a recent discussion paper:
“For example, some are using ‘screen scraping’ where a consumer effectively logs into an online account (eg online banking) via a third party’s interface. This could pose a risk to consumers as it does not limit the use of the data, and may also be a breach of the bank’s terms and conditions.”
Blocking third-party payments services is difficult for the banks, as they appear to be customer transaction sessions. There are ways to do it, but since the third-party providers are officially endorsed by government and council agencies, it would be a struggle for the banks to keep them out. IT security is notoriously difficult to get right, partly because people do unsafe things like reusing passwords and authentication codes that aren’t complex enough. There’s been many “don’t do that!” education campaigns to prevent that sort of risky behaviour.
Yet here we are in 2020, training people who use government sites to hand over the keys to the internet-accessible bank accounts to entities that few know who they are, or how to verify that they are who they claim to be.
Some people don’t have credit cards for whatever reason, or don’t want to use them especially if there are surcharges. They should have access to other ways to pay.
That’s totally fair enough, but the alternative shouldn’t be to penalise them with systems that do financial transactions in a hair-raisingly insecure fashion where information is shared with third parties.
Because it is 2020, there’s no need to use screen scraping for payments. Things have moved forward and there really are payments technology solutions for this problem. For example, banks can offer secure access via application programming interfaces, and you could even use Apple, Google and Samsung Pay apps and web browser integration. (And no, the answer here isn’t anything “crypto currency” or “blockchain based”, sorry.)
While there’s definitely justification for butting heads with banks over fees, charges and cumbersome systems, screen scraping is just dumb and not the right way. Government and council agencies need to stop using them now.