Credential sharing — the real problem with screen scraping

  • Debit card — the numbers on the debit card are a set of credentials that are issued to end users specifically to make payments via third parties whether at a physical location, online, or via phone.
  • Online banking credentials — for the end-user to get account information and make payments via the bank’s online banking interface or mobile app.
  • Telephone banking credentials — for the end-user to get account information and make payments over the telephone.
Using the numbers on a debit card as payment credentials has three well-known problems:
  1. No strong customer authentication. Entering the numbers printed on a debit card for an online payment gives no strong assurance that the card's owner is the one making the payment, hence the persistent level of fraud associated with card payments.
  2. No “dynamic linking” or “incremental auth”. The authorisation is not tied to a specific amount or payee: the same debit card number can be used to pay for a holiday of £10,000 and a coffee of £3.
  3. Cost to use these credentials. There are multiple parties in the chain between the end-user and the bank (card networks, acquirers, processors, merchant accounts, etc.), each adding cost. In addition, the lack of strong customer authentication raises the risk of fraud, which in turn increases the cost of accepting card payments.

What are the problems with the re-use of online banking credentials?

  • Those credentials are issued for the sole use of the user on the bank’s online banking or mobile interface.
  • Sharing login credentials is inherently bad security practice.
  • It removes non-repudiation: if I have given my credentials to someone else, that person can impersonate me, and the bank cannot tell whether it is dealing with me or with someone I’ve shared my credentials with.
  • It increases the chances of phishing attacks: if customers get used to entering sensitive credentials on multiple sites they become desensitised to phishing.
  • Passwords should be unique per site and never re-used; entering the same set of credentials on multiple sites is bad practice.
  • There is a greater risk that the credentials are compromised, because every site they are entered on is an additional place they can be stolen from.
  • Online banking interfaces expose a large number of capabilities that a user would rarely, if ever, want to give a third party access to; by sharing their credentials they have handed over all of them.
  • It is impossible for the end-user to revoke access for a single third party they’ve shared their credentials with. If they want to revoke access they must change their password, which cuts off every party at once.
The redirect-based alternative does not need to cost user experience:
  1. Many fintechs already use a redirect model themselves. For example, when a user pays with Sofort they are redirected away from the merchant to Sofort and then back to the merchant. A redirect-based API approach supports a similar user experience, except that the user is redirected straight to the bank rather than to Sofort. PayPal has been successful and its service works with a redirect model.
  2. The success of “Login with Google” or “Login with Facebook” demonstrates that redirection-based user experiences can work well and in many cases are far superior to repeatedly re-entering different sets of credentials.
  3. Redirection can provide a better user experience if the user is already logged in to the bank. For example, if I have a banking app on my phone in which I’m already logged in, I don’t have to re-enter my credentials; I can simply authorise the request.
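As an added example (not code from the original post, from Moneyhub or from any bank), the Python below models the two access models side by side so the points above can be exercised concretely: with a shared password the bank cannot distinguish the user from a third party, every capability is exposed, and the only revocation is a password change that breaks every third party at once; with a redirect-style grant (OAuth 2.0 flavour) each third party receives its own scoped token, the bank logs the client that acted, and one client can be cut off without affecting the others. The `Bank`, `Grant`, the client identifiers `tpp-a`/`tpp-b`, the scope names and the sample password are all illustrative assumptions; the redirect itself is not modelled, only the fact that the user authenticates at the bank rather than at the third party.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

@dataclass
class Grant:                       # consent one user gave one named client (assumed shape)
    user: str
    client_id: str
    scopes: frozenset
    revoked: bool = False

class Bank:
    """Toy bank exposing both access models side by side (illustrative only)."""

    def __init__(self):
        self._users = {}    # user -> (salt, password hash)
        self._grants = {}   # access token -> Grant
        self.audit = []     # (who the bank believes is acting, user, action)

    @staticmethod
    def _hash(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user, password):   # also used to change a password
        salt = secrets.token_bytes(16)
        self._users[user] = (salt, self._hash(salt, password))

    def _check_password(self, user, password):
        salt, stored = self._users[user]
        return hmac.compare_digest(stored, self._hash(salt, password))

    # Model 1: a third party re-uses the user's online banking credentials.
    # Whoever holds the password is indistinguishable from the user and gets
    # every capability the online banking interface offers.
    def login_and_act(self, user, password, action):
        if not self._check_password(user, password):
            raise PermissionError("bad credentials")
        self.audit.append(("user", user, action))
        return action

    # Model 2: redirect-based grant in the style of OAuth 2.0. The user
    # authenticates at the bank itself and consents to a named client
    # receiving only `scopes`; the client gets a token, never the password.
    def authorize(self, user, password, client_id, scopes):
        if not self._check_password(user, password):
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(32)
        self._grants[token] = Grant(user, client_id, frozenset(scopes))
        return token

    def act_with_token(self, token, action):
        grant = self._grants.get(token)
        if grant is None or grant.revoked:
            raise PermissionError("no valid grant")
        if action not in grant.scopes:
            raise PermissionError(f"{grant.client_id} was not granted {action}")
        self.audit.append((grant.client_id, grant.user, action))
        return action

    def revoke(self, user, client_id):   # cut off one client, nobody else
        hits = [g for g in self._grants.values()
                if g.user == user and g.client_id == client_id and not g.revoked]
        for g in hits:
            g.revoked = True
        return len(hits)

def denied(fn, *args):
    try:
        fn(*args)
    except PermissionError:
        return True
    return False

def demo():
    bank = Bank()
    pw = "correct horse battery staple"   # constructed sample password
    bank.register("alice", pw)

    # Model 1: Alice gave her password to two aggregators. Either can make a
    # payment, the bank logs "user" for both, and cutting one off means a
    # password change that also breaks the other.
    shared_can_pay = bank.login_and_act("alice", pw, "make_payment") == "make_payment"
    shared_actor = bank.audit[-1][0]
    bank.register("alice", "new password")          # the only revocation available
    other_tpp_broken = denied(bank.login_and_act, "alice", pw, "read_balance")

    # Model 2: each third party holds its own scoped, individually revocable grant.
    tok_a = bank.authorize("alice", "new password", "tpp-a", ["read_balance"])
    tok_b = bank.authorize("alice", "new password", "tpp-b", ["read_balance", "make_payment"])
    a_blocked_from_paying = denied(bank.act_with_token, tok_a, "make_payment")
    bank.act_with_token(tok_a, "read_balance")
    grant_actor = bank.audit[-1][0]
    bank.revoke("alice", "tpp-a")
    a_revoked = denied(bank.act_with_token, tok_a, "read_balance")
    b_still_works = bank.act_with_token(tok_b, "make_payment") == "make_payment"
    return dict(shared_can_pay=shared_can_pay, shared_actor=shared_actor,
                other_tpp_broken=other_tpp_broken, a_blocked_from_paying=a_blocked_from_paying,
                grant_actor=grant_actor, a_revoked=a_revoked, b_still_works=b_still_works)
```

Calling `demo()` returns a dictionary of the seven observations; the audit list is the part worth dwelling on, because under the shared-password model the bank's own records name the user for an action a third party performed, which is exactly the loss of non-repudiation described above.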

Dave Tonge, CTO at Moneyhub, FAPI Co-Chair