I’ve recently seen a few examples of services that ask customers to type in their online banking usernames and passwords so the service can access their bank accounts on their behalf. The applications are fairly broad and definitely useful — making payments, ID verification and analyzing data, for example.
This is a security anti-pattern. This is bad news. Banks regularly email their customers to say they will never ask for your password in an email and that attempts to do so should be reported as phishing. I’m a Metro Bank customer and the footer of each of their emails says: “We’ll never send you an email, text or a website link asking you to enter your Internet Banking or card details. If you’re suspicious […] contact us immediately and we’ll get our security team on the case.”
Phishing is a serious security issue for banks. Industry data suggests that losses from online banking fraud were up 64 percent to £133.5 million in 2015 from £81.4 million in 2014. A Google search for “bank phishing” turns up results from all the major high-street banks, with titles like “Recognising & Preventing Phishing” and “Phishing & email scams.” Barclays has even started producing videos on the subject. So if the industry is, rightly, concerned with educating people about the risks of phishing, why on earth are they happy for their customers to put their login details into any website other than their bank’s?
Unintended consequences of legislation
I’ve spoken to the service providers about how they are able to offer this service to customers, as my first assumption was that it would be against the terms and conditions of the various online banking services. Having checked a few online banking terms and conditions, I found that customers are not protected against fraud if they have not kept their passwords safe. Lloyds even references information “aggregators” explicitly — Lloyds can close your online banking account if you give your security details to the service provider.
The response from the service providers is interesting — and unnerving. All the service providers quoted “PSD2,” the revised Directive on Payment Services, a European law that came into force in November 2015. This is timetabled to pass into U.K. law in January 2018 (although Brexit…) and requires that banks open digital access to customers’ bank accounts to other companies. This is a huge deal. One of the people I spoke to about this said that the “banks could see the writing was on the wall with PSD2,” so they did not put up any objection to the service provider taking the username and password of the bank’s customer.
But access is not the only thing PSD2 is meant to promote. Commissioner Jonathan Hill said at the launch of PSD2 that: “European consumers want to know that their payments are safe when they shop or make a payment online. The new Payment Services Directive will ensure that electronic payments in Europe become more secure and more convenient for European shoppers.”
Of course, the arrival of PSD2 in early 2018 is providing a stimulus for companies to build services on bank accounts. If early adopters use a method of customer login that is indistinguishable from phishing, the problem that currently looks limited to a handful of services will burst into a million pieces when access to bank accounts is not only encouraged, but legislated for.
Hang on, we’ve seen this before
When Twitter first took off, it was not uncommon for a new website to ask for your Twitter username and password in order to, say, tweet on your behalf. Back in 2006, Blaine Cook, Twitter’s architect at the time, started working on an alternative that allowed you to grant access to certain information or capabilities, such as tweeting as you, without giving away the keys to your whole account. What Blaine and his collaborators worked on eventually became the OAuth standard and now powers all the “login with” Facebook/Twitter/LinkedIn/Google buttons you see on websites all over the internet.
So why not OAuth for banks?
The Open Bank Project advocates for OAuth, but, unfortunately for us U.K. customers, its adoption has been limited so far to German banks (however, this in itself is a great success). The U.K. government commissioned the Open Banking Working Group (OBWG) in late 2015 to explore the question of opening up data held by banks. The OBWG published their findings as the Open Banking Standard in August this year. Happily, they have also recommended the use of OAuth*. The only U.K. bank that has taken up the OAuth gauntlet so far is Monzo.
So the outlook at this point is mixed. The Open Banking Standard is not expected to be implemented in its full glory until 2019, although initial services that only read information are expected in 2017. If you’re reading this as a consumer, be vocal in demanding safe and secure access to your bank account. If you are responsible for building an online product, make a point of not making poor choices for your customers. Between now and 2019, there is still plenty of time for keen fintech startups to open services that train bad habits into people and leave them vulnerable to fraud.
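As an added example (not code from the article, the Open Bank Project or the Open Banking Standard), the Python sketch below shows the property that both the Twitter story and the OAuth recommendation above rely on: the third party receives a token limited to a consented scope and bound to its own client identity, and the customer can revoke that grant without changing their password. The customer, the client name budget-app, the scope strings and the in-memory stores are all constructed for this illustration; a real deployment would use the redirect-based authorization-code flow with PKCE, TLS and persistent token storage.

```python
# Added illustration (not from the article): scoped, revocable delegated access in the
# OAuth 2.0 style, instead of handing a third party the customer's password. In-memory toy.
import hashlib, hmac, secrets, time

class AccessDenied(Exception):
    """Bad credentials, invalid/revoked/expired token, or insufficient scope."""

def kdf(password, salt): return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AuthorizationServer:
    """The bank's authorisation server: the only place the password is ever typed."""
    def __init__(self):
        self._users = {}   # username -> (salt, PBKDF2 hash)
        self._codes = {}   # single-use code -> (client_id, user, scopes)
        self._tokens = {}  # token value -> {"client_id", "user", "scopes", "exp"}

    def register_user(self, username, password):
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, kdf(password, salt))

    def check_password(self, username, password):
        salt, digest = self._users[username]
        return hmac.compare_digest(kdf(password, salt), digest)

    def authorize(self, username, password, client_id, scopes):
        """Customer authenticates to the bank and consents; the client only ever sees the code."""
        if not self.check_password(username, password):
            raise AccessDenied("bad credentials")
        code = secrets.token_urlsafe(32)
        self._codes[code] = (client_id, username, frozenset(scopes))
        return code

    def exchange_code(self, code, client_id, ttl=3600):
        """Codes are single-use and bound to the client that obtained them."""
        entry = self._codes.pop(code, None)
        if entry is None or entry[0] != client_id:
            raise AccessDenied("invalid, foreign or already-used code")
        value = secrets.token_urlsafe(32)
        self._tokens[value] = {"client_id": client_id, "user": entry[1],
                               "scopes": entry[2], "exp": time.time() + ttl}
        return value

    def introspect(self, token_value):
        tok = self._tokens.get(token_value)
        if tok is None or tok["exp"] < time.time():
            raise AccessDenied("token invalid, revoked or expired")
        return tok

    def revoke_client(self, username, client_id):
        """Withdraw consent for one client; the password and other grants are untouched."""
        doomed = [v for v, t in self._tokens.items()
                  if t["user"] == username and t["client_id"] == client_id]
        for v in doomed:
            del self._tokens[v]
        return len(doomed)

class BankAPI:
    """Resource server: every endpoint names the scope it needs."""
    def __init__(self, auth, balances):
        self._auth, self._balances = auth, balances

    def _user_for(self, token_value, scope):
        tok = self._auth.introspect(token_value)
        if scope not in tok["scopes"]:
            raise AccessDenied(f"insufficient scope: need {scope}")
        return tok["user"]

    def get_balance(self, token_value):
        return self._balances[self._user_for(token_value, "accounts:read")]

    def make_payment(self, token_value, amount):
        user = self._user_for(token_value, "payments:write")
        self._balances[user] -= amount
        return self._balances[user]

def outcome(call):
    try:
        call()
        return "allowed"
    except AccessDenied:
        return "denied"

def demo():
    """Read-only aggregator: can read, cannot pay, cannot replay, loses access on revocation."""
    auth = AuthorizationServer()
    auth.register_user("alice", "correct horse battery staple")  # constructed credentials
    bank = BankAPI(auth, {"alice": 1000})
    code = auth.authorize("alice", "correct horse battery staple", "budget-app", {"accounts:read"})
    token = auth.exchange_code(code, "budget-app")
    return {
        "balance": bank.get_balance(token),
        "payment": outcome(lambda: bank.make_payment(token, 50)),
        "replay": outcome(lambda: auth.exchange_code(code, "budget-app")),
        "revoked": auth.revoke_client("alice", "budget-app"),
        "after_revoke": outcome(lambda: bank.get_balance(token)),
        "password_still_works": auth.check_password("alice", "correct horse battery staple"),
    }
```

Calling demo() walks through the grant: the aggregator reads the balance, is refused a payment because its token lacks payments:write, cannot reuse the single-use code, and loses access once the customer revokes that client, while the password itself stays valid. Under the password-sharing model described in the article none of those controls exist: the third party holds the same unlimited access as the customer, and the only way to cut it off is to change the password at the bank.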
GROUND CONTROL THE PAYMENT’S GONE: NATIONWIDE MAKES HIGHEST EVER CONTACTLESS PAYMENT ON THE EDGE OF SPACE
Nationwide has completed the world’s highest ever contactless payment – more than three times higher than Mount Everest and as cold as Antarctica – as a poll names ‘tap and pay’ technology as one of the most convenient innovations of the 21st Century[1].
It is predicted that the number of contactless cards in circulation in the UK will break 100 million for the first time later this year, with over £1.8 billion spent on contactless cards during June 2016 – a year-on-year increase of more than 230 per cent[2].
Research from Nationwide shows the use of ‘tap and pay’ has truly taken off. This is despite more than half (57%) of Brits being surprised that contactless payment technology caught on in the first place. The survey of 2,000 people captured the rising popularity of contactless, putting it among the top five most convenient innovations of the 21st Century, alongside smartphones, GPS, tablets and e-books. Almost a third of Brits (30%) say that tap and pay technology is the best time-saving innovation since the year 2000.
Moreover, around three quarters (72%) believe personal finance innovations take the lead when it comes to making life easier, beating entertainment (51%), travel (30%) and even developments within social media (28%). Contactless payments, online banking and mobile banking were all highlighted as developments which had saved time, made everyday life more convenient and helped people manage their money more effectively.
Almost a fifth (19%) of consumers stated their spending habits had changed since the introduction of contactless cards. The research reveals that a quarter (25%) say contactless encourages us to buy the little things or micro-transactions such as a coffee, chewing gum and a newspaper with card rather than small change. And it appears many are wanting to see more shops and establishments offering the technology. Nearly two thirds (63%) say that contactless payment technology makes paying for everything easier and quicker, and more than one in ten (11%) say they even automatically ‘tap’ when paying for things and are surprised when the technology isn’t available.
At over 100,000 feet and minus 30 degrees Celsius, Nationwide’s Visa contactless card faced inhospitable conditions; working in partnership with First Data, the technicians had to develop a specially designed Clover™ Mobile terminal to process a transaction at this altitude.
Paul Horlock, Head of Payments at Nationwide Building Society, said: “Each day Nationwide members make over £5 million worth of contactless payments, showing just how popular tap and pay has become. We wanted to celebrate this quick, easy and convenient way to pay and highlight how technology has transformed our day-to-day lives. Making a contactless payment at 100,000 feet presented unique challenges to our team, but it seemed a fitting celebration of this remarkable technology and our plans to roll out contactless capabilities to our credit cards later this year.
“Nationwide is committed to providing a range of quick, easy and secure ways for customers to pay. This choice is important because, for our members, payments are more than just transactions; they are enabling millions of convenient everyday interactions with contactless, supporting our members’ aspirations as they save with standing orders, and helping them split the bill through Paym. We will continue to invest in and celebrate technology which makes life as easy and convenient for our members as possible.”
The payment on the edge of space was made on 12 October 2016, taking off in rural Shropshire and ascending at over 15 meters per second to reach a final altitude of 101,050 feet.
Nationwide now processes over 2.9 billion transactions each year, and has over 2.6 million active digital users, an increase of over 12% over the past year. This growth is perhaps unsurprising as the Society has recently introduced a number of new digital initiatives including a new banking app and Paym, alongside a roll out of wearable banking to Apple Watch. This means that members can quickly, easily and securely manage their money on the go, anywhere and anytime.