SCREEN SCRAPING CAN LEAVE YOUR BUSINESS VULNERABLE TO FRAUD
Businesses are often unaware that, by giving a third party or a software programme access to their financial information, they are potentially exposed to the risk of screen scraping.
Screen scraping happens when a shopper paying online is prompted to enter their internet banking login details on a site that is not their bank's website, so that the payment can be made.
What may not be obvious is that a third party then logs on to your internet banking using the details you provided and makes the payment to the store or merchant on your behalf. This exposes you to the risk of fraud and financial crime, and may also put you in breach of data privacy legislation.
In 2020, the South African Reserve Bank (SARB), the Payments Association of South Africa (PASA) and the Financial Sector Conduct Authority (FSCA) issued a joint statement warning consumers about the risks associated with instant online EFT (electronic funds transfer) payments, particularly where screen scraping is involved. While this scenario is more relevant for retail consumers, the risks are just as significant for businesses that sign over authority to a third party to access their banking and client information.
Nadiah Maharaj, Chief Risk Officer at FNB Business says there are various examples of screen-scraping, but possibly the most common exposure from a business perspective would be when businesses use software that is authorised to access banking transactions.
“This effectively means that you are inadvertently sharing information such as your online banking login details which you should not be sharing with any third-party,” she says.
Screen scraping may also leave your business vulnerable to third parties accessing your company data and even that of your clients. The Protection of Personal Information Act (POPIA), which protects the personal information of individuals and juristic persons, including your clients, came into effect on 1 July 2020.
Companies were given a one-year grace period to become compliant, and that period ends on 30 June 2021.
One of the basic tenets of the Act is accountability for personal information: any business must be able to state (a) where its clients' personal information is stored, (b) how it is processed, (c) who has access to it and (d) why it is being stored or used.
Therefore, the onus is on businesses to check what consent they are giving for the use of their information, by carefully reading and understanding the terms and conditions attached to any transaction.
While a company that uses screen scraping to make transactions on your behalf may have no intention of compromising your account or committing fraud, the risk remains. And if your business shares data with a third-party service provider, that provider has obligations to take steps to protect the data, while your business remains accountable for it.
How to protect your company data:
- Be vigilant when it comes to reading through any terms and conditions on any software or website before you click “accept”.
- Have the software assessed with an application security testing tool before you sign any agreement authorising access to your company data. If high risks are identified, engage the supplier to address them and ask whether they have alternative solutions for your business.
- Remember that cloud-based software is not without its own risks. Insist on having both test and sandbox environments. A sandbox runs the software on isolated (typically virtual) servers, separate from your production systems and data, so it can be exercised without risk; testing there gives the closest thing to a real-world analysis of security gaps before the software is connected to live accounts.
- Ask your third-party software vendors whether they use open-source components in their product, and how they manage them; poorly managed open-source dependencies are a high risk. The vendor must keep an inventory of the open-source code in their product, including versions, so that when a vulnerability is published in a component they can quickly identify whether they are affected, correct it and ship a patch.
- Customers can protect themselves against screen scraping by never sharing their login credentials with any third party and never entering them into any website other than their own bank's legitimate platforms. Where customers suspect they may have been compromised, we would strongly urge them to reset their login credentials immediately.
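The component inventory the third point above asks for is something you can test for yourself when evaluating a vendor. The script below is an added example and is not code from the article or from FNB: it builds an inventory from a pinned, requirements-style component list and checks it against a list of advisories that each name a component and the first fixed version. Every component name, version and advisory identifier in it is constructed for illustration and refers to no real package or real vulnerability; the parsing and version comparison are the reusable part.

```python
"""Added example (not from the FNB article): build an inventory of the
open-source components shipped in a product and check it against a list of
known-vulnerable versions. All component names, versions and advisory ids
below are constructed for illustration; none is a real package or real CVE."""
from dataclasses import dataclass

# Constructed sample inventory in pip "requirements" style: one pinned
# component per line, comments and blank lines allowed.
SAMPLE_INVENTORY = """
# third-party components bundled in the hypothetical product build
acme-httpclient==2.3.1
pdf-render-lib==1.9.0
yaml-parse==0.14.2   # used by the config loader
crypto-toolkit==4.0.5
"""

# Constructed advisories: (component, first fixed version, advisory id).
# A component is affected when its shipped version is older than the fix.
SAMPLE_ADVISORIES = [
    ("pdf-render-lib", "1.9.3", "EXAMPLE-ADV-001"),
    ("yaml-parse", "0.14.2", "EXAMPLE-ADV-002"),    # 0.14.2 is already fixed
    ("crypto-toolkit", "4.1.0", "EXAMPLE-ADV-003"),
    ("left-pad-clone", "1.0.1", "EXAMPLE-ADV-004"),  # not shipped at all
]


@dataclass(frozen=True)
class Finding:
    component: str
    shipped: str
    fixed_in: str
    advisory: str


def parse_version(text):
    """Turn '1.9.3' into (1, 9, 3) so versions compare numerically rather
    than as strings ('1.10.0' must sort after '1.9.3')."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_inventory(text):
    """Return {component: version} from requirements-style text, ignoring
    comments and blank lines. An unpinned component cannot be tracked, and
    two different pins for one component make the inventory self-contradictory,
    so both raise instead of being silently accepted."""
    inventory = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "==" not in line:
            raise ValueError(f"unpinned component cannot be tracked: {line!r}")
        name, version = (part.strip() for part in line.split("==", 1))
        if name in inventory and inventory[name] != version:
            raise ValueError(f"conflicting versions for {name}")
        inventory[name] = version
    return inventory


def affected_components(inventory, advisories):
    """List every shipped component whose version predates the fixed version."""
    findings = []
    for component, fixed_in, advisory in advisories:
        shipped = inventory.get(component)
        if shipped is None:
            continue  # not part of the product, nothing to patch
        if parse_version(shipped) < parse_version(fixed_in):
            findings.append(Finding(component, shipped, fixed_in, advisory))
    return findings


def run_check(inventory_text=SAMPLE_INVENTORY, advisories=SAMPLE_ADVISORIES):
    """Parse the inventory and return the affected components, in advisory order."""
    return affected_components(parse_inventory(inventory_text), advisories)


if __name__ == "__main__":
    for f in run_check():
        print(f"{f.component} {f.shipped} affected by {f.advisory}; "
              f"upgrade to {f.fixed_in}")
```

Run against the constructed data, the check reports pdf-render-lib and crypto-toolkit and correctly leaves yaml-parse alone, because the shipped version is exactly the fixed one. A vendor who cannot produce the input to a check like this (a pinned list of what they ship) cannot answer the question the article says you should ask.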
Lastly, there are many other convenient, easy and far safer ways to pay online. We encourage our customers to use the Scan to Pay functionality in our banking App, as well as our secure credit, debit and recently launched virtual cards, which are the ideal way to transact digitally and limit the risk of compromising your security, says Maharaj.