Businesses are often unaware that by giving a third party or software programme access to their financial information, they are potentially being exposed to the risk of screen scraping.
Screen-scraping is part of a process in which, when purchasing online, you are prompted to provide your internet banking login details to enable the payment on a site which is not your bank's website. You may not be aware that in the process a third party logs on to your internet banking using the details you provided and makes the payment to the store/merchant on your behalf, which exposes you to potential fraud, financial crime and data privacy risks.
In 2020, the South African Reserve Bank (SARB), the Payment Association of South Africa (PASA) and the Financial Sector Conduct Authority (FSCA) issued a joint statement warning consumers about the risks associated with instant online EFT (electronic fund transaction) payments, particularly in relation to screen-scraping. While this scenario is more relevant for retail consumers, the risks are also significant for businesses that sign over authority to a third party to access their banking and client information.
Nadiah Maharaj, chief risk officer at FNB Business, says there are various examples of screen-scraping, but possibly the most common exposure from a business perspective would be when businesses use software that is authorised to access banking transactions.
“This effectively means that you are inadvertently sharing information such as your online banking login details which you should not be sharing with any third-party,” she says.
Screen-scraping may also leave your business vulnerable to third parties accessing your company data and even that of your clients. The Protection of Personal Information Act (POPIA), which is aimed at protecting the rights of businesses, came into effect in July last year and the one-year grace period to ensure your business is compliant is around the corner.
One of the basic tenets of the Act relates to data privacy, and any business has the right to identify: where its clients’ personal information is stored; how it is processed; who has access to it; and why it is being stored or used.
Therefore, the onus is on businesses to check what consent they are giving regarding the use of their information by carefully reading and understanding the T&Cs.
While companies that use screen-scraping to facilitate transactions on your behalf may have no intention of compromising your account or committing fraud, the risk remains. So, if your business is sharing data with a third-party service provider, there are obligations on the third-party service provider to take steps to protect that data.
Maharaj recommends ways to protect company data:
* Be vigilant when it comes to reading through any terms and conditions on any software or website before you click “accept”.
* Make use of an application security testing tool before you sign any agreements authorising access to your company data. If any high risks are identified, engage the supplier to address your concerns and find out if they have alternate solutions for your business.
* Remember that cloud-based software is not without its own risks. Insist on having both testing and sandbox environments. Sandboxing technology uses virtual servers to test software in an isolated environment. Running tests in the sandbox will provide the closest-to-real-world analysis of security gaps.
* Find out from your third-party software vendors whether they use open-source tools in their product. How they deal with open source can be a high risk if not done properly. The vendor must have a way to track and identify open-source code in their product so that, if any vulnerability is identified, they can quickly correct it and develop a patch.
* Customers can protect themselves against the risks of screen-scraping by, firstly, not sharing their login credentials with any third parties and by never entering these into any third-party websites other than their own bank’s legitimate platforms. Where customers suspect any risk of being compromised, we would strongly urge them to reset their login credentials.