Are you potentially exposed to the risk of screen scraping?


In 2020, the South African Reserve Bank (SARB), the Payment Association of South Africa (PASA) and the Financial Sector Conduct Authority (FSCA) issued a joint statement warning consumers about the risks associated with instant online EFT (electronic fund transaction) payments, particularly in relation to screen-scraping. (Read: Instant EFT – Payment option can lead to online crime)

Earlier this week they re-published the statement – has there been an increase in the occurrence of this online crime? Are businesses targeted as well?

“While this scenario is more relevant for retail consumers, the risks are also significant for businesses that sign over authority to a third party to access their banking and client information,” according to a BusinessTech article published earlier this week. According to Nadiah Maharaj, chief risk officer at FNB Business, there are various examples of screen-scraping, but possibly the most common exposure from a business perspective would be when businesses use software that is authorised to access banking transactions. “This effectively means that you are inadvertently sharing information such as your online banking login details which you should not be sharing with any third-party,” she emphasized.

She highlights that one of the basic tenets of the POPI Act, which will be fully effective from 1 July 2021, relates to data privacy, and any business has the right to

  • identify where its clients’ personal information is stored
  • how it is processed
  • who has access to it; and
  • why it is being stored or used.

“Therefore, the onus is on businesses to check what consent they are giving regarding the use of their information by carefully reading and understanding the T&Cs.”

FNB provides tips on how to protect your company data:

  • Be vigilant when it comes to reading through any terms and conditions on any software or website before you click “accept”.
  • Make use of an application security testing tool before you sign any agreements authorising access to your company data. If any high risks are identified, engage the supplier to address your concerns and find out if they have alternate solutions for your business.
  • Remember that cloud-based software is not without its own risks. Insist on having both testing and sandbox environments. Sandboxing technology uses virtual servers to test software in an isolated environment. Running testing on the sandbox will provide the closest to real-world analysis for security gaps.
  • Find out from your third-party software vendors if they use open-source tools in their product. How they deal with open source can be a high risk if not done properly. The vendor must have a way to track and identify open-source code in their product so if any vulnerability is identified, they can quickly correct it and develop a patch.
  • Customers can protect themselves against the risks of screen-scraping by firstly not sharing their login credentials with any third parties and by never entering these into any third-party websites other than their own bank’s legitimate platforms. Where customers suspect any risk of being compromised, we would strongly urge customers to reset their login credentials.

The recently released Banking Ombud Annual reports highlighted that a common thread was that the majority of the consumers unfortunately fell victim to fraudulent scams. The Ombudsman explained that the reason why the majority of these matters were found in favour of the banks was that after a full investigation was conducted, the OBS was forced to conclude that the fraudsters managed to manipulate the consumers into transferring funds into their account or to give them their confidential banking details which then enabled the fraudulent transactions.