Shape Security Blog

Another Take on Aggregators: Banks Are Right to Block Scraping

In recent weeks, major US banks have prevented automated logins from aggregators like Mint and Digit, which use client-provided credentials to log in to user accounts and scrape out financial data. The Wall Street Journal’s coverage (article behind paywall) implied that banks have acted primarily out of competitive motivations, but that isn’t the case.

For these account aggregators to present competitive risk to banks, they would have to offer substitute services – ATMs, cash withdrawal, credit cards, savings accounts, etc. Yet the majority of these aggregators offer services that are complementary to banks. For example, Mint makes it easier for bank clients to consume their financial data, and the application HelloWallet encourages financial health through personalized guidance.

In fact, after briefly mentioning competitive threats, the WSJ article then spends far more time on the real issue, security concerns, than on competition. The article states:

[There is] growing concern within the banking industry that rising use of such sites will overload bank servers, on top of worries that customer data could potentially be vulnerable to hackers….In addition, it isn’t clear if consumers’ finances would be protected if they willingly handed over their confidential information to a site that was later hacked…[The aggregators] could present growing risks to consumers because of the detailed financial information the sites require from users.

Historically, Mint and Yodlee have been the dominant aggregators, but lately newer aggregators have emerged. These newer account aggregators present two considerable risks. First, unlike Intuit-owned Mint and established aggregator Yodlee, these small start-ups cannot provide a level of security and protection to clients comparable to that of the banks. Second, with new aggregators popping up every day, banks have a harder time detecting fraudulent activity when aggregators log in and scrape out data, because automated attackers and aggregators are hard to tell apart. The bank’s security team then has two options – restrict all automated logins, or expend resources trying to distinguish safe aggregator bots from all other nefarious bots. The latter is expensive, so it appears that the banks highlighted by the WSJ have chosen the former path of action.

It is not in banks’ long-term interests to block account aggregators. As the customers quoted in the WSJ demonstrate, aggregators provide a valuable service. Banks recognize this fact, which is why they created the FS-ISAC’s Aggregation Working Group. The group was formed specifically to solve the problems outlined above while still allowing account aggregators to operate. They ultimately proposed a token-based authentication system that allows account aggregators to directly access the data they need, eliminating the need for clients to provide their user credentials.
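To make the token-based model concrete, here is an added example (not code from the original post, and not the FS-ISAC working group’s actual specification) of how a bank-side delegated-access scheme addresses both risks above. The bank registers each aggregator under a client id, issues a scoped and time-limited token only after the user consents in the bank’s own UI, and every data request is then attributable to a named client rather than to an anonymous login with the user’s password. The signing key, the aggregator registry, the scope names and the sample transaction are all constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret: a real deployment keeps the signing key in an HSM/KMS.
BANK_SIGNING_KEY = b"constructed-demo-key-do-not-use"

# Constructed registry of aggregators the bank has onboarded. Each client id maps to
# the scopes that client may ever be granted; user passwords never appear here.
REGISTERED_AGGREGATORS = {
    "agg-budgeting-app": {"allowed_scopes": {"transactions:read", "balances:read"}},
}

# Token ids the bank (or the user) has revoked; checked on every request.
REVOKED_TOKEN_IDS = set()


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(client_id, user_id, scopes, ttl_seconds, now=None):
    """Bank side: after the user consents, mint a token bound to one registered
    client, one user, an explicit scope list and an expiry. The aggregator
    receives only this token, never the user's credentials."""
    now = time.time() if now is None else now
    client = REGISTERED_AGGREGATORS.get(client_id)
    if client is None:
        raise PermissionError("unknown aggregator client")
    if not set(scopes) <= client["allowed_scopes"]:
        raise PermissionError("requested scope not allowed for this client")
    payload = {
        "client_id": client_id,
        "sub": user_id,
        "scope": sorted(scopes),
        "exp": int(now + ttl_seconds),
        "jti": hashlib.sha256(f"{client_id}|{user_id}|{now}".encode()).hexdigest()[:16],
    }
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    sig = _b64(hmac.new(BANK_SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_token(token, required_scope, now=None):
    """Bank side: check signature, revocation, expiry and scope, in that order.
    Returns the claims so the request can be logged against a named client."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
    except ValueError:
        raise PermissionError("malformed token")
    expected = hmac.new(BANK_SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_unb64(sig), expected):
        raise PermissionError("bad signature")
    claims = json.loads(_unb64(body))
    if claims["jti"] in REVOKED_TOKEN_IDS:
        raise PermissionError("token revoked")
    if now >= claims["exp"]:
        raise PermissionError("token expired")
    if required_scope not in claims["scope"]:
        raise PermissionError("insufficient scope")
    return claims


def revoke_token(token):
    """Bank side: the user withdraws consent; later requests with this token fail."""
    body = token.split(".")[0]
    REVOKED_TOKEN_IDS.add(json.loads(_unb64(body))["jti"])


def token_accepted(token, required_scope, now=None) -> bool:
    """Convenience wrapper: True if the token would be accepted for that scope."""
    try:
        verify_token(token, required_scope, now=now)
        return True
    except PermissionError:
        return False


def fetch_transactions(token, now=None):
    """A bank data endpoint: serves constructed sample data only to a valid token,
    and tags the response with the client it was served to."""
    claims = verify_token(token, "transactions:read", now=now)
    return {
        "client_id": claims["client_id"],
        "user": claims["sub"],
        "transactions": [{"amount": -42.10, "memo": "constructed sample entry"}],
    }
```

The design point is in the two checks at issue time and the four at verification time: an aggregator can never hold more than its registered scopes, a stolen token is useless after expiry or revocation, and because every accepted request carries a client id, the bank no longer has to guess from traffic shape whether an automated login is a legitimate aggregator or an attacker replaying stolen passwords.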

Yodlee publicly announced its support for the API system over a year ago and is working with banks to adopt the win-win solution. It is unclear if other aggregators are also in favor of this method and if the token-based system will become the new standard. What is clear, though, is that banks are taking automated online activity very seriously, and so should you.

References:
“Banks, at Odds With Personal Finance Sites, Disrupt Service.” The New York Times. 10 Nov. 2015.
Huang, Daniel, and Peter Rudegeair. “Bank of America Cut Off Finance Sites From Its Data.” The Wall Street Journal. 9 Nov. 2015.
Sidel, Robin. “Big Banks Lock Horns With Personal-Finance Web Portals.” The Wall Street Journal. 4 Nov. 2015.
Watson, Colin. “OWASP Automated Threat Handbook.” OWASP. 26 Oct. 2015.
“Yodlee Announces Support of FS-ISAC, OAuth as Standard for.” Yodlee. 16 Oct. 2014.

Author: Shape Security. Posted on November 24, 2015 (updated September 28, 2016). Category: Security Trends. Tags: account aggregation, banks, financial aggregator, Mint.
