Banking association calls for end of 'screen-scraping'

The European Banking Federation (EBF) has asked the EU Commission to support a ban on "screen scraping". Screen-scraping services, seen as a first-generation direct access technology, allow third parties to access bank accounts on a client’s behalf using the client's access credentials. The Revised Directive on Payment …

  1. Anonymous Coward

    Credibility problem

    Perhaps the Commission just doesn't believe a damned thing that bankers tell them. They wouldn't be alone.

  2. diadomraz

    API vs Screen-scraping

    Well, I'm actually agreeing with the banks on this one. Screen-scraping is just a waste of bandwidth. A good API will be more efficient, can be made more secure and allow better control over the data for the clients, and can be done without actually sharing access credentials to your bank account.

    1. Anonymous Coward

      Re: API vs Screen-scraping

      If the banks made a proper API, nobody would be using screen-scraping anymore. There is no point to banning the use of scraping. They want to ban it and _not_ provide an API.

      1. diadomraz

        Re: API vs Screen-scraping

        Yes of course, but if the EC can force them to accept screen-scraping, why not agree on a common API standard and force the banks to use it instead?

        1. Bronek Kozicki

          Re: API vs Screen-scraping

          I agree that a common API is a good idea, but it will probably be decades before it is agreed - and proven to work well. In the meantime screen scraping should be allowed, IMHO.

        2. Zakhar

          Re: API vs Screen-scraping

          Some countries already promote common API standards: UK (Open Banking), France, Poland.

      2. Robert Helpmann??

        Re: API vs Screen-scraping

        They want to ban it and _not_ provide an API.

        So when they say, "Both banks and new entrants in financial services technology are actively engaged in an industry-wide effort to develop common processes and standards," what is really going on is the effort is being referred to committee?

        1. GBE

          Re: API vs Screen-scraping

          > actively engaged in an industry-wide effort to develop common processes and standards

          Yea, I've been involved in efforts like that. They consist largely of everybody involved vetoing anything that they think might give a leg up to anyone else or that might allow new competitors into the market. The result is almost always a giant, unworkable mess authored by a committee comprised of foot-draggers whose secret motivation is to accomplish nothing of any practical value for as long as possible.

          OTOH, they always seem to meet at rather nice hotels in cities that are pleasant to visit (when it's on somebody else's dime).

          I'm reminded of a colleague who spent a lot of time on standardization efforts. He used to refer to the ISO as the "International Sightseeing Organization".

          1. Zakhar

            Re: API vs Screen-scraping

            In this case it is the exact contrary.

            The ones promoting the continuation of screen scraping want to protect their existing market. Indeed, making screen scraping a mandatory fallback of the API will mean more banks won't do the double investment and won't do APIs, protecting only those who already master this technique: the existing third parties!

            On the contrary, with a clean API initiative, all banks are willing to be in this new market of aggregation and payment initiation since there is now a clear legal framework.

            So, when you build an API that you plan to use yourself, you don't make it "unworkable"!..

        2. Zakhar

          Re: API vs Screen-scraping

          It refers to API standards initiatives. The Open API in the UK already went public that they spent several million pounds specifying a standard. They have already published detailed documentation, up to swagger files describing the API.

          The level of detail is the same for France, not yet there for Poland.

          There are also several pan-European standardisation efforts: Berlin Group, CAPS.

      3. Zakhar

        Re: API vs Screen-scraping

        Do you have inside information from banks or are you just doing a trial of intent?

    2. Jason Bloomberg

      Re: API vs Screen-scraping

      I am not however convinced by the 'overloaded plane' analogy; I don't see how having screen-scraping would truly adversely affect any API or other provision.

      I can understand not wanting to do it, wanting to even ban it so they don't have to, but it doesn't seem to me they have proven any real justification for not allowing it.

    3. yoganmahew

      Re: API vs Screen-scraping

      Green screen data entry followed by screen scraping is quite secure - you allow a very limited character set (no escape characters), command set (you can only do what the input screen lets you) and there's no active page that can be hacked by a bug in a third party's interface or some childishly written webpage.

    4. Anonymous Coward

      Re: API vs Screen-scraping

      Agreed. They're off a bit with the plane analogy. It's more like I want to see the current airspeed, and rather than develop a read-only interface of flight information, the solution is that I have to go sit in the co-pilot's seat and promise not to touch anything.

      There are a lot of financial advisory sites out there that would like me to enter in all my financial institution account information to automatically update my consolidated portfolio view. They insist "we cannot make any changes to your account". Bullshit, if I give you my login information to $BROKERAGEFIRM or $BIGBANK you can log in there. Your software may not have the native capability to do so, but you do have the necessary access information. If I had a secure way to delegate view only information, that would be useful.

  3. Your alien overlord - fear me

    Why screen scrape someone's security details? Because if they genuinely are allowed access, surely the users could just enter the details into the unofficial banking app directly?

    1. Anonymous Coward

      They don't scrape the credentials, the credentials for all your different accounts are entered into the app. These are then encrypted and held securely (you would hope) and are used by the app to log in to your bank accounts silently and scrape the page for all the financial details and then present a unified view of your finances along with extra features that your normal banking experience doesn't provide.

      However these same credentials if leaked could also provide access to your account and allow someone to do some bad stuff. It would be better if each financial institution allowed access using an authentication token and user agreement and then only published information in a read-only way. This limits the abuse an attacker could do if they stole that authentication token.

      Hence API vs Screen Scraping.

      1. frank ly

        "... along with extra features that your normal banking experience doesn't provide."

        I'm busy so I'll let somebody else say it.

  4. Caff

    partially agree with the banks

    Forcing the banks to support screen scraping could prevent them from fully securing their banking applications. However if screen scraping is banned they should be forced to provide a common open API that would allow 3rd parties to access banking information with a clients permission.

  5. Anonymous Coward

    I keep getting the feeling this cannot end well. I mean, third-party access of any sort is ripe for abuse and exploitation, either externally (some fourth party usurps the third) or internally (the third party goes rogue).

    1. Anonymous Coward

      Not if a clear API allows the account holder to authorize (and de-authorize) third parties (explicitly, and with different credentials) for a subset of operations and maybe up to certain sums. Screen scraping basically gives blanket access.

      I may understand accounting software being able to perform operations on my behalf, but I may not be happy if they access and scrape information they should not access (i.e. the full list of my operations and beneficiaries).

      Vulnerabilities would still be an issue, but that's another matter.

      1. Charles 9

        Unless the third party tricks you into giving MORE access than it needs. In today's world, you MUST work on the assumption the user is stupider and more gullible than you think.

        1. Anonymous Coward

          You could get tricked by anyone all the time. A piece of software that you download that also tricks you by installing a keylogger and stealing all your banking passwords etc.

          Two things would mitigate it, and both are in common use today:

          1) Trust. A big company who earns its money from the software or services is less likely to risk all of that by trying to defraud you, when it would be obvious they have done it, they would be prosecuted and the money would probably be recovered.

          2) The app should not be able to trick you - you authorise the permissions it wants from the bank's end. Therefore if you install "See my account details app", connect it to your bank using the API, your bank would then ask you for permission to allow the services it has asked for (View Account Details). If your bank says it is also asking for a permission for "Transfer funds to foreign countries" then you know it is a wrong 'un and you refuse that permission. For higher permissions such as "Transfer Funds" the software may need to be audited first, either by the bank or a third party - similar to how PDQ machines or Third Party ATMs need to be certified.

          1. Charles 9

            1) Explain Microsoft, then.

            2) Point there, but it could be patient as well and wait for a permission it needs to come legitimately and then just abuse that. Like an app that can access your contacts because it rummages through them legitimately say to update pictures of details but it copies them on the sly.

  6. Mr Humbug

    I am confused

    Why is there a suggestion that banks should be forced to _support_ screen scraping? Isn't screen scraping what we do if there is no API to get the data? And surely nobody actually supports screen scraping - would you even know that the https request that purports to come from Chrome running on Android is actually from Chrome or is from another app?

    1. scrubber

      Re: I am confused

      I would guess that 'supporting screen scraping' involves not moving fields around and changing names of elements, or making users actively enter pins or passwords on virtual keyboards. But that's just an assumption.

      The question is whether APIs, or more specifically the granularity of access that OAuth allows, is going to lead to safer services than the global access screen scraping software currently requires. One would normally assume yes, but given the number of apps that require blanket access to contacts, camera etc. that people happily install and the recent Google Docs debacle I'm not so sure anymore.

      1. Zakhar

        Re: I am confused

        No, it's not about "not moving fields"...

        And you are right to be confused. Screen scraping as done today is impersonation/identity theft and cannot reliably be banned technically, although some countries have made it illegal (Poland).

        PSD2 mandates that the 3rd party authenticates with the bank. So that will now become "authenticated screen scraping". In the end it is nonsense, since from the moment the bank knows it is a third party and not the customer himself, there are laws that must be enforced, such as GDPR, too. So the customer must also give his consent, and you end up filtering what the website can reply to requests to comply with the user consent... which in the end provides the exact same result as the API, only more expensively, slower, less reliable (when you move fields around), etc...

  7. Frank Bitterlich

    Isn't there an API already?

    What about EBICS? I know that (here in Germany, at least) banks often make it seem like a big deal, but you can get EBICS access at least for every business account; not a big deal to do it for private accounts, too. (The actual implementation is often lousy, but that's another topic.)

    1. Infernoz

      Re: Isn't there an API already?

      Obviously not or inconsistently, and EBICS looks like it is only for payments.

      For login security and isolation reasons, only the user and a bank should have access to the unencrypted login details, which is why screen-scraping is stupidly insecure, because third party apps may abuse, leak, or poorly encrypt login credentials.

      All routine logins should be done using a bank supplied private-encrypted, date expiry, login container, with one per app, maybe per device too, with the app name and device stored in it, so that selective locking is possible, rather than the fragility of a single login. A container could even be associated with a restricted set of permitted actions e.g. only being able to request status information like the account balance or the statement lines.

      All banks should provide a _standard_, secure, web-service API over secure HTTPS, using an encrypted container for login, and their website should include customer functionality to create, download, and manage these tokens, and see an audit log of their use.

      1. Frank Bitterlich

        Re: Isn't there an API already?

        Obviously not or inconsistently, and EBICS looks like it is only for payments.

        No, EBICS is for almost everything banking-related - statements, payments, direct debit, card processing, even investment management. The security model seems sound to me (public/private key signature and encryption, key update mechanism etc.)
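As an added example that is not part of the thread or of any bank's or standard's code, here is a sketch of the bank-issued login token that Infernoz describes above (one per app and device, date expiry, a restricted set of permitted actions, selective locking, an audit log) and that the earlier comment on authorising third parties for a subset of operations and up to certain sums asks for. The signing key, app names, devices, scope names and limits are constructed for the demo, and HMAC-SHA256 stands in for whatever signing scheme a bank would really use.

```python
import base64, hashlib, hmac, json, time

BANK_KEY = b"constructed-demo-signing-key"   # constructed; held only by the bank
REVOKED = set()                              # token ids the customer has locked
AUDIT_LOG = []                               # (app, device, action, outcome)

def issue_token(app, device, scopes, ttl_seconds, max_amount=0):
    """Bank issues a signed token naming app and device, the permitted
    actions, an optional per-transfer limit, and an expiry time."""
    tid = hashlib.sha256(f"{app}|{device}|{time.time_ns()}".encode()).hexdigest()[:16]
    body = {"id": tid, "app": app, "device": device, "scopes": sorted(scopes),
            "max_amount": max_amount, "exp": int(time.time()) + ttl_seconds}
    payload = base64.urlsafe_b64encode(json.dumps(body, sort_keys=True).encode()).decode()
    sig = hmac.new(BANK_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + sig

def _verify(token):
    """Return the token body only if the bank's signature checks out."""
    payload, _, sig = token.rpartition(".")
    expected = hmac.new(BANK_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(payload))

def revoke(token):
    """Customer locks one app/device token; every other token stays valid."""
    body = _verify(token)
    if body:
        REVOKED.add(body["id"])

def authorize(token, action, amount=0, now=None):
    """Decide whether this token may perform `action`; log every decision."""
    now = int(time.time()) if now is None else now
    body = _verify(token)
    if body is None:
        AUDIT_LOG.append(("?", "?", action, "bad signature"))
        return False, "bad signature"
    if body["id"] in REVOKED:
        outcome = "revoked"
    elif now >= body["exp"]:
        outcome = "expired"
    elif action not in body["scopes"]:
        outcome = "scope not granted"
    elif action == "transfer" and amount > body["max_amount"]:
        outcome = "over limit"
    else:
        outcome = "ok"
    AUDIT_LOG.append((body["app"], body["device"], action, outcome))
    return outcome == "ok", outcome
```

A read-only aggregator gets a token with only "balance" and "statement" scopes, so a stolen copy cannot move money; a payment app gets a "transfer" scope capped at a sum, and either can be locked on its own from the bank's side.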

  8. Anonymous Coward

    We still have a couple of systems that still do this

    Seemed bonkers when it was introduced to me in an internal training course, a long time ago. Trouble is, even now some of the mainframes don't support any kind of API. They are welcome to ban the practice, as far as I'm concerned, but it will need to take effect over a realistic timeframe.

  9. mwnci

    Screen scraping is lazy banks not addressing legacy technology head-on. Throwing in middleware or trying to bolt on an API to be PSD2 compliant is not sustainable, sensible or without risk.

    Banks have got to front up the cash, sort out the problem, and get it to a high level of maturity before rolling it out. The days of bolt-on, bolt-on, bolt-on, patch, botch-it, pseudo-support it, it's not a burning platform don't worry, are long, long gone.

    All that said, the EU needs to be more realistic on timeframes - it also needs to acknowledge its muddled and wrong-headed thinking. The idea that they would address legacy by forcing companies to adopt APIs, who would therefore buy new platforms, is akin to the idea that someone would move house if they didn't have double glazing... They don't move house, they just install it. Same with banks: they don't move or migrate to a new platform, they install, botch or bodge an API over the top...

  10. JaseCoulls

    It's a slippery slope...

    ...first it starts with them trying to ban screen scraping and next thing you know, they're going to be telling you that doing MITM attacks is no longer an acceptable way to get data out of a Financial Institution's source system and have it magically transformed for use in a previously incompatible destination system at the customer's end.

  11. FrankMFC

    Frank MFC

    Screen Scraping is just 'bad' pure and simple. In old developer circles who have worked for banks and the like, 'screen scraping' is a dirty word.

    The security requirements governing access are a known requirement for all developers who have worked for banks and developed core systems within (legacy mainframe).

    The start-up revolution has exposed banks, and compromised this control. Hence banks putting a stop to it.

    A real solution is required: a simplified and secure access method without the shortcomings of screen scraping, and without the existing overly complex access method architectures that are causing start-ups to use screen scraping in an effort to be more 'agile'.

    1. Charles 9

      Re: Frank MFC

      But how will they ever AGREE to something sensible without it getting shoved down their throats by something like incompetent governments. Different members of the discussion have different, often-conflicting needs. The problem with trying to get a consensus is that, sometimes, you just can't get there from here.
