Australian FinTech companies collect your bank customer registration number and your password to access your bank accounts; and they keep that access even if you no longer use their services. Cyber security expert Manal al-Sharif explores privacy rorts.
Their star may be fading as stock market darlings, but the FinTech companies continue to challenge the big banks, using aggressive data-collecting techniques that not only flout privacy principles, but seem highly unethical. And the big banks look the other way.
An anonymous whistleblower who works for a FinTech start-up recently told MWM of the common practice to request and access personal data (such as the Customer Registration Number – CRN) from potential new customers in order to assess, say, a credit application. They use the data to be able to quickly process the application, but they then keep that private and sensitive data regardless of the outcome of that initial interaction.
“We keep accessing those accounts to screen scrape all transactions and we keep access until the customer changes the password or sometimes the bank itself blocks our screen scraping as it shows up as malicious activity. This could happen months after the initial access to the customer’s bank details.”
The whistleblower then went on to say that they sell that data to third parties. He maintained this is a widely used practice among the ‘Buy Now, Pay Later’ sector as well as most non-bank lenders and brokers. He singled out Zip Pay [Note below], Ezidebit [Note below] and Tiger Brokers as examples of companies doing it.
MWM found many other FinTech companies openly requesting private login data from customers on their website.
Micro investment provider RAIZ is one typical example, asking for your CRN and the login credentials to your bank account.
This means they capture and store those credentials which give them access to any bank account connected to these credentials, such as your savings account, business account, joint account and superannuation.
Small business payment messaging service, Eftsure, does the same. MWM asked their Customer Support about the privacy risks involved, and was assured that they use ‘Open Banking’ protocols and that they don’t see the password.
That may be so, but not ‘seeing’ it doesn’t mean their systems can’t use it.
This practice used by RAIZ, Eftsure and many more is the same technique used in so-called ‘phishing’ by scammers: luring you into giving away sensitive details and then losing control over what they are used for.
“ANZ will never ask you to share your Customer Reference Number (CRN) or password with Accredited Data Recipients requesting data using Open Banking.”
Yet, the evidence is clear that they do allow it. Such access by third party companies is not possible without it being explicitly allowed by the custodian of your data – in this case ANZ.
Pocketbook – “Australia’s most loved personal finance app” according to its website – is quite blatant about what access users have to give them:
Hidden in the fine print under ‘Other Information’, it states:
“Due to the nature of Pocketbook, from time to time, we may collect and hold additional Personal Information or other information about You. This information may be secured [and] shared with a third party if required or necessary and can include:
- Your address, date of birth and contact details;
- information about Your financial circumstances and objectives, including Your assets, liabilities, income, expenditure, taxation information, insurance, superannuation and investment preferences;
- the type of operating system and/or other software or firmware used by Your computer or Mobile Device;
- the Data You send and receive by using Pocketbook, as well as the type and quality of that Data;
- your GPS location;
- the dates on which and the times at which You use Pocketbook, including the duration of such use; and
- the IP address and the MAC address of Your computer or Mobile Device.”
And just to cover all the bases, a footnote states that “this is not an exhaustive list.”
This is, of course, all done in the interest of expediency and customer service. FinTech companies flourish around the fringes of the traditional banks because they are nimble and innovative. They are not encumbered by the large and unwieldy computer systems of the big banks, nor by banking regulations and the regulators.
It is in the big banks’ interests, too, collecting fees from the FinTechs in the process, which is why they do look the other way and allow it to happen. They have the means and the power to stop it – such as making secure two-factor authentication mandatory and terminating the Open Banking access once it has served its initial purpose. But they chose not to.
Zip Pay has been in contact with MWM denying that this has ever been their practice. Global COO Peter Gray stated: “The only data retained is the data required to provide our services. At no time have we ever sold customer data.”
Ezidebit has been in contact with MWM denying they sell personal data. Luke Gilpin, Communications Partner of Ezidebit’s owner, Global Payments Oceania, states: “Ezidebit does not sell any personal information as that contravenes our Privacy Statement.”
Eftsure CEO Mark Chazan has also contacted MWM claiming “we do not capture and store any bank credentials ever and never have” and that “we do not and have never sold any data that we hold to any parties”.
Manal al-Sharif is an author, speaker, human rights activist and a regular contributor to international media. She has written for Time, the NY Times and the Washington Post. Her Amazon bestselling memoir, Daring to Drive: a Saudi Woman's Awakening, is an intimate story of her life growing up in one of the most masculine societies in the world.
Manal is a cybersecurity expert and host of the tech4evil.com podcast that discusses the intersection of technology and human rights.