iTnews

Former ACSC chief MacGibbon blasts calls to legitimise screen scrapers

By Julian Bajkowski on Jan 21, 2020 6:50AM

“Precisely the wrong message”.

Australia’s high profile former cybersecurity tsar Alastair MacGibbon has waded into the increasingly heated debate over the use of screen scrapers by fintech firms, warning any weakening of security controls under open banking will create an instant target list for hackers.

In a blunt assessment of the adverse consequences lowering existing data security standards would create, MacGibbon’s new cyber protection firm CyberCX cautions if a push for “less rigorous rules” gets up, “any data breaches would undermine consumer confidence and trust” in the forthcoming open banking regime.

The comments are contained in CyberCX’s submission to the Senate Select Committee on Financial Technology and Regulatory Technology and are likely to bolster a push from consumer and financial legal advocates to have screen scraping banned by the government altogether.

A fierce debate has erupted around the persistence of screen scraping technology as a customer migration tool, not least because it usually requires consumers to hand over their user names and passwords to third parties to access their accounts.

The practice is already banned in the UK and Europe.

“At a time when we should be seeking to instil in individuals a greater awareness of the importance of online security, encouraging people to reveal their passwords is precisely the wrong message,” CyberCX’s submission says.

“Our concern is that ‘screen scraping’ legitimises and gets consumers used to handing over their passwords to 3rd parties.”

The public entry of CyberCX into the debate is significant, not least because the company groups together a dozen Australian cybersecurity service providers and is helmed by former Optus Business chief executive John Paitaridis.

MacGibbon, who headed the Australian Cyber Security Centre and was until last year the government’s National Cyber Security Adviser, is the firm’s chief strategy officer.

A clutch of mainly smaller fintech firms are pushing the government hard to legitimise the practice of screen scraping, saying much of the nascent fintech and regtech sectors will become essentially unviable if the practice is banned, because of compliance costs of between $50,000 and $100,000.

Under standards presently floated by the Australian Competition and Consumer Commission, organisations that want to participate in Open Banking will need to be accredited by the regulator and comply with a raft of data security and protection standards.

Many smaller fintechs feel the compliance bar has been set too high for the Consumer Data Right and have argued cashed-up large incumbents will exploit strict standards to shut out smaller and more innovative competitors.

The Commonwealth Bank has been singled out for criticism by some firms because it issues warnings to its customers about keeping passwords and credentials confidential when it detects screen scrapers, including warning customers about their potential liability for fraud in the event of a compromise.

There is palpably little consensus on the issue, with the approach of warning customers having attracted sharp accusations of hypocrisy from credit card schemes once close to the banks, including American Express.

In particular American Express wants consumers who shop their accounts around through providers who use screen scrapers to be indemnified from losses under the Australian Securities and Investments Commission’s voluntary E-Payments code, which codifies liability.

“We consider it inappropriate for consumers to be held liable by their bank for using RegTech services, particularly when those RegTech services are being used by those banks to acquire new customers,” Amex said in its submission.

While CyberCX isn’t buying into the sectoral mudslinging, the firm does warn starkly that the fallout from lowering security standards could derail the whole open banking project if customers lose trust in participants in the event they are compromised.

A major cautionary note is that a two tier security system should not be allowed to develop, especially one where “financial organisations would opt-out of Open Banking in favour of continuing to engage in ‘screen scraping’ unless the costs associated with meeting the ACCC rules are reduced.”

“There also seems to be a suggestion the ACCC may create more than one level of accreditation as the CDR regime matures. CyberCX would not wish to see a less onerous version of the ACCC rules in order to accommodate small or start-up financial organisations,” the firm says.

“Were some financial organisations able to achieve accreditation through less rigorous rules, it would create an incentive for attackers to target those organisations. As stated previously, any data breaches would undermine consumer confidence and trust in the initiative.”

Having a lend of security

Encouragingly, the argument around controlling the cost of security compliance and screen scraping is not a binary equation, Messrs MacGibbon and Paitaridis observe.

The pair believe the government can meet cash-strapped fintechs halfway and still keep a gold standard security regime by essentially extending a line of credit to businesses that need to bring themselves up to scratch to pass muster at the ACCC.

“Rather than resorting to ‘screen scraping’ or rule dilution, it would be preferable for the government to assist small and start-up financial organisations achieve the most rigorous information security and privacy protection standards,” CyberCX argues.

“This could be accomplished through the establishment of either a loan or voucher scheme.

“Loans could be offered to qualifying small and start-up financial organisations in order to invest in strengthening their cybersecurity postures and meeting the ACCC rules,” CyberCX said – without the slightest hint of irony that the government would be lending to the unsecured lending market.

“These could be repaid once the organisation passes a specified revenue threshold. Alternatively, a voucher scheme could be established where government covers part of the costs of achieving a stronger cybersecurity posture.”

Who knows, maybe an enterprising major bank could white label the loans to the government as cyber bonds … well, maybe not.

Copyright © iTnews.com.au . All rights reserved.