It's been a year since I've written a blog post. It doesn't seem like I have the time anymore to write anything longer than a 140 character tweet. All that time gets eaten up with work, and then play :) So what better way to get in a post than to just copy an email I crafted earlier today. I'll have to find something fun that I'm playing with to create the next post.
I work in self-service banking. Security is a major part of our jobs. So here's my response to an employee who was questioning why we don't allow account aggregators to screen scrape our member's data from their online banking site. (Besides the obvious answer of "Because screen scraping is BAD"!)
"The scenario described in the attached emails is described a screen scraping interface which we do not allow for security reasons. We do however support OFX (Intuit) and that is how other system aggregators are able to access our data.
The practice commonly known as “screen scraping” or “information aggregation” whereby so-called “information aggregators” make available to their customers a web site on which the customers may view information obtained from other web sites. For example, a Credit Union member, John Doe, might have brokerage accounts, credit card accounts, bank accounts, insurance accounts and loans with a number of entities that provide online access to Mr. Doe. For each entity with which Mr. Doe has online account access, Mr. Doe might have a separate user ID and password, and he would have to log in separately to each entity’s web site to view account information or perform a transaction in a particular account. An information aggregator, or “screen scraper,” instead gives Mr. Doe the option to view and manage all of his online accounts held by the various securities, insurance, banking and lending entities in one place - on the aggregator’s web site.
Often, the composite information from the various entities is reformatted to the information aggregator’s standards. To make this possible, the information aggregator will ask for the user ID and password for the various online accounts to view the information aggregator’s web site. If the information aggregator is given this information, the member does so at their own risk. The Credit Union cannot verify the identity of the person gaining access to the account with the user ID and password, whether that person is the member, another individual to whom - despite the Credit Union’s warning – the member has given the password, or if they have shared with an information aggregator.
The Credit Union is not liable for the consequences if password and account information is shared with others. Members agree that if they use an automatic check writing service operating through use of a personal computer or otherwise, the treatment of each item presented against their account through that service and the Credit Union's rights and obligations regarding the items presented will be the same as if the item were signed or initiated personally by that member. The Credit Union’s privacy policies protect members’ nonpublic personal information. If members choose to give their password and account information to a screen scraper or information aggregator, they should understand that the person or company may not protect your nonpublic personal information to the same extent the Credit Union will. They should read carefully the screen scraper’s terms and conditions of service before they subscribe for any services.
All that being said, the best advice we can give this member is an explanation of screen scraping and encouragement for them to protect their data. If they choose to do business with a screen scraper, our MFA will not allow the screen text to be scraped and the data pull will not work. However the vendor in question now has full access to their account and non-public information. If they choose to use an account aggregation service that reads OFX data in a secure environment it will work as we are a registered FI in the OFX database (ex: this is how mint.com and other OFX aggregators work)."