The Search for a Safer Way to Share Consumer Data with PFM Sites
It's the equivalent of handing car keys to a perfect stranger, but users of personal finance management sites have been doing it for years.
To get sites like Mint or BillGuard to give them help with their finances, consumers have been forking over their online banking passwords and user names. This allows the sites to collect the users' financial data so they can, say, get alerts from a mobile app that specializes in spotting transaction fraud. While the major aggregation providers use encryption, anonymization and other security elements, there is still inherent risk in sharing the sensitive data that can unlock a bank account.
"[Banks] don't want consumers to give out the credentials they use for online banking to anyone," said Shirley Inscoe, a senior analyst with Aite Group. "The more places they are housed, the greater likelihood they will be compromised."
The consensus is that there is no going back to a time before Mint. People have come to expect the ability to see their data where and how they want to in order to better manage their money. But there is a movement afoot to strengthen the security of credential-sharing at a time when startups are entering the data aggregation market, joining seasoned veterans like Yodlee, Intuit and Fiserv's CashEdge.
The Financial Services Information Sharing and Analysis Center, an industry organization that does cyber and physical threat intelligence analysis, called attention to the security deficiencies and potential remedies in a white paper distributed during its conference in October.
The document, which calls for the days of sharing credentials with aggregators to come to an end, was drafted by bank executives and aggregation service providers, and it requests comments from members before the group publishes final recommendations.
The attention comes at a time when cyberattacks are mounting while consumers continue to give out more credentials to access their own data on the mobile or web app of their choosing.
To date, no major data aggregator has been hit by a breach. But the added scrutiny from FS-ISAC could help spur actions to get in front of a potential accident before it happens.
Fifteen-year-old Yodlee, which sells data aggregation services to banks and fintech companies, said in October it supports FS-ISAC's efforts to make the bank the credential custodian.
Such an authentication model, according to the tech company, could offer benefits like decreasing operational risk and opening up services in international markets where regulation has stalled aggregation abilities.
Some countries, Poland among them, have forbidden screen scraping, the technique by which a bank logs in on the customer's behalf to pull data from another account.
One of Yodlee's preferred authentication methods, but certainly not the only one, is OAuth 2.0. The token-based technology, which FS-ISAC also highlighted in its document, lets banks keep ownership of the customer log-in data, so third parties like Yodlee would only ever see the token.
The OAuth specification has been standard for companies like Google and Twitter, but it has yet to make inroads with banks.
Financial institutions could use OAuth tokens to ensure that credentials are never shared or stored outside of the bank's walls. They could also revoke access if needed.
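The custodian model described here, as an added illustration in Python (not code from Yodlee, FS-ISAC or any aggregator): the bank alone verifies the password, hands the PFM app an opaque token limited to a read-only scope, and can revoke it at will. The `Bank` class, scope names and sample transactions are constructed for the example.

```python
import hashlib, hmac, secrets
def _kdf(password, salt):  # slow hash so the bank never stores plaintext passwords
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
class Bank:
    """The bank as credential custodian: it alone sees passwords and issues tokens."""
    def __init__(self):
        self._creds = {}   # user -> (salt, hash); never leaves the bank
        self._tokens = {}  # opaque token -> (user, scopes)
        self.ledger = {}   # user -> transactions (constructed sample data)
    def enroll(self, user, password, transactions):
        salt = secrets.token_bytes(16)
        self._creds[user] = (salt, _kdf(password, salt))
        self.ledger[user] = transactions
    def authorize(self, user, password, scopes):
        """Customer logs in at the bank and consents; the app gets only the token."""
        salt, stored = self._creds.get(user, (b"", b""))
        if not hmac.compare_digest(stored, _kdf(password, salt)):
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (user, frozenset(scopes))
        return token
    def revoke(self, token):
        self._tokens.pop(token, None)  # bank can cut the app off unilaterally
    def _check(self, token, needed):
        user, scopes = self._tokens.get(token, (None, frozenset()))
        if user is None:
            raise PermissionError("token invalid or revoked")
        if needed not in scopes:
            raise PermissionError(f"token lacks scope {needed}")
        return user
    def get_transactions(self, token):  # the read-only API an aggregator calls
        return list(self.ledger[self._check(token, "transactions:read")])
    def send_payment(self, token, amount):  # a scope the PFM token never carries
        return (self._check(token, "payments:write"), amount)

def demo():
    bank = Bank()
    bank.enroll("alice", "correct horse battery", [("coffee", -4.50), ("salary", 2500.0)])
    token = bank.authorize("alice", "correct horse battery", ["transactions:read"])
    out = {"fetched": len(bank.get_transactions(token))}  # app holds only `token`
    try:
        bank.send_payment(token, 100); out["payment"] = "allowed"
    except PermissionError as e:
        out["payment"] = str(e)
    bank.revoke(token)
    try:
        bank.get_transactions(token); out["after_revoke"] = "allowed"
    except PermissionError as e:
        out["after_revoke"] = str(e)
    return out
```

Compare this with credential sharing: a stored password would let the aggregator do anything the customer can, and the only way to cut it off is a password reset.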
Still, the specification would require money, time and a greater degree of openness from financial institutions that may view the capability as helping rivals.
"Personally, I am all for more secure ways to do this, but that is because I feel we have a very strong, competitive PFM platform that relies on aggregation," said John Schulte, who is the chief information officer of Mercantile Bank in Grand Rapids, Mich. The bank uses MX (formerly known as MoneyDesktop). "I am sure some banks won't like the idea of giving 'fast pass' access through their security to their customer data without getting something in return, especially if it just benefits their competitors."
Already, Yodlee said it is helping to pilot the OAuth approach with a top five bank and is in conversations with others on ways to make the credential process less risky.
"We are actively working with many of the large banks to implement more of an OAuth approach," said Eric Connors, senior vice president of products at Yodlee. "It puts the bank in control of the credentials."
Some have been saying for years that banks should embrace OAuth.
Andrew Parker, a general partner at VC firm Spark Capital, is one of them. Parker said the advantage of a bank integrating OAuth lies in how it would stop aggregator services from asking for usernames and passwords, "which is a very bad security practice."
To gain the authentication security benefits of OAuth, a bank would have to expose an application programming interface.
Already, there is some precedent with OAuth in financial services.
Tesobe, a young fintech company in Europe that has run pilots with banks, takes an OAuth 1.0 approach on its so-called Open Bank Project so banks remain the gatekeeper for authentication when consumers choose to use third-party apps.
To be sure, OAuth is but one of multiple ways to enhance authentication that aggregators are researching.
Fiserv, which owns data aggregator CashEdge and participates in FS-ISAC's working group, said it is looking to improve security with real-time account verification, tokenization and enhanced identification and authorization of financial institutions.
"We do envision the token approach as significantly improving both client and end-consumer security and fraud protections while removing friction from access and improving payment speeds," said Marc West, president of digital channels at Fiserv, in an email.
Still, West said Fiserv is also looking at how to use key features within its internal platforms to manage identification and authorization across financial institutions.
Yodlee, for its part, said it plans to support more than OAuth, acknowledging that not every bank will want or need to invest in it. It hopes to appeal to banks that have had reservations about aggregation services because of the risks associated with the practice.
Yodlee said it wants to get ahead of published guidance by raising awareness of the importance of decoupling authentication from data exchange protocols. It published a white paper that spells out its stance; namely, what matters most is consumers' warm embrace of non-bank apps to view their transaction data when and where they want, which often requires multiple data collection methods.
"We felt the bigger picture needed to be told," said Connors.