This article was published on Cybernews.com on April 25, 2022.
“once people provide their credentials externally, they put themselves at risk”
It is a truth universally acknowledged that your bank credentials and other important login information should never be exposed to anyone but you.
However, we might be doing just that by logging into websites that use screen scraping for smooth login and data retrieval. By handing your credentials to a site that employs screen scraping to view or interact with your financial data, you essentially give away a key to your private information. But there is a way to avoid this: financial institutions increasingly turn to APIs for retrieving and sharing financial and other personal data.
Cybernews reached out to Debrah True, the Chief Information Security Officer at Akoya, a leading financial data API provider, to discuss the dangers of screen scraping and new and emerging security threats in the fintech industry.
How did the idea of Akoya come about? What has the journey been like?
Akoya started within Fidelity Investments in 2018 as a way for the company to address the collection of passwords and the screen scraping of customer accounts by data aggregators. Fidelity’s customers were providing their login credentials to external parties, which logged in on their behalf and copied and stored all of the customers’ financial data.
Fidelity began to address this problem and realized that other financial institutions were running up against the same issues and trying to figure it out independently. That’s where the idea for Akoya came from. With help from The Clearing House, in February of 2020, Akoya became an independent company jointly owned by 11 North American Banks and Fidelity.
Akoya has signed several agreements with the largest financial institutions in the United States, covering 65 percent of all demand deposit accounts (~411 million), a third of retail brokerage accounts (~31 million), and a quarter of defined contribution accounts (~35 million), as well as over 60 percent of credit cards issued (~401 million) with more data sources coming soon.
Based on this coverage, we offer fintechs API-based, customer permissioned financial data that serves numerous use cases across financial services, including personal and business financial management, lending and credit enhancement, wealth and investment management, payment enablement, account opening, and more.
Can you introduce us to what you do? What methods do you use to protect financial data?
Akoya was created to give people a safe and transparent way to provide access to their financial data. To that end, Akoya replaces screen scraping with application programming interfaces (APIs), which allow people to grant, modify, or revoke access to their financial data directly with their financial institution through their existing online financial institution’s portal. By removing the need for login credentials to be held and stored externally, APIs significantly mitigate the privacy and security risks stemming from screen scraping.
Additionally, Akoya makes widespread use of APIs scalable by offering a single point of integration for financial institutions, fintechs, and data aggregators and avoids continued maintenance and development efforts. All contractual relationships are handled by Akoya, removing the numerous internal and external costs required to develop and manage multiple third-party relationships.
Data privacy and security are at the heart of what Akoya does. Akoya maintains a passthrough model that does not copy, store, or hold personal information passed through the network.
We require that all network participants who receive data pass a rigorous security and risk assessment, which is reviewed regularly. We ensure our network meets the highest security standards by completing regular security audits, including the SOC 2 Type 2 attestation, and complying with the security requirements of our financial institutions.
What cyberthreats surrounding online banking do you find the most concerning at the moment?
The dissemination of passwords and screen scraping expose people and their financial institutions to various risks and provide little to no visibility into how the data is protected or shared. This impacts cybersecurity, as credential stuffing, a type of cyberattack where stolen login credentials are used to breach systems through automated login requests, is the #1 type of security incident in the financial sector, according to a September 2020 FBI report.
Once people provide their credentials externally, they put themselves at risk, primarily because many use the same usernames and passwords across multiple sites and services beyond the financial sector. According to a SpyCloud report, of the over 1.5 billion recovered credentials in 2020, 60% featured password reuse, and 97% of those were an exact match with breached accounts.
Another cyber threat is account takeovers that are perpetrated by stolen credentials. Former Financial Crimes Enforcement Network (FinCEN) Director Ken Blanco stated, “In some cases, cybercriminals appear to be using fintech data aggregators and integrators to facilitate account takeovers and fraudulent wires. By using stolen data to create fraudulent accounts on fintech platforms, cybercriminals can exploit the platforms’ integration with various financial services to initiate seemingly legitimate financial activity while creating a degree of separation from traditional fraud detection efforts.”
How do you think the recent global events altered your field of work?
The COVID-19 pandemic facilitated significant growth in fintech. As physical branches of financial institutions closed, people moved to digital tools and other fintech apps, bringing convenience, ease of use, and substantial risk.
According to the FDIC, since the pandemic began, banks have reported more sophisticated cyberattacks due to bank employees working remotely and more customers accessing digital banking services. More recently, the FDIC has prioritized as specific threats potential cyberattacks stemming from the Russian invasion of Ukraine and the potential hacking into U.S. institutions.
These two events have highlighted the security risks associated with screen scraping and the need for a safer environment for data sharing. There has been considerable congressional and regulatory interest in protecting consumers and their financial data, and Akoya’s approach to API-driven data connections is needed in financial services.
What are some of the worst mistakes you notice companies make when handling sensitive data?
Often companies store private information in an unsecured, non-encrypted way. For instance, storing unencrypted account information for convenient customer service allows successful hackers to access personal information. Also, sending private, unencrypted information across networks will enable calls to be intercepted and used for fraud and other illegal activities.
Which security practices do you think are essential for the financial sector to keep both their workforce and their customers safe?
When outside parties interact with a financial account, masking sensitive information within permissioned data is a much-needed security practice. For example, payments can use tokenized account numbers rather than a person’s actual bank account and routing numbers.
Another practice is implementing secure login practices such as using multi-factor authentication for users and Single Sign-on (SSO) for a financial institution’s workforce. Without that extra security, hackers can successfully access private information. In addition, implementing secure software development practices, including detection and protection against open-source vulnerabilities, raising developer security awareness through training and hangouts, frequent vulnerability scanning, and system patching, can help the financial sector avoid future issues.
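As an added illustration (not Akoya's code, and no claim about how its network is built), here is a constructed Python model of two practices described in this interview: scoped, revocable access grants issued by the institution itself instead of shared passwords, and tokenized account numbers handed out in place of real account and routing numbers. The class names, scope names and sample account values are assumptions.

```python
import secrets
from dataclasses import dataclass

@dataclass
class Grant:
    customer: str
    scopes: frozenset  # assumed scope names: "balance", "payment"
    active: bool = True

class Bank:
    """Toy institution: it alone holds passwords, account and routing numbers."""
    def __init__(self):
        self._accounts = {}        # customer -> account record (constructed data)
        self._grants = {}          # access token -> Grant
        self._payment_tokens = {}  # tokenized account id -> real account number

    def add_customer(self, name, account_number, routing_number, balance):
        self._accounts[name] = {"account": account_number, "routing": routing_number, "balance": balance}

    def authorize(self, customer, scopes):
        """Customer grants a scoped token via the bank's own portal; no password leaves the bank."""
        token = secrets.token_urlsafe(24)
        self._grants[token] = Grant(customer, frozenset(scopes))
        return token

    def revoke(self, token):
        """Customer withdraws access at the bank; the token dies at once, no password change needed."""
        self._grants[token].active = False

    def fetch(self, token, field):
        """Third party asks for one field; the bank enforces grant state and scope."""
        grant = self._grants.get(token)
        if grant is None or not grant.active:
            raise PermissionError("token unknown or revoked")
        record = self._accounts[grant.customer]
        if field == "balance" and "balance" in grant.scopes:
            return record["balance"]
        if field == "payment_account" and "payment" in grant.scopes:
            # Mask: hand out a tokenized account id, never the real account/routing numbers.
            tokenized = "tok_" + secrets.token_hex(8)
            self._payment_tokens[tokenized] = record["account"]
            return tokenized
        raise PermissionError(f"scope for {field!r} not granted")

def access_denied(bank, token, field):  # True when the bank refuses the request
    try:
        bank.fetch(token, field)
        return False
    except PermissionError:
        return True
```

Contrast this with screen scraping, where the aggregator holds the password itself: there the only way to cut its access is to change the password, and nothing limits what it can read once logged in.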
Talking about individual users, what security measures do you think everyone should implement to keep their data safe?
People should not share their passwords with anyone or any entity. Akoya was explicitly conceived to eliminate such practices in the financial services ecosystem and give people a safe, secure, and transparent way to provide access to their financial data.
Another important and effective measure that people can take to keep their data safe is not to reuse passwords in their personal and business accounts. Unfortunately, reusing passwords is very common among individual users. According to a Google survey, close to 65% of people reuse passwords across multiple sites. Even though users know that there are risks associated with reusing passwords, over half reuse them anyway, according to Dark Reading.
What do you think the banking industry is going to look like in the near future?
Over the last few years, the U.S. has seen tremendous growth in Open Banking – sharing consumer bank data with other parties to facilitate such actions as payments and personal financial management. The success of Open Banking is now leading us to Open Finance – the free-flowing, transparent sharing of consumer financial data that extends the third-party access principles of Open Banking into insurance, unsecured lending, pensions, and much more.
Open Finance is a massive boost for consumers. It provides access to opportunities previously off-limits to many underserved communities who have long been excluded from traditional banking and lending products. The banking industry has found ways to improve credit scores by including non-traditional types of payments such as rent and utilities, helping to allow greater access to credit. This is just one example of the many new product offerings we will see shortly.
And finally, what does the future hold for Akoya?
Akoya will continue to add to the number of financial institutions on our network to increase further the coverage numbers highlighted above. We are also building new APIs to facilitate new use cases that will drive innovation in the financial services industry.
Of course, we know that cybercrime is constantly morphing into new ways to wreak havoc. Akoya was built on safe, secure, and transparent data-sharing principles. We are firmly committed to continuously improving our security, being vigilant, complementing others in the industry, and doing all we can to keep our network safe.