The Big Banks’ Plan Would Weaken Cybersecurity of Consumer Bank Accounts

You know how vital it is to have easy access to your financial data in order to run your financial life. It is so important that Section 1033 of the Dodd-Frank Wall Street Reform and Consumer Protection Act requires banks and brokers to provide their customers with electronic access to their own financial data.

J.P. Morgan, Wells Fargo and other big banks and brokers have proposed a plan that would have the effect of restricting their customers’ data access. In his annual letter to shareholders, J.P. Morgan CEO Jamie Dimon emphasized how concerned he is about protecting the security of his customers:

“One item that I think warrants special attention is when our customers want to allow outside parties to have access to their bank accounts and their bank account information. Our customers have done this with payment companies, aggregators, financial planners and others. We want to be helpful, but we have a responsibility to each of our customers, and we are extremely concerned… We are now actively working with all third parties who are willing to work with us to set up data sharing the right way.”

Contrary to Mr. Dimon’s intention, this “right way” would actually decrease customers’ access to their data and weaken the cybersecurity protecting the money in customer accounts at his bank. The existing ecosystem of data aggregation operates at huge scale, connecting some 14,000 financial institutions with tens of millions of consumers, and it has done so securely. It isn’t broken. Let’s be careful not to break it.

The banks propose to use OAuth, a recognized authorization framework that would be a good choice for solving a different problem. OAuth requires a central authorization server, commonly called an “Identity Provider.” Some banks want to be that Identity Provider, in order to shift control of the data from the consumer to the bank and to decide who gets what information, and when. In his shareholder letter, Mr. Dimon stated why he wants to determine who gets access to which data: “Far more information is taken than [his customer and the software she uses] needs in order to do its job.” Personal Capital believes each customer should have the right to determine which data they want to share.

“Malware and phishing are constant security hazards for consumers. The most vulnerable moment for a hacker to steal your password is when you type it into your own browser,” said our Chief Technology Officer, Fritz Robbins. “Minimizing the number of times that bank passwords are entered on your browser helps keep online banking safe. When you use a data aggregation service like Personal Capital, you enter your bank password once and only once. Never again do you need to enter your bank password to see your bank data.”

The current ecosystem of data aggregation uses a combination of four methods to securely collect the data: Secure Channel, OFX, Server-Side Scraping and Client-Side Scraping. “Using any of these methods, you enter your bank password only once,” said Robbins. “Using OAuth, you’d have to enter your bank password any time the bank chose to expire your OAuth token – potentially daily. And you’d typically have to type it into a pop-up browser window similar to that used in phishing attacks.”

Widespread use of OAuth, as the banks propose it, would weaken the cybersecurity protecting consumer bank accounts, because it multiplies the number of times the bank password is typed into a browser, and each entry is another chance for malware or a phishing page to capture it. By that measure OAuth is less secure than the current methods of data aggregation. Surprising as it may be, the least secure way to look at your bank data is to log into your bank website.
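To make concrete what the expiry argument above turns on, here is an added example, written for this page and not code from Personal Capital, any bank, or any OAuth library: a mock OAuth 2.0 authorization-code flow in Python with a simulated bank authorization server, a hypothetical aggregator client and a constructed customer. The customer name, password, scope names, one-day access-token lifetime and thirty-day polling run are all assumptions. It counts how many times the password is typed when access tokens expire daily, once with refresh tokens and once without (whether the bank issues them is a bank policy choice, which is the knob this paragraph and the comment thread below disagree about), and it also shows what a read-only scope and a bank-side revocation of one third party do.

```python
"""Mock OAuth 2.0 authorization-code flow with refresh tokens (constructed example)."""
import hashlib, hmac, secrets
from collections import namedtuple

DAY = 86400                                                  # seconds
Token = namedtuple("Token", "value client_id scope expires_at")  # expires_at: absolute seconds

def _hash(pw):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), b"constructed-salt", 10_000)

class MockBankAuthServer:
    """The bank's authorization server; access-token lifetime and refresh-token issuance are its policy knobs."""
    def __init__(self, access_ttl=DAY, issue_refresh_tokens=True):
        self.access_ttl, self.issue_refresh_tokens = access_ttl, issue_refresh_tokens
        self._users = {"alice": _hash("correct horse")}      # constructed sample customer
        self._codes, self._access, self._refresh = {}, {}, {}
        self.password_prompts = 0                            # the number the article cares about
    def login_and_consent(self, user, pw, client_id, scope):
        """Step 1: the customer types the password into the bank's own page and approves a scope."""
        self.password_prompts += 1
        stored = self._users.get(user)
        if stored is None or not hmac.compare_digest(stored, _hash(pw)):
            raise PermissionError("bad credentials")
        code = secrets.token_urlsafe(16)
        self._codes[code] = (client_id, frozenset(scope))
        return code
    def exchange_code(self, code, client_id, now):
        """Step 2: the third party swaps the single-use code for tokens; it never sees the password."""
        entry = self._codes.pop(code, None)
        if entry is None or entry[0] != client_id:
            raise PermissionError("unknown code or wrong client")
        return self._issue(client_id, entry[1], now)
    def _issue(self, client_id, scope, now):
        access = Token(secrets.token_urlsafe(16), client_id, scope, now + self.access_ttl)
        self._access[access.value] = access
        refresh = None
        if self.issue_refresh_tokens:                        # bank policy, not a protocol rule
            refresh = Token(secrets.token_urlsafe(16), client_id, scope, float("inf"))
            self._refresh[refresh.value] = refresh
        return access, refresh
    def refresh(self, refresh_value, now):
        """Step 3: renew an expired access token with the refresh token (rotated); no password."""
        tok = self._refresh.pop(refresh_value, None)
        if tok is None:
            raise PermissionError("refresh token unknown or revoked")
        return self._issue(tok.client_id, tok.scope, now)
    def call_api(self, access_value, needed_scope, now):
        """Resource endpoint: enforces expiry and the granted scope."""
        tok = self._access.get(access_value)
        if tok is None or now >= tok.expires_at:
            raise PermissionError("access token expired or revoked")
        if needed_scope not in tok.scope:
            raise PermissionError(f"scope {needed_scope} was not granted")
        return "ok"
    def revoke_client(self, client_id):
        """Bank-side kill switch: drop every token one third party holds."""
        self._access = {k: t for k, t in self._access.items() if t.client_id != client_id}
        self._refresh = {k: t for k, t in self._refresh.items() if t.client_id != client_id}

CLIENT, USER, PW = "aggregator-app", "alice", "correct horse"   # constructed
READ = {"accounts:read", "transactions:read"}                   # read-only scope

def _connect(bank, now=0.0):
    """One password entry, then the code-for-token exchange."""
    return bank.exchange_code(bank.login_and_consent(USER, PW, CLIENT, READ), CLIENT, now)

def password_entries_over(days, issue_refresh_tokens):
    """Aggregator polls once a day while access tokens expire daily; returns password prompts."""
    bank = MockBankAuthServer(access_ttl=DAY, issue_refresh_tokens=issue_refresh_tokens)
    access, refresh = _connect(bank)
    for day in range(days):
        now = day * DAY
        try:
            bank.call_api(access.value, "transactions:read", now)
        except PermissionError:                              # expired overnight
            if refresh is not None:
                access, refresh = bank.refresh(refresh.value, now)
            else:                                            # no refresh token: password again
                access, refresh = _connect(bank, now)
    return bank.password_prompts

def read_token_can_pay():
    """Can a read-scoped token reach a payment endpoint?"""
    bank = MockBankAuthServer()
    access, _ = _connect(bank)
    try:
        return bank.call_api(access.value, "payments:write", 0.0) == "ok"
    except PermissionError:
        return False

def refresh_survives_revocation():
    """The bank revokes a breached client: does its refresh token still work?"""
    bank = MockBankAuthServer()
    _, refresh = _connect(bank)
    bank.revoke_client(CLIENT)
    try:
        return bank.refresh(refresh.value, DAY) is not None
    except PermissionError:
        return False
```

With refresh tokens issued, `password_entries_over(30, True)` returns 1: the password is typed once and every daily expiry is renewed without it. With them withheld, `password_entries_over(30, False)` returns 30, which is the daily re-entry the quoted warning describes. The two remaining checks both return False: a read-only token cannot call a payment endpoint, and once the bank revokes a third party its refresh token is dead. None of this settles the separate point about a redirect pop-up resembling a phishing page; it only shows that how often the password is typed under OAuth is decided by the bank's token policy.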

The following diagram is from Personal Capital’s response to the Consumer Financial Protection Bureau (CFPB) Request for Information Regarding Consumer Access to Financial Records. See the full report at personalcapital.com/rights; it’s a bit of a snoozer, but not bad if you’re trying to nod off.

Not only is data aggregation a more secure way to look at your bank data, it’s also the best available means to protect your accounts against fraud of all types. We recommend everyone monitor their accounts twice a week. With an aggregation service, you can see all transactions in all accounts at all banks and brokers in 30 seconds.

I’m a bit of an expert on cybersecurity. I founded three different cybersecurity companies – one of which built the online authentication system used by the majority of the bank websites in the U.S. – and served on the board of directors of RSA Security, the largest cybersecurity company in the world.

And I’ve previously commented on the banks’ campaign to require OAuth before granting customer access to their own data. Over one thousand Personal Capital customers have expressed their opinions by email, post or video, too.

Dorian K., Staff Software Engineer II at PDQ (8 years ago):

OAuth is by far more secure than handing off your bank password to third parties. It allows access management by users and lets users and banks see which services are being used. If, for example, a third party gets hacked, the bank can revoke all OAuth and refresh tokens to keep users secure. The claim that OAuth expires daily is somewhat misleading. OAuth tokens expire rapidly, but refresh tokens can be used to get fresh tokens, and timeouts can be defined by the bank according to their needs. If you hand off your bank password to third parties you put yourself at a very high risk. Just think of how many actions you can perform from your bank's website. That's how much power you are granting sites like Mint and many others. OAuth allows more granular permissions to be set and is more ideal.


Are you suggesting that OAuth is less secure than Web Scraping?

Bill, as always a very thoughtful piece on a very important topic. We need to hear from many experts and all sides on this subject.


More articles by Bill Harris
