Banks' Plan Would Weaken Cybersecurity of Consumer Bank Accounts

J.P. Morgan, Wells Fargo and other big banks and brokers have proposed a plan that would have the effect of restricting their customers' data access. In his annual letter to shareholders, J.P. Morgan CEO Jamie Dimon emphasized how concerned he is about protecting the security of his customers:

"One item that I think warrants special attention is when our customers want to allow outside parties to have access to their bank accounts and their bank account information. Our customers have done this with payment companies, aggregators, financial planners and others. We want to be helpful, but we have a responsibility to each of our customers, and we are extremely concerned… We are now actively working with all third parties who are willing to work with us to set up data sharing the right way."

"Contrary to Mr. Dimon's intention, this 'right way' would actually decrease customer access to their data and weaken the cybersecurity protecting the money in customer accounts at his bank," said Bill Harris, CEO of Personal Capital. "The existing ecosystem of data aggregation operates at huge scale with high security connecting 14,000 financial institutions with tens of millions of consumers. It isn't broken. Let's be careful not to break it."

The banks propose to use a cybersecurity protocol called OAuth, a recognized framework that would be a good choice to solve a different problem. OAuth requires a central "Identity Provider." Some banks want to be that Identity Provider, in order to shift control of the data from the consumer to the bank, and to decide who gets what information when. In his shareholder letter, Mr. Dimon stated why he wants to determine who gets access to which data: "Far more information is taken than [his customer and the software she uses] needs in order to do its job." Personal Capital believes each customer should have the right to determine which data they want.

"Malware and phishing are constant security hazards for consumers. The most vulnerable moment for a hacker to steal your password is when you type it into your own browser," said Fritz Robbins, Chief Technology Officer at Personal Capital. "Minimizing the number of times that bank passwords are entered on your browser helps keep online banking safe. When you use a data aggregation service like Personal Capital, you enter your bank password once and only once. Never again do you need to enter your bank password to see your bank data."

The current ecosystem of data aggregation uses a combination of four methods to securely collect the data: Secure Channel, OFX, Server-Side Scraping and Client-Side Scraping. "Using any of these methods, you enter your bank password only once," said Robbins. "Using OAuth, you'd have to enter your bank password any time the bank chose to expire your OAuth token – potentially daily. And you'd typically have to type it into a pop-up browser window similar to that used in phishing attacks." 

"Widespread use of OAuth would weaken the cybersecurity protecting consumer bank accounts," said Harris. "OAuth is less secure than the current methods of data aggregation.  Surprising as it may be, the least secure way to look at your bank data is to log into your bank website." This diagram is from Personal Capital's response to the CFPB RFI.  See the full report at personalcapital.com/rights.

"Not only is data aggregation a more secure way to look at your bank data, it's also the best available means to protect your accounts against fraud of all types," said Harris. "We recommend everyone monitor their accounts twice a week. With an aggregation service, you can see all transactions in all accounts at all banks and brokers in 30 seconds."

Harris is an expert on cybersecurity. He founded three different cybersecurity companies – one of which built the online authentication system used by the majority of the bank websites in the U.S. – and served on the board of directors of RSA Security, the largest cybersecurity company in the world.

He has previously commented on the banks' campaign to require OAuth before granting customer access to their own data. Over one thousand Personal Capital customers have expressed their opinions by email, post or video.

About Personal Capital

Personal Capital is the smart way to track and manage your financial life. Personal Capital combines award-winning online financial tools that provide unprecedented transparency into your finances with personal attention from licensed financial advisors. The result is a complete transformation in the way you understand, manage and grow your net worth.

Marianne Ahlmann | Personal Capital | [email protected]

SOURCE Personal Capital

Related Links

http://www.personalcapital.com