Connecting a Credit Card - Is It Secure?

As far as I’m aware TrueLayer is an API - the data isn’t stored by TrueLayer - they just got in to allow the talking between all of the separate entities.

The URL thing may just be a way in which the data is encrypted and then sent across.

At the end of the day it's your call - for me they have all the relevant regulators looking at them - the majority of the banks support them and from what I have read it isn't much more than the middle man who holds the phones between the two providers.

I’m sure people who use Facebook hadn’t heard of a breach until the news broke either, so no news of a breach doesn’t mean it’s secure :wink:

As you say, each individual has to view risk/benefit and decide.

TrueLayer are using ‘screen scraping’ rather than ‘Open Banking’ for credit card data which is why they (TrueLayer) require your full login details.

Think that has to stop by September according to the reg., although the deadline could be extended. I think there is a deadline around about now to prove your OB API will work by Sept.

They don’t need to cover money as they don’t hold any. They provide the API for the data connection.

The problem with that is your credentials are stored somewhere in some form, not directly sure, but with their system they are able to access your account time and time again.

The concern I have is if they are compromised, that facilitates someone else getting access.

Sure you could say that if your banking account gets hacked it’s the same thing, but limiting who you provide your credentials to limits the potential exposure.

I’d much prefer signing an online agreement that says TrueLayer can access my data on behalf of Monzo and then some API being set up from the bank for them, rather than entering my credentials onto a page they control which is then captured and processed and used every time to access my account.

Yes the credentials are encrypted in some form and it’s that which is used to access the account, but they are having to capture the credentials in the first place.

Hope that makes sense.

The way I think it works now:

- Banks do not yet provide APIs to access customer data.
- Banks are required to allow access to customer data.
- Banks therefore permit third party “screen scraping” to access this data.
- TrueLayer store your credentials in an encrypted form somewhere.
- These are used to access your account data when required by Monzo.

The way it ought to work from September:

- All banks provide an API for reading customer data.
- Credentials for this access may be shared with whoever the customer authorises to access the data.
- Bank login credentials should no longer be shared.
- TrueLayer should modify their implementation to use API access only.

So we’re in a difficult place at the moment where access needs to be provided but the mechanisms to do so safely don’t exist yet. Thus the whole “screen scraping” thing has been authorised reluctantly.

I’ve already had new terms and conditions from BarclayCard stating that from September I should no longer share my login details with anyone. This presupposes that they’ll have an API available by then, but that ought to be the case.

Future issues will arise where a bank doesn’t have an API available in September. I don’t know what happens then.

For the moment, then, it’s your choice whether you share your login details, but I believe that such sharing is currently allowed because it has to be.

(This is purely my understanding, I have no direct knowledge of the legal workings around this area so could be wrong.)

I can think of one that does… :zipper_mouth_face::wink:

An API is under no circumstances meant to use a user's actual login details; this is a security nightmare.

If TrueLayer are asking for your personal login details then they are not using open banking for that particular bank.

If you give TrueLayer your login details you are giving them access to your bank account, it's as simple as that. In some cases you have an extra layer of security (Barclays requiring PINsentry for making payments out of the account), but this isn't always the case, and doesn’t protect you from malicious use within the bounds of your account.

Sure, maybe TrueLayer will keep your details secure. That’s up to you to decide. Personally I think it's idiotic. Not to mention Monzo's little fib about this feature when they announced it, which seems to be becoming increasingly common from Monzo.

But they don’t though…

I also like the nice touch by TrueLayer on the Monzo app, “Login Securely”. It's a common tactic by malicious actors as well; I don’t know who they hired that thought that was a good idea :smile:

The whole thing, including Monzo's handling of it, just oozes inexperience.

Further to the above, I think the big question is when/whether TrueLayer start using the APIs and whether Monzo continue with TrueLayer at all or go for an API implementation of their own.

Only time will tell on that one. I’m assuming TrueLayer will have to move over but that’s not a ‘done in a day’ type job.

Just to add to what others have said…

Your banking terms and conditions should not prevent you from sharing your credentials with regulated AIS or PIS providers. Your bank cannot hold you responsible for unauthorised transactions just because you have shared your credentials with regulated AIS and PIS providers.

Taken from:

Truelayer is an authorised AIS & PIS provider: NewRegister

Tell that to the majority of services which do :wink:

Some of the more stupid ones I’ve seen require a username/password with a bearer token… but you get the bearer token with the same username/password, so it's an additional step for no reason :confused:

This is simply not true. User credentials is a common OAuth flow, used across the Internet. The important part is that your device calls the API, not that you provide your details to a third party who calls the API.

I assume what you mean is that software should never store your credentials and post them to an API on your behalf.

If your bank is providing a proper API then you’ll likely be calling their API from the client and TrueLayer will just be provided with an access token they can reuse.

Otherwise it’ll be implemented with TrueLayer storing your credentials and then using screen scraping to get the details. This is frowned upon as an approach (and it’s been previously speculated that it breaches your bank’s Ts&Cs) but realistically is quite safe (obviously quite is entirely subjective to your own personal risk preference).

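The two models described in this thread (the "how it works now" list of stored, replayed bank credentials versus the token-based API access discussed in the OAuth reply above) can be made concrete with a small simulation. The following is an added illustration, not code from TrueLayer, Monzo or any bank; the bank, customer, balance and aggregator classes are all constructed for the example. It shows the property the posters are arguing about: a replayed login carries every capability the customer has, whereas a bank-issued token can be limited to a read scope, expires, and can be revoked at the bank without the customer changing their password.

```python
"""
Constructed comparison of two third-party access models:
- credential sharing: the aggregator keeps the customer's bank login and
  replays it on every fetch (the "screen scraping" model);
- delegated access: the customer authorises the aggregator at the bank,
  which issues a scoped, expiring, revocable token (the Open Banking model).
Every name, balance and password below is made up for illustration.
"""
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Token:
    value: str
    scopes: frozenset
    expires_at: float
    revoked: bool = False


class Bank:
    """Toy bank holding one customer record and a token registry."""

    def __init__(self, username: str, password: str, balance: int):
        self._users = {username: password}
        self._balance = {username: balance}
        self._tokens = {}  # token value -> (username, Token)

    # Credential path: a successful login yields a full session.
    def login(self, username: str, password: str):
        stored = self._users.get(username)
        if stored is None or not hmac.compare_digest(stored, password):
            return None
        return Session(self, username)

    # Delegated path: the customer consents once, the bank mints a token
    # restricted to the requested scopes and a lifetime.
    def authorise(self, username, password, scopes, ttl_seconds, now):
        if self.login(username, password) is None:
            return None
        tok = Token(secrets.token_urlsafe(32), frozenset(scopes), now + ttl_seconds)
        self._tokens[tok.value] = (username, tok)
        return tok

    def revoke(self, token_value: str) -> None:
        # Revocation happens at the bank; the customer's password is untouched.
        self._tokens[token_value][1].revoked = True

    def api_call(self, token_value: str, action: str, now: float):
        entry = self._tokens.get(token_value)
        if entry is None:
            return "error: unknown token"
        username, tok = entry
        if tok.revoked:
            return "error: token revoked"
        if now >= tok.expires_at:
            return "error: token expired"
        if action not in tok.scopes:
            return "error: scope not granted"
        return self._perform(username, action)

    def _perform(self, username: str, action: str):
        if action == "read_balance":
            return self._balance[username]
        if action == "make_payment":
            self._balance[username] -= 10  # constructed fixed payment amount
            return "payment sent"
        return "error: unknown action"


class Session:
    """A logged-in session has every capability the customer has."""

    def __init__(self, bank: Bank, username: str):
        self._bank, self._user = bank, username

    def read_balance(self):
        return self._bank._perform(self._user, "read_balance")

    def make_payment(self):
        return self._bank._perform(self._user, "make_payment")


class CredentialAggregator:
    """Stores the login and replays it; nothing limits what a replayed login can do."""

    def __init__(self, bank: Bank, username: str, password: str):
        self._bank, self._creds = bank, (username, password)

    def fetch_balance(self):
        return self._bank.login(*self._creds).read_balance()

    def fetch_payment(self):
        return self._bank.login(*self._creds).make_payment()


class TokenAggregator:
    """Holds only the opaque token; the bank enforces scope, expiry and revocation."""

    def __init__(self, bank: Bank, token: Token):
        self._bank, self._token = bank, token.value

    def fetch_balance(self, now: float):
        return self._bank.api_call(self._token, "read_balance", now)

    def fetch_payment(self, now: float):
        return self._bank.api_call(self._token, "make_payment", now)


def compare_models():
    """Run both aggregators against the same constructed account and report outcomes."""
    bank = Bank("alice", "correct horse", balance=100)
    t0 = 1_000.0  # constructed clock, seconds
    creds = CredentialAggregator(bank, "alice", "correct horse")
    token = bank.authorise("alice", "correct horse", {"read_balance"}, ttl_seconds=3600, now=t0)
    tokens = TokenAggregator(bank, token)
    results = {
        "creds_read": creds.fetch_balance(),        # 100
        "creds_pay": creds.fetch_payment(),         # "payment sent": login can also move money
        "token_read": tokens.fetch_balance(t0 + 1), # 90: read scope works
        "token_pay": tokens.fetch_payment(t0 + 1),  # refused: scope not granted
        "token_expired": tokens.fetch_balance(t0 + 3601),
    }
    bank.revoke(token.value)
    results["token_revoked"] = tokens.fetch_balance(t0 + 2)
    return results


if __name__ == "__main__":
    for name, outcome in compare_models().items():
        print(f"{name:14} -> {outcome}")
```

The point of the simulation is the asymmetry in the `results` dictionary: the credential-replaying aggregator can do anything the customer can, including a payment, while the token holder is confined to the scope the customer granted and loses access the moment the bank expires or revokes the token. Real Open Banking APIs add signed requests, consent records and strong customer authentication on top of this, but the capability difference is the same.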
Out of curiosity, how do we know TrueLayer are screen-scraping/storing credentials?

Their “Security” webpage seems to suggest that they don’t store credentials but encrypted Tokens/Keys. Wouldn’t the ICO/FCA have a field day if they were?

Just taking what I can understand from here: https://truelayer.com/security/

Step 4 is TrueLayer storing the credentials :slight_smile:

The key for the encrypted credentials is sent back to Monzo; however, the creds remain with TrueLayer.

So they don’t really have the details - at least in the way that if someone got a hold of them, they’d have no chance of getting into anything? (Unless Monzo was attacked at the same time and they could get access to the Key).

Not in their store… correct

However while they are being used, they can be intercepted.

This is why I say it’s up to you. The information should be clearer and it's not been presented that clearly. If it’s asking for credentials then it’s not open banking. Credentials might be encrypted, but we don’t know what they’re doing, who has access, how keys are actually managed, how the key generation is secured, how they are destroyed, etc.

The good news is when open banking is fully rolled out there shouldn’t really be any need for 3rd parties to manage access, so TrueLayer will likely cease to exist in its current form.

It's just weird because they claim (and are) regulated and part of all the entities you’d expect from someone operating under Open Banking - FCA, Open Banking, PSD2. The difficulty comes with the fact they have a number of products (they call them all APIs) - but agreed, everything is that clear on what actually happens with everything.

The FCA approval you can probably give some credit to… maybe. So that might reduce the risk. What annoys me is the lack of being clear about what's happening. Monzo didn’t present it very well when they announced it, and it's generally not well discussed. Credentials are different from using the open banking API; it has its risks and people should understand that. The risks aren’t huge, but they exist, and that’s something people should just keep in mind so they can take responsibility for their financial decisions.
