Payday lenders ask customers to share myGov and bank passwords, putting them at risk
Payday lenders require applicants to share their myGov login details, as well as their banking password over the internet, which poses a security risk, some experts say.
It also goes against the advice of the government website.
As Twitter user Daniel Rose noted, pawnshop and loan provider Cash Converters asks people with Centrelink benefits to provide their myGov credentials as part of its online approval process.
A spokesperson for Cash Converters said the company was obtaining data from myGov, the government’s portal on taxes, health and rights, through a platform provided by Australian fintech company Proviso.
This is done online and computer terminals are also provided in-store.
Luke Howes, CEO of Proviso, said a “snapshot” of the last 90 days of Centrelink transactions and payments is collected, along with a PDF of Centrelink’s income statement.
Some myGov users have two-factor authentication enabled, which means they have to enter a code sent to their mobile phone to log in, but Proviso prompts the user to enter the digits into its own system.
This allows the recent benefit entitlements of a Centrelink candidate to be included in their loan offer. It is legally required, but doesn’t need to happen online.
Ensuring data security
A spokesperson for the Department of Social Services said users should not share their myGov credentials with anyone.
“Anyone who fears they have provided their username and password to a third party should change their password immediately,” she added.
According to Justin Warren, chief analyst and managing director of IT consulting firm PivotNine, disclosing myGov login information to a third party is not secure, especially since it houses My Health Record, child support and other very sensitive services.
Nigel Phair, director of the Center for Internet Safety at the University of Canberra, also advised against it.
He pointed to recent data breaches, including credit rating agency Equifax in 2017, which affected more than 145 million people.
ASIC penalized Cash Converters in 2016 for failing to adequately assess applicants’ income and expenses before they took out payday loans.
A spokesperson for Cash Converters said the company uses “regulated and industry-standard third parties” like Proviso and the US platform Yodlee to transfer data securely.
“We do not wish to prevent Centrelink payment recipients from accessing financing when they need it, nor is it in Cash Converters’ best interests to give a client an irresponsible loan,” he said.
Sharing bank passwords
Not only does Cash Converters request details from myGov, but it also invites loan seekers to submit their online banking login details – a process followed by other lenders, such as Nimble and Wallet Wizard.
Cash Converters prominently displays the logos of Australian banks on its site, and Mr Warren suggested that it may appear to applicants that the system is approved by the banks.
“It has their logo on it, it looks official, it looks cool, there is a little padlock on it that says ‘trust me’,” he said.
[Image: the bank selection page]
Once bank credentials are provided, platforms such as Proviso and Yodlee are then used to take a snapshot of the user’s recent financial statements.
Such platforms are commonly used by financial technology applications to access banking data; ANZ itself used Yodlee as part of its now-closed MoneyManager service.
However, most Australian banks are opposed to the transmission of your banking credentials over the Internet to third parties.
They are keen to protect one of their most valuable assets – user data – from market competitors, but there is also some risk to the consumer.
If someone steals your credit card details and accumulates debt, banks will usually refund that money to you, but not necessarily if you’ve knowingly handed over your password.
According to the Australian Securities and Investments Commission (ASIC) Electronic payment code, in certain circumstances, customers may be held liable if they voluntarily disclose their account information.
“We offer a 100% security guarantee against fraud … as long as customers protect their account information and notify us of any card loss or suspicious activity,” a Commonwealth Bank spokesperson said.
ANZ said it does not recommend logging into online banking services through third-party websites.
How long is the data stored?
In the rush to apply for a loan, it might be easy to miss the fine print.
Cash Converters reports in its terms and conditions that the applicant’s account and personal information is used only once and then destroyed “as soon as reasonably possible”.
However, some subsequent “refresh” of the data may take place for a period of up to 90 days.
“It can recover more data for up to 90 days after your application,” Warren suggested.
If you decide to enter your myGov or bank details on a platform like Cash Converters, he advises you to change them immediately afterwards.
[Image: the page where users are prompted to enter their bank details]
A spokesperson for Cash Converters claimed it does not store login information for myGov or online banking customers.
Mr. Howes of Proviso said Cash Converters uses his company’s “one-stop” recovery service for bank statements and MyGov data.
The platform does not store any user credentials.
“It should be treated with the utmost sensitivity, whether it is bank records or government records, and that is why we only recover the data that we tell the user that we are going to recover,” he said.
Still, Mr. Phair advised users not to give out usernames and passwords for any portal.
A safer way
Kathryn Wilkes receives benefits from Centrelink and said she received payday loans from Cash Converters, who provided her with financial support when she needed it.
She recognized the risks of giving out her credentials, but added, “You don’t know where your information is going anywhere on the net.
“As long as it’s an encrypted and secure system, it’s no different than someone working and applying for a loan from a finance company – you always provide all of your contact details.”
Critics, however, argue that the privacy risks raised by these online loan application processes affect some of Australia’s most vulnerable groups.
Mr Warren said all of that could change if banks make it easier to share consumer data securely.
“If the bank had provided an electronic payment API where you could have secured, delegated and read-only access to the [bank] account for 90 days of transaction details… that would be great,” he said.
Mr Howes agreed, adding that this is a goal the fintech industry is working towards.
The federal government mandated an open banking review in 2017.
“Until the government and the banks have APIs that consumers can use, the consumer suffers,” Howes said.
Yodlee, Nimble and Wallet Wizard did not return ABC’s request for comment.