Proposed “Screen Scraping” Ban Could Affect EV, Solar & Battery Owners

Screen scraping and the EV, solar and battery industry

Over in the financial sector, there is a development that has implications that we in the renewable energy space – particularly in the world of electric vehicles – should pay attention to.

It came in this speech by Assistant Treasurer Stephen Jones to the Intersekt conference, in which he foreshadowed a ban on what’s known as “screen scraping”.

The process has started with a consultation opened by Treasury.

What Is Screen Scraping?

Screen scraping is a very rough colloquialism that describes third-party financial apps that sit between a user and their bank. Imagine, for example, an app that consolidates all your account information across different banks into one screen. The simplest way for an app to do this is to borrow your credentials for all your different bank accounts so it can log into CBA, ANZ, NAB, Westpac and so on to check your account balance.

It’s a terrible name for the practice because the login details are generally used to access an API, not to scrape your screen. But even that is a security risk: if an attacker compromises the third-party app’s data store, they obtain every stored credential, and a stored username and password carries the full power of the account it belongs to, not just the read access the app needed.

Jones said:

“The practice of screen scraping … cuts against the work we as a Government and many parts of the fintech industry are trying to do to use data more safely, and to store it more safely.”

What’s that got to do with owners of electric vehicles?

A while back, a reader alerted us that the practice is used in apps that use customer credentials to access users’ accounts with their EV manufacturer – for example, a third-party charge management application that needs information from your Tesla app data.

Third-party apps “that use Tesla and any other unofficial API are a ticking security timebomb,” our reader said.

“Many of these apps capture user credentials to access third parties.”

He said one captures the EV owners’ username and password to control the charge rate.

“Those credentials give a party full access to the vehicle including unlocking it and making it driveable (and the location of the vehicle too). All it takes is a malicious actor to wait for an opportunity for someone to make a mistake and they will have access to a large set of assets.”

Change Is Coming

Banks have long opposed the practice of screen scraping for reasons very similar to our reader’s objections to the practice: user information is held by a third party whose data handling may not be as secure as the bank.

It’s also worth noting that while a bank’s data security is heavily regulated, the same can’t be said for an EV charge management app.

As Jones said in his speech, a screen scraping ban was raised last year in a review of the Consumer Data Right (CDR), which governs how consumer data is handled and shared in a handful of industries, including the financial sector.

“Last year’s Statutory Review into CDR … recommended that screen scraping be banned where CDR is a viable alternative”.

So, the government is launching an inquiry:

“Today, we are beginning that consultation process, with a discussion paper on the policy and regulatory implications of screen scraping.”


“I really don’t think that asking people to hand over their online banking passwords to lenders, mortgage brokers, and others is the best we can do. The world has moved on.


“It’s hard to see a big future for any business model that relies on people sending through their log in details.”

Solar, Storage And EV Sectors Take Note

Once this train gets in motion, it seems inevitable someone will notice the practice reaches far beyond the financial sector.

So it would at least be sensible for the EV industry – and, for that matter, inverter and battery manufacturers – to start changing their practices so consumer data is appropriately protected when shared.

And there are alternatives to screen scraping. As SolarQuotes Founder Finn Peacock pointed out, Tesla allows Powerwall users to share data without sharing their login:

“Tesla has a great feature with their Powerwall app – you go into the app and invite people to look at your data – then [you] can revoke at any time. We just need a similar built-in system for API access to EVs, battery and inverter data.”

[Image: the Tesla app’s Manage Access screen]
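To make concrete what separates the two approaches discussed on this page (a third party holding the owner’s username and password, versus the Tesla-style “invite, then revoke at any time” sharing described above), here is an added example that is not code from the article, from Tesla, or from any real EV, battery or inverter API. It models a hypothetical data-holder service that issues scoped, time-limited access grants to a third-party app, stores only a hash of each token, and lets the owner revoke a grant. The service name, scope names and telemetry values are all constructed for illustration.

```python
# Added example (not from the article): a minimal model of delegated,
# revocable access as an alternative to a third-party app storing the
# owner's username and password. Service, scopes and data are hypothetical.
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Grant:
    """One delegated-access grant. Only a hash of the token is stored, so a
    leak of this record does not hand out a usable credential."""
    token_hash: str
    owner: str
    grantee: str
    scopes: frozenset
    expires_at: datetime
    revoked: bool = False


class DeviceDataService:
    """Hypothetical cloud account for an EV, battery or inverter (constructed)."""

    def __init__(self):
        self._grants: dict[str, Grant] = {}
        # Constructed sample telemetry for one account owner.
        self._telemetry = {"alice": {"soc_percent": 72, "charge_rate_kw": 7.0}}

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def invite(self, owner, grantee, scopes, ttl_hours=24, now=None) -> str:
        """Owner issues a scoped, time-limited token to a third party.
        The raw token is returned once; the service keeps only its hash."""
        now = now or datetime.now(timezone.utc)
        token = secrets.token_urlsafe(32)
        grant = Grant(self._hash(token), owner, grantee, frozenset(scopes),
                      now + timedelta(hours=ttl_hours))
        self._grants[grant.token_hash] = grant
        return token

    def revoke(self, owner, grantee) -> int:
        """Owner withdraws a third party's access; returns grants revoked."""
        count = 0
        for grant in self._grants.values():
            if grant.owner == owner and grant.grantee == grantee and not grant.revoked:
                grant.revoked = True
                count += 1
        return count

    def _authorize(self, token, scope, now=None) -> Grant:
        """Reject unknown, revoked, expired or under-scoped tokens."""
        now = now or datetime.now(timezone.utc)
        grant = self._grants.get(self._hash(token))
        if grant is None or grant.revoked:
            raise PermissionError("unknown or revoked token")
        if now >= grant.expires_at:
            raise PermissionError("token expired")
        if scope not in grant.scopes:
            raise PermissionError(f"token lacks scope {scope}")
        return grant

    def read_status(self, token, now=None) -> dict:
        grant = self._authorize(token, "status:read", now)
        return dict(self._telemetry[grant.owner])

    def set_charge_rate(self, token, kw, now=None) -> float:
        grant = self._authorize(token, "charge:write", now)
        self._telemetry[grant.owner]["charge_rate_kw"] = kw
        return kw


def demo() -> dict:
    """Invite, use within scope, revoke, and let a grant expire; returns what
    each step produced so the behaviour can be checked."""
    svc = DeviceDataService()
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # fixed clock (constructed)
    token = svc.invite("alice", "charge-app", ["status:read"], ttl_hours=24, now=t0)
    results = {"status": svc.read_status(token, now=t0)}
    try:
        svc.set_charge_rate(token, 3.0, now=t0)
        results["write_blocked"] = False
    except PermissionError:
        results["write_blocked"] = True  # read-only grant cannot control charging
    results["revoked"] = svc.revoke("alice", "charge-app")
    try:
        svc.read_status(token, now=t0)
        results["read_after_revoke_blocked"] = False
    except PermissionError:
        results["read_after_revoke_blocked"] = True
    full = svc.invite("alice", "monitor", ["status:read", "charge:write"], now=t0)
    results["write_allowed_kw"] = svc.set_charge_rate(full, 5.0, now=t0)
    try:
        svc.read_status(full, now=t0 + timedelta(hours=25))
        results["expired_blocked"] = False
    except PermissionError:
        results["expired_blocked"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The design point is that the third party never learns the owner’s password: it holds a token that can only do what it was granted, stops working when it expires, and can be cut off by the owner without changing any credential. Compare that with the reader’s description earlier on the page, where a stored username and password gives whoever obtains it everything the account can do.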

About Richard Chirgwin

Joining the SolarQuotes blog team in 2019, Richard is a journalist with more than 30 years of experience covering a wide range of technology topics, including electronics, telecommunications, computing, science and solar. When not writing for us, he runs a solar-powered off-grid eco-resort in NSW’s Blue Mountains. Read Richard's full bio.

Comments

  1. Des Scahill says

    These proposed changes could well bring about a complete cyber-security nightmare if they are introduced without ‘appropriate’ safeguards.

    However, the likelihood of something ‘appropriate’ being introduced and also being successful seems extremely remote to me. No matter how many assurances I was given by numerous government departments, along with sundry statutory organisations and electricity retailers, my overall confidence in their collective abilities to safeguard any of my personal data at all is zero.

    The prospect of eventually needing to undergo a retina scan, fingerprint and palm print scanning and also a voice-print test, so I can just read the meter; let alone change any settings it has, doesn’t appeal at all.

  2. It’s a strange terminology, probably because the typical security API would use Sessions or via Cookies, a temporary authorisation that expires, but is passed onto third parties via redirection.

    Scraping the page for tables and iframe blocks seems to be what these banking apps are doing, in order to collate debts and credit card accounts between banks, agencies and institutions, but also brokerages, accountants, firms, BNPL, and Tax/Loan companies.

    Likely because they do not have an API, or needed one to exist.

    Prior to regulators, banks chose not to adapt to online banking. Until they were being cut out of transactions, ie PayPal and Credit Cards, BNPL/Interest Free payment loans, et al. Including gateways, ATM and B2B transactions once NFC and Apple/Google/Square/X got invested.

    Tied to the former oligopoly of Credit Checks, which has led to hidden/undisclosed data breaches, probably including the Optus data breach and the Telstra Data Breach, it turns out that caching credentials has consequences.

    But, this only applies to regulation of the FinTech space, because the banks don’t authorise limited session keys.

    Solar, PV, EV, are not as highly secured. It’s also not transaction based. Most of the time, it’s notification based or logging/cloud storage, in order to leverage analytics and maintenance/warranty issues.

    Tesla does share a considerable amount of API data, Fronius, Solaredge does, and many Utilities have session keys needed to share data/access to a Mobile App, even if the process is hidden to users.

    Mostly because it allows notifications.

    Apps that receive notifications of events, use an API and session. The same mechanism could be used by FinTech, it’s just that the industry is… Monopolistic by trait/inheritance. It requires a Bully / Regulatory body to implement a single unified framework to allow credit checks and balance/notifications to persist across domains ie private and ‘public facing’ reporting/convenience apps.

  3. Queensland Common Sense says

    Just because a politician misuses a term, doesn’t make that term correct. This was very misleading, as this is just banning third party applications from using credentials of another service, which will cause issues that these politicians are too uneducated to understand anyway.

    • Peter George Seymour says

      It’s a much more widespread issue. Most of the IoT devices rely on someone like Google passing on your credentials to a third party to allow access to voice commands. It would be a bit exciting if we all lose access to our smart devices.

  4. I would have thought apps like Tesla would adopt an OAuth2 approach. A quick Google and this website https://tesla-api.timdorr.com/api-basics/authentication suggests it does.

    This means the user credentials would not be used to authenticate to third party apps.

  5. Bryce Wilson says

    This is terrifying. The cyber security world is so concerning. Amazed that they are now doing “screen scraping.” First it was basic scams. Then they were using rooftop inverters to hack home Wi-Fi, now even our EVs are at risk.

  6. Hi Richard, Do you know if the threat is coming out of China?
