
Does Volley use screen-scraping?


Posted by James McCann, 16th May 2024

Summary

  • Volley only uses secure, contracted Open Banking APIs provided by your bank.
    We don't use screen-scraping.
  • Volley uses one-off payment consents, so you confirm each payment securely in your banking app.
  • We're expanding to more banks as Open Banking APIs become available.

I’ve received a few questions in the past couple of weeks about how exactly Volley works and what we do to connect with your bank account, so I want to answer those here.

First, a quick recap:

But behind every fun user experience there’s an utmost need for safety and security - it’s your money after all!

Read on to find out how we do that.

What is screen-scraping?

Screen-scraping involves you giving your bank username and password to a third-party app or website, which they store and then use repeatedly to “act as you” with your bank. This has been the main way for third-party services to access your bank account for the last few years.

One of the oldest and most well-known examples of this in New Zealand is POLi, used prominently by Air New Zealand, but there are others too.

The problem with screen-scraping is that it’s not secure

It’s extremely easy for a bad actor (a "hacker", if you like) to build a fake version of your bank’s website and trick you into thinking it’s the real deal. This is called phishing in computer security. When you “log in” to a phishing website, your username and password get harvested for the attacker to use to access your real bank account and transfer away funds.

Services that use screen-scraping ask you to put your bank's username and password into their website. Sounds sort of like phishing, right? Well, it's dangerously similar.

Even if the screen-scraping service has the best of intentions, sharing your account credentials is still risky business. Any time you give your password to another website, you're running the risk that it might be a phishing one instead - and you only need to be wrong once to lose out!

You might be able to spot a fake of your bank’s website that you visit frequently, but how about a fake POLi site? If you’re putting your password into both then they’re both part of the attack surface.

Keeping control in your hands with Open Banking

Open Banking is a new way for apps and services to connect with your account over secure, contractual access using APIs provided by your bank. These APIs are available for third-party apps like Volley to use, once accredited.

Open Banking standards are themselves based on other open standards like OAuth that have been part of the modern web for many years. If you’ve used things like “Login with Facebook” or “Login with Google”, then you’ve used a lot of what underpins Open Banking, too.

In Open Banking, third-party apps request access for certain actions on your bank account, without getting full control. You approve the action by reviewing and confirming in your banking app, without needing to share your login details with the service.

The different permissions you can give to an app range from “just this one payment” through to “read all my transactions for the next 90 days”. In the case of ongoing payments, additional protections like “only to this recipient” or “only up to this total limit” or “only X times per year” all make it harder for an attacker to somehow redirect your money to their own account.

In either case, there isn’t a big database full of passwords or long-lived access tokens that an attacker might be able to steal and use to do whatever they wanted to thousands of accounts.

So does Volley use screen-scraping?

You’ve probably guessed by now - the answer is no. We’re committed to partnering with banks using only secure and contracted Open Banking APIs. We don’t accept the risks posed by using screen-scraping or reverse-engineered APIs that would lessen the security of your money.

Better still, Volley works using one-off payment consents, without ongoing access to your account. You confirm each Volley payment you want to make in your banking app and once it’s done, it’s done! Volley can’t make any other payments without you consenting again.
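To make the scoped permissions from the Open Banking section and the one-off consents described here concrete, below is a small Python model of how a bank can enforce a payment consent. It is an added illustration written for this post, not Volley's code or any bank's real API; the `BankConsentRegistry` class, the account and payee names, and the amounts are all constructed. The point it shows is that a consent carries only the authority the user confirmed (one recipient, a total limit, a use count where 1 means one-off, and an expiry), so a leaked consent id is far less useful than a leaked password.

```python
"""Toy model of Open Banking payment consents, constructed for illustration
(hypothetical; not Volley's or any bank's real API)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from decimal import Decimal
import secrets


@dataclass
class Consent:
    consent_id: str
    account: str          # the user's account this consent is scoped to
    payee: str            # "only to this recipient"
    max_total: Decimal    # "only up to this total limit"
    max_count: int        # "only X times" (1 makes this a one-off consent)
    expires_at: datetime  # e.g. now + 90 days for an ongoing consent
    spent: Decimal = Decimal("0")
    count: int = 0


class BankConsentRegistry:
    """Stands in for the bank's side of the consent flow (hypothetical)."""

    def __init__(self) -> None:
        self._consents: dict[str, Consent] = {}

    def grant(self, account: str, payee: str, max_total: str, max_count: int,
              lifetime: timedelta, now: datetime) -> Consent:
        # In a real flow this record exists only after the user has reviewed
        # and confirmed the request in their banking app.
        consent = Consent(secrets.token_urlsafe(16), account, payee,
                          Decimal(max_total), max_count, now + lifetime)
        self._consents[consent.consent_id] = consent
        return consent

    def authorize_payment(self, consent_id: str, account: str, payee: str,
                          amount: str, now: datetime) -> tuple[bool, str]:
        # Each check here is a limit a stored username/password cannot carry:
        # a password grants everything the account holder could do.
        consent = self._consents.get(consent_id)
        if consent is None:
            return False, "unknown consent"
        if now >= consent.expires_at:
            return False, "consent expired"
        if account != consent.account:
            return False, "account not covered by consent"
        if payee != consent.payee:
            return False, "payee not covered by consent"
        value = Decimal(amount)
        if value <= 0:
            return False, "amount must be positive"
        if consent.count >= consent.max_count:
            return False, "consent already used"
        if consent.spent + value > consent.max_total:
            return False, "exceeds consented total"
        consent.count += 1
        consent.spent += value
        return True, "authorized"


def demo() -> dict[str, tuple[bool, str]]:
    """Walk a one-off consent and an ongoing consent through constructed data."""
    bank = BankConsentRegistry()
    now = datetime(2024, 5, 16, tzinfo=timezone.utc)
    results: dict[str, tuple[bool, str]] = {}

    # One-off consent: a single $40 payment to a bill-splitting payee.
    one_off = bank.grant("acct-001", "payee-split-123", "40.00", 1,
                         timedelta(minutes=10), now)
    results["one_off_first"] = bank.authorize_payment(
        one_off.consent_id, "acct-001", "payee-split-123", "40.00", now)
    # Replaying the same consent fails: once it's done, it's done.
    results["one_off_replay"] = bank.authorize_payment(
        one_off.consent_id, "acct-001", "payee-split-123", "40.00", now)

    # Ongoing consent: up to 3 payments totalling $100 over 90 days, one payee.
    ongoing = bank.grant("acct-001", "payee-rent", "100.00", 3,
                         timedelta(days=90), now)
    results["ongoing_ok"] = bank.authorize_payment(
        ongoing.consent_id, "acct-001", "payee-rent", "60.00", now)
    # A redirected payee is refused even with a valid consent id.
    results["ongoing_wrong_payee"] = bank.authorize_payment(
        ongoing.consent_id, "acct-001", "payee-other", "10.00", now)
    # Going over the agreed total is refused.
    results["ongoing_over_total"] = bank.authorize_payment(
        ongoing.consent_id, "acct-001", "payee-rent", "50.00", now)
    # After the 90-day window nothing is authorized at all.
    results["ongoing_expired"] = bank.authorize_payment(
        ongoing.consent_id, "acct-001", "payee-rent", "10.00",
        now + timedelta(days=91))
    return results
```

Calling `demo()` returns one `(ok, reason)` pair per scenario: the first one-off payment is authorized and its replay is refused, while the ongoing consent refuses a different payee, an amount over the agreed total, and any request after expiry. The checks run in a fixed order so the reason reported is the first limit breached; a real bank would also bind the consent to the user's authenticated session and log each decision.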

Going all in on Open Banking is not an easy decision as it means that we’re unable to provide all of Volley’s features to users on banks that don’t currently provide Open Banking APIs. However, we believe that the open standards published by Payments NZ and the API Centre represent the best possible future for consumers from a trust and security perspective.

We’re banking on that.


James McCann

Founder, Volley