Payday lenders ask customers to share myGov passwords, putting them at risk
Payday lenders are asking applicants to share their myGov login details, as well as their internet banking password — posing a security risk, according to some experts.
It also goes against the advice of the government website.
As spotted by Twitter user Daniel Rose, the pawnbroker and loan provider Cash Converters requires people receiving Centrelink benefits to provide their myGov access details as part of its online approval process.
A Cash Converters spokesperson said the company gets data from myGov, the government's tax, health and entitlements portal, via a platform provided by the Australian financial technology firm Proviso.
This occurs online, and computer terminals are also provided in-store.
Luke Howes, CEO of Proviso, said "a snapshot" of the most recent 90 days of Centrelink transactions and payments is collected, along with a PDF of the Centrelink income statement.
Some myGov users have two-factor authentication turned on, which means they must enter a code sent to their mobile phone to log in, but Proviso prompts the user to enter the digits into its own system.
This lets a Centrelink applicant's recent benefit entitlements be included in their bid for a loan. This is legally required, but does not need to occur online.
Keeping data safe
A Department of Human Services spokesperson said users should not share their myGov credentials with anyone.
"Anyone who is concerned they may have provided their username and password to a third party should change their password immediately," she added.
Disclosing myGov login details to any third party is unsafe, according to Justin Warren, chief analyst and managing director of IT consultancy firm PivotNine, especially given it is the home of My Health Record, Child Support and other highly sensitive services.
Nigel Phair, director of the Centre for Internet Safety at the University of Canberra, also advised against it.
He pointed to recent data breaches, including the credit score agency Equifax in 2017, which affected more than 145 million people.
"It's great to outsource certain functions, but you can't outsource the risk," he said.
ASIC penalised Cash Converters in 2016 for failing to adequately assess the income and expenses of applicants before signing them up for payday loans.
A Cash Converters spokesperson said the company uses "regulated, industry standard third parties" like Proviso and the American platform Yodlee to securely transfer data.
"We don't wish to exclude Centrelink payment recipients from accessing funding when they need it, nor is it in Cash Converters' interest to make an irresponsible loan to a customer," he said.
Handing over banking passwords
Cash Converters prominently displays Australian bank logos on its site, and Mr Warren suggested it could appear to applicants that the system came endorsed by the banks.
"It's got their logo on it, it looks official, it looks nice, it's got a little lock on it that says, 'trust me,'" he said.
The bank selection page looks like this:
[Image: During the online loan application process, Cash Converters asks the customer to select their bank. Credit: Cash Converters website screenshot]
Once bank logins are supplied, platforms like Proviso and Yodlee are then used to take a snapshot of the user's recent financial statements.
Yodlee is commonly used by financial technology apps to access banking data; ANZ itself used it as part of its now shuttered MoneyManager service.
Nevertheless, Australian banks mostly oppose handing over your internet banking credentials to third parties.
They are eager to protect one of their most valuable assets — user data — from market rivals, but there is also some risk to the consumer.
If someone steals your credit card details and racks up a debt, the banks will typically return that money to you, but not necessarily if you've knowingly handed over your password.
According to the Australian Securities and Investments Commission's (ASIC) ePayments Code, in some circumstances, customers may be liable if they voluntarily disclose their account information.
"We offer a 100% security guarantee against fraud … as long as customers protect their account information and advise us of any card loss or suspicious activity," a Commonwealth Bank spokesperson said.
ANZ said it does not recommend logging into internet banking through third party websites.
How long is the data stored?
In the rush to apply for a loan, it could be easy to miss the fine print.
Cash Converters states in its terms and conditions that the applicant's account and personal information is used once and then destroyed "as soon as reasonably possible."
However, some subsequent "refreshing" of the data may occur for a period of up to 90 days.
"It may scrape more of the data for up to 90 days after you've applied," Mr Warren suggested.
If you decide to enter your myGov or banking credentials on a platform like Cash Converters, he advised changing them immediately afterwards.
Users are prompted to enter banking details on a page like this:
[Image: Cash Converters asks online loan applicants to provide their internet banking details. Credit: Cash Converters website screenshot]
A Cash Converters spokesperson claimed it does not store customer myGov or online banking login details.
Proviso's Mr Howes said Cash Converters uses his company's "one time only" retrieval service for bank statements and myGov data.
The platform does not store any user credentials.
"It needs to be treated with the highest sensitivity, whether it's banking records or it's government records, and that's why we only retrieve the data that we tell the user we're going to retrieve," he said.
Still, Mr Phair advised that users should not give out usernames and passwords for any portal.
"Once you've given it away, you don't know who has access to it, and the fact is, we reuse passwords across multiple logins."
A safer way
Kathryn Wilkes is on Centrelink benefits and said she has received loans from Cash Converters, which provided financial support when she needed it.
She acknowledged the risks of disclosing her credentials, but added, "You don't know where your information is going anywhere on the net.
"As long as it's an encrypted, secure system, it's no different than a working person going in and applying for a loan from a finance company — you still provide all your details."
Critics, however, argue that the privacy risks raised by these online loan application processes affect some of Australia's most vulnerable groups.
Mr Warren said this could all change if the banks made it easier to safely share consumer data.
"If the bank did provide an e-payments API where you could have secured, delegated, read-only access to the [bank] account for 90 days-worth of transaction details … that would be great," he said.
Mr Howes agreed, adding that this is something the financial technology industry is working towards.
The federal government commissioned a review of open banking in 2017.
"Until the government and banks have APIs for consumers to use, then the consumer is the one that suffers," Mr Howes said.
"That's why the choice is there for technologies like this, and people can use it if they want to."
Yodlee, Nimble and Wallet Wizard did not return the ABC's request for comment.