Why is Qantas asking for your Internet banking password?
An example of incompetence and poor judgement
Someone in my LinkedIn network wrote about this experience with Qantas:
As a consumer with a mortgage, I decided to explore the market to see if I could get a better interest rate on my home loan. I was surprised to find that comparable loans from other banks were significantly less than what I was currently paying. I was prompted to look at the market by an offer from Qantas regarding new lowered rates, plus 100,000 points per year for the life of the loan. Great, I love flying Qantas so I started the application.
Everything was going great in their application process until they asked for my internet banking details, including login credentials. As a cyber security professional, I know this is a dangerous practice that can leave consumers vulnerable to fraud and it goes against all the things the banks teach their customers. After looking at the fine print (included in the image below), it looks like Qantas outsourced this function to a third party, which raises even more concerns for me about privacy and cyber security. I wonder what the legal consequences are for consumers who provide their Internet banking login details if fraud occurs... as I expect it would break the bank's T&C? Are NAB, Commonwealth Bank, ANZ, Westpac and Bendigo Bank aware of this practice?
What are your thoughts on this practice and Qantas defaulting to using this as a way to access details? They do provide a fallback method, which is payslips, but it isn't offered as the preferred choice by Qantas, which states the application will be faster if you provide Internet banking credentials (username and password). I can see scammers using this for their next campaign.
Below is the screenshot he provided:
Below is the fine print from Qantas:
Notice that Envestnet Yodlee is the company to which Qantas outsources this function. That is, Yodlee is the company that will receive your internet banking password.
Qantas is not the only company guilty of this brain-dead practice of asking for their customers’ internet banking passwords.
For example, Zoho Books has a feature that syncs your accounting books with your bank account. To do that, it asks you for your banking password. Zoho Books outsources this function to Yodlee too!
I have heard of other fintech services that also ask for your banking password so they can provide you with some cool new features.
I have spoken to a bank representative before. The bank confirmed that giving away your banking password like that WILL VIOLATE the terms and conditions of your internet banking service!
So, this begs the question: why is Qantas asking their customers to violate the terms and conditions (T&C) of their banking service?
Let’s say you give your internet banking password to Yodlee via Qantas. You will be violating the T&C of your banking service. Then let’s say your bank account gets hacked and you lose all the money in it. Since you violated the T&C of your banking service, you will NOT get a cent back: the bank will not cover your loss from the unauthorised transactions.
Qantas doesn’t need to ask for your banking password
There is already a technology that solves this problem. It is called “Open Banking”, defined as:
Open banking is a banking practice that provides third-party financial service providers open access to consumer banking, transaction, and other financial data from banks and non-bank financial institutions through the use of application programming interfaces (APIs).
Through those APIs, the customer authenticates with their own bank and authorises the third party to read specific data. The non-bank entity never needs to know the user’s banking password, and the access it gets can be limited in scope and revoked by the customer.
There is another technology that solves this problem. It is called “OAuth”, which
enables an end user's account information to be used by third-party services, such as Facebook and Google, without exposing the user's account credentials to the third party.
Banks rarely expose OAuth directly to arbitrary third parties, but Open Banking itself is built on it: the Australian Consumer Data Right (CDR), for instance, uses the FAPI profile of OAuth 2.0 and OpenID Connect, so the two are not really competing alternatives.
All of the Tier 1 banks in Australia support Open Banking under the CDR, and many, if not most, Tier 2 banks support it too.
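To make the difference between the two approaches concrete, here is an added toy model (my own example, not code from the original post, from Qantas or from Yodlee). `ToyBank`, `PasswordSession`, the client id `loan-app` and the scope names `transactions:read` / `payments:write` are all made-up names for illustration, and the sample accounts and transactions are constructed. The password path gives the third party everything the customer can do; the OAuth-style authorization-code path gives it a single-use code exchanged for a scoped, expiring, revocable token, and the password never leaves the bank's own login step. A real Open Banking deployment adds client authentication, consent screens and PKCE, which are omitted here.

```python
import hashlib
import secrets
import time


class ToyBank:
    """Constructed toy bank: password login plus an OAuth-2.0-style token endpoint."""

    def __init__(self):
        self._pwd = {}     # user -> password hash (toy; a real bank uses a slow KDF)
        self._data = {}    # user -> {"balance": int, "transactions": [str]}
        self._codes = {}   # authorization code -> (user, scopes, client_id)
        self._tokens = {}  # access token -> (user, scopes, expiry)

    def register(self, user, password, balance, transactions):
        self._pwd[user] = hashlib.sha256(password.encode()).hexdigest()
        self._data[user] = {"balance": balance, "transactions": list(transactions)}

    def _check_password(self, user, password):
        if self._pwd.get(user) != hashlib.sha256(password.encode()).hexdigest():
            raise PermissionError("bad credentials")

    # Path 1 (screen scraping): the third party holds the password and logs in AS the customer.
    def login(self, user, password):
        self._check_password(user, password)
        return PasswordSession(self, user)

    # Path 2 (Open Banking / OAuth): the CUSTOMER authenticates at the bank and approves scopes.
    def authorize(self, user, password, client_id, scopes):
        self._check_password(user, password)        # only the bank ever sees the password
        code = secrets.token_urlsafe(16)
        self._codes[code] = (user, frozenset(scopes), client_id)
        return code                                  # short-lived, single-use, bound to one client

    def exchange_code(self, code, client_id):
        user, scopes, bound_client = self._codes.pop(code)   # pop: a code can be used once
        if bound_client != client_id:
            raise PermissionError("code was issued to a different client")
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (user, scopes, time.time() + 3600)
        return token

    def _user_for(self, token, scope):
        entry = self._tokens.get(token)
        if entry is None:
            raise PermissionError("token unknown or revoked")
        user, scopes, expiry = entry
        if time.time() > expiry:
            raise PermissionError("token expired")
        if scope not in scopes:
            raise PermissionError(f"scope {scope!r} not granted")
        return user

    def api_transactions(self, token):
        return list(self._data[self._user_for(token, "transactions:read")]["transactions"])

    def api_pay(self, token, payee, amount):
        user = self._user_for(token, "payments:write")     # a read-only grant never reaches here
        self._data[user]["balance"] -= amount
        return self._data[user]["balance"]

    def revoke(self, token):
        self._tokens.pop(token, None)   # the customer can cut off the client without a password change

    def balance(self, user):
        return self._data[user]["balance"]


class PasswordSession:
    """What a credential-sharing aggregator gets: a full session, reads AND payments."""

    def __init__(self, bank, user):
        self._bank, self._user = bank, user

    def transactions(self):
        return list(self._bank._data[self._user]["transactions"])

    def pay(self, payee, amount):
        self._bank._data[self._user]["balance"] -= amount
        return self._bank._data[self._user]["balance"]


def demo():
    """Run both paths on constructed accounts and return what the third party could do."""
    bank = ToyBank()
    out = {}

    # Path 1: Alice types her banking password into the third party's form.
    bank.register("alice", "correct horse", 5000, ["-42.00 coffee", "+3000.00 salary"])
    scraper = bank.login("alice", "correct horse")
    out["scraper_reads"] = scraper.transactions()
    out["scraper_can_pay"] = scraper.pay("attacker", 5000) == 0   # nothing in the protocol stops this

    # Path 2: Bob authenticates at the bank and grants read-only access to "loan-app".
    bank.register("bob", "another pass phrase", 1200, ["-15.50 lunch"])
    code = bank.authorize("bob", "another pass phrase", "loan-app", ["transactions:read"])
    token = bank.exchange_code(code, "loan-app")
    out["client_reads"] = bank.api_transactions(token)
    try:
        bank.api_pay(token, "attacker", 1200)
        out["client_can_pay"] = True
    except PermissionError:
        out["client_can_pay"] = False
    bank.revoke(token)
    try:
        bank.api_transactions(token)
        out["reads_after_revoke"] = True
    except PermissionError:
        out["reads_after_revoke"] = False
    out["bob_balance"] = bank.balance("bob")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the comparison is the blast radius: with the password, the aggregator (or whoever later steals its credential store) can move money and cannot be shut out without the customer changing their password at every service that holds it; with the token, the worst case is bounded by the scopes the customer approved and ends the moment the grant is revoked or expires.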
So, there is absolutely no need for Qantas to ask for your internet banking password to provide you the feature. That problem is already solved.
Why is Qantas still doing that?
The only explanation I can see is a certain level of incompetence and poor judgement on the part of whoever came up with such a brain-dead practice.
One of my LinkedIn connections asked these pertinent questions:
Have to wonder who at Qantas came up with this requirement. Who made the decision to implement it? Who are the people in the organisation behind it? Which division? Which team? And which senior executive signed off on it and why?
Good questions.