
“Other” banks

16.01.2019 20:53 #1
Registered User
Lads how in the hell has this “Other banks” functionality been approved by the regulator in relation to consumer privacy? If I want to see my AIB balance in my KBC app, I basically have to handover the login details to my AIB account?


16.01.2019 20:56 #2
Registered User
It's part of the PSD2 regulation introduced last year. Though I was surprised that they just use your regular login details, I expected there to be some token based authorisation system where you had to enable it through the other bank.
16.01.2019 20:59 #3
Registered User
Why would a bank facilitate seeing the balance from another bank account in their app anyway? Is there not an AIB app?
1 thank
16.01.2019 21:08 #4
Registered User
Originally posted by Patww79
Why would a bank facilitate seeing the balance from another bank account in their app anyway? Is there not an AIB app?

Mandated by the PSD2 directive. All EU-based banks need to implement it by end of 2019 AFAIK or face fines.
1 thank
18.01.2019 09:35 #5
Registered User
A workmate has just shown me the KBC Mobile app (on Android) and I'm totally floored. I came on here to write about it and I found this thread with thankfully other people noticing this. Seeing other bank accounts sounds brilliant and it's the type of thing that will be great with PSD2.

In order to set it up, I expected to see something along the lines of a Google authorisation prompt. That is, proper security using a token system where I don't hand my security details out to another app/site, i.e. KBC requests access from AIB in the background for the account number specified and I then log into the AIB site or app to approve it. Instead, I see that KBC asks people to hand over their AIB login ID, Personal Access Code, and the answers to a bunch of security questions.

The level of security risk of doing that is unreal. It boggles my mind about how many people in KBC and whoever developed this feature thought that this was a good idea.

First of all, this is purportedly available now because of PSD2 but it doesn't sound so much like an integration as it does "give us all your IDs, passwords and security questions, we'll store them for you and we'll effectively open a browser on our side, log in on your behalf and tell you the results". Like, that could have been done without PSD2 really.

Secondly, if KBC ever gets compromised, people are going to have to assume now that ALL of their bank accounts are compromised, not just the KBC account because you're storing credentials.

Lastly, and most importantly, KBC is now making it an expectation that people should be handing out their bank account login ID, passwords and PINs to other websites/apps. When somebody gives that info to a scam app or webpage, I'm sure they'll be told "why would you hand over your login ID or password to another site/app"? It's just as stupid as bank staff cold-calling customers and then expecting customers to give them their security information over the phone. It's training people to be scammed by cold-callers and now KBC is training people to be scammed by dodgy apps/sites.

I generally think quite highly of KBC and they've been brilliant for the Irish market but frankly, this is embarrassing. I would advise any KBC user to stay well away from this.
10 thanks
22.01.2019 11:31 #6
Seriously? I agree that it’s not a great way to ‘integrate’ into your bank account, but third party apps are plentiful in the UK - check out Onedox - utilities and banking together in one app! Our reserved thinking will hold us back here. The banks have had to be forced to open their doors by PSD2!
22.01.2019 11:42 #7
Also - yolt is another in the UK - but it’s owned by ING! At least KBC are being upfront here and allowing you to add your accounts to their already trusted app
22.01.2019 13:02 #8
Registered User
I don't think anyone above is against the idea of having access to other banks in your KBC app, but they have concerns on how the data is stored.

In a fully perfect PSD2 world, a secure token would be created when the user grants access (which they can revoke at any time). If that token gets compromised, you revoke it and create a new one. Done and dusted in about 2 minutes.

In the current scenario (I'm just speculating here, I don't know how it's stored) KBC will have your banking details for another bank; if they get compromised on KBC's servers then the other bank pretty much has to create a new bank account for you.

It's the ambiguity of the solution that is confusing people who have some knowledge of how this should work.
2 thanks
22.01.2019 13:29 #9
On other KBC security checks, I have my concerns about some of their other processes. I hate when they ring you to discuss anything because they ask you the same security questions needed to access your account if you ring them. They make their customers perfect targets for vishing. Unless I was actually expecting a call related to a specific issue, I always hang up and ring them back. Which in itself is a pain as you can't always get talking to the person who rang you.
1 thank
22.01.2019 14:34 #10
Registered User
Originally posted by fran426ft
On other KBC security checks, I have my concerns about some of their other processes. I hate when they ring you to discuss anything because they ask you the same security questions needed to access your account if you ring them. They make their customers perfect targets for vishing. Unless I was actually expecting a call related to a specific issue, I always hang up and ring them back. Which in itself is a pain as you can't always get talking to the person who rang you.

I know this doesn't excuse it, but they're not alone in this practice.
1 thank
22.01.2019 15:51 #11
Registered User
Originally posted by madfella65
Seriously? I agree that it’s not a great way to ‘integrate’ into your bank account, but third party apps are plentiful in the UK - check out Onedox - utilities and banking together in one app! Our reserved thinking will hold us back here. The banks have had to be forced to open their doors by PSD2!

If everyone did it the KBC way and you start by giving your entire bank account login and security question details to KBC, then OneDox, then want to try out Mint (if they ever open here) and then a bunch of other apps, at what point do you become worried that maybe your bank account login details are in too many places?

Onedox looks good. It does ask for people's login credentials but only to utility companies from what it looks like. That's not as much of a security risk although it's not ideal. They offer "proper" integrations with Starling Bank, Dropbox and Google which are more in line with how the security SHOULD be done for both bank and utility companies:

https://help.onedox.co...he-starling-bank-app

I agree PSD2 will be great. I don't think it's being reserved or conservative to say that if these integrations are to be done, they should be done right and not put customers at risk for the sake of being the fastest to market or the laziest/cheapest solution to comply with PSD2.
2 thanks
23.01.2019 19:46 #12
I heard about it and went to set it up in the mobile app out of curiosity (don't think it's a useful feature on its own but integration offers more down the road) but stopped when I saw what it was asking for.

Who did the threat analysis in KBC to conclude it was okay to request and probably store third party credentials?

Who did the threat analysis in AIB for their open banking API authentication?

Even ignoring the implementation issues, I didn't see T&C's on if or how KBC might use my external balance information for their own purposes. (E.g. credit scoring). It's probably covered somewhere, but IMO should be presented to the user before they select a bank to add.
Last edited by MugsGame: 25.01.2019 at 13:45.
2 thanks
24.01.2019 21:28 #13
Registered User
Any response KBC? It's been a few days since these concerns were raised.
25.01.2019 22:59 #14
I would agree with only one concern: it’s not clear how KBC will use information about your other accounts. The other concerns must be addressed to the respective banks: Bank of Ireland (the most technology-dead bank in Ireland), AIB etc.

In accordance with the already mentioned PSD2, all EU banks should start providing some sort of API (Application Programming Interface) to work with data. For example, it can be an API to get account balance, last transactions etc. This API can be used by 3rd-party web, mobile and desktop applications. When you (as a software developer) would like to use such an API for your application, you have to contact the respective bank (BOI, AIB etc.).

The authentication and authorization mechanisms are fully the responsibility of the owner of the API, i.e. whoever provides the data. Token-based authorization (or support for tools like Google Authenticator) must be implemented by BOI or AIB in this case.

I believe that the KBC Mobile Development Team, and KBC in principle, contacted BOI and AIB and requested this information. Since you see a request to put in your real username and password for your BOI account, I guess the discussion went along the lines of “we (BOI) don’t have capacity to implement proper authorization mechanisms, we don’t care about the data of our customers, we trust you and we don’t want to pay penalties because of PSD2, so let’s allow authorization with real username and password”.

And again... The authorization and authentication mechanisms are the responsibility of the banks which provide the data. The responsibility of the consumer (the KBC Mobile App and KBC as an organization) is just to store and use it in a secure way.
25.01.2019 23:17 #15
Registered User
No way you should be sharing your account details for login with another company.
This should be token based, where you grant access at one bank and are given a key that you then share with the other bank so that they can then access that data. I mean this isn't rocket science, and API-driven data has been around for years using token authorisation.

KBC's way (and as mentioned above I assume it is an issue with the other banks more so, in not having proper systems in place to facilitate this) is so open to abuse and other issues.
1 thank
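As an added illustration, not code from this thread or from KBC, AIB or any bank, the following Python simulation models the delegated, revocable token flow that posts #8 and #15 describe: the user approves the third party at their own bank, the third party holds only a scoped token, and a leaked or unwanted token is revoked without touching the underlying login. The class and function names, the client id `kbc-mobile`, the scope strings and the sample balance are all assumptions constructed for the example.

```python
import secrets
import time

# Constructed sample balance at the account-holding bank (hypothetical data).
ACCOUNTS = {"alice": 1250.40}


class BankAuthorizationServer:
    """Stands in for the bank that holds the account (AIB/BOI in the thread).
    It issues scoped, expiring, revocable tokens after the *user* approves the
    third party; the third party never receives the user's login or PAC."""

    def __init__(self):
        self._grants = {}  # token -> grant record

    def grant_access(self, user, client_id, scopes, ttl_seconds=3600):
        # Called only after the user has authenticated at THIS bank and consented.
        token = secrets.token_urlsafe(32)
        self._grants[token] = {"user": user, "client": client_id,
                               "scopes": frozenset(scopes),
                               "expires": time.time() + ttl_seconds}
        return token

    def revoke(self, token):
        """User or bank revokes one grant; the account login itself is untouched."""
        return self._grants.pop(token, None) is not None

    def _check(self, token, client_id, scope):
        grant = self._grants.get(token)
        if grant is None:
            raise PermissionError("token unknown or revoked")
        if grant["client"] != client_id:
            raise PermissionError("token not issued to this client")
        if time.time() > grant["expires"]:
            self._grants.pop(token, None)
            raise PermissionError("token expired")
        if scope not in grant["scopes"]:
            raise PermissionError(f"scope {scope!r} not granted")
        return grant

    def read_balance(self, token, client_id):
        grant = self._check(token, client_id, "accounts:balance:read")
        return ACCOUNTS[grant["user"]]

    def make_payment(self, token, client_id, amount):
        # A read-only token can never reach this scope, even if it leaks.
        grant = self._check(token, client_id, "payments:write")
        ACCOUNTS[grant["user"]] -= amount
        return ACCOUNTS[grant["user"]]


def aggregator_fetch_balance(bank, token):
    """What the aggregating app (KBC's role here) stores and presents: only the token."""
    try:
        return bank.read_balance(token, client_id="kbc-mobile")
    except PermissionError:
        return None
```

Compare this with the credential-storage approach the thread complains about: there, a compromise of the aggregator yields the full login, and the only "revocation" is the other bank issuing new credentials or a new account.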