I've been going through the process of applying for a refinance home loan via a broker I first saw on this site and he sent me a link to upload financial information via the website https://www.bankstatements.com.au/ .
All seemed legitimate until I clicked through to the portal and it asks for me to input my bank client reference number and password!
This is incredibly insecure as for all I know this could be just a middleman attack to get my details but the broker seems to think its OK. Its really made me think if this broker is trustworthy now.
Anyone ever used it or got thoughts on it?
Insecure Docs for a Home Loan through Broker?
caleb2003 on 18/06/2023 - 09:33
Comments
That illion service is legitimate and is even used by some banks - and that's despite it technically being a violation of their own product terms and services.If you're not comfortable with it, you should still be able to manually provide exports of your statements.
My two cents on the matter is that providing your documents through that illion service will likely be far more secure than your broker, who will have no clue on basic information security practices.
If you know the destination of the refinancing (the bank or institution) , contact them direct for guidance.
Or enquire at or visit AFCA site there may be some relevant FAQs.I went through this dilemma about two years ago.
I gave access to the portal for my bank details to scrape the required information then immediately after changed my banking password.
With all the issues around cyber security and identity theft the Government could provide guidance around this and enforce some sort of API or standard for this use case.
We have had Open Banking APIs for a couple of years now, it's disappointing to see those APIs have not been integrated with these kinds of services.
i think ubank …. using them
The website is legit and a lot of mortgage brokers use and banks endorse them. The website scrape and generates reports and certify that they are not tampered with.
Some brokers don’t accept printed statement and rely on third party apps like these.
I would recommend talking to your mortgage broker and express your concerns and see if there is any other way to provide this information. If not, like CommanderCrumbcake said, provide bank statements through this website and change your passwords and logout of all devices to remove session cookies.
Yeah they said I could just email them but now i'm having to scour the internet to make sure they are who they say they are. No way banking passwords should be used outside of a bank, even best to keep your client ref number to yourself. my bank Westpac passwords requirements are already insecure imo . Anyone could be spoofed by this, just pretend your a broker and put up an amazing rate and voila.
Geeez
The risk of going through 3rd party / mortgage broker, presents additional point of data breach.
https://www.ozbargain.com.au/node/752395
Lesson learnt the hard way.
Sounds like there's a case to stay put & renegotiate.
My broker did the same; of course, I refused and sent the information manually. He's been my broker for a few years and know he's legit.
Requiring a customer's bank login is terrible practice, why can't these third party companies access via API calls?
eg customer creates a secure private key specific to bankstatements that gives them readonly from inside their internet banking and sends it to bankstatements, something like that. Big4 like cba and westpac spending hundreds of mil on their tech and they couldn't think of a better way to do this?
There's no way I would agree to having a third party have direct access to banking details. That's ridiculous. Offer to provide manual bank statements or go elsewhere.