Banks could be opening up your data to cyber-criminals


Tomorrow will bring a new era of banking that experts warn could put people at greater risk of online scams and identity theft.

From 13 January, banks and building societies in Europe will be legally required to give any regulated third party access to all their customer data.

The initiative is known as ‘open banking’ and aims to give people the choice to use services from a variety of providers.

But these third parties could be vulnerable to cyber attack, which means private customer details are at greater risk of falling into the wrong hands.

The ‘open banking’ initiative also gives fraudsters more opportunities to pose as a third party provider to steal your identity and financial details.

Stuart Poole-Robb, chief executive of internet security company KCS Group, and a former MI6 intelligence officer, has outlined four ways to make sure your financial details are safe.

With open banking, information will increasingly be passed on to third parties, meaning your personal data is more widespread.

This will expose people to identity theft, explains Mr Poole-Robb, who says the level of vulnerability is ‘off the scale’.

He recommends people don’t give their banks information over the phone, unless they can validate who they are talking to.

It is better practice for a bank to ask people to write a letter confirming their details, to ensure sensitive data ends up in the right hands.

If people have to give information over the phone, the former MI6 intelligence officer says they should call their bank directly from a secure landline.

If your bank claims your account has been compromised and wants to ask security questions, decline to answer and then call your branch and speak to someone you know.

‘Open banking means people will contact you asking for access to your information and if you cannot provide suitable checks to their identity you are going to be exposed’, said Mr Poole-Robb. 

‘It might take longer to write, but I am going to be a much more secure individual.’

With social media, strangers can obtain more information about you than you might think, including who you’re friends with and where you go on holiday.

This makes it easier for them to pretend to be someone they are not. 

Mr Poole-Robb said it was ‘just too easy’ for scammers and fraudsters to use and abuse the significant data already floating around on the web to perpetrate identity theft.

‘Gradually, little by little over several phone calls they build a picture all by asking seemingly innocuous questions,’ he added.

‘Much of the early information employed is open source data or data leaked from third parties.’

Fraudsters are likely to start employing new techniques to win your trust and get your data.

This means using more creative forms of subterfuge to win your confidence, such as going to your house.

‘Hackers are going to start coming at it from the left side of the court’, Mr Poole-Robb says. 

‘They come as barristers, policemen, investigative journalists, members of the royal family and politicians – it’s amazing’, he said.

He recommends people politely refuse anyone coming to their house asking for personal information.  

‘The IDs they produce are never particularly sound, although it could appear to be so’, he said. 

‘Close the door – if they’re genuine they won’t mind – and call their office to ask who they are’, he said.  


‘Change your password every 28 days – you cannot expect to sit idly by and hope you won’t get hacked, always assume and plan for the worst’, said Mr Poole-Robb. 

He recommended using passwords at least 8 characters long with a mix of words and numbers.

‘Or you take the Bible, go to Genesis, go to the first line, and then choose a different line for each month’, he said.

Equally, ensure that when filling out forms in banks, nobody – not even staff – can see what you are writing. He also says people should avoid using ATM machines on outside walls. 

Experts now believe long passwords that contain perhaps four words are harder to break than shorter ones with a mix of letters, characters and numbers. 

Although people might think their choice of password is original, they usually end up using the same combinations time and again – things like Pa$w0rd or Monkey1!.

Mr Poole-Robb says it is also important to find out if your details have already been compromised – and this should become easier in May when new legislation comes into force.

In August more than 700 million email addresses and a number of passwords were leaked in what was believed to have been the biggest spambot dump ever seen. 

The information was leaked after cyber criminals allowed visitors to their servers to download their database without needing a username or password. 

You can see if your email has been compromised by going on the Have I Been Pwned website.

Under new legislation coming in May, reporting of personal data breaches will become mandatory for companies within 72 hours of becoming aware of them. 

This will make it easier to find out if your email or account has been compromised. 

If a breach poses a high risk to individuals, for example relating to personal data that has not been encrypted, those individuals must be informed ‘without delay.’

This is part of the European Union General Data Protection Regulation (GDPR).

GDPR aims to give control of personal data back to customers – and it could be good news for data breaches.

Julian Saunders, CEO and founder of data management company said GDPR will raise the standard of marketing, customer service and product personalisation by making organisations ‘work harder to win the trust of customers’.

‘Every organisation will need to prioritise data security – especially those seeking to use sensitive financial information’, he said.  

It will introduce stricter rules on how firms and organisations handle and use our personal data. 

In particular, the new directive takes aim at how sensitive customer information is processed, stored and exchanged among businesses.  

‘Breaching GDPR carries the risk of big fines, but the larger, long term risk is the damage to brand reputation’, said Mr Saunders. 

‘Failing to act responsibly with personal data will be punished by a loss of trust and, consequently, business’, he said. 


