Third-party access to bank accounts

Several third party providers offer intra-bank payment and account information services for e-banking customers. Although this may be convenient, there are some risks involved.

Protect yourself by...

  • not passing on your personal e-banking access data (password, PIN, ID number, etc.) to anyone, i.e. neither to another person nor to any third party provider.

To access customer bank accounts, third party providers usually request and use their customers’ e-banking access data. Passing on your personal access data to third parties, however, can lead to severe security risks for you as a customer. In addition, third parties can then transfer your bank customer data from Swiss financial institutions’ very strictly regulated systems (FINMA, banking legislation, etc.) to environments which are less strictly controlled.

Please be careful!

Both the use of impersonation and the non-regulated processing and storage of bank customer data harbour significant risks for you.

«eBanking - but secure!» therefore advises against passing any personal e-banking access data to third parties at all.

Further information for interested parties:

High-risk use of intra-bank online services

Services offered by third party providers using customers’ personal e-banking access data include, for example, access to bank accounts held with different financial institutions via just one platform. But watch out - by passing on your personal e-banking access data to any such platform, you are running severe security risks.

Impersonation as a security risk

To access their customers’ bank accounts, third party providers usually use a so-called impersonation facility (pretending to be or acting like someone else). To this end, they ask their customers for their personal access data (e.g. password and ID number) for their e-banking facility and then use these data to obtain unlimited access to these accounts in their role as an intermediary.

If you as a customer pass on your personal access data in this manner, this is similar to booking your holidays at a travel agency, then simply logging the person sitting opposite into your e-banking account and leaving the shop - blindly trusting that this employee will only debit the amount you owe from your account, and will then log out again straight away. However, this person might just as well have a look at how much salary you are paid every year, and might even be tempted to try and finance their own holidays from your account. Technically speaking, the use of impersonation is identical to identity theft - the same approach used in classic phishing attacks - even if the third party provider is a respectable one!

With any inappropriate use of your personal access data, your bank will hardly be able to tell whether it is communicating with you as the customer yourself, with a third party provider instructed by you or - in the worst case scenario - with a criminal intermediary. This means the financial institution can no longer act with due diligence, for instance with regard to protecting its bank customer data to a sufficient extent. In the event of loss, you as a customer might even be threatened with liability exclusions.

Loss of control over bank customer data

While Swiss financial institutions are subject to strict guidelines to protect their bank customer data and the security of their own systems, third party providers can, if you give them your consent, process and store your data in environments which are much less well regulated. In some cases, these systems are neither owned nor controlled by the third party providers themselves. This is because they often use so-called cloud solutions where the exact storage location of data is often unknown. And usually, Swiss client secrecy does not apply to such systems either!

The effects of this loss of control over the storage of personal data are incalculable. And if nothing else, this can make it easier for criminals to obtain access to personal bank customer data.
