Screen scraping is an automated process that uses bots, tools, or web crawlers to extract data or output from a web application, read parameter values or data fields, perform reverse engineering to learn about application operations, and more.
Screen scraping exists for two main reasons. First, since information is the new gold of the digital era, screen scraping grabs as much information as possible from websites. Second, it automates processes, improving the user experience when third parties access corporate websites on behalf of users who have authorized them to do so.
Even though screen scraping is not an illegal practice, it can be used for fraudulent purposes, exposing digital businesses and their customers to several security risks. Here are some examples:
- Content sites with premium subscriptions. Screen scraping can copy premium content and republish it on other sites with lower subscription prices.
- E-commerce sites. Competitors can quickly undercut an e-shop's pricing and discount strategy by scraping its product catalog and the related prices.
- Social media and digital ecosystems. Screen scraping could lead to spear-phishing attacks that leverage the personal information people share online.
- Online banking systems and payment gateways. Here screen scraping runs directly against the most essential security rule: do not share your credentials with others.
The last point was the main reason that drove the European Banking Authority (EBA) to ban screen scraping within the Payment Services Directive Two (PSD2) security requirements and to push for a more secure communication environment based on the Open Banking paradigm.
The PSD2 approach turned out to be far-sighted. The growth of digital business during the pandemic led to a steady increase in fraudulent activity across various market segments, and screen scraping plays a prominent role in this scenario. That is why, worldwide, from the USA to Australia and South Africa, financial ecosystems and local central authorities are discussing following the EBA's PSD2 approach and ending the use of screen scraping.
However, PSD2 and similar laws focus only on payment services, leaving every other market segment unregulated. Critical financial services such as lending and insurance are also outside the PSD2 perimeter.
It is essential that any fraud protection framework deployed to secure critical digital services include the detection and prevention of screen scraping activity.
XTN Cognitive Security Platform® helps customers address screen scraping risks with in-app behavioral protection capabilities that detect bot activity and distinguish legitimate user browsing from the crawling of automated tools.
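To make the detection side concrete, here is an added example (not part of this article and not XTN's product code) that scores web-server access logs for the kind of catalog-crawling behaviour described above. It assumes the Apache/nginx "combined" log format, an assumed catalog URL layout of `/catalog?page=N`, illustrative thresholds, and constructed log lines using RFC 5737 documentation addresses; the signals it combines are a high request rate, the absence of asset (CSS/JS/image) requests that a real browser would make, a strictly sequential walk through catalog pages, and missing Referer headers.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Parser for the Apache/nginx "combined" access-log format (assumed input format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
ASSET_SUFFIXES = (".css", ".js", ".png", ".jpg", ".woff2", ".ico")
CATALOG_RE = re.compile(r"^/catalog\?page=(\d+)$")  # assumed catalog URL layout


def parse_line(line):
    """Return a dict for one combined-format log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def max_requests_per_minute(timestamps):
    """Largest number of requests falling inside any 60-second sliding window."""
    ts = sorted(timestamps)
    best, start = 0, 0
    for end in range(len(ts)):
        while ts[end] - ts[start] > timedelta(seconds=60):
            start += 1
        best = max(best, end - start + 1)
    return best


def analyse(lines, rate_threshold=30, min_catalog_pages=10):
    """Group requests by client IP and return {ip: [signal, ...]} for every client
    that trips at least two scraping signals. Thresholds are illustrative only."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:  # malformed lines are skipped rather than crashing the analysis
            per_ip[rec["ip"]].append(rec)

    verdicts = {}
    for ip, recs in per_ip.items():
        signals = []
        if max_requests_per_minute([r["ts"] for r in recs]) >= rate_threshold:
            signals.append("high_request_rate")
        # Real browsers fetch stylesheets, scripts and images; page-only clients do not.
        if not any(r["path"].endswith(ASSET_SUFFIXES) for r in recs):
            signals.append("no_asset_requests")
        pages = []
        for r in recs:
            m = CATALOG_RE.match(r["path"])
            if m:
                pages.append(int(m.group(1)))
        if len(set(pages)) >= min_catalog_pages and pages == sorted(pages):
            signals.append("sequential_catalog_walk")
        if all(r["referer"] == "-" for r in recs):
            signals.append("no_referer")
        if len(signals) >= 2:
            verdicts[ip] = signals
    return verdicts


def _combined(ip, ts, path, referer, ua):
    """Build one constructed combined-format log line for the sample below."""
    return f'{ip} - - [{ts:%d/%b/%Y:%H:%M:%S %z}] "GET {path} HTTP/1.1" 200 1024 "{referer}" "{ua}"'


# Constructed sample traffic, not real logs: one script walking 40 catalog pages at
# one request per second, and one browser user loading two pages with their assets.
BASE = datetime(2021, 3, 10, 10, 0, 0, tzinfo=timezone.utc)
SCRAPER_IP, USER_IP = "203.0.113.7", "198.51.100.4"
SHOP = "https://shop.example"  # placeholder site
SAMPLE_LOG = [
    _combined(SCRAPER_IP, BASE + timedelta(seconds=i), f"/catalog?page={i + 1}", "-", "python-requests/2.25.1")
    for i in range(40)
] + [
    _combined(USER_IP, BASE, "/catalog?page=1", "-", "Mozilla/5.0"),
    _combined(USER_IP, BASE + timedelta(seconds=1), "/static/app.css", f"{SHOP}/catalog?page=1", "Mozilla/5.0"),
    _combined(USER_IP, BASE + timedelta(seconds=1), "/static/app.js", f"{SHOP}/catalog?page=1", "Mozilla/5.0"),
    _combined(USER_IP, BASE + timedelta(seconds=45), "/catalog?page=2", f"{SHOP}/catalog?page=1", "Mozilla/5.0"),
    _combined(USER_IP, BASE + timedelta(seconds=46), "/static/app.css", f"{SHOP}/catalog?page=2", "Mozilla/5.0"),
    "this line is deliberately malformed and must be ignored",
]

if __name__ == "__main__":
    for ip, signals in analyse(SAMPLE_LOG).items():
        print(f"{ip}: {', '.join(signals)}")
```

Each signal alone produces false positives (a user who bookmarked a product page has no Referer; a mobile app may cache assets), which is why the verdict requires several to agree; in a real deployment the thresholds would be tuned per site and the verdict would feed rate limiting or a challenge rather than a hard block.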