The ‘Screen Scraping’ Threat and What to Do About It

The term “screen scraping” refers to a method of collecting data from a display screen. This can be done automatically through software designed to recognize the various elements of the user interface. Screen scraping can also be performed by taking an image of the text and using optical character recognition (OCR) to translate the image into text. Simply copying down what appears on the display is a manual form of screen scraping.

Screen scraping has a number of legitimate uses. However, it also creates serious security and regulatory compliance risks, particularly in the banking and financial services, healthcare, and government sectors. Mobile devices used in a bring your own device (BYOD) model can be a significant source of malicious screen scraping. Organizations should take steps to prevent malicious actors from using screen scraping to steal user credentials and sensitive information.

Legitimate Uses of Screen Scraping

Programmers may use screen scraping to transfer data from legacy software to newer applications. Because these applications tend to be formatted for older terminals, the data appears in fixed positions on the screen. The screen scraping tool can locate each onscreen element and capture data from the various fields so that it can be reformatted to meet the new application’s requirements.
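The fixed-position extraction described above, as an added example (not code from the original post or from DeSeMa): a constructed legacy account-inquiry screen, an assumed field layout giving each field's row, column and width, and a reformatting step that converts the captured fields into the shape a newer application expects.

```python
from dataclasses import dataclass
from decimal import Decimal
import json

# Field layout of a hypothetical legacy terminal screen (row, column, width).
# Assumed layout, constructed for this example: not a real application.
@dataclass(frozen=True)
class Field:
    name: str
    row: int
    col: int
    width: int

ACCOUNT_SCREEN_LAYOUT = [
    Field("customer_id", 2, 14, 8),
    Field("name", 3, 14, 30),
    Field("balance", 5, 14, 12),
    Field("last_login", 6, 14, 10),
]

# Constructed sample of an 80-column screen dump, one string per row.
SAMPLE_SCREEN = [
    "ACCT MAINT    CUSTOMER ACCOUNT INQUIRY                          PAGE 1 OF 1",
    "",
    "CUSTOMER ID:  00042817",
    "NAME:         DOE, JANE A.",
    "",
    "BALANCE:         1,234.56",
    "LAST LOGIN:   2024-03-09",
]

def scrape_screen(rows, layout, width=80):
    """Pull each field from its fixed position. Rows are padded or truncated
    to the terminal width so short lines never shift a field's slice."""
    padded = [r.ljust(width)[:width] for r in rows]
    record = {}
    for f in layout:
        if f.row >= len(padded):
            raise ValueError(f"screen has no row {f.row} for field {f.name!r}")
        record[f.name] = padded[f.row][f.col:f.col + f.width].strip()
    return record

def to_new_format(record):
    """Reformat for the newer application: the display-formatted balance
    becomes an integer number of cents; other fields are passed through."""
    out = dict(record)
    out["balance_cents"] = int(Decimal(out.pop("balance").replace(",", "")) * 100)
    return out

if __name__ == "__main__":
    print(json.dumps(to_new_format(scrape_screen(SAMPLE_SCREEN, ACCOUNT_SCREEN_LAYOUT)), indent=2))
```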

There are also tools that can capture information from web browsers, making it possible to transfer data to a third-party application if an API is not available. This technique was widely used in the banking industry but has been phased out in recent years due to security concerns.

More controversial uses of screen scraping include compiling data from public sources and tracking the activities of users on social media sites. Screen scraping can also simulate a user’s actions on an application or website for testing or more nefarious purposes.

The BYOD Threat

Screen scraping can become an insider threat in a BYOD environment. Employees, contractors or third-party business partners may use their access to sensitive applications to steal data or intellectual property. Stopping a determined insider is virtually impossible, but there are steps organizations can take to reduce the risk.

An organization could prohibit user-owned devices. Corporate-owned devices can be locked down so they can’t be used for screen scraping or even taking pictures of interfaces. This can be costly, however, and isn’t always feasible.

In a BYOD environment, organizations should start by implementing least privilege access policies. Users should be given access to the resources they need to do their jobs and nothing more. Access to sensitive data should be carefully controlled. Context-aware policies should also be used to restrict user actions such as copying, pasting and printing. Application protection tools can be used to reduce the risk of screen capture.

How DeSeMa Can Help

DeSeMa can prevent screen scraping at the device level by setting policies on user-owned devices that make it impossible to capture data. This enables organizations to see the cost savings of a BYOD environment, even if they’re in an industry that requires higher levels of security and compliance.

With our approach, an individual would have to bring in a third-party device to take pictures of the screen. At that point, the organization would have to use physical security controls such as video surveillance to detect and prevent such activities.

Some users will be motivated to steal sensitive data for revenge, espionage or personal gain, and they may use methods such as screen scraping and screen capture to achieve these ends. While it’s impossible to fully prevent these threats, DeSeMa can help you reduce the risk and meet regulatory compliance requirements.