Using one of the popular personal finance apps intended to help you manage your money requires a step that causes some people to pause: when the app or site asks you for the passwords to your bank accounts and credit cards.
How safe is it really to turn over the password to the Bank of You? Aren’t we all constantly advised to do just the opposite, as in, don’t ever give anyone your password to anything or you will be inviting digital death and destruction?
We live in an era of data breaches, identity theft and online fraud. Heck, we’ve even cautioned against posting something as innocuous as your mother’s maiden name on Facebook because you’d be giving away the answer to a popular bank security question.
But platform developers and managers of these personal finance apps say they need your confidential information in order to help you manage your money. They promise they can find ways to reduce your bills, help you pay off debt, sock more away in savings, and learn how to invest wisely. Plus, they promise to protect your private data with multiple layers of encryption and security best practices.
Online security experts have strong thoughts about the wisdom of giving out your personal security information to third parties. It’s a game of “who do you trust?” they say. And, as with every online platform we use, it’s a matter of balancing the risk you’re taking against the potential reward.
And yes, there is undeniably a risk.
Find the sweet spot.
If a platform is claiming it is unhackable, well, just run, said Stephanie Carruthers, a “white hat” or ethical hacker known as Snow, whose clients include Fortune 100 companies as well as startups. Nothing is unhackable, she said.
While Snow recommends against any money-management platform that asks for your security information, she told HuffPost that “most of these apps have value and can be beneficial.”
The trick is to find the sweet spot, where the benefit justifies the risk. Carruthers suggested reading an app’s terms of service agreement to know how the information you provide will be used and the responsibility of the data collector. In other words, if the information you provide is compromised, what risk is there to you and your money?
Ilian Georgiev is a co-founder of HiCharlie, a relative newcomer to the personal finance management-by-app niche. He compares using his platform to the level of trust we already show when we shop on Amazon or anywhere else online. “Each time you hit the order button and implicitly believe that what you ordered will actually be delivered, you are showing trust,” he said.
For a business like his, Georgiev told HuffPost, a security breach would be the kiss of death ― an end to the company. Financial management platforms use multi-level security protection steps, he said, because to do otherwise would flirt with disaster.
So when you give HiCharlie your bank information, no live person ever actually sees it, he said. The service cannot move your money or transfer it out of your control to another account. The real-world equivalent, he said, is that someone gets into your trash can and finds a bank statement that doesn’t have your name on it. They would see a transaction record, but not know whose it is.
Georgiev said that a user’s bank credentials (e.g., username and password) never go through HiCharlie’s system, which only gets a list of a user’s transactions that is stored using bank-level 256-bit end-to-end encryption, in anonymized encrypted databases, with very strict access controls.
When you enter your bank credentials, you are actually doing so on a form provided by a third-party bank data aggregator called Plaid. It’s a system used by most personal finance apps, like Venmo, Robinhood and Acorns. Plaid, in turn, is trusted by a long list of banks and credit unions. HiCharlie never sees your bank credentials; Plaid does. HiCharlie simply gets bank transaction logs from Plaid, Georgiev said.
But some apps do store user credentials. Acorns, which rounds up your spending transactions to the nearest dollar and banks the difference for you, does get permissions to move money on behalf of the customer.
Still, trust is hard, Georgiev acknowledged. He and his co-founders posted their photos on HiCharlie, as well as the names of the investors who backed them with a list of other ventures those investors previously were associated with.
It’s intentional, Georgiev said. “We want people to trust us. And so we put our faces out there.”
Read the fine print.
Zouhair Belkoura, founder of the privacy protection suite of apps known as Keepsafe, suggests that before using a personal finance management platform, people should take a hard look at how far the platform is willing to go to stand behind its safety claim.
“Does the service apply the same rigor as a bank to ensure that if fraud or a breach does occur, it will ensure customers are made whole?” Belkoura asked.
The short answer to that last part is probably not. Most don’t. If the platform is hacked and your money misappropriated, the third-party platform will likely not replace it for you. And it’s a point of debate whether your bank will, because the terms of service agreement for your checking account most likely admonishes against giving third-party sites access to your account information. Banks discourage the use of these apps, although some consumer advocates argue that’s because banks just want to be able to market products to you directly and don’t appreciate another business getting between them and their customers.
Banks themselves are protected by the FDIC, which means that if your bank collapses, the federal government insures the money you held in your accounts up to $250,000. Apps and digital platforms, on the other hand, have no such government-backed protection unless it’s an investing app.
Eva Velasquez, president and CEO of the Identity Theft Resource Center, boiled it down to this: “Anytime you share your sensitive PII [or personally identifiable information] with new entities/organizations, you increase your risk surface. The more information you share, and the more organizations you share it with, increase your chances of that information being compromised in some manner.”
Velasquez noted that who you deal with matters. “There are plenty of bogus apps and sites that exist solely to collect your PII and steal your identity, as well as legitimate sites that offer a useful service and have best practices in place,” she said, suggesting that people check third-party reviewers like the Better Business Bureau, organizations such as the National Cyber Security Alliance and her Identity Theft Resource Center for information to help them decide if the risk is worth it.
Know what apps can actually do with your data.
But the internet and e-commerce is filled with risks, isn’t it? Doesn’t this come with the turf?
Catalin Cimpanu, who covers security news for Bleeping Computer, says that as a blanket rule, “giving your password to any third-party is a seriously bad idea.”
“And if I’ve learned anything, it’s that finance management apps are really bad at security,” Cimpanu told HuffPost.
Still, since most banks use multi-factor authentication, your information isn’t stored within the third-party’s interface, and there can be no money transfers without permission, would a data breach really be the end of the world?
Understand what happens if you’re hacked.
By federal law, your maximum liability for credit card fraud is $50. If you report your card lost or stolen, the credit card company generally will close the account pronto and not hold you liable for any fraudulent charges. So you are pretty much safe if someone starts to charge up a storm with your card.
Similarly, money stolen directly from a bank account via a bank transfer is also covered, by Federal Reserve Regulation E, which implements the Electronic Funds Transfer Act. If you indicate that you never authorized a transfer, you will get your money back. Georgiev noted that in practical terms, this type of “hacking” ― stealing money from a bank account ― is a very bad idea.
“Thanks to KYC and AML regulations, there is a detailed paper trail on a global scale. The people responsible will get caught and/or lose access to the funds,” Georgiev said, adding, “That’s why you never really hear of hacks where massive amounts of people lost their bank account funds.”
If funds are stolen from your bank account, would you just have to eat the loss? Chase, Capital One, and Fidelity state on their sites that if you share your information with a third party, you may be on the hook for stolen money. But others disagree. One legal expert told Reuters that the law releasing banks of liability when customers deliberately give power to transfer funds to a third party, such as a family member or business partner, is different from giving credentials to Mint or another money management site that will use it simply to monitor and record the account activity.
Plus, there are laws that limit your liability from theft from your bank account if you report it in a timely fashion. All of which is to say welcome to 2018, where everyone needs to check their bank account every day to protect against fraud.