Have you ever counted how many online accounts you have? Do you listen to music on Spotify, upload your pictures to the cloud or hold your savings in an online bank account? If the answer is yes to any of these questions you should consider what happens to these […]
Your estate plan isn’t complete without accounting for all your digital assets: from bank accounts and investments to even your Facebook page. Here are five steps to get you started. An estate plan is a cornerstone of any comprehensive financial strategy. On a practical level, it can […]
Using one of the popular personal finance apps intended to help you manage your money requires a step that causes some people to pause: when the app or site asks you for the passwords to your bank accounts and credit cards.
How safe is it really to turn over the password to the Bank of You? Aren’t we all constantly advised to do just the opposite, as in, don’t ever give anyone your password to anything or you will be inviting digital death and destruction?
We live in an era of data breaches, identity theft and online fraud. Heck, we’ve even cautioned against posting something as innocuous as your mother’s maiden name on Facebook because you’d be giving away the answer to a popular bank security question.
But platform developers and managers of these personal finance apps say they need your confidential information in order to help you manage your money. They promise they can find ways to reduce your bills, help you pay off debt, sock more away in savings, and learn how to invest wisely. Plus, they promise to protect your private data with multiple layers of encryption and security best practices.
Online security experts have strong thoughts about the wisdom of giving out your personal security information to third parties. It’s a game of “who do you trust?” they say. And, as with every online platform we use, it’s a matter of balancing the risk you’re taking against the potential reward.
And yes, there is undeniably a risk.
Find the sweet spot.
If a platform is claiming it is unhackable, well, just run, said Stephanie Carruthers, a “white hat” or ethical hacker known as Snow, whose clients include Fortune 100 companies as well as startups. Nothing is unhackable, she said.
While Snow recommends against any money-management platform that asks for your security information, she told HuffPost that “most of these apps have value and can be beneficial.”
The trick is to find the sweet spot, where the benefit justifies the risk. Carruthers suggested reading an app’s terms of service agreement to know how the information you provide will be used and the responsibility of the data collector. In other words, if the information you provide is compromised, what risk is there to you and your money?
Ilian Georgiev is a co-founder of HiCharlie, a relative newcomer to the personal finance management-by-app niche. He compares using his platform to the level of trust we already show when we shop on Amazon or anywhere else online. “Each time you hit the order button and implicitly believe that what you ordered will actually be delivered, you are showing trust,” he said.
For a business like his, Georgiev told HuffPost, a security breach would be the kiss of death ― an end to the company. Financial management platforms use multi-level security protection steps, he said, because to do otherwise would flirt with disaster.
So when you give HiCharlie your bank information, no live person ever actually sees it, he said. The service cannot move your money or transfer it out of your control to another account. The real-world equivalent, he said, is that someone gets into your trash can and finds a bank statement that doesn’t have your name on it. They would see a transaction record, but not know whose it is.
Georgiev said that a user’s bank credentials (e.g., username and password) never go through HiCharlie’s system, which only gets a list of a user’s transactions that is stored using bank-level 256-bit end-to-end encryption, in anonymized encrypted databases, with very strict access controls.
When you enter your bank credentials, you are actually doing so on a form provided by a third-party bank data aggregator called Plaid. It’s a system used by most personal finance apps, like Venmo, Robinhood and Acorns. Plaid, in turn, is trusted by a long list of banks and credit unions. HiCharlie never sees your bank credentials; Plaid does. HiCharlie simply gets bank transaction logs from Plaid, Georgiev said.
But some apps do store user credentials. Acorns, which rounds up your spending transactions to the nearest dollar and banks the difference for you, does get permissions to move money on behalf of the customer.
Still, trust is hard, Georgiev acknowledged. He and his co-founders posted their photos on HiCharlie, as well as the names of the investors who backed them with a list of other ventures those investors previously were associated with.
It’s intentional, Georgiev said. “We want people to trust us. And so we put our faces out there.”
Zouhair Belkoura, founder of the privacy protection suite of apps known as Keepsafe, suggests that before using a personal finance management platform, people should take a hard look at how far the platform is willing to go to stand behind its safety claim.
“Does the service apply the same rigor as a bank to ensure that if fraud or a breach does occur, it will ensure customers are made whole?” Belkoura asked.
The short answer to that last part is probably not. Most don’t. If the platform is hacked and your money misappropriated, the third-party platform will likely not replace it for you. And it’s a point of debate whether your bank will, because the terms of service agreement for your checking account most likely admonishes against giving third-party sites access to your account information. Banks discourage the use of these apps, although some consumer advocates argue that’s because banks just want to be able to market products to you directly and don’t appreciate another business getting between them and their customers.
Banks themselves are protected by the FDIC, which means that if your bank collapses, the federal government insures the money you held in your accounts up to $250,000. Apps and digital platforms, on the other hand, have no such government-backed protection unless it’s an investing app.
Eva Velasquez, president and CEO of the Identity Theft Resource Center, boiled it down to this: “Anytime you share your sensitive PII [or personally identifiable information] with new entities/organizations, you increase your risk surface. The more information you share, and the more organizations you share it with, the more you increase your chances of that information being compromised in some manner.”
Velasquez noted that who you deal with matters. “There are plenty of bogus apps and sites that exist solely to collect your PII and steal your identity, as well as legitimate sites that offer a useful service and have best practices in place,” she said, suggesting that people check third-party reviewers like the Better Business Bureau, organizations such as the National Cyber Security Alliance and her Identity Theft Resource Center for information to help them decide if the risk is worth it.
Know what apps can actually do with your data.
But the internet and e-commerce are filled with risks, aren’t they? Doesn’t this come with the turf?
Catalin Cimpanu, who covers security news for Bleeping Computer, says that as a blanket rule, “giving your password to any third-party is a seriously bad idea.”
“And if I’ve learned anything, it’s that finance management apps are really bad at security,” Cimpanu told HuffPost.
Still, since most banks use multi-factor authentication, your information isn’t stored within the third-party’s interface, and there can be no money transfers without permission, would a data breach really be the end of the world?
By federal law, your maximum liability for credit card fraud is $50. If you report your card lost or stolen, the credit card company generally will close the account pronto and not hold you liable for any fraudulent charges. So you are pretty much safe if someone starts to charge up a storm with your card.
Similarly, money stolen directly from a bank account via a bank transfer is also covered, by Federal Reserve Regulation E, which implements the Electronic Funds Transfer Act. If you indicate that you never authorized a transfer, you will get your money back. Georgiev noted that in practical terms, this type of “hacking” ― stealing money from a bank account ― is a very bad idea.
“Thanks to KYC and AML regulations, there is a detailed paper trail on a global scale. The people responsible will get caught and/or lose access to the funds,” Georgiev said, adding, “That’s why you never really hear of hacks where massive amounts of people lost their bank account funds.”
If funds are stolen from your bank account, would you just have to eat the loss? Chase, Capital One, and Fidelity state on their sites that if you share your information with a third party, you may be on the hook for stolen money. But others disagree. One legal expert told Reuters that the law releasing banks of liability when customers deliberately give power to transfer funds to a third party, such as a family member or business partner, is different from giving credentials to Mint or another money management site that will use it simply to monitor and record the account activity.
Plus, there are laws that limit your liability from theft from your bank account if you report it in a timely fashion. All of which is to say welcome to 2018, where everyone needs to check their bank account every day to protect against fraud.
I’m the designated nerd in my family, so I handle all of our online accounts. To keep them secure, I use randomly generated, unique passwords and two-factor authentication.
But that means that my wife doesn’t know the online logins for our iTunes account, our bank and retirement accounts, our gas company, our cable company, our water and power company, and so on and so on.
What if I died or was suddenly incapacitated? How would she access our accounts?
- I need a system that’s secure. I don’t want to weaken all my online accounts just for the off chance that I get hit by a bus.
- I need a system that can outlive my hardware. What if my hypothetical death also destroyed my laptop, tablet, and phone?
- I need a system that can be easily understood by my tech-illiterate survivors.
- Printed or handwritten letter
- Secure physical location (safe, deposit box, etc.)
Step One: Put all your passwords in 1Password
1Password is a password management app available for Mac, Windows, and iOS. It saves your passwords in a secure vault with a master password. Instead of having to remember hundreds of weak passwords, you only have to remember one strong password. The app can generate random, unique passwords for all your online accounts, so if a service gets hacked, your other accounts are safe because each has a unique and unguessable password.
Step Two: Put your 1Password vault in Dropbox
1Password can store your secure password vault in your Dropbox account. That means that by leaving detailed instructions and a few key passwords, all of your online account information can be accessed from one simple file.
Step Three: Write a letter explaining how to access your Dropbox account and 1Password vault
The letter should be stored in a secure location like a safe or safety deposit box in a sealed envelope with the date written on it. And you should tell people important to you about the letter and where to find it. If you have a legal will for your estate, you should mention the letter in that will.
Writing the letter is the hardest step. It should include the following information:
- Your email account username and password. If your family needs to reset any of your passwords, they’ll need access to your email.
- Your Dropbox username and password.
- Your 1Password Master Password.
- Your passcode for your cellphone.
- Detailed instructions for how to access the 1Password master vault.
Here is some example text from my own letter.
Accessing a two-factor authentication protected Gmail account:
My Gmail account is protected with two-factor authentication. This means you need both my password and the Google Authenticator app on my iPhone in order to access it. If you can’t access my phone, you can use a special one-time only backup code to get into my Gmail account without using the authenticator. Once you log in with a backup code, you should turn off two-factor authentication so that you don’t get locked out of the account.
Accessing Dropbox and 1Password:
My writing as well as an encrypted archive containing all of my online passwords can be found in my Dropbox account.
Inside my Dropbox is a file called 1Password.agilekeychain. This is an encrypted archive that contains all of my passwords, including those for important accounts like my bank account. It can be opened using a program called 1Password which is available at https://agilebits.com/onepassword.
Bonus: List Your Online Assets
Passing on all of your online accounts to your survivors isn’t useful if they don’t know what’s worth saving. At the end of the letter, write down a list of every online asset that’s important or valuable to you. For instance, web domains, online photo storage accounts, and anything you’ve written online and want preserved.