Much concern has been raised by consumers about online bank security risks - specifically using 3rd party money aggregators, such as Mint.com and Yodlee, which automatically connect to your bank and try to track all of your accounts in one place. People are asking questions like, "is mint.com safe?" If we ignore the reliability issues (which are many), and look only at the security concerns, here's the problem in a nutshell:
When you sign up for one of these services, you have to give them your online banking username and password (credentials) so they can go and collect the information from your bank for you. Budget security all of a sudden becomes a serious issue.
Once they have this information you are at risk because - although these aggregator services typically only read your information and don't actually move any money... the possibility exists that they could. Worse, although these services take precautions, if a security breach ever happened - your actual money in your bank accounts could be affected (i.e. vanish) and you would have NO RECOURSE for the action.
Sounds a little scary huh?
Now, granted that the security measures in place at mint.com and other online tools are very good, the potential still exists for a rogue employee or expert hacker to break into these services and steal your information and thus gain access to your money. So... what do banks have to say about this? Here's what my bank says:
Protect your Scotia OnLine Password.
Your Scotia OnLine password is confidential and must never be shared with any outside person or company, including:
- Account aggregation services that consolidate and display all of your financial information in one place.
- Software that records your password so that you don't need to enter it the next time you access a website.
- Services that collect your card number and password, or any other confidential information, to perform transactions on your behalf or to collect payment from you.
- Any other agreements you may make or services you accept which include your consent to having your Internet activity monitored.
In divulging your password, you contravene the terms of your ScotiaCard Cardholder Agreement and you will be fully liable for any unauthorized access to your accounts and all associated losses arising from these disclosures.
(Taken from Scotiabank's website)
Using other aggregation websites
Other companies offer aggregation websites and services that allow you to consolidate your financial account information from different sources (such as your accounts with us or with other financial institutions) so that you can view all your account information at one online location. To do this, an aggregation provider may request access to Personal Information, such as financial information, usernames and passwords. You should use caution and ensure that the aggregator company has appropriate policies and practices to protect the privacy and security of any information you provide or to which they are gaining access. We are not responsible for the use or disclosure of any Personal Information accessed by any company or person to whom you provide your Site username and password.
If you provide your Site username, password or other information about your accounts with us to an aggregation website, we will consider that you have authorized all transactions initiated by an aggregation website using access information you provide, whether or not you were aware of a specific transaction. If you decide to revoke the authority you have given an aggregation website, we strongly recommend that you change your password for the Site to ensure that the aggregation website cannot continue to access your account.
(Taken from Bank of America's website)
Still - many people use these types of services either accepting the risk in exchange for the convenience... but more likely than not - they simply aren't aware of the risk they are taking. Michael Marion, senior vice president of Citi Internet & Mobile, describes the risk this way:
Third-party aggregators may ensure your anonymity by not asking for certain data (such as your name or account number), but you're ultimately giving third parties -- who are potentially not regulated by the Fed, FDIC, or the same kind of controls your financial institution would be subject to -- access to your personal financial information.
(Taken from an article on Huffington Post)
The reason so many people are willing to take this risk, or are lured into a sense of security, is the automation that these services provide. They automatically go to your bank account and download your transaction history, and make it easy for you to see your money and (hopefully) make better financial decisions when you see your spending patterns in the past.
However, MANY are looking for a secure way to stay on top of their personal finances, but still have some form of automation -- the best of both worlds, as it were.
That's where a secure budget tool like CalendarBudget excels. CalendarBudget does not automatically connect to your bank account - in fact you never give any bank details. Instead, CalendarBudget's money calendar allows you to import your transaction history from a file, which you get from your online bank. Then, you can use the transaction history from this file to reconcile your financial plan with what's actually happened.
It takes more time than the automated services, yes, but not a lot more... and IT'S TOTALLY SAFE. CalendarBudget also has the feature that NO OTHER TOOL HAS - a detailed future plan. An automated service would not be able to handle this since it would overwrite your important plans as time rolled on. Instead, CalendarBudget has you reconcile your plan with reality - putting you in control and giving you MUCH DEEPER UNDERSTANDING of your money.
As access to services becomes more and more prolific and ubiquitous, it's important that we understand the risks associated with the services we use so we can have our eyes wide open as we try to simplify and improve our lives.
What's your opinion of the security of online personal finance services?