Are Financial Aggregators Secure?

There are a number of budgeting and personal finance applications on the market today that aggregate financial account information in one place to offer users a holistic picture of their finances. Many do not cost money, and can be helpful for those unwilling or unable to create personal spreadsheets or data bases to track financial information.

The service is convenient, but how secure is the data you share with them?

How do personal finance applications work?

Applications like Personal Capital and Mint collect financial account information details from users. These details include account credentials, passwords, security questions, transactions, balances, assets held, statements and other account information.

https://www.personalcapital.com/privacy-policy/

Yep, that is a lot of information. Sensitive information. But this is the trade off. In exchange for confidential information, Personal Capital offers a method to track and aggregate accounts.

Data protection?

While it is nice to keeps you account balances to yourself, the potential red flag is sharing user name and password information. Does that mean that Personal Capital or Mint have the ability to make transactions in my name? Could I wake up one day to see that one of these services has emptied my account?

The answer, thankfully, is probably not. According to Personal Capital, credentials are encrypted in transit and at rest, using AES-256 with multi-layer key management standards that are equal or better to than what is used at top-tier financial service companies.

That means that if someone was able to access your data they could not read it. If they wanted to break the encryption, a direct brute-force attack on AES-256 would require 2^256 guesses and would not complete before the end of the universe.

Many aggregators leverage third parties to store credential information. Your bank and brokerage credentials are only stored at Yodlee, not in Personal Capital’s database. This provides an added layer of safety between an individuals data and anyone who would want to access your account information.

A layman’s view

When you initially add a financial account to any of the financial aggregators, you enter a username for that account. The aggregator connects to the financial firm to say, “Whats up financial institution, I’m Personal Capital and Mr. FIRE Power gave me permission to access this account. Here’s his user name and password to prove it.” Your financial firm responds with, “Word. From now on, though, let’s interface using username 93HKSIW87302948JN73J830HK and password 920JBWPFNB9729028HUB66528J. I will give you read-only access to transactions and balances but nothing else, including account numbers.”

If some nefarious hacker intercepts your communications when you log into the financial aggregator and it syncs with all your accounts, you are just sending those encrypted usernames and passwords. If someone obtains them, they can see all your transactions but can’t do much else. When you log into the account directly, you send your username and password through the internet (yes, it’s encrypted but you’re still sending the actual account username and password). Someone who obtains those can do a lot more damage.

What about if someone obtains your PC username and password? Well, that wouldn’t be a great situation, but again — they only have read-only access to your accounts.

Is it safer than a direct login?

In chatting with a pal who looks at cybersecurity, he shared some useful perspectives. When you log into your financial accounts directly from your home browser, you should be concerned with the following:

  • Browser-side attacks
  • Interception of the data in transit

When using Personal Capital, conversely, you should be concerned that

  • All passwords are conveniently located in one place (Yodlee) for hackers, and
  • Passwordsare still transmitted from Yodlee, which provides an opportunity to intercept.

Personal Capital and Yodlee may be well defended, but it presents a tempting target for hackers. If somebody obtains those credentials, Personal Capital’s read-only nature and lack of fund transfer ability won’t matter. 

Conclusion

Information security is a balance between ease-of-use and security. Aggregators are not perfectly secure, but these services go out of their way to guarantee that personal information I protected. This is their main source of revenue and core to this business model.

The benefits of using the service are likely higher than the probability of a successful hack. I would encourage people to use the service, but do not portray it as “more secure.” That is misleading.

Related articles

Know the Costs of your Real Estate Investment Side Hustle

Real Estate Investing Real estate investing can be a great side hustle and offer a near immediate revenue stream. While buying the house that you live in offers great tax benefits and can be a good option for building equity, real estate is ONLY a side hustle if it generates revenue. As a general rule, a […]

8 Tips for Throwing a Successful Warehouse Party

Side hustles are great because with time and effort they can grow into a sustainable business.   That DJ side hustleyou started because you liked music can lead you to connections with other DJs and a following of dedicated fans. Next thing you know, you’re renting out empty warehouses, inviting your DJ pals to town, and charging […]