Mr. FIRE Power

Menu
Breaking
3 Ways to Keep Exercise Costs Low 4 FIRE Powered Cars Mr. FIRE Power Goes to Washington Are Financial Aggregators Secure? 4 Ways to Aggregate Financial Accounts
Uncategorized 0

Are Financial Aggregators Secure?

by Mr. FIRE Power

There are a number of budgeting and personal finance applications on the market today that aggregate financial account information in one place to offer users a holistic picture of their finances. Many do not cost money, and can be helpful for those unwilling or unable to create personal spreadsheets or data bases to track financial information.

The service is convenient, but how secure is the data you share with them?

How do personal finance applications work?

Applications like Personal Capital and Mint collect financial account information details from users. These details include account credentials, passwords, security questions, transactions, balances, assets held, statements and other account information.

https://www.personalcapital.com/privacy-policy/

Yep, that is a lot of information. Sensitive information. But this is the trade off. In exchange for confidential information, Personal Capital offers a method to track and aggregate accounts.

Data protection?

While it is nice to keeps you account balances to yourself, the potential red flag is sharing user name and password information. Does that mean that Personal Capital or Mint have the ability to make transactions in my name? Could I wake up one day to see that one of these services has emptied my account?

The answer, thankfully, is probably not. According to Personal Capital, credentials are encrypted in transit and at rest, using AES-256 with multi-layer key management standards that are equal or better to than what is used at top-tier financial service companies.

That means that if someone was able to access your data they could not read it. If they wanted to break the encryption, a direct brute-force attack on AES-256 would require 2^256 guesses and would not complete before the end of the universe.

Many aggregators leverage third parties to store credential information. Your bank and brokerage credentials are only stored at Yodlee, not in Personal Capital’s database. This provides an added layer of safety between an individuals data and anyone who would want to access your account information.

A layman’s view

When you initially add a financial account to any of the financial aggregators, you enter a username for that account. The aggregator connects to the financial firm to say, “Whats up financial institution, I’m Personal Capital and Mr. FIRE Power gave me permission to access this account. Here’s his user name and password to prove it.” Your financial firm responds with, “Word. From now on, though, let’s interface using username 93HKSIW87302948JN73J830HK and password 920JBWPFNB9729028HUB66528J. I will give you read-only access to transactions and balances but nothing else, including account numbers.”

If some nefarious hacker intercepts your communications when you log into the financial aggregator and it syncs with all your accounts, you are just sending those encrypted usernames and passwords. If someone obtains them, they can see all your transactions but can’t do much else. When you log into the account directly, you send your username and password through the internet (yes, it’s encrypted but you’re still sending the actual account username and password). Someone who obtains those can do a lot more damage.

What about if someone obtains your PC username and password? Well, that wouldn’t be a great situation, but again — they only have read-only access to your accounts.

Is it safer than a direct login?

In chatting with a pal who looks at cybersecurity, he shared some useful perspectives. When you log into your financial accounts directly from your home browser, you should be concerned with the following:

  • Browser-side attacks
  • Interception of the data in transit

When using Personal Capital, conversely, you should be concerned that

  • All passwords are conveniently located in one place (Yodlee) for hackers, and
  • Passwordsare still transmitted from Yodlee, which provides an opportunity to intercept.

Personal Capital and Yodlee may be well defended, but it presents a tempting target for hackers. If somebody obtains those credentials, Personal Capital’s read-only nature and lack of fund transfer ability won’t matter. 

Conclusion

Information security is a balance between ease-of-use and security. Aggregators are not perfectly secure, but these services go out of their way to guarantee that personal information I protected. This is their main source of revenue and core to this business model.

The benefits of using the service are likely higher than the probability of a successful hack. I would encourage people to use the service, but do not portray it as “more secure.” That is misleading.

Previous Article

4 Ways to Aggregate Financial Accounts

 Next Article

Mr. FIRE Power Goes to Washington
Mr. FIRE Power

Mr. FIRE Power

Related articles

Uncategorized 0

3 Ways to Keep Exercise Costs Low

by Mr. FIRE Power

Exercise is an important part of any healthy routine. It is a guard against chronic diseases. It stimulates happiness inducing brain chemicals. And its a great way to keep weight in check. Getting the minimum 150 minutes of moderately vigorous exercise a week will leave you feeling happy, healthy, and mentally sharp. In case you’re curious, thats 30 […]

Uncategorized 0

4 Ways to Aggregate Financial Accounts

by Mr. FIRE Power

The hard work of financial independence begins with a budgeting exercise. To develop more sustainable savings habits, we first need to understand what we spend.  The next step is the sometimes-painful adjustment to a more frugal lifestyle. That usually means more dinners at home, rethinking entertainment, and limiting major purchases. I went from 10 percent […]