Ever since Equifax’s massive data breach in 2017, which exposed the personal information of over 143 million people, security has been on everyone’s mind. I’ve personally noticed even my most care-free clients suddenly asking what they should do to protect their financial data. But Equifax obviously wasn’t the first data breach, and certainly won’t be the last. Before that, Target, Yahoo, eBay, JP Morgan, and Uber are just a few of the bigger names in a very long list of hacks going back to the very first days of the internet. In fact, as I type this, news is breaking of a breach affecting somewhere around 500 million Marriott customers.
However, in spite of the apparent risks, I love banking, paying bills, and investing online. Everything is so much more convenient online, and I can eliminate tedious tasks such as:
- Waiting for a mountain of statements to come in the mail,
- Going through paper statements line-by-line, and
- Hours spent filing those statements in ever-growing filing cabinets.
But, living my financial life online does create new security challenges. And while online banking and bill-pay are convenient, in my opinion, having the ability to track my finances in one holistic system is just as vital to my long-term financial health. Luckily, programs like Mint.com, Personal Capital, and other cloud-based personal finance websites offer exactly that — a 100% automated, 360-degree, holistic view of your financial picture.
However, like everything in life, there are trade-offs to these convenient systems. To use them you have to entrust your login credentials into their hands. So, ever since these systems first appeared about ten years ago, we’ve all been faced with the same question:
Is it safe handing over all your online financial passwords to someone else? Is it worth the risk?
What is Personal Capital?
Personal Capital is a website that collects and organizes all your financial information in one centralized place, including cash-flow, debt, investments, and net worth. It’s been around since 2009, and has grown quite large in the last decade. In fact, as of this writing, Personal Capital reports assets under management of over $8 billion.
Personal Capital is a for-profit business, operating under a “freemium” model, where they give away their personal finance tools for free in exchange for the opportunity to offer their investment services. (There’s much more to say about their software and services, but that’s beyond the purpose of this article. However, I do plan a deep-dive into Personal Capital in the coming weeks.) So the crucial question remains: “is Personal Capital safe?”
How to Know if Personal Capital is Safe
The first step in finding out if we can trust Personal Capital is to understand an overview of the data-flow into the system. Don’t worry; this is not going to get very technical. It’s just a quick overview, but I do think it’s important, because we can use this as a roadmap to identify where vulnerabilities, if any, most likely exist, and what Personal Capital has done to protect against them.
As you can see from the above diagram, Personal Capital does not actually hold your login credentials. Those are passed on to a third-party data aggregation service called Yodlee. More on Yodlee in a moment, but that distinction is important for wrapping your head around the security of Personal Capital.
So, based on the data-flow to and from the website, we can break this issue down into four basic questions:
- How secure is my Personal Capital account?
- What happens if someone does manage to hack into my Personal Capital account?
- How secure is Yodlee, the third-party data aggregation service that holds my bank login credentials?
- What happens if someone manages to hack into Yodlee?
A Little Perspective on Data Security
But first, a little perspective is in order. While it’s great to critically examine the security of Personal Capital, in the real world it’s also helpful to put the risk in context. If you’re going to bank online, you’re going to take some risk … that much is inevitable. So let’s look at how most people approach online security in their everyday lives.
Most people keep track of their passwords in one of two ways:
- Using same or similar password across many accounts, or
- Saving them in their browser, a computer file (such as in a Word doc), or physically writing them down.
(I probably don’t need to tell you how risky it is to use the same password for all your accounts. And saving them on your computer is probably just as bad, if you have the misfortune of downloading malware on your machine. Physically writing passwords down is probably the most secure (unless someone physically breaks into your house), but it’s also the most impractical solution. For all these reasons I prefer to use a password manager, such as Dashlane or Lastpass.)
Now in the “old days” of personal finance programs, Quicken dominated the industry. You bought the program from your local computer store, installed it from a CD or floppy disk, and downloaded your transactions into the program whenever you used it. It worked fine, and millions of people depended on it for tracking their finances (many still do.)
In the Quicken scenario, all your passwords were held inside the program that sat on your local computer. However, if you think about it, that may be even more problematic than trusting a cloud-based company to hold and protect them. Why? Because now you are responsible for maintaining a secure environment for your passwords, and that includes constantly updating your operating system to eliminate vulnerabilities, installing and maintaining a state-of-the-art firewall, hiring a 24/7 security team to continuously monitor your systems, and much more.
At the end of the day, all it takes is you accidentally downloading malware onto your system once, and your credentials may be compromised. So that’s why I think it’s not just about how strong and secure Personal Capital’s security protocols are. It’s also about how good they are in comparison with your alternatives.
How Secure is My Personal Capital Account?
Let’s start with a look at Personal Capital security capabilities to see how they stack up. Here are some highlights:
- AES-256 encryption – the highest standard of encryption available
- Two-factor authentication – quickly becoming a standard for banks and brokerages, two-factor authentication requires you to authorize each new device separately, usually by text or email
- Strict internal access controls – no employees have access to your credentials
- Highest-rated – rated A+ by Qualys SSL Labs for encryption standards
- Enforced server-client integrity – Personal Capital servers require clients to use most secure TLS v1.2 protocol
- Certificate verification – uses highly trusted Extended Validation certificate, Certificate Transparency, OCSP stapling and Strict Transport Security (HSTS) technology
- Perfect Forward Secrecy – implements ECDHE key exchange to allow for Perfect Forward Secrecy (PFS)
Don’t worry if you don’t know what half (or any) of this means. The point is they have done a LOT to protect your data; it’s clearly very important to them, as it should be. Does this mean that it’s 100% secure and hack-proof? Of course not, nothing is. But it does mean they’ve done as much as anyone, more than most in fact, to protect your data.
What if Someone Hacks my Personal Capital Account?
But what if, somehow, someone manages to break those barriers and hack their way in? What happens then?
One important thing to remember is that Personal Capital is a read-only service. What that means is that no one can actually transfer money, pay bills, or transact business of any kind through Personal Capital. Not you, not anyone else.
Therefore, it’s “read-only” in the sense that you can read all about your financial life, but nothing else. It’s just a reporting system at the end of the day.
So, that means that even if a hacker somehow did manage to get into your account, he or she could only see your financial data, nothing more. As I discussed in my review of Mint.com’s security, while that’s a terrible invasion of your privacy, it doesn’t actually cost you any money.
How Secure is Yodlee, the Company that Holds my Account Credentials?
Personal Capital believes in sticking to their core competency (personal finance tools and investment advice) and leaving the security stuff to the experts. That’s why, when they could have chosen anyone in the data aggregation business, they chose Yodlee. And while Yodlee has a playful-sounding name, they are anything but a small player in the business. On the contrary, a good argument can be made that they are the biggest and most respected name in the industry.
Here’s a little history. Yodlee was founded in 1999 as one of the first data aggregation services on the internet. At the time their only competitor was ByAllAccounts, but now that list includes Quovo, Mint, and several others. (For comparison, check out my review of Mint.com’s safety.) In fact, in its early days Mint.com licensed data aggregation tech from Yodlee to provide its services, but when Intuit purchased Mint in 2009, Yodlee’s services were replaced by Intuit’s in-house technology.
In 2015, Yodlee was purchased by Envestnet, in one of the largest data aggregation deals at the time. Since that time, Yodlee has continued to grow and become an important part of Envestnet’s business, which is one of the largest technology companies in the world of FinTech.
But just because Yodlee is a large, established player in the data aggregation world, that doesn’t automatically make them secure. So here are some of the highlights of their security standards:
- Bank-level security – Banks have to maintain the absolute highest standards of online security, because they are on the hook if they get hacked. Yodlee also maintains the same standards, which means they incorporate military-grade 256-bit encryption, 24/7 guarded facilities, no human access to unencrypted data, and third-party unscheduled security audits, as just a few examples.
- Banking industry oversight – Yodlee willingly accepts banking industry regulatory oversight, something very few of their competitors do. That means they are subject to regular inspections by the authorities and are regulated by the Graham-Leach-Bliley Act and the FFIEC. Why? The reason for this is part of Yodlee’s “secret sauce;” they have direct data feeds from most of the largest financial institutions, instead of relying solely on “screen-scraping” like most other providers. To get access to that data directly, they had to prove to the banks that they had the highest level of security. Further, the FFIEC conducts regular audits of Yodlee and provides reports to financial institutions that provide it with direct data feeds. This allows the FIs to verify the security of Yodlee’s platform.
What if Someone Hacks Yodlee?
Ok, now for the most unpleasant considerations. What if the unthinkable happens, and someone is able to breach Yodlee’s safeguards. Here are some things to keep in mind. (Please note: much of the next few paragraphs is adapted or copied directly from my post on “How Safe is Mint.com?” The information is essentially the same, so I’ve repurposed it here.)
First, we already know that credit card fraud is protected by the credit card companies; they will reimburse you for fraudulent charges that you did not authorize. In fact, by law your maximum liability is only $50.
However, it’s direct bank access that’s the real threat here. If funds are stolen right out of your bank account, what recourse would you have? This is bordering on a legal question, which I must confess I’m neither qualified nor able to answer; however, I’ll share what my research has uncovered.
Many banks want to discourage the use of data aggregators such as Mint.com, probably as much to keep customers coming directly to their websites so that they can cross-sell them products and services as anything else. Whatever the reason though, several banks, such as Chase, Capital One, and Fidelity have explicitly stated that sharing your credentials with a third party means you may be “on the hook” for stolen money. (Note: unlike Mint, this doesn’t apply to banks that provide direct data feeds to Yodlee as described above.)
But an article from Reuters reports that this position is not, at least in one legal expert’s opinion, backed by the law. The article interviews Lauren Saunders, associate director and managing attorney for the National Consumer Law Center, and quotes her calling the bank’s position “ridiculous.” This is because although there is a carve-out of the law releasing banks of liability when customers deliberately give power to transfer funds to a third party, such as a family member or business partner, this is obviously not the same thing as giving credentials to Personal Capital or Mint to simply monitor and record the account activity.
She goes on to elaborate:
“When you give Mint your bank password, you don’t give them permission to make transfers. You don’t need to be a lawyer to understand that you are not a consumer who ‘grants authority to make transfers.’ You are … outside the provision about giving someone an access device because you didn’t give the hacker permission [to transfer money on your behalf.]”
Note: an “access device” is legal-speak for your login credentials, in this situation.
So according to Ms. Saunders, if the worst-case scenario (as unlikely as it may be) did happen, you can rely on consumer protection laws to come to your aid. And what do those laws say? Here’s a quick breakdown of your exposure:
- Up to $50 — If you notify the bank within two business days of learning about the theft
- Up to $500 — If you fail to notify the bank within two business days after learning of the theft
- Unlimited Liability — If after receiving a bank statement, you fail to notify the bank within 60 days, you could be liable for all fraudulent charges that happen after that point.
The “official interpretation” on the Consumer Finance Protection Bureau’s website reads as follows (in part):
“If a periodic statement shows an unauthorized transfer made with a lost or stolen debit card, the consumer must notify the financial institution within 60 calendar days after the periodic statement was sent; otherwise, the consumer faces unlimited liability for all unauthorized transfers made after the 60-day period.”
Again, I have to caveat all this with the simple fact that I’m not an attorney, so please do your own research. Still, I think the clear takeaway here is that the key to protecting yourself is careful monitoring of all your accounts. Whether you use Personal Capital or accidentally lose your debit card, the world is full of risks and people who will happily steal your money. However, there are protections out there as long as you report fraudulent activity quickly. In that respect, you could argue that Personal Capital actually makes you more secure, in that it’s a convenient way to keep track of all the activity in your accounts.
How Motivated are Personal Capital and Yodlee to Protect my Information?
As is the case with all online financial service companies, they should be extremely motivated to prevent data breaches. In fact, cybersecurity spending worldwide is set to hit $91 billion in 2018, according to the IDC. Gaining and keeping the trust of their clients is absolutely crucial to their business model, so much so that one major security breach could be the end of either company. So I would imagine they are extremely concerned with security and are devoting tremendous resources to ensuring it.
What Can You do to Further Protect Yourself?
Don’t save your passwords in your browsers. Internet Explorer, Firefox and Safari store your passwords in the browser itself, so if someone can access your device, they have your passwords. Google Chrome is a little better; it stores your passwords online in your Google account. Still, I doubt most people are as careful as they should be with their Gmail password.
In my opinion and experience, it’s far better to use a password manager, such as Lastpass or Dashlane. I’ve personally used Lastpass for a while and I absolutely love it. It allows me to set super-strong, randomized passwords that are essentially unhackable, but I only have to remember one password–the “master” password to Lastpass itself. Once I’m logged into Lastpass, it automatically fills in all my other passwords.
In addition to a password manager, I recommend freezing your credit. That’s a topic for another post, but here’s a quick primer from Clark Howard.
Last, if you do decide to use a personal finance platform such as Personal Capital, set up email alerts that notify you if anything suspicious takes place. That kind of constant oversight will allow you to catch mischievous activity before it harms you financially.