Stupidity knows no bounds

By Slow Dad - December 01, 2016

Financial aggregators are convenient, but think about who else may have access to your internet banking login details once they leave your control.

People are stupid (for the most part)

If I came up to you in the street and asked you for the PIN number of your debit or credit card, would you tell it to me? I would hope most people possess enough common sense to say no… but “Boaty McBoatface” happened, so maybe I am naive.
Keep your internet banking details secure.
How about the username and password that you use to log into your computer at work? Again I’d hope most people would say no. However, a field study demonstrated that 34% of people willingly do, and that number increased to over 70% if the person was offered a chocolate bar in return.

Lately I’ve observed loads of financial independence and early retirement folks raving about financial aggregator services like Mint and Personal Capital… which suspiciously offer attractive affiliate commissions!

The promise of an always up to date financial picture at your fingertips is an alluring one. However, pause for a moment to consider how that picture is achieved.

Would you share your internet banking password?

These products ask users to supply their login credentials to their banks, brokers, pension providers, and so on.

Depending on the tool, users may also authorise it to make withdrawals from their accounts, whether via a credit card charge, a direct debit or an internet withdrawal.

Stolen internet banking logins

If you read your internet banking terms and conditions, many providers (in the UK and Australia; your mileage may vary elsewhere) expressly forbid sharing your internet banking credentials with anyone, and refuse to cover any losses that result from that sharing.

This is a spectacularly bad idea

I’ve worked in and around the technology world for around 20 years now. During that time I have seen many things that were truly disturbing.

A former colleague once visited a Moscow street market. He stumbled upon a DVD with a reasonably unique sounding name scrawled across the front in permanent marker. It was the same name that our client had used for their in-house developed customer relationship management application. For the sake of €5 and a laugh he purchased the DVD. It contained a four-month-old copy of the client’s production database, over 30 million customer records in total.

Sadly this kind of thing is hardly a rare occurrence. Troy Hunt has made a name for himself by running the “Have I been pwned?” website, where internet users can check whether their personal information has been misappropriated in any one of the hundreds of breaches or hacks that are regularly reported in the media.

You have no control over who has access to your credentials

The point is that once you give your credentials away you have no control over how they are stored, where they are stored, who has access to them, or what other purposes they may be used for.

These days there is a multi-billion dollar industry in the outsourced provision of development, testing, and support services. Many sites supplement their own staff with short term consultants, vendor representatives, freelancers, and so on. These contracts are often awarded to the lowest cost bidder. The winning outfit inevitably seeks to preserve its profit margins by aggressively managing staffing costs and reducing overhead.

Development and test environments are often provisioned by restoring production backups… the same backups that contain the login credentials to your bank or retirement accounts. Some sites mask or obfuscate this data, but my personal experience suggests this is inconsistently applied at best.

The team behind Moneydance, a competitor to QuickBooks and Mint, have written a well thought out blog post discussing this issue. It is worth a read before you hand over your credentials to anyone.

So what?

I ask you again, would you give me your PIN number if I asked for it? And if not, how is this really any different from what you’ve given up to a personal finance aggregator app or website?
