Paranoia around online security is mostly unfounded. Trust of big financial institutions is also misplaced. I have been an IT security consultant for 12 years and have specialised in the financial sector. I have worked at 3 of the top 5 worldwide Banks and 12 of the top 50. I have a couple of comments to make about both personal security and the perception around big financial institutions expressed here.

Firstly companies like Yodlee whom I have had some dealings with over the revent years are very, very secure. Their very existence depends on it. Yodlee have somewhere in the region of 10 million end users at present and aggregate $400m every day. Your credentials are stored with 256 bit encryption. This makes it impossible for anyone to physically view any credentials. The encryption key is split and half stored at Yodlee and the other half stored by the Federal Reserve. The physical and logical security of these establishments is for want of a better word inpenetrable. So in simple terms to get access to an account you would need to get the encrypted credentials from Yodlee. Get access to and steal the correct algorythmic encryption key at Yodlee, Get access to and steal the correct corresponding algorythmic encryption key at the Federal Reserve. Bearing in mind Yodlee have 10 million end users and the levels of securty being employed I would say in my opinion that this is more or less impossible.

Secondly the big financial institutions many of you seem so keen to trust are from my experience of working with them completely untrustworthy. They really dont care a whole lot about your data. I have personally witnessed events around personal data, and internet security which would make you think twice about depositing a dime let alone your life savings. The only saving grace for some of them is that they actually use Yodlee to run their online banking operation for them. A move which makes their web presence infinitely more secure.

Another point to make is that the very last place you should ever store passwords or sensitive data is on your home PC. DO you think that it is easier to break into the federal reserve or into your house? Any laptop/desktop PC will always be a burglars first priority when ransacking your home for valuables.

Thanks for reading, and apologies for the rant.

Once you have a relationship with a business, it is legally permitted to pull your credit report and get it anyway.

When I moved to my current city of residence, I paid hefty deposits to the local utilities rather than provide my SS number for a credit check.

But they pulled my SS number anyway, and they ask for the last 4 digits before they’ll do anything for you over the phone.

Most posters missed Trent’s point – if any of these companies run into trouble, there’s no obligation on the part of their purchasers to observe the previous company’s privacy policies.

Do you really believe you can force a bankruptcy trustee NOT to sell your personal info, if such info is an asset of the business?

This is not the same at all. ATMs are backed by banks (or their associated networks), so if someone actually stole your money, you have assurance from your financial institution that you will get your money back. These aggregate sites, on the other hand, is like giving your ATM card and PIN to a friend, and trusting that friend not to lose it. Banks have no obligation to give your money back if your friend gets robbed and the thieves steal funds from your account.

I have some ideas about how to make these sites more secure, and will post about it on my blog.

These aggregators have to live outside of the financial institutions themselves to be useful.

The ones that remain will probably have their stuff together, especially if they anything to do with banking, more so than the average computer user will keep their own computer system secure.

While I am aware of some recent well publicized hacks of some major sites, my biggest concern is something (a worm, email virus) beating the virus protection (possibly before THEY are able to put out an update it) on my personal computer, installing a key-logger and stealing my passwords that way. Since I do not have dedicated professionals charged with the security of my personal computer, I feel this is a weaker link than most of the threats to third party providers.

The only financial institution that I use that has addressed this possibility is ING Direct (with their little picture keypad thing where you either use your mouse to punch in, or you type an ever changing combination of letters representing those numbers).

I have also used Wesabe, and felt better using the Firefox add-in they provide. If I understand it correctly, it stores your information locally on your computer, and uploads only the financial transaction data within the account, not the actual account data. I liked it when I used to charge everything, but I have since drank the Dave Ramsey Koolaid and have tried to move to using more cash.

While there are some facilities in Wesabe that take care of that, there is a loss of some of the auto-mojo that you get from the service that detracts from its usefulness when you are more cash based.

Sorry for the long post.

I played around with mint yesterday after reading this post, I enjoy it more than wesabe because it’s a bit cleaner to categorize my spending. I like the tags on wesabe more than on mint, but mint still wins so far.

I only wish i could get my data for the entire year to date on there. I’m just too lazy to spreadsheet it all

People resist change, and when it comes to their money, if it’s different than they’ve done it in the past, they don’t trust it. It’s understandable to some degree, but just because you don’t trust it, doesn’t mean it is not trustworthy.

For example, it’s one thing if Bank of America gets hacked and my username or password is stolen, and I’m sure they would reimburse me for any damages. However, if I voluntarily provide my logon info to a third party site and they become compromised, I highly doubt B of A would be so generous.

I work in IT, and I know there’s no such thing as a 100% secure software solution. I am not willing to take the gamble (no matter how small) that my information will be safe from thieves, external or internal. One of the most important rules of safe computing is to never share your password with others.

Security is not really an issue with the softwares because it resides on your PC. It’s up to you to protect it.

Forget these 2.0 machines out there. Trust only yourself and you’ll get more sleep.

If these sites aren’t targets now, they will be. It’s just a matter of time.

http://corporate.yodlee.com/technology/security_overview.htm

I’m a generally believer that people people are safing storing all of their credentials in a trusted 3rd party provider. It allows them to use strong and unique credentials everywhere. It allows them to check all of their accounts every day. It allows them to get fraud-alerts on all their accounts, even at institutions that don’t directly support it.

..Jordan, Yodlee Inc.

As it says on out “How Mint Keeps You Safe” page (http://www.mint.com/safe.html), “your data is yours”. If you’re worried Mint may one day go under, you can purge your account from our system at anytime. This is done upon request now, and we will be adding a way to purge your account online in a few weeks.

Considering startups being in the unregulated “Wild West” you are limited by law to $0 liability on a credit card, and $50 liability on a bank account. You retain that protection when using Mint.com.

Also, remember that Mint.com never asks for your name, address, or SSN. We know about your finances, but not about who you are.

As I’ve said before on other forums, you are _safer_ using Mint.com than not using it. 90% of all fraud actually occurs offline, not online (e.g. someone swipes your card at a restaurant or from your mail). Because Mint sends proactive alerts for low-balance or unusually high spending, you’ll know right away. It’s better than logging into 4-5 different banks every day, or waiting 30 days for a paper statement before finding that something went wrong.

Aaron Patzer
Founder & CEO, Mint.com