Wednesday, October 10, 2007

Financial aggregate sites

The Simple Dollar featured an article on financial aggregate sites yesterday, and the primary concern was security. These sites work by requiring their users to share their login information for various financial institutions, which is then used to collect the users' financial data and present it on one screen, with some useful analysis tools thrown in.

Now I have no problem banking online, and I feel pretty safe as long as I exercise reasonable precautions (not saving/sharing passwords, running anti-spyware & anti-virus software, keeping my computer updated, and only using trusted/nonpublic computers). I'm pretty confident that my bank would give me my money back if a hacker steals my login data and empties my bank account.

The problem with third-party aggregate sites is that I have to share my sensitive user IDs and passwords. I'm not so sure that banks would be willing to cover my losses if these sites were to become hacked, since I voluntarily gave them my login data. It's kind of like giving a friend or family member my credit card or ATM card; I am still liable for any charges and withdrawals that they incur. Also, many of these financial aggregate sites are backed only by venture capital, so I'm not super confident that they would be able to restore my losses in a timely manner--if at all. A commenter on the Simple Dollar article mentioned the lack of regulation, and we've all heard of nightmarish experiences that some users of PayPal (which is not regulated like a bank) have had to deal with, such as frozen funds, blocked accounts, etc.

If you insist on using these sites, you can minimize your risks by setting up alerts and monitoring your accounts closely. Bank of America offers an optional feature called SafePass where sensitive transactions require a unique 6-digit code sent to your mobile phone; other financial institutions may have something similar.

To truly put my mind at ease, however, I suggest that financial aggregate sites work with financial institutions to come up with a more secure solution. For example, if I had a "view only" password from my bank that I could provide to the aggregate sites, it would make me feel much safer. To perform an actual transaction such as transferring funds or paying a bill, the aggregate site would redirect me to my financial institution's web site where I'd be required to enter my "full access" password in order to complete the transaction. This would limit the liability that the aggregate sites have to face, since they would only have the ability to look at my financial information, and not touch it. I am not sure how willing financial institutions would be to cooperate with financial aggregate sites on something like this, but I would think that they'd at least consider it in the interest of their customers, and from a loss prevention perspective.
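The "view only" versus "full access" split proposed above, sketched as an added example (not code from this post or from any bank or aggregate site). The `Bank` class, scope names, and sample passwords are all hypothetical; it shows that a view-only password leaked from an aggregate site can read a balance but cannot move money.

```python
import hashlib, hmac, os

VIEW, FULL = "view", "full"  # scope names are assumptions for this sketch

def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Bank:  # constructed toy bank: two passwords per account, different scopes
    def __init__(self):
        self.accounts = {}  # user -> {"balance": int, "creds": {scope: (salt, digest)}}

    def open_account(self, user, balance, view_pw, full_pw):
        if view_pw == full_pw:
            raise ValueError("view-only and full-access passwords must differ")
        creds = {}
        for scope, pw in ((VIEW, view_pw), (FULL, full_pw)):
            salt = os.urandom(16)
            creds[scope] = (salt, _digest(pw, salt))
        self.accounts[user] = {"balance": balance, "creds": creds}

    def _scope_of(self, user, password):
        granted = None  # scope this password grants on the account, if any
        for scope, (salt, digest) in self.accounts.get(user, {}).get("creds", {}).items():
            if hmac.compare_digest(_digest(password, salt), digest):
                granted = scope
        return granted

    def balance(self, user, password):
        if self._scope_of(user, password) is None:
            raise PermissionError("unknown user or password")
        return self.accounts[user]["balance"]

    def transfer_out(self, user, password, amount):
        if self._scope_of(user, password) != FULL:  # view-only never moves money
            raise PermissionError("full-access password required")
        if not 0 < amount <= self.accounts[user]["balance"]:
            raise ValueError("invalid amount")
        self.accounts[user]["balance"] -= amount
        return self.accounts[user]["balance"]

def stolen_view_password_outcome():
    # Constructed scenario: the aggregate site's stored view-only password leaks.
    bank = Bank()
    bank.open_account("alice", 1000, "view-pw-sample", "full-pw-sample")
    seen = bank.balance("alice", "view-pw-sample")   # the thief can read the balance
    try:
        bank.transfer_out("alice", "view-pw-sample", 1000)
        moved = True
    except PermissionError:
        moved = False                                # but cannot move funds
    return seen, moved, bank.balance("alice", "full-pw-sample")
```

The aggregate site would only ever store the view-only password; the full-access one is typed at the bank's own site when a transaction is completed.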

1 comment:

peight said...

Thanks for the link to your blog - I'll probably be visiting often to see what your blog is all about!