Keeping Your On-Line Financial Accounts Safe
The Mint.com and On-Line Account Aggregator post has been a popular post. Many people are concerned about identity theft, and want to know how to protect themselves. We are going to address some of the ways to keep your on-line accounts safe here. The reality is that it is difficult to always keep track of where your account information is going. With Mint.com using Yodlee, Geezeo using CashEdge, and Quicken being somewhat of a black box, it is understandable that people are concerned.
As we discussed in the previous post, I am confident that Yodlee, CashEdge, Mint and Geezeo have a very high level of security to protect your information. As an individual, you are more at risk from phishing or having your own computer compromised, whether by virus, trojan horse, or theft. Keep in mind though that there is significantly more incentive for someone to compromise the financial websites’ security than there is for someone to steal just your individual information. Regardless of whether you choose to use an account aggregator, or simply log on to your financial institution’s web site periodically, it is a good idea to put some basic protections in place.
So what are some of the ways that you can protect yourself from all of these threats?
Check Your Account Statements Often

First and foremost it is important to keep an eye on transactions in your accounts. It seems logical to check bank accounts and credit card statements frequently. But you also need to check brokerage accounts and retirement accounts frequently. With brokerages and retirement accounts, you have no protection from the maintainer of the account if someone were to drain the accounts. Your only real protection is to detect that it is happening quickly and take action before a distribution can be made.
Some financial institutions, of course, have protections on what happens when the address on the account gets changed. They may notify you via e-mail or regular mail if this happens. This helps in the event that a thief attempts to change the address before requesting a distribution. But this protection is inconsistent across different companies.
When you check your accounts, you are really just doing a quick scan to make sure there are no unexpected distributions or transactions. This is a case where account aggregators can actually improve your security. With aggregators you only need to look in one place to view the transactions.
How often should you check your accounts? Generally you should check them within the window of protection. For instance, credit cards usually give you the most protection from fraudulent activity. Visa and Mastercard Debit Cards carry similar protection to credit cards, but only if you sign for the purchase as opposed to using your PIN. But with brokerages and retirement accounts you have very little time to react.
My recommendation is that you check your accounts at least every three days to provide enough coverage for any account type.
Use Passwords Wisely
Password safety is very important, but it is easy to get into a system where you use the same password for every account or most accounts. For the ultra paranoid, the only real way to be safe here is to use a different password for every account. That is probably a bit overkill, but I would recommend protecting certain accounts with a strong unique password. For example, your primary bank account with the majority of your cash should be well protected. Some of your lesser accounts like the account aggregator, where you cannot move money around, may have a less strict password.
Here are some of the steps you can take to improve your password usage:
- Remembering unique and strong passwords is always a challenge. You have to make a choice whether you want fewer passwords and you want to memorize them, or whether you want to store them somewhere.
- If you choose to memorize them, a good tip is to use the first letter in each word of a well known phrase. Then you can replace some letters with numbers or capital letters to improve the strength.
- My personal choice is to store them using Keepass. I have been using the 2.x version (don’t let the beta designation scare you, it is a very stable utility). There is certainly a risk if your Keepass file is stolen, so keep the password to it strong — and make sure you protect the file as much as possible. Keepass can generate very strong passwords, and makes it easy for you to quickly find the unique password for any site.
- Create passwords that are at least 8 characters in length and contain both lower case and upper case letters along with some numbers. An 8 character password with just lower case letters in it takes only about 5 hours to break. Adding some alternate case letters and numbers into the password increases that time to 25 days.
- Change your passwords periodically, around once every two years if there are no breaches on your accounts. If one of your accounts is breached, change all of your passwords as soon as possible. Again this is an area where Keepass can help keep track of the passwords.
Freeze Your Credit
I have not made it a secret that I think freezing your credit is one of the best ways to protect yourself. There are some institutions that still use a Social Security number as a user ID. Thankfully these are dwindling. Although it won’t protect the specific account, freezing your credit will help protect your identity should a site that uses or stores your Social Security number be compromised.
Protect Your Computer
A complete discussion of appropriate ways to protect your computer and your home network is beyond the scope of this article, though I intend to cover it in the future. In the meantime, here are some high level tips for protecting your computer:
- Always use a router with a firewall for a home connection to the Internet
- When you are on the road, make sure a software firewall is installed
- Make sure you have up-to-date antivirus and anti-spyware software
- Also keep the operating system updated, preferably by using the auto update feature
- If you have more than one computer, consider using aggregators or Quicken on the computer that is not used for day to day web surfing. The computer you use for average daily use is where you are more likely to download and install things into the browser that could compromise your system.
For the Ultra Paranoid
If you really don’t like the idea of using the on-line account aggregators, you can always use Quicken or GNUCash to keep a view on your accounts. However if you are this concerned, I recommend downloading your transactions manually by logging into each site and downloading them from there. This way your credentials are generally kept between you and the financial institution (unless the financial institution itself uses Yodlee or CashEdge).
If you want to use an on-line aggregator, Wesabe appears to be the safest of them all with its options to manually upload account data and a Firefox plugin to make that process easier. I am impressed with the flexibility of Wesabe’s security — they recognize that not everyone wants to send their credentials to a central location. Also, this manual approach and the Firefox plugin both work with ING Direct, which has frequently caused problems with other on-line aggregators that don’t allow manual uploads. Of course, this approach to uploading account information is less convenient than having the aggregator pull account information directly.
Conclusion
How safe you are with on-line banking really depends on the degree to which you do all of these things. If you are diligent about checking your accounts, but don’t pay as much attention to your passwords or your home computer safety, then work to improve in those areas even if it isn’t an immediate change. The bottom line is that if you follow the practices outlined above regarding watching your accounts, using strong passwords, and keeping your computers safe, you should be able to use Quicken, GNUCash, Mint.com, or Geezeo with enough confidence.
