By Jon, on July 2nd, 2009
[Image: Get Your Ducks in a Row]
As a follow-on to Tom’s post about security, let’s look again at the weakest link in your security – you… and the little scraps of paper that contain your user names and passwords.
As noted earlier in this forum, accumulating wealth can be quite simple: buy a lottery ticket, get lucky, voila! you’re wealthy. But even with that simple, albeit unlikely scheme, you still have to remember where you stored the lottery ticket.
Using Tom’s (and Smith Barney’s) “old fashioned way” of accumulating wealth takes more time, patience and a lot more remembering. You have to remember more than just user names and passwords. There are account numbers, safe combinations, PINs, life insurance policies, your spouse’s SSN, etc., ad nauseam, ad infinitum. Now, if you’re twenty-something, have only a few accounts spread around and most of your brain cells are still intact, you’re thinking “How bad can it be?” However, if, like me, you’re a (way) bit older and haven’t organized this information, you’re most likely rocking in the fetal position, hoping your memory will return.
Of course, you can organize data on a sheet of paper, put it in a drawer and like the lottery ticket simply remember where it is so you can constantly keep it up to date. You just have to hope your 7 year old daughter doesn’t take it to school for financial “show and tell” or the new puppy doesn’t rearrange a few figures when you forget to put it back in the drawer (the paper, not the puppy!).
A better solution is a simple and, preferably, secure database. There are several solutions out there ranging from cheap to free. Unless you’re reading this article at the library (you’ll need your own computer), the cheapest digital solution is a text file or spreadsheet with a few columns for description, user name, password, URL and account number(s). Although, I would contend, it’s better than nothing, this solution has some serious security issues and is not as easy to use as a dedicated program.
The database I have used for the past 5 years is Passwords Plus. It’s under $30, is extremely easy to use and syncs with any device running the Palm OS. This last feature saved my butt a couple of years ago when my wife and I, while vacationing in Maine, discovered the rustic little cabin (read “hellhole”) we were staying in didn’t take credit cards. Because my PDA contained my checking account number, we were able to quickly secure cash at the local bank without resorting to masks.
KeePass, mentioned in Tom’s post, is another program that I tried recently just for comparison. Its friendliest feature is that it’s free! It also appears to have another layer of protection that Passwords Plus doesn’t have, that being a “disk key” that you generate yourself. So, if super security is one of your requirements, it may be the better choice. Also, for you Mozilla Firefox users (like myself), KeePass allows you to import any usernames and passwords you’ve captured in your browser. However, I think I will still stick with Passwords Plus just because it’s so darned easy to use.
In conclusion, there are several other similar solutions out there, but it’s not so important which one you use as that you organize your important data…now! If you’re currently using Passwords Plus, KeePass or another similar program, let us know; we’d love to hear from you.
By Tom, on June 28th, 2009
The Mint.com and On-Line Account Aggregator post has been popular. Many people are concerned about identity theft, and want to know how to protect themselves. We are going to address some of the ways to keep your on-line accounts safe here. The reality is that it is difficult to always keep track of where your account information is going. With Mint.com using Yodlee, Geezeo using CashEdge, and Quicken being somewhat of a black box, it is understandable that people are concerned.
As we discussed in the previous post, I am confident that Yodlee, CashEdge, Mint and Geezeo have a very high level of security to protect your information. As an individual, you are more at risk from phishing or from having your own computer compromised, whether by virus, trojan horse, or theft. Keep in mind, though, that there is significantly more incentive for someone to compromise a financial website’s security than there is for someone to steal just your individual information. Regardless of whether you choose to use an account aggregator, or simply log on to your financial institution’s web site periodically, it is a good idea to put some basic protections in place.
So what are some of the ways that you can protect yourself from all of these threats?
Check Your Account Statements Often
[Image: Staying Safe On-line]
First and foremost it is important to keep an eye on transactions in your accounts. It seems logical to check bank accounts and credit card statements frequently. But you also need to check brokerage accounts and retirement accounts frequently. With brokerages and retirement accounts, you have no protection from the maintainer of the account if someone were to drain the accounts. Your only real protection is to detect that it is happening quickly and take action before a distribution can be made.
Some financial institutions, of course, have protections on what happens when the address on the account gets changed. They may notify you via e-mail or regular mail if this happens. This helps in the event that a thief attempts to change the address before requesting a distribution. But this protection is inconsistent across different companies.
When you check your accounts, you are really just doing a quick scan to make sure there are no unexpected distributions or transactions. This is a case where account aggregators can actually improve your security. With aggregators you only need to look in one place to view the transactions.
How often should you check your accounts? Generally you should check them within the window of protection. For instance, credit cards usually give you the most protection from fraudulent activity. Visa and Mastercard Debit Cards carry similar protection to credit cards, but only if you sign for the purchase as opposed to using your PIN. But with brokerages and retirement accounts you have very little time to react.
My recommendation is that you check your accounts at least every three days to provide enough coverage for any account type.
Use Passwords Wisely
Password safety is very important, but it is easy to get into a system where you use the same password for every account or most accounts. For the ultra paranoid, the only real way to be safe here is to use a different password for every account. That is probably a bit overkill, but I would recommend protecting certain accounts with a strong unique password. For example, your primary bank account with the majority of your cash should be well protected. Some of your lesser accounts like the account aggregator, where you cannot move money around, may have a less strict password.
Here are some of the steps you can take to improve your password usage:
- Remembering unique and strong passwords is always a challenge. You have to make a choice whether you want fewer passwords and you want to memorize them, or whether you want to store them somewhere.
- If you choose to memorize them, a good tip is to use the first letter in each word of a well known phrase. Then you can replace some letters with numbers or capital letters to improve the strength.
- My personal choice is to store them using KeePass. I have been using the 2.x version (don’t let the beta designation scare you, it is a very stable utility). There is certainly a risk if your KeePass file is stolen, so keep the password to it strong — and make sure you protect the file as much as possible. KeePass can generate very strong passwords, and make it easy for you to quickly find the unique password for any site.
- Create passwords that are at least 8 characters in length and contain both lower case and upper case letters along with some numbers. An 8-character password with just lower case letters in it takes only about 5 hours to break. Adding some alternate case letters and numbers into the password increases that time to 25 days.
- Change your passwords periodically, around once every two years if there are no breaches on your accounts. If one of your accounts is breached, change all of your passwords as soon as possible. Again this is an area where KeePass can help keep track of the passwords.
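Added example, not from the post: a small Python checker for the rule in the list above (at least 8 characters with lower case, upper case and digits), together with the exhaustive-search arithmetic behind the lower-case-only versus mixed-character comparison. The guessing rate is an assumed parameter, and the phrase-to-initials helper is a constructed illustration of the memorisation tip.

```python
import string

# Added illustration of the post's password rule; the guessing rate is an
# assumed parameter, so the hours it yields are only relative figures.

CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
}


def initials(phrase):
    """The memorisation tip: the first letter of each word of a well-known phrase."""
    return "".join(word[0] for word in phrase.split())


def classes_used(password):
    """Names of the character classes that actually appear in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def meets_post_rule(password):
    """The post's minimum: at least 8 characters with lower case, upper case and digits."""
    return len(password) >= 8 and classes_used(password) == set(CLASSES)


def effective_charset_size(password):
    """Alphabet size an exhaustive search must assume, given the classes present."""
    return sum(len(CLASSES[name]) for name in classes_used(password))


def keyspace(length, charset_size):
    """Number of candidates an exhaustive search covers for that length and alphabet."""
    return charset_size ** length


def hours_to_exhaust(length, charset_size, guesses_per_second):
    """Worst-case hours to try every candidate of that length and alphabet."""
    return keyspace(length, charset_size) / guesses_per_second / 3600


def compare(length, guesses_per_second):
    """Lower case only versus lower + upper + digits: the comparison the post makes."""
    lower_only = hours_to_exhaust(length, len(CLASSES["lower"]), guesses_per_second)
    mixed = hours_to_exhaust(length, sum(map(len, CLASSES.values())), guesses_per_second)
    return {"lower_only_hours": lower_only, "mixed_hours": mixed, "ratio": mixed / lower_only}


def report(password, guesses_per_second):
    """Everything a user would want to know about one candidate password."""
    size = effective_charset_size(password)
    return {
        "meets_rule": meets_post_rule(password),
        "classes": sorted(classes_used(password)),
        "charset_size": size,
        "hours_to_exhaust": hours_to_exhaust(len(password), size, guesses_per_second),
    }


if __name__ == "__main__":
    # Constructed sample: the raw initials fail the rule; swapping in a capital
    # and a digit for two of the letters satisfies it.
    raw = initials("the quick brown fox jumps over the lazy dog")
    for candidate in (raw, "Tqbfj0tld"):
        print(candidate, report(candidate, 10_000_000))
    print(compare(8, 10_000_000))
```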
Freeze Your Credit
I have not made it a secret that I think freezing your credit is one of the best ways to protect yourself. There are some institutions that still use a Social Security number as a user ID. Thankfully these are dwindling. Although it won’t protect the specific account, freezing your credit will help protect your identity should a site that uses or stores your social security number be compromised.
Protect Your Computer
A complete discussion of appropriate ways to protect your computer and your home network is beyond the scope of this article, though I intend to cover it in the future. In the meantime, here are some high level tips for protecting your computer:
- Always use a router with a firewall for a home connection to the Internet
- When on the road, make sure a software firewall is installed
- Make sure you have up-to-date antivirus and anti-spyware software
- Also keep the operating system updated, preferably by using the auto update feature
- If you have more than one computer, consider using aggregators or Quicken on the computer that is not used for day to day web surfing. The computer you use for average daily use is where you are more likely to download and install things into the browser that could compromise your system.
For the Ultra Paranoid
If you really don’t like the idea of using the on-line account aggregators, you can always use Quicken or GNUCash to keep a view on your accounts. However if you are this concerned, I recommend downloading your transactions manually by logging into each site and downloading them from there. This way your credentials are generally kept between you and the financial institution (unless the financial institution itself uses Yodlee or CashEdge).
If you want to use an on-line aggregator, Wesabe appears to be the safest of them all with its options to manually upload account data and a Firefox plugin to make that process easier. I am impressed with the flexibility of Wesabe’s security — they recognize that not everyone wants to send their credentials to a central location. Also this manual approach and the Firefox plugin both work with ING Direct, which has frequently caused problems with other on-line aggregators that don’t allow manual uploads. Of course, this approach to uploading account information is less convenient than having the aggregator pull account information directly.
Conclusion
How safe you are with on-line banking really depends on the degree to which you do all of these things. If you are diligent about checking your accounts, but don’t pay as much attention to your passwords or your home computer safety, then work to improve in those areas even if it isn’t an immediate change. The bottom line is that if you follow the practices outlined above regarding watching your accounts, using strong passwords, and keeping your computers safe, you should be able to use Quicken, GNUCash, Mint.com, or Geezeo with enough confidence.
By Tom, on June 20th, 2009
This site being Elusive Wealth, I felt it important to cover some of the various ways to become wealthy. Certain ways may be rather unorthodox, but perhaps that means they are the road less traveled and as a result there is more opportunity in them! Or maybe it means that a particular approach is really harder than it seems. When it’s all said and done, maybe you won’t have learned much from this post — but hopefully it is fun nonetheless.
So here we go…
1) Win the Lottery!
The upside of this approach is simply outstanding! Basically being handed millions of dollars for almost no work at all, how much better can it get? Some lotteries get into the hundreds of millions. If you are considering this route, the basic approach to achieving your dreams is to go to a store, typically with a “Quick” “E” and “Mart” somewhere in the name. Once there, ask the person behind the counter for a ticket and hand them money.
There is a lot about the upside, but are there any drawbacks to this approach to financial freedom? Well a few to keep in mind:
- You have to pick the winning numbers for the big lotteries. It turns out they don’t just give you a check.
- If you win the money, you have to do some math to figure out if you should take the lump sum or receive money over many years.
- You might have to share if someone else wins! Yuck…
- Things don’t always turn out well for the winners. Many times they end up worse off after winning than before. Maybe it was all about the experience!
Oh and one more thing… The chance that you become wealthy with this approach is somewhere around one in 195,249,054.
So for winning the lottery, Elusive Wealth says:
Don’t play the lottery unless you are also equally willing to set the dollar that would pay for the ticket on fire.
2) Sue Someone into Oblivion!
So winning the lottery isn’t for you, you need other options. Another way to score some fast cash is to sue someone. You can either take the “easy” way by falling on someone’s sidewalk, suing them, and hoping they have a lucrative umbrella policy. Or you could go the more ethical route of accidentally spilling hot coffee on yourself and bringing litigation against McDonalds for not stopping it somehow. Yes, this can be quite an attractive approach to wealth building! However, with this there are also a few caveats:
- The odds of winning a baseless lawsuit probably are not much better than winning the lottery. I couldn’t find any good statistics on this, I am sure it depends on the lawyers and the particular case.
- Some lawsuits may require actual physical injury before they can seriously be considered.
- If you are considering this, have you ever heard of ethics?
Well, you can also consider a combo play by actually suing the lottery. This especially comes in handy if you play an instant lottery game where the last winning ticket was already played somewhere.
Elusive Wealth says:
Stick to suing only when you have a legitimate gripe that seriously caused a financial loss. If that is the case though, go for it!
3) Get a Scam Named After You
Financially this one may rate above both suing someone and winning the lottery, if you have got what it takes. Once you get a scam named after you, you know you have it made! Madoff, Ponzi, and Stanford (Group) all know what I am talking about. Not only does this path to wealth come with riches, it is matched equally by fame! Unfortunately there are some downsides:
- You can’t actually get the scam named unless you get caught.
- This is a touch less ethical than suing someone for no reason.
Elusive Wealth says:
Don’t even try scamming, unless you can make the scam both legal and official sounding, like “credit default swaps.”
4) Get a Job, Save Your Money
This option may look a bit out of place on this list, because it is the only one that results in actual, legitimate earned wealth. However, before I encourage anyone to go this route, I have to honestly lay out all of the downsides:
- To get wealthy with this approach, you might just need an education. The good news is, this isn’t always true. In fact many people do quite well without a college degree.
- To get a job, you have to apply for them and compete for them.
- Once you have a job you have to work.
- Saving money means not spending some of it.
Seems like getting a job has as many negatives as anything else on this list! Maybe it is not the best way to go. But consider this: people have done amazing things with the U.S. average household salary ($50,000) and even less. The truth is that by staying away from debt and making good choices, you stand a better chance of getting wealthy this way than any of the above options. Sure there can be some serious road bumps along the way, especially health issues and healthcare. If you think it can’t happen though, then that may be a major part of the problem. This IS how most people become wealthy.
Elusive Wealth says:
This is really the only option worth considering… what did you expect?
By Jon, on June 18th, 2009
[Image: Store Front]
If you’re like me, you’ve been conditioned to be at least a little suspicious when you’re approached by a salesperson in a retail store. You KNOW they’re going to try to sell you something. However, you may not always understand what it is they are trying to sell!
In a Target, Wal-Mart or Macy’s, you’ve already been sold before you walk in the store – by the brand name. The clerk is simply there to take your order…and your money. But at Bob’s Bait and Bagels or Sally’s Hutch Hutch, the owners are trying not to simply, or even primarily, sell bait, bagels or hutches. They want to sell you on the same thing that Target already has – their store.
So what do I do with that information? I engage the store owner (or knowledgeable clerk) in conversation. I ask questions. Although they certainly want to make a sale, even more, they want me to come back again…and again…and again.
Bob or Sally, being smart retailers, want me to feel that I received the best value I possibly could on that bait, bagel or hutch. I might learn from Bob that pink worms aren’t any good unless the Bass are spawning, or from Sally that solid oak is once again preferred for firewood, not furniture, and that hickory veneer looks better and costs half as much.
Saving real money is more than clipping coupons; it’s being informed, and that “evil salesperson” may be your best source of information.
By Tom, on June 15th, 2009
Recently on Consumerism Commentary, Flexo posted about the upcoming discontinuation of Microsoft Money. First and foremost, this was a great post and important information for consumers of either Money, Quicken, or one of the similar on-line options. Unfortunately on the desktop, Quicken will no longer have significant competition (unless you like the free alternative, GNUCash). Quicken has been my personal choice for the past 5-6 years, despite its relatively higher cost.
Because of the removal of MS Money from the market, the discussion of alternatives such as Mint.com and Quicken On-line came up. These tools are considered on-line account aggregators because they typically connect to your accounts at various institutions and download statements. Below is a list of common account aggregators:
The most common concern of using these on-line account aggregators is security. How safe are these on-line account aggregators?
[Image: Mint]
Current Security Measures
First let’s take a look at the security the sites do provide, before we get into the possible weaknesses. We are going to focus on Mint.com, though all of the sites provide similar security. Mint.com’s security features can be viewed here. But here is a basic rundown of those features:
- Anonymity
- 128-bit SSL encryption
- Secure facility protected by biometrics palm scanners and 24/7 security guards
- Bank-level data security standard (encryption, auditing, logging, backups, and safe-guarding data)
- The site has the VeriSign seal.
- Mint has anti-phishing protection provided by RSA
So what does all of this mean? Well, first, anonymity means that Mint does not ask for personally identifying information, for the most part. This includes data like name, social security number, etc. However, they do ask for e-mail. The point here, though, is that the data that they have on you (financial account balances and transactions) cannot easily be traced specifically to you.
The 128-bit SSL means that the data you submit from your browser to Mint’s network is encrypted in a manner that is fairly difficult to decrypt. This is the web standard SSL that you see when you use a bank or a web site that shows the security lock in your browser. This is good; it protects your data as it travels to Mint. The VeriSign seal primarily validates that this SSL encryption is in place between your computer and Mint’s servers. Once it gets to Mint, they can encrypt your data using SSL as they pass it around internally so that no one at Mint can see it. And when they send it to your bank or other service providers it can be, and likely is, encrypted with SSL.
The bank-level data security helps give some assurances about what happens with your data, including your bank log-on credentials, while it is inside Mint’s network. If encryption of your credentials and data is maintained at all times while in Mint’s network, then only a security breach of the encryption key could compromise the data. Usually it takes more than just having the key; you also need access to the devices that have the data stored on them. The bottom line is that once it reaches Mint’s servers, we have to take their word for it that it remains encrypted, and I will give them the benefit of the doubt on this based on what they have stated here.
Of course physical security like biometric palm scanners and security guards means they don’t just let anyone into their facility. That is a good thing.
Where Are the Issues?
Mint handles two types of sensitive data. One type of information it holds consists of records of your account balances and transactions that it has aggregated from various sources. This information is valuable to you, but has limited value to anyone else. As long as the login information for your bank is not stored along with the account data, you cannot do damage just knowing the location and amount of the account. That brings us to the second type of information, your login information, or credentials.
According to Mint.com, the credentials information is not stored within their network. From their site:
“We need your online banking user name and passwords so that we can help you organize and manage your accounts, that information is encrypted and transferred in a secure manner. We store only the information needed to save you the trouble of updating, syncing or uploading financial information manually. Your banking login credentials are securely stored by our online financial service providers. Your Mint login credentials are not shared with these providers.”
This is reassuring: the bank user names and passwords are not stored by Mint. Instead those credentials are stored by their online financial service providers. Basically, after the first time that you enter your credentials for a financial institution, Mint connects to their online service provider to retrieve the account data, and also receives an ID or token at the same time. That token allows them to retrieve, read only, account balance and transaction information in the future to keep Mint in sync with your accounts. Although it isn’t stated directly, “online financial service providers” seems to imply banks. In fact, banks could provide this service. However most of them do not. Most banks and financial institutions require your login information, including possibly additional information like answers to your “secret” questions.
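Added example, not Mint’s, Yodlee’s or any bank’s code: a toy Python model of the two designs the last few paragraphs contrast. One aggregator keeps the bank login itself in its store; the other exchanges it once for a token the bank scopes to reading, so a copy of that store can refresh balances but cannot move money. The institution name, user, password and amounts are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed toy model; not Mint's, Yodlee's or any bank's real code.

class Institution:
    """A bank holding salted password hashes, balances and transaction history."""
    def __init__(self, name):
        self.name = name
        self.users = {}     # user -> (salt, password hash)
        self.balances = {}  # user -> balance
        self.history = {}   # user -> list of transaction descriptions
        self.tokens = {}    # token -> (user, frozenset of permitted actions)

    @staticmethod
    def _hash(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def enroll(self, user, password, balance):
        salt = secrets.token_bytes(16)
        self.users[user] = (salt, self._hash(salt, password))
        self.balances[user] = balance
        self.history[user] = [f"opening balance {balance}"]

    def _authenticate(self, user, password):
        salt, stored = self.users[user]
        if not hmac.compare_digest(stored, self._hash(salt, password)):
            raise PermissionError("bad credentials")

    def _perform(self, user, action, **kwargs):
        if action == "read":
            return {"balance": self.balances[user], "history": list(self.history[user])}
        if action == "transfer":
            self.balances[user] -= kwargs["amount"]
            self.history[user].append(f"transfer {kwargs['amount']} to {kwargs['payee']}")
            return None
        raise ValueError(f"unknown action {action}")

    def as_customer(self, user, password, action, **kwargs):
        """Password access: whoever holds the password can do everything, including moving money."""
        self._authenticate(user, password)
        return self._perform(user, action, **kwargs)

    def issue_token(self, user, password, scope=("read",)):
        """One-time exchange: credentials in, a random token limited to a scope out."""
        self._authenticate(user, password)
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (user, frozenset(scope))
        return token

    def with_token(self, token, action, **kwargs):
        """Every token call is checked against the scope the token was issued with."""
        user, scope = self.tokens[token]
        if action not in scope:
            raise PermissionError(f"token scope {sorted(scope)} does not permit {action}")
        return self._perform(user, action, **kwargs)

class CredentialAggregator:
    """The design the post worries about: the bank login itself sits in the store."""
    def __init__(self):
        self.store = {}  # bank name -> (user, password)
    def link(self, bank, user, password):
        self.store[bank.name] = (user, password)
    def refresh(self, bank):
        return bank.as_customer(*self.store[bank.name], "read")

class TokenAggregator:
    """The design Mint's wording implies: after one exchange only a read-only token is kept."""
    def __init__(self):
        self.store = {}  # bank name -> read-only token
    def link(self, bank, user, password):
        self.store[bank.name] = bank.issue_token(user, password, scope=("read",))
    def refresh(self, bank):
        return bank.with_token(self.store[bank.name], "read")

def exposure_if_store_leaks(bank, entry):
    """Whether a leaked copy of one store entry lets its holder move money at the bank."""
    try:
        if isinstance(entry, tuple):  # (user, password) from CredentialAggregator
            bank.as_customer(*entry, "transfer", amount=1, payee="elsewhere")
        else:                         # bare token from TokenAggregator
            bank.with_token(entry, "transfer", amount=1, payee="elsewhere")
    except PermissionError:
        return False
    return True
```

The same check is what a customer would want the bank to enforce server-side: the token's scope, not the aggregator's good behaviour, is what keeps the account read-only.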
The reality is that Mint’s online financial services provider(s), if there are more than one, are not the banks and financial institutions. Instead it is a third party company, Yodlee. As mentioned earlier, Yodlee also provides its own on-line aggregation service for customers. While it is difficult to find direct mention of Mint using Yodlee behind the scenes, looking through the forums and some other websites you can find that Yodlee is indeed their provider. Below is Mint’s statement on its liability for any loss with their third party system(s):
“However, it is important to understand that these precautions apply only to our Site and systems. We exercise no control over how your information is stored, maintained or displayed by third parties or on third-party sites.”
So, while it is by no means a secret, it is important to keep in mind that if you use Mint, your credentials are stored somewhere. And they are all likely stored in one location at Yodlee. To me it seems clear that Mint.com obscures this fact. You can see in their forums that they use Yodlee, but you see no reference to it on their site directly. Although they don’t directly say it, their wording implies that credentials are not stored by them and are instead stored only by financial institutions. One of the reasons they do not make this obvious may be for security itself, however I do believe they are intentionally vague on this for marketing purposes.
I do not want to give the impression that if you use Mint your credentials are being passed around in numerous e-mails at Yodlee or outside of Yodlee. Yodlee itself is no slouch on security. They provide many of the security precautions that Mint provides, probably quite a bit more. Broke Grad Student provides a good synopsis on Mint Myths Debunked where it is mentioned that Fidelity and Bank of America use Yodlee, for example. So even without using Mint, your credentials may be stored at Yodlee for other financial institutions.
With that said, many people have an issue with having ALL of their account information in a single place. An intelligent, disgruntled employee at Yodlee could find a way to get to that data. It would be difficult, but not impossible. Using the desktop version of Quicken reduces that risk. Desktop Quicken stores your credentials locally on your computer. So unless your computer is compromised, that information is safe. Even if your computer is compromised, someone would have to break Quicken’s security measures. However there are two slight risks, even to the desktop version of Quicken:
- There is nothing stopping Quicken desktop from passing credential information through Quicken’s servers on the way to the financial institution. I don’t believe they do this, and I don’t believe they intend to do it. But it would be difficult to detect if they started. If they did, eventually I would expect this to come out and there would be negative repercussions with Quicken for such a move. But if they chose to do this, it would put Quicken desktop in the same position of every other on-line account aggregator.
- Quicken provides automatic bill pay. So unlike Mint there is the possibility of moving money from within Quicken desktop if someone were to break in. (But if someone breached Yodlee, they would have access to full credentials, not just read only tokens)
The Banks’ Role
For services like these on-line aggregators and Quicken desktop to work, banks and financial institutions must provide the mechanism to retrieve account information. For years they have provided the ability to download transactions from their site into desktop software using Quicken and MS Money formats. In the past 5 years or so it has been possible to download some financial institutions’ transactions directly from within these tools. Some banks have been supportive of that capability while others have been wary of the security.
Regarding on-line aggregators though, many banks have a firm position. Below is an excerpt from an e-mail from ING Direct to a customer regarding Mint.com:
“I understand that you recently had an issue trying to connect to our website using Mint.com. This service is commonly referred to as an account aggregator. While this service may have worked in the past, most users are finding that their aggregator does not work with our New Sign In Process.
The security of your information is very important to us. Once your personal information leaves ING DIRECT, we have no control over your information or how it is used by third parties. Because we have no way of monitoring how account aggregators address security, privacy or the use of cookies we are unable to support the use of these services.
To best protect your personal information and your funds, we recommend that you do not share your personal information (including your Customer Number and PIN) with any third party.”
Many other banks have the identical position that using account aggregators is at your own risk.
Conclusion
In the end you have to do what you feel comfortable with. Yodlee’s servers are many times more secure than most people’s home computers. Take that into consideration when weighing the on-line aggregators against something like Quicken’s desktop version. Consider your bank’s and other financial institutions’ position on using such services.
For my own part, I have been using Quicken for many years after giving up on MS Money. Recently I gave Mint a try and I do like its ease of use and slick interface. But I had significant trouble interfacing it with my ING Direct account, which is what led me to research this information. In the end I am going to stick with Quicken.
Ultimately the best thing you can do to protect yourself is to periodically change your password and use strong passwords. If you choose the desktop Quicken solution, be sure you have a quality firewall and virus protection in place. There are some other best practices here that we can tackle in a future post.