As we discussed in the previous post, I have am confidence that Yodlee, CashEdge, Mint and Geezeo have a very high level of security to protect your information. As an individual, you are more at risk from phishing or having your own computer compromised whether by virus, trojan horse, or theft.  Keep in mind though that there is significantly more incentive for someone to compromise the financial websites security than there is for someone to steal just your individual information. Regardless of whether you choose to use an account aggregator, or simply log on to your financial institution’s web site periodically, it is a good idea to put some basic protections in place.

So what are some of the ways that you can protect yourself from all of these threats?

Check Your Account Statements Often

Staying Safe On-line

First and foremost it is important to keep an eye on transactions in your accounts. It seems logical to check bank accounts and credit card statements frequently. But you also need to check brokerage accounts and retirement accounts frequently. With brokerages and retirement accounts, you have no protection from the maintainer of the account if someone were to drain the accounts. Your only real protection is to detect that it is happening quickly and take action before a distribution can be made.

Some financial institutions, of course, have protections on what happens when the address on the account gets changed. They may notify you via e-mail or regular mail if this happens. This helps in the event that a thief attempts to change the address before requesting a distribution. But this protection is inconsistent across different companies.

When you check your accounts, you are really just doing a quick scan to make sure there are no unexpected distributions or transactions. This is a case where account aggregators can actually improve your security. With aggregators you only need to look in one place to view the transactions.

How often should you check your accounts?  Generally you should check them within the window of protection. For instance, credit cards usually give you the most protection from fraudulent activity. Visa and Mastercard Debit Cards carry similar protection to credit cards, but only if you sign for the purchase as opposed to using your PIN.  But with brokerages and retirement accounts you have very little time to react.

My recommendation is that you check your accounts at least every three days to provide enough coverage for any account type.

Use Passwords Wisely

Password safety is very important, but it is easy to get into a system where you use the same password for every account or most accounts. For the ultra paranoid, the only real way to be safe here is to use a different password for every account. That is probably a bit overkill, but I would recommend protecting certain accounts with a strong unique password. For example, your primary bank account with the majority of your cash should be well protected. Some of your lessor accounts like the account aggregator, where you cannot move money around, may have a less strict password.

Here are some of the steps you can take to improve your password usage:

• Remembering unique and strong passwords is always a challenge. You have to make a choice whether you want fewer passwords and you want to memorize them, or whether you want to store them somewhere.
• If you choose to memorize them, a good tip is to use the first letter in each word of a well known phrase. Then you can replace some letters with numbers or capital letters to improve the strength.
• My personal choice is to store them using Keepass.  I have been using the 2.x version (don’t let the beta designation scare you, it is a very stable utility). There is certainly a risk if your Keepass file is stolen, so keep the password to it strong — and make sure you protect the file as much as possible.  Keepass can generate very strong passwords, and make it easy for you to quickly find the unique password for any site.
• Create passwords that are at least 8 characters in length and contain both lower case and upper case letters along with some numbers.  An 8 character password with just lower case letters in it takes only about 5 hours to break. Adding some alternate case letters and numbers into the password increases that time to 25 days.
• Change your passwords periodically, around once every two years if there are no breaches on your accounts.  If one of your accounts is breached, change all of your passwords as soon as possible. Again this is an area where Keepass can help keep track of the passwords.

Freeze Your Credit

I have not made it a secret that I think freezing your credit is one of the best ways to protect yourself.  There are some institutions that still use a Social Security as a user ID. Thankfully these are dwindling.  Although it won’t protect the specific account, freezing your credit will help protect your identity should a site that uses or stores your social security number be compromised.

Protect Your Computer

A complete discussion of appropriate ways to protect your computer and your home network is beyond the scope of this article, though I intend to cover it in the future. In the meantime, here are some high level tips for protecting your computer:

• Always use a router with a firewall for a home connection to the Internet
• For on the road, make sure a software firewall is installed
• Make sure you have up to date antivirus and spyware software
• Also keep the operating system updated, preferably by using the auto update feature
• If you have more than one computer, consider using aggregators or Quicken on the computer that is not used for day to day web surfing.  The computer you use for average daily use is where you are more likely to download and install things into the browser that could compromise your system.

For the Ultra Paranoid

If you really don’t like the idea of using the on-line account aggregators, you can always use Quicken or GNUCash to keep a view on your accounts. However if you are this concerned, I recommend downloading your transactions manually by logging into each site and downloading them from there. This way your credentials are generally kept between you and the financial institution (unless the financial institution itself uses Yodlee or CashEdge).

If want to use an on-line aggregator, Wesabe appears to be the safest of them all with its options to manually upload account data and a FireFox plugin to make that process easier. I am impressed with the flexibility of Wesabe’s security and flexibility — they recognize that not everyone wants to send their credentials to a central location. Also this manual approach and the FireFox plugin both work with ING Direct which has frequently caused problems with other on-line aggregators that don’t allow manual uploads.  Of course, this approach to uploading account information is less convenient than having the aggregator pull account information directly.

Conclusion

How safe you are with on-line banking really depends on the degree to which you do all of these things. If you are dilligent about checking your accounts, but don’t pay as much attention to your passwords or your home computer safety, then work to improve in those areas even if it isn’t an immediate change. The bottom line is that if you follow the practices outlined above regarding watching your accounts, using strong passwords, and keeping your computers safe, you should be able to use Quicken, GNUCash, Mint.com, or Geezeo with enough confidence.

Because of the removal of MS Money from the market, the discussion of alternatives such as Mint.com and Quicken On-line came up. These tools are considered on-line account aggregators because they typically connect to your accounts at various institutions and download statements. Below is a list of common account aggregators:

• Mint.com
• Wesabe
• Yodlee
• Geezeo
• Quicken On-Line

The most common concern of using these on-line account aggregators is security. How safe are these on-line account aggregators?

Mint

Current Security Measures

First let’s take a look at the security the sites do provide, before we get into the possible weaknesses. We are going to focus on Mint.com, though all of the sites provide similar security. Mint.com’s security features can be viewed here. But here is a basic rundown of those features:

• Anonymimity
• 128-bit SSL encryption
• Secure facility protected by biometrics palm scanners and 24/7 security guards
• Bank-level data security standard (encryption, auditing, logging, backups, and safe-guarding data)
• The site has the VeriSign seal.
• Mint has anti-phishing protection provided by RSA

So what does all of this mean? Well, first, anonymimity means that Mint does not ask for personally identifying information, for the most part. This includes data like name, social security number, etc. However, they do ask for e-mail. The point here, though, is that the data that they have on you (financial account balances and transactions) cannot easily be traced specifically to you.

The 128 bit SSL means that the data you submit from your browser to Mint’s network is encrypted in a fairly difficult to decrypt manner. This is the web standard SSL that you see when you use a bank or a web site that has the security lock on your browser. This is good, it protects your data as it travels to Mint. The VeriSign seal primarily validates that this SSL encryption is in place between your computer and Mint’s servers. Once it gets to Mint, they can encrypt your data using SSL as they pass it around internally so that no one at Mint can see it. And when they send it to your bank or other service providers it can be and likely is encrypted with SSL.

The bank level data security helps give some assurances about what happens with your data, including your bank log on credentials, while it is inside Mint’s network. If encryption of your credentials and data is maintained always while in Mint’s network, then only a security breach of the encryption key could compromise the data. Usually it takes more than just having the key, you also have access to the devices that have the data stored on it. The bottom line is that once it reaches Mint’s servers, we have to take their word for it that it remains encrypted, and I will give them the benefit of the doubt on this based on what they have stated here.

Of course physical security like biometric palm scanners and security guards means they don’t just let anyone into their facility. That is a good thing.

Where Are the Issues?

Mint handles two types of sensitive data. One type of information it holds consists of records of your account balances and transactions that it has aggregated from various sources. This information is valuable to you, but has limited valuable to anyone else. As long as the login information for your bank is not stored along with the account data, you cannot do damage just knowing the location and amount of the account. That brings us to the second type of information, your login information, or credentials.

According to Mint.com, the credentials information is not stored within their network. From their site:

“We need your online banking user name and passwords so that we can help you organize and manage your accounts, that information is encrypted and transferred in a secure manner. We store only the information needed to save you the trouble of updating, syncing or uploading financial information manually. Your banking login credentials are securely stored by our online financial service providers. Your Mint login credentials are not shared with these providers.”

This is reassuring, the bank user names and passwords are not stored by Mint. Instead those credentials are stored by their online financial service providers. Basically after the first time that you enter your credentials for a financial institution, Mint connects to their online service provider to retrieve the account data, and also received an ID or token at the same time. That token allows them to retrieve, read only, account balance and transaction information in the future to keep Mint in sync with your accounts. Although it isn’t stated directly, on-line financial service providers seems to imply banks. In fact, banks could provide this service. However most of them do not. Most banks and financial institutions require your login information, including possibly additional information like answers to your “secret” questions.

The reality is that Mint’s online financial services provider(s), if there are more than one, are not the banks and financial institutions. Instead it is a third party company, Yodlee. As mentioned earlier, Yodlee also provides its own on-line aggregation service for customers.  While it is difficult to find direct mention of Mint using Yodlee behind the scenes, looking through the forums and some other websites you can find that Yodlee is indeed their provider. Below is Mint’s statement on its liability for any loss with their third party system(s):

“However, it is important to understand that these precautions apply only to our Site and systems. We exercise no control over how your information is stored, maintained or displayed by third parties or on third-party sites.”

So, while it is by no means a secret, it is important to keep in mind that if you use Mint, your credentials are stored somewhere. And they are all likely stored in one location at Yodlee. To me it seems clear that Mint.com obscures this fact. You can see in their forums that they use Yodlee, but you see no reference to it on their site directly. Although they don’t directly say it, their wording implies that credentials are not stored by them and are instead stored only by financial institutions. One of the reasons they do not make this obvious may be for security itself, however I do believe they are intentionally vague on this for marketing purposes.

I do not want to give the impression that if you use Mint your credentials are being passed around in numerous e-mails at Yodlee or outside of Yodlee. Yodlee itself is no slouch on security. They provide many of the security precautions that Mint provides, probably quite a bit more. Broke Grad Student provides a good synopsis on Mint Myths Debunked where it is mentioned that Fidelity and Bank of America use Yodlee, for example. So even without using Mint, your credentials may be stored at Yodlee for other financial institutions.

With that said, many people have an issue with having ALL of their account information in a single place. An intelligent, disgruntled employee at Yodlee could find a way to get to that data. It would be difficult, but not impossible. Using the desktop version of Quicken reduces that risk. Desktop Quicken stores your credentials locally on your computer. So unless your computer is compromised, that information is safe. Even if your computer is compromised, someone would have to break Quicken’s security measures. However there are two slight risks, even to the desktop version of Quicken:

• There is nothing stopping Quicken desktop from passing credential information through Quicken’s servers on the way to the financial institution. I don’t believe they do this, and I don’t believe they intend to do it. But it would be difficult to detect if they started. If they did, eventually I would expect this to come out and there would be negative repercussions with Quicken for such a move. But if they chose to do this, it would put Quicken desktop in the same position of every other on-line account aggregator.
• Quicken provides automatic bill pay. So unlike Mint there is the possibility of moving money from within Quicken desktop if someone were to break in. (But if someone breached Yodlee, they would have access to full credentials, not just read only tokens)

The Banks Role

For services like these on-line aggregators and Quicken desktop to work, Banks and financial institutions must provide the mechanism to retrieve account information. For years they have provided the ability to download transactions from their site into desktop software using Quicken and MS Money formats. In the past 5 years or so it has been possible to download some financial institution’s transactions directly from within these tools. Some banks have been supportive of that capability while others have been wary of the security.

Regarding on-line aggregators though, many banks have a firm position. Below is an excerpt from an e-mail from ING Direct to a customer regarding Mint.com:

“I understand that you recently had an issue trying to connect to our website using Mint.com. This service is commonly referred to as an account aggregator. While this service may have worked in the past, most users are finding that their aggregator does not work with our New Sign In Process.

The security of your information is very important to us. Once your personal information leaves ING DIRECT, we have no control over your information or how it is used by third parties. Because we have no way of monitoring how account aggregators address security, privacy or the use of cookies we are unable to support the use of these services.

To best protect your personal information and your funds, we recommend that you do not share your personal information (including your Customer Number and PIN) with any third party.”

Many other banks have the identical position that using account aggregators is at your own risk.

Conclusion

In the end you have to do what you feel comfortable with. Yodlee’s servers are many times more secure than most people’s home computers. Take that into consideration when considering the on-line aggregators versus something like Quicken’s desktop version. Consider your bank’s and other financial institutions position on using such services.

For my own part, I have been using Quicken for many years after giving up on MS Money. Recently I gave Mint a try and I do like its ease of use and slick interface. But I had significant trouble interfacing it with my ING Direct account, which is what led me to research this information. In the end I am going to stick with Quicken.

Ultimately the best thing you can do to protect yourself is to periodicially change your password and use strong passwords. If you choose the desktop Quicken solution, be sure you have a quality firewall and virus protection in place. There are some other best practices here that we can tackle in a future post.

The article specifically discusses a number of banks (all the “biggies”) that are using this tactic. Three of the banks have policy valuations totalling 12 billion or more.  The kicker is that while the policy is on the employees, the beneficiary is the company itself. This money is then used to fund pensions for executives.

The practice helps the companies avoid taxes because the “proceeds” from the policies when the employee passes are tax free. This results in situations where the family of the employee (or former employee) may get little to nothing in insurance payout, but the company profits. For example, a current lawsuit has been filed over just such a situation. An employee who had survived two brain tumors signed an agreement for $150,000 in supplemental insurance which also acted as his consent for his employer to take out their own policy.  His company later fired him, and he passed away not long after. His family received no life insurance money because he was fired. But a check was mistakenly mailed to his widow for $1.6 million, but made out to his former employer.

New rules in 2006 require companies wishing to implement this to get consent from the employees that they take policies out on. And the rules limit the employees that they can take policies out on to the higher earners.

Having an employer win when you work for them, or win when you die, is a terrible conflict of interest. Certainly companies wouldn’t resort to murder to fund pensions, would they?  Probably not…but the situation described above demonstrates how murky this practice gets. The employer is no longer employed the individual, so his policy was canceled — but theirs remained in effect.  Having survived two brain tumors, the company may have fired him as a result of failing health.  Perhaps they were justified in doing so, assuming that his work was suffering. But benefiting from his death crosses a line.

The credit bureaus are a bit different — we do not directly use them like banking or other services, unless it is to get a copy of our credit report. However even here, our actions helped lead us to the credit bureaus we have today. And there are some things we can do to change how they work in our favor without additional legislation — but no doubt it is a long difficult process.

Avoid Debt

Just like in choosing how to bank, avoiding debt is the key way we can influence how credit bureaus work. One of the common complaints on Dave Ramsey’s show, for instance, is that without a credit score or a credit card certain products are unavailable or more expensive. Examples include cell phones, apartments, rental cars, some hotels, insurance and home loans. It is true, with a poor credit score and/or no credit cards, insurance premiums go up, deposits are required for cell phones, and home loans are significantly more difficult to get. This is all because credit scores work! The key to changing this behavior is to cause credit scores to be a poor, or maybe more achievable, a mediocre way to assess ability to pay.

Credit scores are so effective because so many people are in debt. If we can steer the masses away from debt toward cash, most of these groups will need to find other ways to assess ability to pay.  But assuming we could get the masses debt free, then some of the extra costs do not matter as much. Deposits for cell phones are really no issue (because you have the cash). Higher insurance premiums, although annoying, become less of an issue. Apartments, hotels, and rental cars would all lose a significant customer base unless they make it easier for those without credit cards to get their service. Home loans would have to go back to  manual underwriting.

Sure it might be idealistic and a bit of a pipe dream, but this is how capitalism works. And so far, we have been telling these companies we want it to work with the credit bureaus we have today.

Freeze Your Credit

Even if you still have debt, and even if you still want obtain more credit sometime in the future, freeze your credit!  It is one of the great ways to protect against identity theft. Do not buy the monitoring that credit bureaus provide, it only increases their pocket books and provides sub par and reactive protection.  You can get your free credit report, one from each bureau, every year from AnnualCreditReport.com. You can have coverage every 4 months if you spread out your credit reports.

Credit freezes can cost around $10 depending on your state. If you have been a fraud victim you can get a security freeze for free. TransUnion’s initial credit freeze is free, whether you have been a victim of identity theft or not. When you are looking to get credit in the future after you have frozen your file, you will need to “thaw” it permanently or get a temporary lift of the freeze. This usually costs $5 or $10.  Here are links to the three bureaus and their security freeze:

Experian (http://www.experian.com/consumer/security_freeze.html)
Equifax (https://www.freeze.equifax.com/Freeze/jsp/SFF_PersonalIDInfo.jsp)
TransUnion (https://annualcreditreport.transunion.com/fa/securityFreeze/landing)

If you are still concerned about identity theft after freezing your reports, you can then consider buying identity theft insurance which will help resolve the issue and reimburse for losses that are not covered elsewhere.

Conclusion

There has been some good legislation that has come about regarding credit bureaus, especially from states that required bureaus to provide freezes and consumer protections. However I still cannot help the feeling that even that legislation might not have been necessary if we were more in control of our money and eliminating debt.  Government some times gets it right, like the security freeze laws (though I am sure some disagree), but often government goes to far. So, let’s not wait on legislation and the government. Let’s continue to vote with our money on the products and services we want, preferably with cash

Credit cards can become a bit of a vicious cycle, not only from a debt perspective, but even from a tracking perspective. Just having a credit card makes it easier to spend, and makes it statistically more likely that a person will spend.  Spending and buying more results in potentially more debt, but it also makes it more difficult to track all of the spending and whether the amount is correct or not.

Our credit card was used for fradulent charges a couple of months ago. The charges occurred in Europe and they happened over a Friday / Saturday. Fortunately, Quicken pulls in recent charges from Capital One during the middle of the billing cycle, and I noticed two charges before any more could be made.

In our first call to Capital One, we apparently did not specify that we need to talk to the fraud department. We disputed the first charge, however instead of simply disputing we needed to inform the fraud department. After we saw the second charge, we made sure we were talking to the fraud department, asked that the card be frozen and received a new card about a week later.

Some important lessons from this include:

Check Charges On-Line, Often

The best bet is to check the credit card site directly, and check it every few days.  Even using Quicken I don’t receive the charges until a day or two after the charge. And at the end of the billing cycle, Capital One seems to shut down its feed to Quicken of my charges until the statement is ready.  So checking on the card issuer site directly provides the most up-to-date information.

Call Immediately if there is Fraud

Call the credit card immediately if you notice fraudulent charges, and make sure you are speaking to the fraud department (or make it clear that this is not just a charge dispute, but fraudulent charges). You will need to complete some paper work identifying the fraudulent charges and return it to the card issuer.

File a Police Report

Filing a police report may not be appropriate for all scenarios. For our situation we did not file one — the police in our city are not going to go after someone who made two illegal charges for purchasing train tickets and a bus tour in the U.K. But, if there are more than 4 charges, the amounts are significant (more than $1000) or you know the person who made the charges illegally, it is important to file the police report.

Keep Receipts

If you are concerned about modified charges as in the situation described on Free From Broke, keep your credit card receipts. Admittedly this is something I do not do but it is something to consider.

Debit Cards

With debit cards it is important to be even more diligent. Protections available with credit cards are not necessarily extended to debit cards, unless your bank chooses to provide those protections. If you do not notify your bank within 2 days of learning about the fraud, you will be liable for much more than the $50 liability limit that credit cards provide.  But aside from liability, with debit card fraud there is a good chance that you get overdrafted and are unable to make scheduled and regular payments from the account until the fraud is cleared up.

The bottom line is that you do need to keep a close eye on your accounts and identify suspicious charges or payments immediately.

The recent implosion of our banking system and the bailouts are examples where this did not work. But there are things that we could have done and can do to help keep this happening in the future. And we can do this without enacting new laws. Here are some of the things that we all should consider as consumers:

Avoid Debt

Certainly avoiding debt is easier said than done. It is difficult to draw a line between “just enough debt” and “too much debt.”  But there is no risk in having no debt. Debt creates a constant revenue stream for banks and lenders, saying loudly “we want more of this.”  When consumers take more debt, it completes the cycle to get us where we are today.  Do lenders engage in predatory lending?  Yes they absolutely do, and a large part is because we let them.

We are in a position to reduce our debt, and it is our number one priority. Within 6 months J.P. Morgan Chase will no longer be receiving money from us.  I wish we had learned this one earlier.

Our New Bank

Switch Banks

This is one may be simpler for some than avoiding debt, but it is still not always easy. Automatic debit and deposit make switching active accounts difficult.  However, switching away from the monolithic banks can result in better service, better interest rates, and a vote with your dollars.  For example, although it is not a community bank, ING Direct has a very good service record. The interest rates at ING (1.5% APY at the time of writing) are down right now like they are everywhere, but doing business with ING Direct has been a very positive experience for us. So we are moving more of our business to ING’s Checking and Savings accounts.

Another challenge to this approach is that often smaller banks get purchased by one of the monoliths. So this strategy might have to be employed more than once if a bank gets purchased by a monolithic bank where service suffers, or if the bank begins practices that you do not approve of.

We are currently looking for a local community bank or more likely a credit union where we will do most of our non-Internet banking with.

Avoid Fees

If you do stick with a monolithic bank – avoid fees at all costs. Getting caught with overdraft fees, ATM fees, and other fees helps to legitimize them. This might not be easy to do if your situation is paycheck to paycheck. But if you have the means to make sure that the account does not get overdrafted, then do everything possible to avoid the overdraft. If ATMs are not in the right vicinity and you pay a lot of ATM charges, consider finding another bank to pull ATM withdrawals from.

We got caught with an overdraft charge a few months ago that was completely avoidable. I did not pay enough attention to the timing of some of our automatic withdrawals. We have a larger cushion in our accounts now, and I do a better job of budgeting and anticipating automatic bill payments.

Why “Vote with your Dollars?”

So are we making these types of changes, and why should you consider it?  First, I am confident that you realize that these all have positive influences on our own finances. Second, we want to send a message that we don’t approve of some of the practices of the monolithic banks, such as:

1. Engaging in risk subprime mortgage loans
2. Using life insurance policies on employees to fund executive pentions (http://online.wsj.com/article/SB124277653430137033.html)
3. Changing interest rates on “fixed” terms for existing balances while not providing the option of closing the account under the old terms

I am sure there are more, but these are enough for me.

What concerns me the most is that we may legislate the competitors out of the market, to the point where we can no longer vote with our dollars. I don’t think we are there yet, but the massive bailouts and new legislation certainly favor the big players rather than the smaller community banks and the credit unions. But while there is still an opportunity, we are doing everything we can to send less money to the monolithic banks.