When I tell people I use a tool to do it, they all ask me the same question – is Personal Capital safe?
Security is one of the biggest concerns people have with any financial aggregator or tool. Whether it’s Mint, Personal Capital, or some other service – putting your data into the “cloud” can be unnerving. This is especially true given how many hacks we’ve seen recently. Equifax, one of the biggest credit reporting agencies, was hacked and 143 million consumers had their data stolen. It was enormous.
How do you know that your data is going to be safe at another company?
It comes down to two key parts – how they safeguard your information once they have it, and how they safeguard the transmission of your information while they collect it.
Two Key Security Areas
When it comes to financial apps and security, there are two key pieces to look at:
- How Safe is My Data – When you give the tool your data, how is it stored and protected? What is stored and where is it stored? How are the employees monitored to prevent any kind of theft?
- How Safe is the Connection – When you communicate with the tool, how secure is that connection? When you log in, when you view your data, when you update anything, when you give them your credentials… the transmission of that data is subject to risk.
The information you put into the system has to be safe in its place of storage. The way you communicate that information must also be secure.
How Safe Is My Data in the Cloud?
One of the biggest concerns people have with tools like Personal Capital is having their data in the “cloud.”
I reached out to David M. Parker, Asst. Prof., Div. of Accounting & Finance and Director, Center for the Study of Fraud and Corruption at Saint Xavier University, for his thoughts on services like Mint and Personal Capital. He shared some valuable thoughts on how to weigh the potential risks and rewards of using cloud-based tools:
With regard to general thoughts about storing data in the cloud by giving your data to Amazon, Microsoft, Dropbox, Equifax, your bank, Google, Facebook, or whoever… is it safe? Recent news items reveal the many, many companies that have suffered data breaches at the hands of cybercriminals.
Can your data be stolen if you hand it over to the cloud? Yes.
So, you decide to keep your data safe at home. Can it be stolen? Also yes. Cybercriminals can break into your home computer, your home wi-fi, your Internet-enabled thermostat or doorbell, etc.
Points in favor of the cloud include that a big company like Amazon or Microsoft might have more resources and be better at defensive security than you are at home. And, certainly, it is in the best interest of their business to do their best to remain secure. They also offer redundant storage to an extent you would not have just storing your data at home where your hard drive could blow up or your house burn down with your data in it. So, it is often an acceptable risk.
I have no direct personal experience with Mint or Personal Capital. My understanding of these third party financial data aggregator services is that they work by gathering all your financial data into one place and offering their clients the resulting convenience of the nice graphs and charts. This means they need to work with your bank, broker, etc. to get access to your transactions. The extent and type of access they will be able to get may depend on whether the financial institution views them as a partner or a competitor.
An issue that comes to my mind is the size of the attack surface. If your bank and your aggregator both have a copy of your information it gives the criminal two possible targets from which to steal it. Also, if all of your information is collected at one spot, rather than having to break into multiple accounts the criminal now has one-stop shopping.
There will always be risks. No system will ever be perfectly secure. There will always be vulnerabilities and bad people willing to exploit them. But, it always comes down to an individual judgment about whether the risk is reasonable or minimal compared with the benefit of the service.
Your data isn’t 100% safe at home and it isn’t 100% safe in the cloud.
But the companies that you trust with your data will have safeguards in place (“defensive security”) to protect you.
Let’s take a closer look at Personal Capital and what they do to secure your data.
How Safe Is My Data at Personal Capital?
Are you worried about your data being stored on Personal Capital servers?
The guy you want to talk to when it comes to security at Personal Capital is Fritz Robbins. He is their Chief Technology Officer and Chief Information Officer. He has over 20 years of experience in the field, including a three-year stint as a System Architect at RSA Security and 8 years running his own full-lifecycle software engineering company. He holds an M.S. in Computer Science from Stanford University to boot.
(also, for what it’s worth, Personal Capital’s Founder Bill Harris co-founded PassMark Security, a company that built online authentication systems used by most major banks, and Fritz Robbins was with that company as well)
I asked Fritz about security and he mentioned a few of the points I’ll dive deeper on below:
Our point of view is that viewing your banking and brokerage accounts via Personal Capital is *safer* than going directly to the banking/brokerage site from your browser. You touched on many of the reasons why:
- Your credentials are stored in a secure data center versus always being transmitted via the user’s (generally less-secure) browser
- The connection is read-only and no money can be transferred out of your banking/brokerage account via Personal Capital, and your banking/brokerage passwords are never returned to your browser from our servers.
- Our service gives you notification of all banking/brokerage transactions (via email or mobile push notifications) that makes it easy for you to monitor your banking/brokerage accounts for fraud, all in one place!
Not for nothing but knowing the security chops of the team behind Personal Capital gives me confidence they’re on top of their game.
There are two ways that Personal Capital keeps your data safe:
- They use very strong encryption, and
- They have strict internal access controls.
Quick Primer on Encryption
If you want to encrypt something that only I can read, you need my public key. You encrypt your message with my public key and then give me the encrypted message. The only way to decrypt it is by using my private key (which I would never share). If I want to send you something encrypted, I will need your public key to encrypt it. Then only you can decrypt it using your private key.
Fundamentally, modern encrypted communications are built on this idea. There are variations to make it more secure, depending on your needs (more hoops = more secure = more time).
For example, one classic variation is to rely on “session” keys rather than “permanent” ones. It’s like using a temporary credit card number rather than your actual one. For every conversation, you create new keys that expire after the session is over.
Another variation is how we get the public keys to one another. We can just publish them, and that’s typically fine, or we can use what’s known as the Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) key exchange. It uses fresh temporary keys that only the two of us use for this single session. This is what Personal Capital uses.
When you enter your bank credentials into Personal Capital, they encrypt them with AES-256 with multi-layer key management, which includes rotating user-specific keys and salts. AES-256 is the Advanced Encryption Standard (AES) and is the gold standard as determined by NIST, the United States National Institute of Standards and Technology. 256 refers to the length of the key in bits, and 256 bits is the longest key size AES supports. It is also the same encryption used by the US Government.
They never store your financial login credentials. That data is encrypted and stored at Envestnet Yodlee, a platform that powers a laundry list of financial services and wealth management tools and companies. Yodlee is periodically audited by the Office of the Comptroller of the Currency and their security processes are available here.
As for internal access controls, no one at Personal Capital has access to your credentials. Zero.
How Safe is the Connection with Personal Capital?
Your data is safe and encrypted on their servers, but it needs to get there first without someone peeking.
That’s where encryption plays yet another role.
All of your online interaction with Personal Capital is encrypted, so no one can decipher what you’re communicating with Personal Capital servers. They prefer TLS 1.2 but also support TLS 1.1 and TLS 1.0. They do not allow other less-secure protocols. Encrypted communication requires the two sides to exchange keys at the start of a session, and they use the ECDHE key exchange for Perfect Forward Secrecy (read the encryption primer above for more information).
They also require two-factor authentication. This means that if you log in from an unknown or new device, they will confirm it’s you via your phone or email (you pick when you set it up). I feel it’s a must for any financial institution, and there are some banks that don’t have this yet!
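The session-key idea from the encryption primer and the ECDHE exchange mentioned here, as an added example that is not Personal Capital’s code: an ephemeral Elliptic Curve Diffie-Hellman handshake written with only the Python standard library, on the secp256k1 curve (my choice of curve for illustration; the page does not say which curve the service uses). It shows how both sides derive the same 256-bit key from secrets that live only for one session, and why a recording of the public values alone does not reveal that key.

```python
import hashlib
import secrets

# secp256k1 domain parameters: y^2 = x^3 + 7 over GF(P); G generates a group of order N.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # the point at infinity, i.e. the group identity

def point_add(p1, p2):
    """Affine point addition, covering identity, doubling and p1 == -p2."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P   # tangent slope (a = 0)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P    # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def scalar_mult(k, pt):
    """Double-and-add: return k * pt."""
    result = INF
    while k:
        if k & 1:
            result = point_add(result, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return result

def ecdhe_session_key():
    """One ECDHE handshake. Only the public points A and B would cross the wire;
    the private scalars a and b are discarded when this call returns, so a recording
    of the handshake cannot later be turned back into the key (forward secrecy)."""
    a = secrets.randbelow(N - 1) + 1   # Alice's ephemeral private scalar
    b = secrets.randbelow(N - 1) + 1   # Bob's ephemeral private scalar
    A, B = scalar_mult(a, G), scalar_mult(b, G)
    shared_a, shared_b = scalar_mult(a, B), scalar_mult(b, A)   # the same point
    # Hash the shared x-coordinate into a 32-byte key, the size AES-256 needs.
    key_a = hashlib.sha256(shared_a[0].to_bytes(32, "big")).digest()
    key_b = hashlib.sha256(shared_b[0].to_bytes(32, "big")).digest()
    return key_a, key_b
```

Every call produces a fresh key, which is the “temporary credit card number” property from the primer: compromising one session’s key says nothing about any other session.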
Finally, their apps are tested by NowSecure and the AppSecure certification process.
How Personal Capital Protects Against Fraud
To this point, we’ve talked only about how Personal Capital protects you and your data. What if the data is bad?
What if your credit card gets used in a fraudulent way? Personal Capital monitors your transactions and can send you a Daily Transaction Monitor email that lists everything it has seen that day. Rather than reviewing your statement at the end of the month, you review it daily when your memory is fresh. You may not remember a transaction from two weeks ago but if it happened today, you will.
I personally set transaction notifications for any amount above $0 or $1 (depends on the card, some won’t let you do $0), but this is a good alternative if you feel that level of notifications is overkill (it probably is).
Is Personal Capital Safe?
Yes, Personal Capital could actually be safer than your bank.
(This is the concern that worries people the most.)
How is Personal Capital going to be safer than your bank?
They do everything your bank does plus more, in some cases:
- It’s read-only. When you connect your accounts to Personal Capital, Personal Capital can’t do anything except read the data. You can’t transfer funds.
- It’s not an appealing target. It’s read-only and your credentials are stored elsewhere (Yodlee).
- It has two-factor authentication. Not all banks have two-factor authentication (stunning but true) but Personal Capital does. It’s an extra and necessary layer of security.
- They encrypt everything with 256-bit keys. Against a brute force attack, it would take 1 billion billion years.
- One point of access for multiple banks means you don’t have to log into each of those banks individually. In fact, when you log into Personal Capital, you never have to enter your bank credentials, so they are never transmitted. If your computer is compromised by malware or a keylogger, your financial accounts are secure.
Nothing Is 100% Safe
As they say, the only thing that’s 100% safe is abstinence.
Nothing else is 100% safe. Personal Capital is not 100% safe.
If you add another layer to the system, it’s another layer that can be attacked.
That said, you have to weigh the benefits you get from using them (you can read my Personal Capital review to see everything I like and dislike about them) versus the small chance they could be attacked.
I am personally comfortable with using them but that’s ultimately for you to decide. They have put all the proper protections in place, often higher standards than is required, and that’s good enough for me.