KL33ParticipantStatus: Other Professional, SpousePosts: 11Joined: 10/30/2018
I know this topic has come up now and then…but I was wondering what current opinion was on the security of using online sites such as Mint or Personal Capital. I was considering how useful it would be to use one of these. But, that’s a single third party site that would have access to all our financial data and passwords. Seems like “secure” sites are being hacked pretty regularly lately, which makes me hesitant to set one of these accounts up.December 5, 2018 at 6:48 am MST #171776ENT DocParticipantStatus: PhysicianPosts: 3024Joined: 01/14/2017
I think budgeting can be done efficiently without them using a simple spreadsheet of your own or even a monthly review once you’re in a rhythm. Wealth tracking and rebalancing doesn’t need to be done often – spot checks to your accounts can be done 1-2x/yr. All that for a nuanced understanding of my data and at $0. The security is a non-issue when I framed it like that. Add security concerns and annoying add targeting, and I see them as providing negative value.KambanParticipantStatus: PhysicianPosts: 2203Joined: 08/01/2016
using online sites such as Mint or Personal Capital.Click to expand…
I don’t have a choice that my bank has online banking and allows the transactions to be done online for others whether I want it or not for myself. Same with brokerages. But if they get hacked at least they will be responsible and their insurance will reimburse me for the lost money.
But in the case of Mint and Personal capital I am taking the risk on to myself. If someone hacks my data and misuses it and unless Mint reimburses me, it will be my fault. It may sound far fetched but the ingenuity of the hackers is getting bolder day by day.
Therefore I have stored all my transactions from all my institutions in my Quicken program at home. I don’t really need to have access to that data at all times with all devices. Just having it at work and home is sufficient for me. I also decline mobile banking from my phone since I am prone to misplacing my phone and even with precautions someone can get to my transactions. Maybe exaggerated concerns but I feel that for me the benefits are not worth the risks. I also understand that a hacker can get into my home computer and then get onto Quicken but they are more likely to hack bigger sites with more valuable data than a single home with very little data.
Might be different for different people.bean1970ParticipantStatus: PhysicianPosts: 469Joined: 07/12/2017
i don’t use Mint, but as far as I know Mint is not a financial entity. PC is a financial advising firm with rights to manage assets and has to comply with same security as banks and brokerage firms. It is regulated. Most banks have actually lifted the security platform that PC uses.
That said, to use the PC platform only, they don’t have access to your passwords once it is submitted. it is read only. I’ve compiled some cut/paste explanation. it is actually safer to log into PC than to log into your bank.
PC has bailed me out of fraudulent charges on more than one occasion. My bank doesn’t always notify/text me because a $305 charge at Nike store isn’t really “out of ordinary” for our spending and stores we shop at….but it is when no one has shopped at Nike store that day/month/week. Like i pasted below, daily email is way easier to jog memory than at end of month and can get new card faster. We have three people using different credit cards in different states on most days. Having all transactions aggregated has bailed me more than once like I said…..
When you enter your bank credentials into Personal Capital, they encrypt it with AES-256 with multi-layer key management, which includes rotating user-specific keys and salts. AES-256 is the Advanced Encryption Standard (AES) and is the gold standard as determined by NIST, the United States National Institute of Standards and Technology. 256 refers to the length of the key used and 256-bits is a longest. It is also the same encryption used by the US Government.
They never store your financial login credentials. That data is encrypted and stored at Envestnet Yodlee, a platform that powers a laundry list of financial services and wealth management tools and companies. Yodless is periodically audited by the Office of the Comptroller of the Currency. As for internal access controls, no one at Personal Capital has access to your credentials. Zero.
Your credentials are stored in a secure data center versus always being transmitted via the user’s (generally less-secure) browser.
The connection is read-only and no money can be transferred out of your banking/brokerage account via Personal Capital, and your banking/brokerage passwords are never returned to your browser from our servers.
PC service gives you notification of all banking/brokerage transactions (via email or mobile push notifications) that make it easy for you to monitor you banking/brokerage accounts for fraud, all in one place!
All of your online interaction with Personal Capital is encrypted, so no one can decipher what you’re communicating with Personal Capital servers. They prefer TLS 1.2 but also support TLS 1.1 and TLS 1.0. They do not allow other less-secure protocols. In encryption, you need to exchange keys during a session of communication and they use ECDHE key exchange for Perfect Forward Secrecy (read the encryption primer for more information).
They also require 2-factor authorization. This means that if you log in from an unknown or new device, they will confirm it’s you via your phone or email (you pick when you set it up). I feel it’s a must for any financial institution and there are some banks who don’t have this yet!
Finally, their apps are tested by NowSecure and the AppSecure certification process.
How Personal Capital Protects Against Fraud
Personal Capital monitors your transactions and can send you a Daily Transaction Monitor email that lists everything it has seen that day. Rather than reviewing your statement at the end of the month, you review it daily when your memory is fresh. You may not remember a transaction from two weeks ago but if it happened today, you will.
Is Personal Capital Safe?
Yes, Personal Capital could actually be safer than your bank.
(This is the concern that worries people the most.)
How is Personal Capital going to be safer than your bank?
They do everything your bank does plus more, in some cases:
It’s read-only. When you connect your accounts to Personal Capital, Personal Capital can’t do anything except read the data. You can’t transfer funds.
It’s not an appealing target. It’s read-only and your credentials are stored elsewhere (Yodlee).
It has 2-factor authorization. Not all banks have 2-factor authorization (stunning but true) but Personal Capital does. It’s an extra and necessary layer of security.
They encrypt everything to 256 bits. Against a brute force attack, it would take 1 billion billion years.
One point of access for multiple banks means you don’t have to log into each of those banks individually. In fact, when you log into your Personal Capital, you never have to enter your bank credentials so it never gets transmitted. If your computer is compromised by malware or a keylogger, your financial accounts are secure.
Nothing is 100% safe, but it is really safe.jhwkr542ParticipantStatus: PhysicianPosts: 1088Joined: 02/15/2016
I think the concern is always overblown. I’ve already been part of the hack on the IRS and Experian, so at this point, I’m just waiting for the next company to give me a free year of credit monitoring next.PedsParticipantStatus: PhysicianPosts: 3626Joined: 01/08/2016
I know this topic has come up now and then…but I was wondering what current opinion was on the security of using online sites such as Mint or Personal Capital. I was considering how useful it would be to use one of these. But, that’s a single third party site that would have access to all our financial data and passwords. Seems like “secure” sites are being hacked pretty regularly lately, which makes me hesitant to set one of these accounts up.Click to expand…
they can be hacked like anyone else.
they can be stupid and leave your data nonencrypted like anyone else.
i dont personally use them. i track everything on excel.
trusted 3rd partys are security holes….Drop it into MDParticipantStatus: PhysicianPosts: 440Joined: 09/20/2018
I use Personal Capital and have had a very similar experience to Bean. I have been on about 6 months now. It is nice to be able to log into one site and see that all the transactions happened as they should. It is probably safer then logging into each other site individually but who knows. I do like the daily email feature. I can see how you would catch a fraudulent charge much easier then reviewing your statement at the end of the month. I was using Excel prior to track my NW but I found it to be tedious.
The only knock I have against PC is the multiple notifications to join their paid service. But, hey we all gotta make money.December 5, 2018 at 8:14 am MST #171799KL33ParticipantStatus: Other Professional, SpousePosts: 11Joined: 10/30/2018
Thanks everybodyDecember 6, 2018 at 6:13 am MST #171979hightowerParticipantStatus: PhysicianPosts: 1384Joined: 12/07/2016bean1970 wrote:
The connection is read-only and no money can be transferred out of your banking/brokerage account via Personal Capital, and your banking/brokerage passwords are never returned to your browser from our servers.Click to expand…
Yes, but that doesn’t mean a brilliant hacker couldn’t figure out how to get the passwords off the servers. If there’s a will, there’s a way.
Thanks for explaining how personal information such as passwords are stored on sites such as Personal Capital. It’s interesting stuff. However, it still doesn’t make me feel like it’s safe to use. To me it seems like the fewer sites you use, the better. I don’t use Mint anymore and I’ve never used PC because I just can’t believe that it’s safe to have all of your passwords and secret question answers stored in one place, no matter how encrypted and fancy their security systems are. I’m sure they are very tough to crack, but some of the smartest computer minds in the world are working as hackers 24/7 looking for ways to break in. The damage that could be done if they were successful at gaining access to one of these sites is pretty huge. They would have access to all of your bank and investment account passwords simultaneously. They could then drain your accounts pretty quickly before you even realized anything had happened. Eventually someone is going to figure out how to steal passwords from Personal Capital or Mint, etc. It’s not a matter of if, it’s a matter of when.
Seems too risky just for the convenience of being able to see your numbers online. I’d rather keep a spreadsheet. Spreadsheets are fun anywayDrop it into MDParticipantStatus: PhysicianPosts: 440Joined: 09/20/2018
Password management is handled by everyone different.
Some people let google keep all their passwords saved in chrome. This is convenient but all someone would need is one password to get into everything.
Save them in your email. Same as above.
Use the same or similar password for everything. Kind of the same as above
Write them all down. This has obvious issues
Come up with a unique difficult password only saved in your memory and change it on a quarterly basis. Sounds great but I have well over 20 things I log into on a regular basis and who knows how many more in total. Seriously I have 5 different passwords just for my different work EMRs.
What I am trying to say is if someone wants to get into my information that bad they are going to and I do not thing using PC is going to effect that much. However I will notice if major changes happen to any of my accounts no later then the next day.December 6, 2018 at 7:53 am MST #171998justlearningParticipantStatus: Other Professional, SpousePosts: 114Joined: 08/15/2017
i would say it is much easier to hack personal computer and obtain spreadsheets and other docs than hacking Mint or PC but your changes of getting hacked may differ than Mint or PC. They use industry standard encryption defined by NIST so does most of the online shopping sites and banks. After NSA leaks about their capabilities and Experian Hack no personal information safe online.
I would say using a different strong password for each web site probably provide better security outcome than someone deciding not use Mint or PC due to security concerns. Most of the financial institutions provide linking external accounts etc (BoA, Charles etc).December 6, 2018 at 7:56 am MST #172000StarTrekDocParticipantStatus: PhysicianPosts: 1723Joined: 01/15/2017
If you do online banking — your risk is already there.
We use PC as a nice quick aggregator and alert platform. With 2FA, it’s actually safer than my Fidelity/BOA/Chase accounts to brute force/phishing attacks
We still use quicken for the heavy lifting transactions -expenses, charity, etc. makes life a lot easier at tax time.sir_throckmortonParticipantStatus: PhysicianPosts: 16Joined: 11/20/2017
I personally don’t like the idea of having all of my user names and passwords at one site. I understand it’s supposedly really safe, but they aren’t going to say it’s unsafe. It’s safe until it gets hacked then everyone is like wtf were we thinking? Yea, I use online banking and online investing accounts, etc, but they are all at different institutions. I actually enjoy tracking all of my financial data in Excel anyway so that’s how I do it.December 7, 2018 at 10:19 pm MST #172591ACNModeratorStatus: PhysicianPosts: 549Joined: 01/08/2016
Use a password manager and two step authentication and you’ll probably be very very safe for a long time.
If you're ever having a bad day, just remember in 1976 Ronald Wayne sold his 10% stake in Apple for $2,300.December 8, 2018 at 9:35 am MST #172625wxl31ParticipantStatus: PhysicianPosts: 7Joined: 12/16/2017I know this topic has come up now and then…but I was wondering what current opinion was on the security of using online sites such as Mint or Personal Capital. I was considering how useful it would be to use one of these. But, that’s a single third party site that would have access to all our financial data and passwords. Seems like “secure” sites are being hacked pretty regularly lately, which makes me hesitant to set one of these accounts up.Click to expand…
I have used an online aggregator of some type (Yodlee, Fidelity, PC, Mint) since they first came on scene, maybe ~2010. Have not received a email from any of them stating they had a hack (can’t say the same for retailers/banks/credit card issuers/credit reporting agencies/health insurance companies). Have not noticed any change in frequency of fraudulent credit card transactions pre-2010 or post-2010. Have not noticed a single fraudulent transaction in a brokerage or retirement account. I am no expert on security, but based on my limited experience, the risk seems pretty low.
I find the online aggregators incredibly convenient. After Yodlee was changed for the worse a couple years ago, I switched to doing things manually with Excel, then Drive, but it was tedious, prone to data entry errors, prone to forgetfulness. Maybe I had grown soft, having relied on Yodlee for a long time. Finally gave up Excel/Drive, switched to PC+Mint (PC for investments, Mint for keeping track of bills), which has worked nicely.December 10, 2018 at 2:46 pm MST #173181