Personal finance apps will help you budget, but are they safe?

Mint, PayPal, Venmo, Digit – in the growing world of personal finance apps, these are well-known services that provide a lot of utility to their users. While these apps allow users to save money, allocate their investments efficiently or simply not have to worry about splitting a check when dining out with friends, does this convenience come at a cost? Below we take a hard look at mobile finance apps and the cybersecurity sacrifices they might seem to require of us.

What are personal finance apps?

Defined loosely, personal finance apps are services that help users manage their money or plan their finances. Most of these services can only be accessed through their respective mobile app, though some can also be used from a computer. Because the category of personal finance apps is broad, it can include anything from an online banking application to a basic investment calculator. Among the most popular are mobile-based financial apps that give you greater control over financial planning and spending in real time, either by linking directly to your financial accounts or by having you enter your financial information manually. Because of the sensitive nature of this information, all of these apps guarantee the highest degree of security, and a number of them take only “read-only” access to any accounts you decide to link, meaning they can’t do anything other than view your account history. Still, in a world full of data breaches, it’s plausible to believe that sharing such private information, even with a secure source, is more of a risk than many consumers should be willing to take.

Are personal finance apps unsafe?

There’s nothing to directly imply that any of these apps are unsafe, especially apps run by long-standing financial tech industry titans like PayPal and Intuit (the latter of which owns the very popular app called Mint). In fact, given that they are tech companies, a case could be made that, in some ways, they’re possibly more security-conscious than newer companies or non-tech companies that are only now getting around to investing in Internet-based financial services. That said, some people have held off on adopting this type of financial technology because of the fear that it increases their attack surface – that’s tech speak for the number of ways a hacker can get you. Essentially, signing up for more services and using more devices means your information is in more places, which gives hackers additional methods and opportunities to take your information and raises the risk of your information being leaked in a breach.

What’s particularly unnerving about financial apps that require your banking information or online banking login credentials is that they effectively create a duplicate of your financial data. A real-time budgeting app like Mint, for example, requires you to enter your bank account username and password. The application is then provided with details like how many bank accounts or credit cards you have, your bank account balance and your account history (e.g., debits and credits). Since this information would be available on both your bank’s servers and the app’s servers, a hacker now has their pick of which to attack instead of having to focus their efforts on just one. That said, this alone doesn’t exactly increase a hacker’s odds of successfully pulling off a data breach – that comes down to the strength of the back-end security protocols of both services. In fact, given the high level of security among both banks and popular financial apps, hackers will probably decide to target you instead.

This is why linking services together doesn’t just increase the attack surface for data breaches; it can also increase the attack surface for social engineering attacks specifically targeting you. For example, a hacker could craft a custom email in an attempt to phish your banking or credit card information. They could approach you as a representative from your bank or, conversely, as a representative from your preferred financial app. Either way, information gained from one account could, in theory, be leveraged to access the other account by allowing hackers to play a convincing version of you with a real customer service representative. It’s important to note that there have been no known, or at least no widely reported, data breaches of the most popular financial apps out there, but it bears saying that this alone does not preclude the possibility of it happening down the line.

If you choose to use third-party personal finance apps …

While some individuals abstain from using third-party financial apps altogether, a large number enjoy their benefits. Ultimately, the decision to use these apps comes down to personal preference – if you practice good cybersecurity habits and trust the security protocols of the company whose services you’re interested in, you should be fine. However, before enrolling in a service you should ask yourself the following questions:

1. What do the terms of service for your bank say? The terms of service for your bank are going to be critical. Because these third-party financial apps are an emerging technology service, there can be a lot of uncertainty around how banks should deal with them. Some banks claim that they reserve the right to waive fraud reimbursement if you link your bank account to one of these apps (although some have become more lenient about this over time). Other banks might play nice and even provide you with a temporary login you can use to link your accounts to the service without having to hand over your online banking login credentials.

2. What do the terms of service for the app say? You’ll also want to read the terms of service for the application you intend to use. You should pay close attention to the security and data retention policies. Essentially, you want to know the lengths the company will go to protect your data and whether it sells any of your information. Also, given the sensitive nature of the data, you’ll want to know what happens to it if you leave the service or die, or if the service provider goes out of business.

3. What security features do your bank and the app offer? Both your bank and the third-party app should offer things like two-factor authentication (2FA) or HTTPS. You should be familiar with any security features before you start using a service. Another thing to consider is whether the security features of the two services will complement or hinder one another. For example, some banks and financial services require you to disable 2FA before you link your accounts to Mint or similar services. This is because these services have not set up an infrastructure to recognize logins through third-party services as legitimate logins. This isn’t a security failure, but a technological oversight that would have to be addressed on a case-by-case basis. If your bank or financial service doesn’t play nice with your preferred financial app, then it’s probably best you avoid linking them, as you might otherwise have to make unnecessary security sacrifices.

4. Does your bank or other financial institution (e.g., your credit card) already do something similar? Many online banking services allow you to monitor your spending with reports – perhaps not with the same pizzazz as mobile finance apps – but many banks do, or are beginning to, offer the services provided by popular third-party financial apps. Similarly, your credit cards likely offer some form of the same services. In order to avoid oversharing your financial data, it’d probably be best to take thorough inventory of the services and features your bank or credit card provides, rather than immediately giving your information to a third-party service.
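The difference between handing an app your real online-banking password (question 1) and getting a temporary, “read-only” login from the bank (questions 1 and 3) is easiest to see in code. The toy bank below is an added example written for this article; it is not the code of any real bank or of Mint, PayPal, Venmo or Digit, and the account names, balances and clock values are constructed. It contrasts what a leak of the app’s stored secret would expose under each option: a copied password gives full access, while a scoped token can only read, expires on its own, and can be revoked without the customer changing their password.

```python
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class Account:
    owner: str
    balance_cents: int


class Bank:
    """Toy bank server, constructed for this example (not any real institution's code).

    A third-party budgeting app can reach account data two ways:
      - Option A: log in with the customer's real online-banking password (scope "full"),
      - Option B: present a separate read-only, expiring link token (scope "read").
    """

    def __init__(self):
        self._passwords = {}  # username -> password; plain text only because this is a toy
        self._accounts = {}   # username -> Account
        self._tokens = {}     # token string -> {"user", "scope", "expires"}

    def register(self, user, password, balance_cents):
        self._passwords[user] = password
        self._accounts[user] = Account(user, balance_cents)

    # --- Option A: the app stores and replays the real banking credentials ---
    def login(self, user, password):
        stored = self._passwords.get(user, "")
        # constant-time comparison so a mismatch does not leak where the strings differ
        if not hmac.compare_digest(stored.encode(), password.encode()):
            raise PermissionError("bad credentials")
        return {"user": user, "scope": "full"}

    # --- Option B: the bank mints a link token that can only read ---
    def issue_link_token(self, user, password, ttl_seconds, now=None):
        self.login(user, password)  # the owner proves identity once, at link time
        token = secrets.token_urlsafe(16)
        expires = (time.time() if now is None else now) + ttl_seconds
        self._tokens[token] = {"user": user, "scope": "read", "expires": expires}
        return token

    def session_from_token(self, token, now=None):
        entry = self._tokens.get(token)
        if entry is None:
            raise PermissionError("unknown or revoked token")
        if (time.time() if now is None else now) >= entry["expires"]:
            raise PermissionError("token expired")
        return {"user": entry["user"], "scope": entry["scope"]}

    def revoke_link_token(self, token):
        # Cuts the app off without the customer having to change their password.
        self._tokens.pop(token, None)

    # --- Operations; every one is gated on the session's scope ---
    def get_balance(self, session):
        return self._accounts[session["user"]].balance_cents

    def transfer(self, session, to_user, amount_cents):
        if session["scope"] != "full":
            raise PermissionError("read-only session cannot move money")
        src = self._accounts[session["user"]]
        if amount_cents <= 0 or amount_cents > src.balance_cents:
            raise ValueError("invalid amount")
        src.balance_cents -= amount_cents
        self._accounts[to_user].balance_cents += amount_cents


def blast_radius_demo():
    """Compare what a leaked app secret exposes under each option. Sample data is constructed."""
    bank = Bank()
    bank.register("alice", "correct horse battery staple", 50_000)
    bank.register("bob", "another password", 0)
    outcomes = {}

    # Option A: the app kept Alice's real password, so whoever obtains it holds a full session.
    pw_session = bank.login("alice", "correct horse battery staple")
    bank.transfer(pw_session, "bob", 20_000)
    outcomes["password_leak_can_transfer"] = bank.get_balance(pw_session) == 30_000

    # Option B: the app kept only a read-only token issued at link time.
    t0 = 1_000_000.0  # fixed clock keeps the example deterministic
    token = bank.issue_link_token("alice", "correct horse battery staple", 3600, now=t0)
    ro_session = bank.session_from_token(token, now=t0)
    outcomes["token_can_read"] = bank.get_balance(ro_session) == 30_000
    try:
        bank.transfer(ro_session, "bob", 1)
        outcomes["token_leak_can_transfer"] = True
    except PermissionError:
        outcomes["token_leak_can_transfer"] = False

    # The token also dies on its own after the TTL, and the customer can revoke it at any time.
    try:
        bank.session_from_token(token, now=t0 + 3601)
        outcomes["token_works_after_expiry"] = True
    except PermissionError:
        outcomes["token_works_after_expiry"] = False
    bank.revoke_link_token(token)
    try:
        bank.session_from_token(token, now=t0)
        outcomes["token_works_after_revoke"] = True
    except PermissionError:
        outcomes["token_works_after_revoke"] = False
    return outcomes


if __name__ == "__main__":
    for name, value in blast_radius_demo().items():
        print(f"{name}: {value}")
```

Running the script prints one line per outcome. The point of the design is the `scope` check inside `transfer`: a bank that issues scoped link tokens can let a budgeting app read history while keeping money movement, and the customer’s real password, out of the app’s database entirely, which is exactly what a bank’s “temporary login” for linking is meant to achieve.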

Even though most services aim to provide top-notch security to their users, it’s still important to take a moment to recognize what information a service is asking you to provide before you sign up, as the modern age is no stranger to data breaches. For more information about cybersecurity, data breaches and more, keep reading our technology blog.