Banks usually would cover fraudulent charges if your information were stolen in a breach. But there are other risks in putting all your account information in one app
Budget-minder apps such as Mint.com and YouNeedABudget.com can help spendthrifts track and control spending. They also carry a security risk, as they require users to hand over sensitive information such as credit card and bank account numbers, then allow the apps access to that information.
In this era of headline-grabbing security breaches, just how safe are these apps? And what would happen to users if their sensitive information fell into the wrong hands?
Before answering those questions, it’s helpful to review how budget apps work. They aggregate users’ finances, assembling information from checking, savings, credit card and even retirement accounts, to give users a single snapshot of their finances: what they’re spending, what they’re saving.
The apps are popular. Mint.com, whose website promises users “the complete picture in minutes,” claims 20 million users.
Information entered into Mint.com is read-only, explains Holly Perez, consumer money expert at Intuit, the Palo Alto, California-based company that developed and owns Mint.com. That means the app cannot use account information to transfer funds between accounts or make purchases.
Too, not all budget apps require access to bank statements and credit card accounts. Rather than have users hand over bank account numbers, YouNeedABudget.com asks them to download bank statements into a Dropbox file; a YNAB spokeswoman says Dropbox uses 256-bit AES encryption to protect data.
Card protections kick in
Banks and card networks say in the event of a breach, zero-liability protection would cover any fraudulent charges. MasterCard’s policy covers both debit and credit cards. “Our zero liability protection applies whenever a MasterCard branded card is used,” says Becky Kitchener, a spokeswoman for MasterCard. “App use has no impact on card protections.”
App use has no impact on card protections.
|— Becky Kitchener|
Wells Fargo, too, would cover fraudulent charges on credit or debit cards if an app were to have a security breach, according to a spokeswoman.
Even if it didn’t, U.S. law offers protection. The Fair Credit Billing Act limits consumer liability to $50 for unauthorized charges on credit cards, and $0 if the user reports a stolen card before the card is used fraudulently. The Electronic Fund Transfer Act offers similar protections to debit card users in certain cases.
The fine print
Both bank-based and law-based protections come with some fine print, though. Users must dispute charges within a fixed time frame. For instance, you have 60 days to comply with the Fair Credit Billing Act. You’ll need to report fraudulent debit card charges within two business days or you could be on the hook for up to $500. Wait more than 60 days and you could be liable for the entire amount.
The fine print at most banks says cardholders must exercise reasonable care in protecting their privacy, as well as report fraud in a timely fashion.
Mint.com, for its part, referred to FCBA guidelines when asked about credit card protection. It says debit card protections depend on the user’s bank.
Some banks will not cover unauthorized debit card charges or fraudulent bank-account activity if customers hand over private information to a third party, says Leo Hopper, information security manager at GreenPath Debt Solutions, a nonprofit financial consulting agency in Farmington Hills, Michigan.
Too, some financial institutions will not allow Mint.com access to customer accounts.
Hopper’s advice: Check with your bank before signing up with a budget app to see what protections are available to you. He also suggests checking with the apps you plan to use to see what protection they offer.
Risks to personal information
Yet another caveat: Terms of service “always say they will not share or sell your information, but that’s always subject to change,” particularly if an app is sold to another company, Hopper says.
The greatest risk for these services is that all your information is accessible in one location.
|— Leo Hopper|
GreenPath Debt Solutions
Massive, hacker-led security breaches aren’t what bother experts such as Hopper, though. It’s personal carelessness that could cause a smartphone and an app, and all that sensitive information, to come into a crook’s possession. “The greatest risk for these services is that all your information is accessible in one location,” Hopper says. “Worst case, they can access your info and do some form of identity theft.”
Greenpath counselors, he continues, encourage clients to use budget apps, as they’re useful tools for people who need help organizing budgets and finances. For the most part, the apps are reputable and safe: Users are more likely to click on a spam-phishing email and get “had” that way rather than have a budget app experience a systemwide breach, he says.
Budget app safety tips
The key to using a budget app safely: Follow good tech hygiene rules and use your brain. Here are seven app-safety guidelines from Becky House, education director at American Financial Solutions, a nonprofit financial counseling agency in Seattle.
1. Use the apps as your comfort level permits. Apps can track spending and saving by aggregating information from all accounts, “but there are a lot of people who are not comfortable connecting accounts [and] having all their eggs in one basket,” House says.
2. Protect yourself with a password. Budget app sites encrypt passwords, so even if a hacker were to break in, he’d have to decrypt passwords first. Someone who grabbed your iPhone off a table at Starbucks, though — that’s another story, particularly if your phone isn’t password-protected. The lesson: Password-protect your smartphone and set up the password function so you have to log in every time you use the phone.
3. Use complicated passwords. It’s old advice and worth repeating: For the phone and for the apps themselves, don’t use your birthday, address or other easily guessable digits as passwords. “Make sure it’s complicated,” House says.
4. Do not agree to auto-logins when you access a site. You know that window that pops up and asks, “Remember this password?” with the choice to answer “Yes,” “Not now,” or “Never for this site?” “Never” is always the right choice, House says.
5. Use anti-virus software on your phone. It’s something people should do, but don’t: “I feel I harp on this a lot,” House says. Norton, which makes anti-virus software for computers, has a smartphone version available at us.norton.com.
6. Pay attention. Budget apps alert users to activity on their bank accounts and credit card statements; if you see unusual activity, check it out and report it. That is crucial, as zero-liability and FCBA protections do hinge on timely reporting of fraudulent behavior.
7. Be discreet in public. Don’t play with your budget app when you’re using public Wi-Fi at a coffee shop or at the airport; those airwaves are public and susceptible to breaches. If you must log on, say to check out an account activity report, use cellular data if possible and remember to log off as soon as you’re finished. Also be aware of who’s around you; someone at the next table might have a full view of your screen.
The bottom line: Budget apps can do lots to help users gain financial wisdom; the rewards of using them outweigh the risk. Users — by being smart and careful — can do much to reduce that risk.
See related: 7 exceptions to ‘zero liability’ policies, Video: 5 steps to secure smartphone data