By Amanda Urrutia
September 12, 2018
Banking on It
It’s likely you know someone who uses a money management application. There are bank-specific apps that allow you to quickly access your personal information and transfer funds, as well as other apps that take the information from your accounts and aggregate it for easy analysis of your spending habits.
These apps are an easy and convenient way to manage and keep track of finances, or to quickly transfer money over to a friend for that lunch they treated you to. But any time finances are concerned, security should be a top priority. Many people assume these apps are secure based on big-name brands and word of mouth, but fail to follow up and ask some important questions, such as “which applications are real?” There are a variety of fake doppelgangers out there that are imitating popular trending applications but are actually designed to steal your information. When considering the full risk of using financial management apps, it’s important to understand the dangers and legal ramifications, as well as how you can minimize your risk. After all, we should not have to forgo convenience for safety.
Don’t Be Fooled by Fake Apps
One of the easiest ways to be fooled by scammers is through fake applications listed on an app store, particularly on third-party application stores that are not built into your device. Searches for popular apps such as “Mint” can bring up multiple results with little to no visible differences, forcing the end user to gamble with their data. Fake apps are on the rise; according to TechCrunch, Google removed over 700,000 malicious apps from the Google Play store in 2017. How exactly are you supposed to figure out which of these thousands of apps is not trying to steal your information?
First, you’ll want to make sure you carefully read all of the information listed about the app, and check to be sure that the application and developer names are consistent with what you are searching for. For example, the “Messenger” app should list a developer of “Facebook” and not something like “Facebook™” or “Facebook©”.
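The developer-name check above is one that can be automated. The following is an added example, not code from the original post or from any app store, showing how a listed developer name can be compared against the expected publisher after stripping decorative symbols and Unicode-normalizing it, and how a name that hides a non-Latin lookalike letter is flagged separately. The listings, the expected name and the four verdict labels are all constructed for this illustration.

```python
import unicodedata

# Constructed sample listings for the example; none of these are real store records.
LISTINGS = [
    {"app": "Messenger", "developer": "Facebook"},
    {"app": "Messenger", "developer": "Facebook\u2122"},     # trademark sign appended
    {"app": "Messenger", "developer": "Facebook\u00a9"},     # copyright sign appended
    {"app": "Messenger", "developer": "F\u0430cebook"},      # Cyrillic 'a' replacing Latin 'a'
    {"app": "Messenger", "developer": "Facebook Inc. (official)"},
]

# Decorative symbols that scammers tack onto a real name: ™ © ®
DECORATIONS = "\u2122\u00a9\u00ae"


def normalize_name(name):
    """Fold a developer name into a comparable form.

    The decorations are removed before NFKC normalization because NFKC
    itself rewrites U+2122 (™) into the letters 'TM'.
    """
    stripped = "".join(ch for ch in name if ch not in DECORATIONS)
    folded = unicodedata.normalize("NFKC", stripped).casefold()
    return " ".join(folded.split())


def non_latin_letters(name):
    """Return the letters in the name that are not from the Latin script."""
    return [ch for ch in name
            if ch.isalpha() and "LATIN" not in unicodedata.name(ch, "")]


def classify_developer(listed, expected):
    """Classify a listed developer name relative to the expected publisher.

    Verdicts (labels chosen for this example):
      match            - identical to the expected name
      lookalike-script - contains letters from another script (homoglyphs)
      decorated-name   - same name once symbols/case/spacing are folded away
      mismatch         - a different name altogether
    """
    if listed == expected:
        return "match"
    if non_latin_letters(listed):
        return "lookalike-script"
    if normalize_name(listed) == normalize_name(expected):
        return "decorated-name"
    return "mismatch"


def review_listings(listings, expected_developer):
    """Map each listed developer name to its verdict."""
    return {entry["developer"]: classify_developer(entry["developer"], expected_developer)
            for entry in listings}


if __name__ == "__main__":
    for name, verdict in review_listings(LISTINGS, "Facebook").items():
        print(f"{verdict:17} {name!r}")
```

Only the first listing is a clean match; the two decorated names and the Cyrillic lookalike are exactly the kind of listing the paragraph warns about, and the last one is simply a different publisher name that deserves a closer look.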
Secondly, you’ll want to examine the reviews on the application in question. If there are too few reviews, that should be an immediate warning sign, as a handful of comments could easily be paid for or placed by the scammer. Additionally, even if there are a decent number of reviews, always check both the 5-star and 1-star reviews. If the 5-star reviews seem too good to be true, they probably are. Most 1-star reviews will give you plenty of opinions on whether the application functions as intended or is a scam that has ripped people off.
Within these reviews, you may also see other warning signs, such as actions that are required in order to use the application. While creating a dedicated account might not raise any flags, having to enter your credentials from any other app should always be met with extreme scrutiny. This is especially the case for “free” apps that offer in-app purchases but require your credit card details to be entered directly in the application.
Finally, one of the most obvious differences between an official and a fake app is the advertised logo. Subtle changes in a logo, like tight cropping or a logo that is blurry or out of focus, could fool many customers, especially if every other aspect of the application seems legitimate. Small font changes in the letters or even slight color changes to the logo could be a sign of a false application. The best way to ensure you are downloading a legitimate application is to go directly to the developer’s website or social media and navigate to the application store from there. It’s also important to check whether the developer has recently been warning users of a scam, and whether they have even released a version of the app for your platform. For example, if the developer’s website states that the app is for Android only and you’re viewing it on an iPhone, chances are it’s a scam.
Security Risks of Financial Management Apps
Any application has inherent risks to the user, but financial applications can be especially risky. Risk is based on the level of access you grant the application to your device, as well as the information the app provides to other services.
Important questions to ask when considering a financial management app include, “what exactly are these apps asking you to provide,” and, “what are they requesting access to?” Consider whether or not you are personally comfortable releasing this information; this is where it becomes vital to be familiar with the terms and conditions, especially with the recent global impacts of the General Data Protection Regulation (GDPR) changes in 2018. You may not be familiar with the term, but you likely felt its impact when many of your applications and subscribed services sent you a privacy notice and update to their terms and conditions. In summary, those long terms and conditions notices are now required to be shrunk down and translated into understandable language. GDPR also requires a clear statement if your data is to be used by an outside source, as well as clarification surrounding the terms on deletion/erasure of data once a user requests removal.
For money management applications specifically, it is important to be aware of whether you are creating an account with that service itself or simply plugging in your existing account information. The level of risk depends entirely on the type of application, as well as your assurance that it is legitimate and your willingness to provide your personal information. For example, providing the credentials of your Chase bank account to the Chase banking app should carry minimal to no risk; not only because you have ideally verified its source using the methods listed above, but also because it is an app promoted and endorsed by a company you trust and that devotes a large portion of its security resources to cybersecurity.
On the reverse side, providing your Chase bank account credentials to a third-party provider such as Mint raises questions. What would you do if that account was compromised? What liability are you left with, especially if your bank has stated that using third-party apps leaves you liable for any fraud or identity theft issues arising from the negligence of that application developer? Money Week highlights this very issue in its article discussing whether money aggregator applications should be trusted. In the article, they state that many of these liability considerations are set out in your individual bank’s terms and conditions of use.
Managing Your Risk
We should not be deterred from using these applications simply based on “what-ifs.” The most important factor in all security is minimizing your risk. One of the best ways to minimize risk is obvious: do your research. Whenever you go to download an application that you are going to trust with your financial or personal information, look into the methods they use to keep your data safe. Mint, for example, uses 128-bit SSL encryption for the information you are able to readily access. Another layer of that security is their “Customer Central,” an isolated network that houses your information, communicates directly with the banks, pushes only readable data to your application, and cannot be accessed directly. It is also protected by 256-bit encryption. Even further, since Mint is owned by Intuit, their Customer Central location is monitored for threats not only electronically but also physically; their physical data center is “guarded 24/7 with cameras with lights that follow you as you walk, and doors that won’t unlock until the previous door is fully secured behind you” (Smart Money Nation). In comparison, a company that uses a small-scale cloud-based provider to store company data often copies that data down onto its own local servers—frequently the same servers that are open to the internet and used for day-to-day activities. This is vulnerable on multiple levels. Knowing the type of security that protects your data within an application will help you decide whether or not you want to trust the organization with your data.
While checking the security of the app, make sure you activate fraud and activity alerts on the accounts you plan to connect to the app. This way, you can be aware of strange activity and correlate it across your applications. If you receive alerts from your bank but not from the management app you are using, it’s probably best to remove that application and write a review to warn other potential users.
This next step should be applied to any application holding sensitive data: use a separate, generic email address. Instead of using a name such as email@example.com, use something generic but memorable to you, like firstname.lastname@example.org. As well as avoiding an email address associated with your name, don’t use similar or easily guessed passwords. Try using long passphrases instead of simple words, or—even better—a password management tool that generates and stores complex randomized passwords that you can change on a routine basis.
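The advice to prefer long passphrases, and to let a tool generate random passwords, rests on how much guessing work each choice forces on an attacker. The following is an added example, not part of the original post, that generates a passphrase from a word list using the operating system’s cryptographic random source and compares the resulting entropy with that of a short character password. The sixteen-word list is constructed for the illustration; a real passphrase list is far larger (the 7,776-word figure used in the comparison is the size of a standard diceware list), and the helper names are this example’s own.

```python
import math
import secrets

# Constructed miniature word list for the example; real lists have thousands of entries.
WORDS = ["anchor", "basket", "candle", "dolphin", "ember", "forest", "garnet", "harbor",
         "island", "juniper", "kettle", "lantern", "meadow", "nectar", "orchid", "pebble"]

DICEWARE_LIST_SIZE = 7776      # size of a standard diceware word list
LOWERCASE_ALPHABET_SIZE = 26   # a-z only


def generate_passphrase(word_count=6, wordlist=WORDS, separator="-"):
    """Join word_count words drawn uniformly at random with the OS CSPRNG.

    secrets.choice is used instead of random.choice: the random module is a
    deterministic PRNG and is not suitable for credentials.
    """
    return separator.join(secrets.choice(wordlist) for _ in range(word_count))


def entropy_bits(symbol_count, alphabet_size):
    """Entropy of symbol_count independent uniform draws from an alphabet.

    Each draw contributes log2(alphabet_size) bits, so the total is additive.
    """
    return symbol_count * math.log2(alphabet_size)


def compare_strength(word_count=6, password_length=8):
    """Return (passphrase_bits, password_bits) for the two approaches."""
    return (entropy_bits(word_count, DICEWARE_LIST_SIZE),
            entropy_bits(password_length, LOWERCASE_ALPHABET_SIZE))


if __name__ == "__main__":
    phrase = generate_passphrase()
    phrase_bits, pw_bits = compare_strength()
    print(f"sample passphrase: {phrase}")
    print(f"6 diceware words : {phrase_bits:.1f} bits")
    print(f"8 lowercase chars: {pw_bits:.1f} bits")
```

Six words from a 7,776-word list give roughly 77 bits of entropy, while eight random lowercase letters give only about 38 bits, and a word a person picks from memory is far weaker than a uniform draw. That gap is why a generated passphrase, or a manager-generated random password, is the recommendation rather than a single memorable word.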
While two-step verification is standard for most email accounts these days, it’s important to emphasize the security of dual authentication (also known as two-factor authentication; read more on SecureEnvoy) on your email and, if possible, on the financial app you are using as well. This will help in the event that your phone or credentials are stolen; if you have two-factor authentication enabled, you should be able to access your account from a completely separate device and deny access or change your password to remove the intruder.
Lastly, it’s important to consider the ability to shut down your phone remotely and use backups to restore it to a newly acquired phone. If your phone gets stolen, this is a crucial tool. For example, Apple allows you to do this through your Apple ID and iCloud account, provided you have set it up to sync. If you set this up properly and then lose your phone, at least your data could be protected.
Applications have made a huge impact on our lives, allowing us to keep track of the complexities of our day-to-day and save for our futures. But it’s important to understand where we are placing our trust. By taking a moment to know what application you are downloading onto your mobile device, as well as what kind of information it asks you to provide and how the developer plans to use it, you can take the initiative and protect your data by minimizing risk. There’s no such thing as being too safe when it comes to cybersecurity; reading the fine print on those terms of service, creating new emails and passwords, enabling fraud alerts and having remote control of your device are great steps forward. These preventative measures might not stop every theft attempt, but they should give you better peace of mind in the event something happens.
Contact your local Eide Bailly professional to learn more about how to practice good cybersecurity on your devices.