It seems like every commercial break now has an ad for some new app that can help you manage your finances, teach your kids to be financially responsible or get you into the stock market with small amounts of money. The companies who develop these applications are part of the financial technology, or fintech, industry. The apps and services they provide have potential to be useful.
But some of those apps will ask you to share the login and password information for your various financial accounts through outside or third-party sources.
Third-party software refers to programs that are designed by companies that attach to another company’s software, but are not actually controlled by that company. It is similar to the way a mortgage broker works. They don’t represent or work for the lender, but they work on behalf of the lender and the borrower to arrange the deal. Hence the term “third-party.”
Fintech companies like Acorns, Venmo and Robinhood use a third-party bank data aggregator called Plaid, as does the local Akronite app. According to their website, “Plaid provides tools that enable you to share your financial data with apps that provide services to you.”
The advantage is that Plaid offers secure transfers for these companies. That allows the companies to focus on providing their service while Plaid focuses on securing the transactions. Plaid is by providing a standard middleman service that’s used by multiple apps and is trusted by the banks and other financial institutions.
However, Plaid uses a controversial practice to accomplish this — and there is a good reason it is controversial. When you are asked by the primary app, say Robinhood, to enter your financial information, they take you to a page that looks like you are going directly to the link to your bank account. Next, they ask you to share your username and password for that account.
Many e-commerce companies, such as Amazon, either ask to enter a credit card or link to PayPal for each transaction. You enter your credit card number on a secure page and complete the transaction. The same is true for ApplePay or Google Pay,
The controversial practice Plaid uses is asking for users’ login credentials to link directly to their bank accounts, not just to a credit card.
It is best to never share your login credentials with a third party. But it is necessary in some cases to access some services. Plaid, for example, is attached to apps that provide some deeper services than the purchasing of goods and services, such as person-to-person money transfers. In order to confirm that you have money in your account to cover the transaction, they need access to your account.
We all have become used to the speed and convenience that our connected devices bring us. But that speed and convenience becomes a liability when we blindly trust the apps.
The key is to use caution. Slow down and be thorough.
Start with the rule that you should never share your login credentials and password with anyone, but with the understanding that some services may require that you do so. Venmo, Acorns, Robinhood and, ironically, Privacy.com are some examples of apps where this is necessary. Some of these financial apps offer real solutions to real problems. If that is the case for you, the next step is to weigh the risk versus the reward.
If you have determined that the app is worth the risk, the next step is to research the company by reading their terms and conditions as well as their security policy. You can find those on the company website. Then dig a little deeper and read with whom else the app or companies does business. If you cannot find them or if you do not think the company is safe, then do not use the app.
In the security section of their website, Plaid states: “To help keep your data safe, we don’t share the username and password for your financial institution with your apps. Once you give us permission to share your financial data, we securely transfer it from your financial institution to the app through our application programming interface (API).”
A data breach for a company like Plaid would be catastrophic to them and potentially all of the other companies that use this service. They use security best practices like encryption of data, robust monitoring of their systems and continuous security tests of those systems to ensure safe storage of your personal data. They are also subject to data privacy laws that vary from country to country, but all have high financial penalties for violations.
There is always a risk every time you share any information with an app or website. I am not in favor of sharing any personal information with third-party applications as a rule. But there are situations where it may be necessary and reasonably safe to do so.
There is not a one-size-fits-all solution for your personal cybersecurity. There is only caution, best practices and contiguous diligence. Protecting your data should always take priority over convenience.
All of this is basically to say, welcome to the 21st century — where we should all be checking our financial accounts daily to make sure we are not hacked.
I would like to hear your questions and concerns for future articles. You can reach me at firstname.lastname@example.org.
Dr. John B. Nicholas is a Professor of Computer Information Systems and Co-Founder of the Cybersecurity Degree Track at The University of Akron. Dr. Nicholas has over 30 years experience in the technology field in both the private sector and in higher education.