There’s some debate on the security of online account aggregators. Some, like Trent at the Simple Dollar, aren’t so sure how safe Yodlee, Wesabe, or Mint might be. Others like myself are not so worried about security. I’ll be the first to admit, I’m just not a very paranoid individual. Maybe I should be. Security when it comes to your finances is incredibly important. I’ve been using Yodlee for over 5 years and feel pretty safe, but that’s not to say that the security issue has been completely licked. Others who don’t share my disposition are justified in being worried.

However, I do think I have some grounding to feel relatively secure. I think there are many reasons why, if you’re already comfortable using online banking, credit card, or brokerage services, one should be comfortable with account aggregation. Personally I use both Mint and Yodlee. However, both are supported by the same back-end technology furnished by Yodlee. So if you trust Yodlee, you should trust Mint.

When actually evaluating the security of an account aggregator there are a couple of different things to look at. I think the most important question, and the more fundamental question, is to ask what someone would have access to if they got hold of my online information. I have accounts with the following financial services.

  • Citibank
  • HSBC
  • ING
  • ETrade
  • Ameritrade
  • Bank of America
  • Capital One
  • American Express

If someone were to get access to my account login information, they would be able to log in to my account. However, logging into my account doesn’t actually allow a perpetrator to do as much as one might initially expect. The financial institutions are smart enough not to allow you to make easy transfers out. Transfers are generally set up as transfers in, and account information is required. Without my account numbers, a potential perp could easily pay my bill, make trades, and transfer money between my accounts. Transferring money into outside accounts is not something they can readily and directly set up with just my login information. This is the primary reason I feel safe, though there is a loophole for this which I’ll get to.

The bigger issue is not online access to my accounts, but the security at the financial institutions. More people use online banking services than account aggregation. If you trust your bank or credit card, I don’t think you’re too far away from trusting an aggregator. Aggregators are not too different from a mailbox. It’s like I’m getting all my financial statements sent to the same mailbox (which most people in the physical world already do). I think it’s much easier to break into my mailbox than it is my online account. If there is a security issue, it’s in the form of statements, both physical and online. Many of the financial institutions do display account number information on the physical statements and the PDFs they sometimes have available online. With the account number information a criminal could set up transactions, but even then these types of transactions take time to process, and if I’m monitoring my accounts I would hopefully be tipped off to such a transfer. I would also think that banks would notice such fraud and be able to put the appropriate freezes on.

Still, even though I feel pretty safe that there isn’t all that much direct damage that could be done, I do realize that my privacy is at risk. Anyone who got access to my account in Yodlee would know a hell of a lot more about me than I probably even know about myself. I imagine there would be enough information to lift my identity, and I certainly don’t want that. I’m willing to put some faith in the security that Yodlee has instituted. I think the most effective hacks are not exploiting technical shortcomings but people shortcomings, i.e. a stray laptop with information. While I still have concerns, the convenience of services like Yodlee and Mint outweighs my worries for me. For others the worries outweigh the convenience.