Steadfast Finances

Why I Don’t Use Web or Mobile Personal Finance Software

Filed in Banking, Investor Psychology | 10 comments

With the rise of web-based and mobile financial tools, I’ve been something of a late adopter. Actually, I’m more of a “no” adopter. Sure, I trade a few stocks online or I’ll purchase a few gifts using a one-time-use-only credit card number, but other than that, my trust in placing all my personal information into “secure” personal finance software is zero.


Because no system is invulnerable to attack.

Case in point:

In May, the Dow Jones Industrial Average plummeted 1,000 points in less than half an hour after a trading algorithm malfunctioned, exposing the vulnerabilities of stock exchanges that increasingly rely on digital infrastructure. This weekend we got another reminder when the Nasdaq OMX Group, which runs the Nasdaq stock exchange, revealed that hackers broke into a service for corporate officers to share confidential documents.

Investigators are trying to determine whether the attack was an act of terrorism or an effort to obtain trade secrets or illegal trading advantages, the Wall Street Journal reports. The hackers planted malware files inside Nasdaq’s Directors Desk web application but didn’t acquire private information or breach Nasdaq’s trading platform, which accounts for around 19 percent of U.S. stock trading. While some evidence suggests the hackers were from Russia, they may have simply been using Russian computers.

Uri Friedman, The Atlantic Wire

The screaming conclusion: if the Nasdaq can get hacked, what chance does the little guy have?

Whether they stole information, which I’m 99% sure the Nasdaq, NYSE, and every other stock exchange would do their very best to downplay as much as possible to save face, fearing a drop in investor confidence, is immaterial to me. Moreover, such a security breach makes the flash crash look like a drop in the bucket because it proves their systems are nowhere near as tight as their marketing and public relations efforts have stated all along.

But that’s not as important to me — the user.

What is important is that a single motivated hacker or a group of them penetrated the honey pot of the financial capital of the world. They managed to sneak into the world’s most secure — presumably — financial marketplace, drop some code, and, based on the press releases, appear to have gotten away without even so much as a scratch.

And that, ladies and gents, is why I put as little financial information into the Internet ether as possible. In today’s day and age, if someone wants the data badly enough, I seriously doubt any security system will prevent them from getting it. Sure, there are governmental agencies with nation-state-sized budgets (e.g. unlimited resources) that can actively fend off hackers, but I seriously doubt a basic personal finance website that outsources its security for a few bucks a month could stand up to this sort of cyber attack.

If I’m wrong, by all means correct me.

Posted by CJ @ 8 February 2011


Feb 8, 2011
11:26 am
#1 Daniel :

Disagree, what incentive would big-time hackers have to attack your personal account? What are the odds someone gets your password and decides to use it?

Do you not use online banking? TurboTax? Where do you draw the line? I think you have a much better chance of getting your wallet stolen or dropping your credit card than having your information stolen from

Feb 8, 2011
11:42 am
#2 Matt SF :

It’s not necessarily my individual accounts I’m worried about. It’s the centralized locations where vast quantities of user information are stored that would make a hacker’s effort worth their while.

Example: would they be better served going after a single, individual account or a treasure chest of 25,000 users that have bank account numbers, credit card numbers, investment account numbers, etc.? Or would they rather go after individual accounts individually and try to crack a password?

Smart money, in my opinion, says go for the treasure chest. Which is why you see major retailers or retail websites getting hacked, losing 10,000+ credit card numbers, etc. But yes, I do use online banking but I have a separate desktop hardwired to the web (no wireless) that I only use for financial transactions. No web surfing reduces my chances of malware on that system.

Feb 8, 2011
1:06 pm

I do a lot of online banking but I never keep the password and I clear the cache.

Still, I see your point. I’d never trust Mint with my info, for instance.

Feb 9, 2011
10:18 am
#4 Matt SF :

Same here FB. Same here. I keep a separate PC wired (no wireless) to the net so that unit has zero chance of picking up malware. No surfing, no email, nada.

Feb 8, 2011
1:41 pm
#5 Joe :

Seems like you have to balance the slight risk of compromise with the even slighter consequences of a successful attack. If Intuit (which now houses Mint’s servers) got hacked, and despite their proclamations to its impossibility, gave up all your account names and passwords, what happens then?

First question, can they even access your accounts? Every bank and CC company I use at least has the option for a cell phone verification before allowing an unidentified computer to access your account for the first time.

But let’s say they get around that, what can a hacker do with access to your accounts’ websites? I guess first, they get to see your account balances (big deal).

For credit cards, they get your number. But even that’s pretty useless without the code on the back of the card. And even if they did find a way to use the number, your CC company is going to flag any out of country shipments and call you about it (most do, anyway). But if they ship inside the country, and let’s say you don’t even notice it until your new CC statement arrives, it ultimately just ends up being a hassle in getting the charge reversed and a new CC issued.

Same thing with bank accounts. Most likely, their computer needs to go through an additional layer of security before accessing the site the first time. Even if that happens, they need to go through another layer of security before being able to transfer funds (likely through a PIN delivered to a cell phone, if you set that up). And even if that happens, most often you just tell your bank your ID got stolen and then they fix it.

And we’re leaving aside whether Intuit would just make everyone whole anyway, given the severe reputational damage they’d suffer if their users got robbed.

Feb 8, 2011
6:17 pm

I agree with Joe. You have to weigh the risk with the benefit. I like the convenience of using a service like Mint where I can track my expenses from anywhere in the world. Is someone hacking into Mint a possibility? Sure. Is someone hacking into your online bank account and transferring money out a possibility? It would be difficult but sure, it is possible. But I, and millions of others, continue to use online banking a lot.

The point is you can never eliminate the risks. I find the convenience of many of these services compelling and while I try to reduce the risks (my main passwords are stored primarily in my head) I will continue to use them.

I can think of no instance of any security breach at a major financial institution that has led to anyone losing money in a savings or investment account – can you? This, despite the trillions of dollars and hundreds of millions of accounts behind electronic firewalls. Of course it could happen…but then again the world may end in December next year.

Feb 13, 2011
7:33 pm
#7 Al :

Interesting posting, thank you!

FWIW, I have safely done over $600K of online purchases and sales without losing a cent to ID theft. Ironically none of my ID problems have come from online activity.

I can attribute 100% of my ID theft issues to careless handling of my (YES) offline information by banks, brokers, insurers, and 3rd parties that they have contracted with.

Certainly, you can control what YOU do with YOUR information, but unless you deal primarily with Bank of Mattress, your bank/broker/insurer already has your personal information on a laptop, network, server, or a third-party site, where you have no say over who sees what or how it’s secured. This (and not your own abstinence or mindfulness) presents the greatest threat to your security. How do they secure your information? How do they vet employees and vendors?

Avoiding online business may not do much to protect you when the greatest threat is well beyond your control and oversight.

Google “bank loses laptop” for some timely examples.

Feb 13, 2011
9:00 pm
#8 Matt SF :

I didn’t say I avoided all online business… just places that aggregate vast pools of consumer financial information.

But to address your points, I agree, I can’t control whether my auto insurance company holds my credit card information, nor can I control whether my brokerage company has a dingbat employee who leaves a laptop with my personal finance info in a NYC cab.

However, I can control how much info I give them, to whom I give my info, and I can ask that they not store any financial information (like credit card numbers) in their databases. If their policies do not comply, just move to one that does.
