Finance apps can be great for budgeting. But, beware hungry hackers

Americans are increasingly using financial apps to manage their money, but they need to be careful about which ones they choose to share their most sensitive data with and how they do it, experts say.

Nearly 3 in 4 of the financial apps examined by researcher Creditnews share at least some information with third parties. On average, the apps shared about six types of data, including device or other ID information, names, email addresses, app interactions, and phone numbers, Creditnews said. The most egregious apps shared about three times that amount of data.

Because financial apps handle sensitive information, they’re prime targets for cybercriminals. Each time the app shares your data with a third party, your data footprint widens, creating more opportunities for your data to get stolen. Criminals can use stolen information to steal your money, identity, or reputation.

Data can also be used to create profiles on you that can be used for ad targeting or, potentially, discrimination, Creditnews said. Some financial apps disclose data on race and ethnicity, health, web browsing, voice and sound recordings, contacts, and emails, all of which bad actors could twist to use against you in finding a job, a place to live and more.

“Therefore, staying informed and thinking critically about how and with whom you share your data is essential,” Sam Bourgi, a Creditnews analyst, wrote.


How do you know if a financial app is safe?

Some things experts say to check before signing up include:

  • Reputation. “Stick with larger well-known institutions, like a Charles Schwab, which can connect all your accounts,” said John Jones, investment adviser representative at Heritage Financial. “Always try to stick to bigger more credible undefined than cheaper knockoffs. If something does happen, they also have appropriate resources to help you.” Always read reviews, too, to see if people have had any issues, and download from reputable sites, he said.
  • Check encryption and privacy policies. Safer apps use end-to-end encryption to prevent anyone from seeing your information while it’s being transmitted. They also disclose what data they share and allow you to opt out.
  • For Android users, before you install an app from Google Play, you can also check the app’s data safety section.


What can I do to make sure my information is safe?

You also can take steps to protect yourself, experts say. These include:

  • Don’t use the same password for everything. Instead, use a number of strong passwords and if you’re afraid of forgetting them, use a password manager to store them all.
  • Don’t click on links in an email or text unless you’re certain you know who sent it because it could be a malicious link that downloads malware, or a phishing scam to steal your username and password. “If someone rang your doorbell in the middle of the night, you would find out who it is before opening the door,” said Jeffrey Bernstein, director of cybersecurity at professional services firm Kaufman Rossin.
  • Always use two-factor authentication, biometrics or other methods that’ll verify your identity when logging in and can protect you in case you lose your device. “That’ll stop 99% of attacks when your credentials are used,” Bernstein said.
  • Keep software updated on all devices. “Companies are always making security control enhancements,” Bernstein said.
  • Avoid unknown Wi-Fi access points, like those in airports, because they can be unsecured and vulnerable to attack.
  • Set privacy settings at the highest levels tolerable to you so others can’t see your data, Bernstein said.
  • Keep devices closed, locked, and protected with passwords and enable tracking and remote wiping if you lose them, he said.
  • If you have apps on your device you don’t use, delete them to reduce the number of places you can be attacked, Bernstein suggested.

What if I think my information’s been compromised?

Most financial institutions and credit bureaus can detect suspicious activity and alert you, but if you’re not sure, reach out to the company that runs your app. Report any suspicious messages and then immediately block and delete that sender, Bernstein said.

If you’re not sure whether your login credentials were stolen, you can go to free sites like Have I Been Pwned that allow you to check if you may have been put at risk due to an online account having been compromised or “pwned” in a data breach.

You can also tell companies to stop sharing your information with a mobile app called Permission Slip from Consumer Reports. The app shows you what data companies collect, and with a simple tap, you can tell them to stop selling your data or to delete your data entirely, Consumer Reports said.

“Apps make life a lot easier, like credit monitoring and helping to create and understand and build wealth, but you have to weigh the benefits against the risks like getting compromised,” Bernstein said. “If anyone’s using these apps, consider that mobile banking apps are not always designed with security in mind and new exploits are coming online all the time.”

Having said that, Bernstein also said, “I never coach people from going away from using them. Instead, just practice good digital hygiene.”

Read the full article at USA TODAY.


Jeffrey Bernstein is a Risk Advisory Services Director of Cybersecurity and Data Privacy at Kaufman Rossin, one of the Top 100 CPA and advisory firms in the U.S.