Rudder: A Cautionary Tale

A recent security issue with the Web-based personal finance management (PFM) application called Rudder has served as a wake-up call to all service providers in the PFM industry and should serve as a cautionary tale for all consumers of these services.

Briefly, it appears that some Rudder users were inadvertently emailed the financial information of other Rudder users without the consent of those other users. Furthermore, it has been reported that links within the unencrypted email messages permitted recipients of those messages to gain access to the other users' Rudder accounts.

Web-based PFM tools seem to be springing up these days at the rate of about one a week. Some of these tools are the product of bootstrapping start-ups with no reputation upon which to base a relationship of trust. Others are well funded, with executive management teams and boards of directors that give an air of respectability, but given the recent performance of the financial sector, everyone's judgement is called into question.

On what, then, should a wise consumer base the decision to use such tools? We suggest that there are three relatively easily answered questions that should guide you.

What information are you being asked to share?

In the case of Rudder, as with many of the more popular PFM tools, users link their bank statements to their user accounts within the PFM tool. Whether or not the bank account login information is stored within the PFM tool, a significant amount of information is at risk of compromise. Rudder emails detailed financial data to its users. Many would consider that practice risky, especially when the email messages are unencrypted.

What risk are you exposed to if that information is compromised?

Once more, in the case of Rudder, detailed bank account information appears to have been compromised, yet the access to Rudder users' bank accounts was read only. Aside from potential embarrassment, little if anything of direct financial value was compromised. Still, if the developers of Rudder were capable of releasing code that emailed user data improperly, then it is a reasonable concern that they might also be capable of unintentionally saving bank account login information, putting it at risk of compromise.

Who might benefit from access to your information?

One primary reason we created BudgetSketch was that most of the PFM tools we found available on the Web seemed more focused on marketing credit cards and loans than on the elimination of debt and the growth of personal wealth. BudgetSketch is a tool that we used to gain control of our own personal finances and that we knew might be of value to others. Thus we decided to offer it to everyone, free of charge from this day forward, with the ambitious aim of helping to reverse the currently bleak economic outlook by promoting sound personal financial planning.

With simplicity as a primary consideration in its design, BudgetSketch does not suffer from the security vulnerabilities of applications like Rudder. BudgetSketch requires that you enter your planned spending for the coming month, but that information never leaves our server, and certainly not in unencrypted email messages. Since no bank account information is needed to make use of BudgetSketch, it is an unappealing target for hackers seeking access to the financial accounts of others. Finally, at its core, BudgetSketch has always been, and will always remain, a tool dedicated primarily to delivering maximum benefit to its users.