As financial tech becomes more of a thing, I’m concerned the media and consumer advocacy sites are not adequately addressing security concerns. Worse, they’re instilling false confidence, like my hat does when I join video conference calls.
Below is a quote from a large Australia financial comaprison site. They proudly state in their footer that they’ve been featured in the Deloitte Technology Fast 50 and the Australian Anthill Smart 100:
Q: Is $NewFinancialCompany safe and secure?
A: Absolutely, $NewFinancialCompany uses encryption technology.
And here’s a quote from a well known, respected consumer advocacy site:
Is $NewFinancialCompany safe?
$NewFinancialCompany uses 128-bit Secure Socket Layer (SSL) data encryption to protect all your information and financial transactions. 128-bit SSL encryption is the same technology used by banks all over the world.
The above points are true, and meaningless. Okay the latter isn’t even true; the site uses TLS not SSL. The one technical detail they managed to include, with care taken to spell out the abbreviation, was wrong.
Leaving aside technical pedantry though, here’s just a few things answers like this didn’t address:
Where does it use this encryption technology? What is it? Is it only in transit, or it also at rest? Where is this encrypted data domiciled?
Do they ever share your personally-identifiable and financial information with third parties, for profit or otherwise? If so, why? How do they limit it? Is your consent solicited?
Do they provide two-factor authentication? Does it use SMS for it, or a fob, or a mobile application? How do you set it up? How easy is it to revoke?
What’s their policy on sharing credentials? Will they ever ask for them over the phone? Do they frown on password managers?
Do their financial integrations require you to share your credentials with your banks or other financial accounts? Do they adequately explain the risks in doing so? How do they store those credentials? What technical measures and internal policies do they have to ensure access is limited?
What happens if you lose access to your account? How do you verify your identity? Is verification processed by a third party? If so, refer to point 2.
What security certifications do they have? Are they compliant with the latest financial services legislation? Have they been independently vetted or audited? Is that information publicly accessible?
Have they ever had a data breach before? We’re all human, so if so, how did they rectify it?
To the layperson, the encryption technology answers above sound confident and complete. I’d go as far as to say they’re more dangerous than not addressing the issue at at all.
Some of my questions above do enter the nitty-gritty side of security, but it’s the entire job of journalists and consumer advocacy groups to make these topics approachable, understandable, and underscore their importance.
I can’t think of a single other issue beyond financial literacy that would be as important to know about when choosing a new financial service as security and data privacy. Leaked or improperly-stored financial data could be some of the most damaging things to recover from, not to mention the short and long term risks posed from identity theft. It floors me these sites didn’t think such concerns warranted a mention; they can and must do better.