There’s been no shortage of high-profile hacks over the last few years — think Target, Sony and Ashley Madison — but one sector that hasn’t made as much news for breaches is financial. According to the Identify Theft Resource Center, out of the 781 data breaches tracked in the United States in 2015, just 71 were banking-related.
While that may be welcome news to the millions of people who use financial websites and apps, that number is rising, jumping by about 50 percent from the year before. And with more people using everything from personal finance applications and robo-advisor sites to fraud-detection programs and mobile wallet software, we’ll likely see more hacks in the future.
“There’s a huge amount of benefit to leveraging technology to bring insights to your account, but there’s always a risk when you start to consolidate all of that information into one program,” said Kennet Westby, co-founder and president of Coalfire, a Westminster, Colorado-based cybersecurity advisory that has a number of financial clients.
Generally, apps and websites from banks and other well-known financial institutions are considered fairly safe from intrusion, in part because they have the money to spend on security. Reportedly, Bank of America will spend $400 million in security this year alone, while other banks are also spending copious amounts of money to keep their virtual walls secure.
However, even big security budgets can’t always prevent a major hack. In 2014, JPMorgan Chase was the target of one of the largest breaches in American history. Hackers broke into its network and stole data — names, email addresses and phone numbers — from 83 million customers. Not surprisingly, the company has increased its cybersecurity budget this year, from a reported $250 million to $500 million.
Of course, not all financial companies have such big security budgets. Many start-up companies don’t have the resources to throw at security nor the many decades of history in trying to keep client money safe, said Westby.
For instance, in 2010, Blippy, a social-media-meets-financial site that allowed people to share credit card purchases with other users, was found to have accidentally leaked some of its customers’ credit card information on Google. The company shut down a year later.
While Westby thinks that consumers should use financial apps and sites, they also need to be aware of what they’re using and what kind of information they’re sharing online.
Read the fine print
It’s unlikely you’ll find a company that says it has no security, so it’s up to the user to make sure the company is protected.
Start by reading the company’s security and privacy disclosures, which should be somewhere on their site, said Westby. You want to be able to get a sense of how they’re managing their security and privacy programs and what kind of responsibility they’re willing to take if a breach occurs.
The next step is to look at the company’s security certifications. A payments card company, for instance, should have the PCI certification, which is given out by a Qualified Security Assessor under the PCI Security Standards Council program.
Other financial institutions might be audited and certified under the Federal Financial Institutions Examination Council (FFEIC). Mint, the personal finance app, is certified through the TRUSTe Privacy Seal Program, which is another popular data privacy management company.
Finally, make sure the company’s privacy and security programs have been validated by a third party. The big four accounting firms do this, said Westby, as do businesses like Trustwave, Verizon and Coalfire.
“You don’t want the company to just say, ‘We’re secure. Trust us,'” said Westby. “You want someone to validate that they’re actually doing it.”
Embrace the longer logins
The companies that do have proper security measures will be encrypting all your sensitive data — they convert information into a complex code that’s difficult to decipher — but for privacy experts, that’s not enough. Companies should also use two-factor authentication for customer logins, according to Adam Levin, chairman and founder of IDT911, a Montreal-based security solutions company, and author of “Swiped.”
When a site doesn’t recognize the device you’re using, it should ask you a series of questions to verify that you are the user of the account. It may also send a code to a trusted device, like an email address or mobile phone. Essentially, it’s adding another layer of authentication beyond a login and password.
Many companies still don’t do this — it can be an annoyance for customers, he noted — but it will soon become standard procedure. And users should embrace it, he explains. One extra step goes a long way in keeping your information secure.
Most financial breaches don’t actually happen at the company level, said Levin. Since security is generally strong, hackers tend to hoodwink customers into handing over login passwords or sensitive data.
One way they do this is through phishing. That’s when a hacker sends an email to users that looks nearly identical to something a bank or another company might send out to a user. Either the user clicks on a file that installs data-collecting malware onto a computer or they click a link that takes them to a page where they’re then asked to enter their account information.
If you ever get an email from a financial company asking for information, don’t click the link, says Levin. “The minute you authenticate yourself, you’re not in control of the situation anymore,” he said. “If you didn’t initiate the contact, then delete the email.”
It’s also a good idea to have different passwords for your money-related apps and sites. Hackers often steal information from non-financial sites that don’t have strong security and then use that password to get into a financial application, since most people use the same login information for every site they visit, said Levin.
Don’t bank in public
Another tip: Don’t bank or use your financial apps on public Wi-Fi, such as the wireless connection you get at an airport. Public Wi-Fi is easy to hack, said Robert Siciliano, CEO of IDTheftSecurity.com.
If a hacker breaks into a public network, they may be able to see what users are typing on their computers or phones. Go to a financial site and that hacker will now have your login credentials.
“You wouldn’t want the CIA to be exchanging government secrets on airport Wi-Fi, so you shouldn’t be doing anything sensitive on it, either,” he said.
As well, make sure your operating system is updated — companies often release security patches in updates — and consider signing up on an account-monitoring site, which can send you a notification for every transaction you make. That way, you can see if any accounts have been compromised in real-time. Many banks now offer this kind of service, too, said Siciliano.
Ultimately, financial apps are good for you, and all three experts believe they can help Americans spend and save better, but don’t sign up blindly. Monitor your transactions, change your passwords and you should be OK.
“It’s something we all have to manage on a personal, company and country level,” said Westby. “You have to be engaged. Don’t approach security carelessly.”