Third-party financial apps: convenient, popular -- secure?

Droves of smartphone apps are available to make personal finance easy. There are apps to help you budget, monitor spending and flag irregularities on your account. But security is sometimes an open question, so you need to use them with care.

Apps such as Mint, HomeBudget and SpendBook are popular for their convenience and useful tools, such as spend-tracking, budgeting and bill pay. But there is no room for modesty in convenience. To use the apps effectively you'll need to hand over private information, such as your bank account, credit card numbers, TFSA, and RRSP savings account numbers.

"There's such an explosion of the use of these apps on mobile
devices but with everything you do, you have to be skeptical and use good judgment when you install these things," says Iain Kenny, who leads computer forensics at accounting firm MNP, focusing on cyber breaches and theft of intellectual property.

Apps operated by your bank don't carry as much concern as those from other vendors. As long as you protect your password, which should be complex, and surf the web on secure networks, financial institutions will reimburse you should anything go wrong.

That doesn't necessarily apply to third-party apps because banks have no control over how your information is stored or where it's going. While Apple's App Store and Google Play vet applications for content, purpose and security, some third-party apps are still in the Wild West when it comes to consumer protection, Kenny warns.

"Security is not at the forefront of mobile devices, it's still a bit of an afterthought," he says. "You have to think of what this application is asking for -- your banking information, access to cameras and microphone -- don't blindly trust things if you don't understand them."

Many security breaches are still user error
That's not to say all apps have shaky security. In fact, some apps are incredibly polished and for good reason: the last thing developers want is to lose the public's trust in their product, says Robert Siciliano, a personal security and identity theft expert.

"Any app meant to handle your finances has everything to lose and nothing to gain by being compromised," Siciliano says. "They generally spend significant resources to maintain ongoing application security. However, there is no such thing as 100 per cent security, so consumers need to monitor their accounts closely no matter what."

The most secure third-party apps come with multiple layers of "military grade encryption," similar to the security banks have in place, he says. If faulty apps slip into app stores, they don't last long. Users or researchers flag the product's flaws and it's pulled quickly, Siciliano explains.

Instead, vulnerabilities are more likely to happen because of user issues, lost or stolen devices and inadequate password management.

"Easy-to-guess passwords are the same passwords across all accounts or their devices have malware," Siciliano says. "We see [fraud] happen, but nine out of 10 times it's user error."

Use your judgment
No matter how sophisticated the app is, at the end of the day, Kenny says you need to use your own judgment and decide if it's worth putting your information into a third-party app, even one backed by a legitimate company. The bottom line is these kinds of apps won't offer the same protections or zero-liability policies as a bank app. Some people are comfortable with using Mint and other polished apps anyway, some are not; whichever camp you want to join is your own call.

If you do decide to use a third-party app, do your homework and choose one with many good reviews and a reputable company backing it. For example, Kenny says, Mint is sophisticated and backed by Intuit, which provides tax filing and bookkeeping products.

"It's a household name at this point so you know you're getting a reliable company instead of somebody developing an app while eating pizza in their basement," he says.

Remember you may be breaking your bank's contract
Each bank offers its own stance on third-party apps, but it appears most of the big banks say that handing your information to such an app is a breach of your contract -- in other words, if it goes awry, the bank may be on your side, but it isn't guaranteeing a reimbursement.

"We strongly recommend that bank customers carefully read their credit card and account agreements before providing any user IDs or passwords," Kate Payne, spokesperson for the Canadian Bankers Association, said in her emailed response to questions. "Providing this kind of confidential information may violate terms of an account agreement and may make customers liable for unauthorized transactions in their accounts."

 "The cardholder agreement between Scotiabank and its customers prohibits customers from disclosing their banking PINs/passwords," Jeff Marshall, vice-president of self-service customer experience at Scotiabank, said in an emailed statement. "By requiring bank customers to divulge their confidential access codes and passwords, third-party sites induce breach of contract between Scotiabank and its banking customers."

TD says that it is "committed to providing our customers with a safe and secure experience" but that it also emphasizes the consumer's responsibility to keep usernames and passwords secure. In section 5 of TD's cardholder terms and conditions, it says "you must keep your card, PIN and credentials confidential and take every reasonable precaution to maintain them safely."

A spokesperson for CIBC said in an email that the bank hasn't partnered with or endorsed any third-party apps.

"A client who shares their user ID and password with a third party would be in violation of our Electronic Access Agreement and not covered by our Online Security Guarantee in the event of a loss," the spokesperson said. "However, as part of our relationship with our clients, we will generally reimburse clients in cases where the sharing of information with a third party did not contribute to the fraud loss," a spokesperson said in an email.

Finally, RBC's terms and agreements state that the bank is not responsible and will not reimburse losses to an account if "you access online banking via an electronic access device that you know or reasonably ought to know contains software that has the ability to reveal to anyone, or to otherwise compromise, any of your passwords, personal verification questions or an e-Transfer question and answer."


Published May 27, 2015
