Posted October 21, 2010, 5:52 pm | Comments (15)
I recently came across a financial planning website, perfios.com, that organises and manages personal financial data. Otherwise a very useful site, but it has provisions (if opted for) for automatically extracting financial information from bank accounts, credit cards, mutual funds etc. Is it safe and prudent to disclose netbanking and other login passwords at such sites? The facility of auto updation, in case one gives in password access, appears very convenient and hassle-free.
The site claims PW security, though, but I am not too sure.
15 replies on this article “Is it ok to divulge bank password details on Financial planning website”
That’s not recommended in today’s time and age when we can use an app like Walnut (on Android) that uses transaction messages from our SMS inbox to provide analysis of expenses and bill reminders. No need to reveal sensitive information such as account numbers and bank login details to any software when you can do the very same things without putting yourself at such a risk.
While we constantly hear about companies using state of the art security to protect our sensitive information, it's a fact that nothing in the virtual world is ever bulletproof. That is why we still hear stories of major hacks from time to time that can not only run major companies to the ground but also leave their customers in the dirt and open for target practice by various cyber criminals.
I for one wouldn’t take such a risk in connecting bank accounts to third party sites. It's a violation of bank policies and if something untoward were to happen, banks would take no responsibility for it. You will be left in no man’s land. Besides, is it worth the risk just to see some pretty graphs? Excel can do a pretty good job in managing the debt portion of your portfolio since the returns are fixed and formulas are there to help you to generate all sorts of data. Stocks and Mutual Funds can be easily tracked with a Moneycontrol account. Set up the SIP for MFs and it's fairly automated after that. I myself am using this combo and at least, if not anything, I sleep well at night knowing I am in control of my finances.
Thanks for sharing your experience with all of us. It was a great learning.
I have been using Perfios for several months.
I don't feel any security threat with this.
It gives a lot of info and clarity about your financial cash flow and other investment details if you enter all your info.
My wife is a banker, and she screamed, “Are you outa your mind! Giving your Customer ID and password to an unknown online software??!!”.
Many thanks to Santosh and Manish for clarifying, and reassuring on how the security issues on Perfios work.
In fact, I came across this blog while searching the net for an alternative to Perfios: I decided to use GnuCash (on Ubuntu) and resort to accessing the statements online; which is where I needed to find out what back-end Indian banks use : OFX or HBCI…
Anyway, GnuCash isn’t working out too well, so will continue to use Perfios, and pacify the wife.
@Santosh: Why not have an offline/downloadable version of Perfios?
And, more importantly, can you please quickly move out of Flash?? It’s sure to die before the year is out…
I am using Walnut expense tracker; it does not ask for any bank passwords or customer ids but works seamlessly. I suggest you should check this application on playstore. Giving bank passwords is really scary.
If you delete your SMS messages Walnut cannot accurately track your transactions. Additionally all transactions are not available on SMS. Also not all the information is available via SMS. And how is allowing Walnut full access to your SMS messages not an invasion of your privacy!!! Apple doesn't even allow 3rd party app access to SMS messages as it's viewed as a privacy issue.
Earlier I had entered my passwords to a similar site (artha something), and it used to work fine.
Just make sure you do not share transaction password; and keep it different than login-password.
I am the co-founder of Perfios and happened to come across this thread. 🙂 I am pasting below our “standard” response to the question of security and privacy. I am adding further notes after the following section:
“Security & Privacy concerns are perfectly understandable and our approach has been to be forthright about the topic and we are always happy to spend time to educate our users. Security and privacy is an issue Perfios takes VERY seriously and we have approached the same both from a software engineering perspective as well as sound processes and audit mechanisms. Additionally, unlike other services, we DO NOT store users’ financial institution credentials on our servers. It is encrypted and stored on your machine. Why is it such a big deal? Imagine a scenario where we store a million users’ user ids/password on our servers. It would be a worthwhile target for any hacker to break into. We “dis-incentivise” a potential hacker by not providing a single point of failure. Is it safe to keep encrypted credentials on a user’s machine? Yes, it is because it can be decrypted only on our servers. However, we advise our users to practice some basic discipline when using ANY web based service…like having a good anti-virus software, keeping it up-to-date, run scans regularly etc. Our service is purely read-only and you cannot do any transactions. We do not ask for anything more than an email id for you to use Perfios. The less we know about you, the better! 🙂 And yeah, we DON’T sell or pass on your email id to anyone :)”
(1) Unlike other services, automatic update from your financial institutions isn’t the only way you can update your accounts in order to derive benefits provided by Perfios. You can create a manual account and:
a. add your holdings and transactions row-by-row (it is a tad painful but you can do it if you have the time).
b. upload your data in excel format
c. upload statements received from your financial institutions.
d. configure statement forwarding option so that when you receive your statement from your financial institution, simply forward it to firstname.lastname@example.org to be automatically processed.
(2) We strongly believe that being open about our security and privacy practices is the best way to convince users and believe it or not I answer hundreds of mails on this subject every day. 🙂 To get a perspective… when was the last time you asked your bank or brokerage or any online service how they handle your online passwords, credit card details etc and how often do you get a reply from them? So, if you have any specific concerns or suggestions feel free to get in touch with me at kunnath[dot]Santhosh[at]perfios.com and I will be happy to answer your queries.
So, give it a whirl and I am very sure you will like what you see! 🙂 Do follow us on LinkedIn (Group: Perfios Users Group) to follow some of the relevant discussions.
Great to hear from you. Thanks for the reply, which will help our readers to take a better decision.
Does Perfios support 2FA for login?
I can understand how a human being thinks about sharing the details online. But let's not comment without understanding the technicals and how it all works. There are standards which are made and they are much more secure than we think. Here are some excerpts from a moneylife article.
An online money manager will work well only if you provide online access to banking accounts for a one-time setup. This raises security concerns, but here is how it works. The login username and password for individual online banking accounts is used to retrieve read-only data. The ‘transaction password’ for online banking should be different from the ‘login password’ for greater security. You don’t have to reveal your ‘transaction password’. Customers do not have to give any personally identifiable information, making the process safer. Moreover, the account is completely anonymous and requires only a username and password. All the banking accounts are linked to provide consolidated data. In the consolidation process, vendors will have access to your financial records on a read-only basis, but privacy policies of these entities should prevent abuse of information.
All three vendors use impressive technology with decent security features. They have security certification from several reputed third-party service-providers and, without getting into technical details, it can be safely assumed that the tracker is as secure as your online banking account. The caveat is that you are not directly connected to an online banking account but indirectly through the online money manager.
The vendors have worked at keeping customers’ login credentials for accessing the website safe; for this, the security of a password and its location are important. The three companies have dealt with this in different ways. Perfios has chosen to alleviate security concerns by locating the encrypted login on the customer’s personal computer (PC) and not on their server. Only the encryption key is stored on their server. But what if the customer’s PC is not secure? Intuit has built-in security at three levels: product, partner integration and company. Aditya Prasad points out that “In Perfios, the credentials are encrypted and stored in the customer PC, but the key to decrypt them are not stored in the user’s system. So, even if the customer PC is compromised, there will not be much damage. Similarly, if you change your PC, all you need to do is to re-create the credentials for your account. All the data is preserved and there is no need to create a new Perfios registration.” The other two vendors store the encrypted login on their server which they say is secured by enhanced physical security, firewall protection, electronic shielding and other security measures. According to Rahul Majumdar, Arthamoney does not find any major difference in security levels with respect to a PC-based solution for password location. “In fact, the reliability and security is better managed centrally on a server within a controlled environment,” he says.
How do the vendors fetch read-only data from an individual’s online banking website, when Indian banks don’t allow a third-party API (application programming interface)? Until the Reserve Bank of India (RBI) issues some guidelines or the banks open up their API, vendors have to rely on what is called ‘screen-scraping’ or some equivalent technology. A screen-scraper collects character-based data from the display output of another program. They can extract the data and present it in a richer format with graphs or tables. The problem with screen-scraping is that when banks change the layout of their website, the data feed from which the vendors grab the read-only data may not work and need re-programming.
Umang Bedi tells us, “Most data communication from the partner site to ours is done using the Online Financial Exchange (OFX) standard which is adopted by over 5,000 banks and is deemed an industry benchmark. Alternatively, we use Web Connect, another leading global standard adopted by over 21,000 financial institutions worldwide.” Intuit also aggregates data via standards-based approaches, once it has the user’s consent to do so. The company refused to answer our specific question about the impact of changes to the layout of the bank’s website, saying, “The question is related to proprietary technology.” Mr Prasad tells us that Perfios’s application “is designed to handle the change in the layout of the bank’s web pages. To the extent possible, we shield these changes from our users and make the required changes even before our user notices them. In addition, we are also interacting with various banks to see how well we can integrate with them.” Rahul Majumdar says, “We use screen-scraping technology and have a team which continuously tracks and monitors changes on web interfaces of banks.” This, he claims, ensures that the Arthamoney site is always updated with accurate information.
Source : http://www.moneylife.in/article/7739.html
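The split described in the excerpt above and in the Perfios co-founder's comment (encrypted credential kept on the customer's PC, key kept only on the server) can be sketched as follows. This is an added example, not Perfios's code and not part of any comment; `AggregatorServer`, `seal`, `open` and the HMAC-based cipher are assumptions standing in for whatever scheme the service actually uses.

```python
import hashlib
import hmac
import secrets


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stdlib stand-in for a vetted AEAD."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


class AggregatorServer:
    """Hypothetical server side: stores one key per user, never the blob."""

    def __init__(self) -> None:
        self._keys = {}  # user -> 32-byte master key (server-side only)

    def _subkeys(self, user: str) -> tuple:
        # Separate encryption and MAC keys derived from the per-user master key.
        master = self._keys[user]
        return (hmac.new(master, b"enc", hashlib.sha256).digest(),
                hmac.new(master, b"mac", hashlib.sha256).digest())

    def seal(self, user: str, credential: bytes) -> bytes:
        """Encrypt a credential; the returned blob is what the user's PC stores."""
        self._keys.setdefault(user, secrets.token_bytes(32))
        enc_key, mac_key = self._subkeys(user)
        nonce = secrets.token_bytes(16)
        pad = keystream(enc_key, nonce, len(credential))
        ct = bytes(a ^ b for a, b in zip(credential, pad))
        tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag

    def open(self, user: str, blob: bytes) -> bytes:
        """Decrypt a blob sent up by the client; the plaintext exists here."""
        if user not in self._keys or len(blob) < 48:
            raise ValueError("unknown user or malformed blob")
        enc_key, mac_key = self._subkeys(user)
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("blob failed integrity check")
        pad = keystream(enc_key, nonce, len(ct))
        return bytes(a ^ b for a, b in zip(ct, pad))
```

A copy of the blob taken from the PC is useless without the server-held key, and a modified or swapped blob is rejected. `open` still yields the plaintext on the server at every refresh, so the design protects the credential at rest, not at the moment of use.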
Do NOT share your password with anyone. Who knows, they may be hackers out to get your passwords. Even if they are not hackers, the information stored in a website is not 100% safe. Giving them the password means you’re giving keys to all your financial assets and information. Can you trust unknown people for that?
There are many other websites / software to manage your portfolio & they don’t ask for your passwords. Try them.
Hope it will help you.
No – never do that…just read the bank’s security guidelines; from time to time banks publish ads in newspapers to make their customers aware.
Even though the site confirms password protection, it is not safe to store your passwords in the software. Please be extra careful while using such software when it comes to entering your security details.