Day of reckoning for PFMs?

Personal Finance Managers (PFMs) are the hottest property in Finance 2.0 at the moment. The likes of Mint, Wesabe, Quicken, Buxfer, Thrive etc. (sorry if I missed any of you out, but it’s probably for the best once you read on!) have been beavering away for a year or two now, polishing their tools and marketing messages, and have started to break into the mainstream with credible propositions. Their modus operandi is predicated on the ability to aggregate, analyse and present (in a sexy web 2.0 UI) a user’s personal financial data (i.e. bank account, credit card, brokerage account etc.), advise on improvements, and in some instances, execute against those recommendations. So far, so good; we could all do with that sort of help.

But let’s take a step back. How is this data aggregation achieved, and what happens to the data once the PFM has grabbed it? Depending on which PFM you use, the answer ranges from good to bad. Yodlee is the power behind many of the PFMs, and uses what many IT security professionals regard as a security nightmare of a technique called “screen-scraping” to achieve data aggregation. Yodlee relies on the user to hand over log-in credentials for their financial accounts so that it can crawl the websites of the financial institutions and literally grab the data right off the web page. Note what that means: the aggregator holds the real username and password, so it gets whatever those credentials can do at the bank (in many cases that includes moving money, not just reading balances), and the bank sees the aggregator’s log-in as the customer’s own. Does this breach the user’s terms of service for online banking etc? In its purest sense, probably. Does this mean the user wouldn’t be ‘covered’ in the event of a subsequent fraudulent use of that online banking service? Maybe. Some of the PFMs try to avoid this issue by keeping the log-in credentials on the user’s desktop (step forward Wesabe; take a bow), but is this enough to keep your personal financial data secure and for your eyes only?

Well, according to twitter user @adambassador, the answer as of about an hour ago is most emphatically no. And here is why:

[Screenshot: Rudder messed up]

In truth, this was an accident just waiting to happen. The question now: is this just a one-car-wrapped-around-the-lamp-post deal, or are we looking at a Rudder trainwreck?

Looks, unfortunately, as if the answer might be the latter. Ten minutes ago, twitterer @adietz wrote “Getting stacks of emails from rudder.com for accounts that aren’t mine… Thought I would close my account but I can’t log in. Boo Hiss.” So, that’s at least two users who have received a bucketload of email containing other people’s financial data, maybe even yours…

…and no-one is answering the phones at Rudder HQ; I got put through to an answering machine. I’ve tweeted Rudder CEO Nikhil Roy @nikhilroy but no response yet. I’ve also emailed Rudder support for their comments. It’s gonna take a monumental PR effort for Rudder to survive this if the news breaks to a wider audience, and the collateral damage to the other PFMs may result in a number of further fatalities.

This doesn’t look good.

ADDENDUM: I’m certainly not suggesting this is attributable to the data aggregation services these PFMs use; this looks to be fairly & squarely a Rudder cock-up. For the record, Rudder doesn’t use Yodlee for data aggregation; they have a relationship with another aggregator called Cashedge. The purpose of mentioning these data aggregation services & techniques in this post is to provide a fuller picture of the perils & pitfalls of handing access to personal financial data to third parties.

Updates

UPDATE: On May 15th, @adambassador tweeted that Rudder was showing the wrong balance for his checking account, and it’d been like that for 4 days. It’s getting worse; I really did think this was just an automated email problem, but now it looks like there may be data issues too.

UPDATE 2: @alirtsman tweets that “rudder.com just accidently sent me dozens of confidential statements belonging to other customers. time to switch”. Hitting the fan, Rudder; better do something quick…

UPDATE 3: On May 7th, Rudder CEO Nikhil Roy @nikhilroy re-tweeted a link to an article: “Want To Position Your Start-Up To Be Acquired?” Oh dear, this is turning into a real Tommy Cooper moment, Nikhil…

UPDATE 4: This from Rudder’s FAQ; hilarious:

“If you’ve signed up for Rudder and you’re not receiving emails, it’s not your fault. It’s the fault of the hysterical legislators who write anti-Spam laws that don’t differentiate between legitimate services like ours and blatantly false (though still tempting) advertisements for penis elongation. The information below will help you correct your email settings in various browsers, thereby ensuring that the life-changing power of Rudder lands in your Inbox instead of your junk mail. Also included are instructions on how to unblock images so you can enjoy Rudder in all its glory.”

To my knowledge, I don’t think any spammer has managed to email pictures of my pre-op tumescence to another individual.

UPDATE 5: If you are a Rudder user, this is the type of personal data they are emailing to other people right now (screenshot courtesy of @adambassador):

[Screenshot: content of one of Rudder’s erroneous emails]

UPDATE 6: @aaronaiken also tweeted: “Rudder.com seems to be having problems”, but that’s nothing compared to what “Dave” has commented on below! Oh dear, Rudder meltdown…

UPDATE 7: Rudder’s Privacy Policy states that users must “…agree to (a) immediately notify Rudder of any unauthorized use of your password or account or any other breach of security”. What happens when they appear to be the cause of the breach? Well, don’t bother trying to phone, tweet or email them; they don’t reply…

UPDATE 8: Game’s up; Mashable & Techcrunch have run the story, and Rudder’s CFO Nikunj Somaiya has come clean (see 2nd paragraph). Other PFMs now scrambling to contain the fallout.

FINAL UPDATE: Over 700 users were compromised by Rudder’s security breach (that’s just under 4% of their user base – based on numbers before this happened, of course!). The breach was caused by an attempt to fix a problem with daily email updates to users, which were being caught in a Yahoo spam filter. Unfortunately, the fix wasn’t tested properly, and each user ended up getting everyone else’s updates too, until Rudder realised their error and shut down the email system. The story is about to trend on Twitter, but Rudder still hasn’t made any effort via their website to tell users what is going on. Users who have either received hundreds of sets of sensitive financial data or have had their own data exposed have not been contacted by Rudder, either!
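The final update says only that an untested change to the daily-update mailer sent each user everyone else’s digests. As an added illustration (this is not Rudder’s code, and the mechanism is an assumption, since the post does not say what the fix actually changed), here is one of the most common ways a batch mailer produces exactly that symptom, a recipient list that is reused across users, next to the per-user version and the pre-send check that would have stopped the run before the first message left. The users, addresses and balances are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    recipients: tuple   # addresses this digest will be sent to
    owner: str          # the user whose financial data the body contains
    body: str


# Constructed sample users and balances for the example; not real accounts.
USERS = [
    ("alice@example.com", ["Checking: $1,234.56", "Visa: -$210.00"]),
    ("bob@example.com",   ["Savings: $9,800.00"]),
    ("carol@example.com", ["Brokerage: $42,000.00", "Amex: -$1,050.00"]),
]


def render_digest(email, updates):
    return f"Daily update for {email}\n" + "\n".join(updates)


def build_batch_buggy(users):
    """Hypothetical regression (an assumption; the post does not say what
    Rudder's fix changed): the recipient list is created once for the batch
    and appended to on every iteration, so user N's digest goes to the first
    N users. The earliest users in the batch receive everyone else's data."""
    to = []
    batch = []
    for email, updates in users:
        to.append(email)  # BUG: never reset between users
        batch.append(Message(tuple(to), email, render_digest(email, updates)))
    return batch


def build_batch_fixed(users):
    """Each digest is addressed to exactly one recipient: the data owner."""
    batch = []
    for email, updates in users:
        batch.append(Message((email,), email, render_digest(email, updates)))
    return batch


def audit_batch(batch):
    """Pre-send invariant for any mail that carries per-user data: one
    recipient per message, and that recipient owns the data in the body.
    Returns a list of (owner, recipients) pairs that break the rule."""
    return [
        (msg.owner, msg.recipients)
        for msg in batch
        if len(msg.recipients) != 1 or msg.recipients[0] != msg.owner
    ]


def send_batch(batch, transport):
    """Refuse the whole batch if the invariant fails. The place to discover a
    cross-user leak is before the first message leaves, not on Twitter."""
    violations = audit_batch(batch)
    if violations:
        raise RuntimeError(
            f"{len(violations)} digest(s) would reach someone other than their owner"
        )
    for msg in batch:
        transport(msg.recipients[0], msg.body)
    return len(batch)


def deliveries_per_user(batch):
    """How many digests each address would receive if the batch were sent."""
    counts = {}
    for msg in batch:
        for rcpt in msg.recipients:
            counts[rcpt] = counts.get(rcpt, 0) + 1
    return counts


if __name__ == "__main__":
    print("buggy:", deliveries_per_user(build_batch_buggy(USERS)))
    print("fixed:", deliveries_per_user(build_batch_fixed(USERS)))
    try:
        send_batch(build_batch_buggy(USERS), lambda rcpt, body: None)
    except RuntimeError as err:
        print("blocked:", err)
    send_batch(build_batch_fixed(USERS), lambda rcpt, body: print("sent to", rcpt))
```

The guard is deliberately blunt: one digest that would reach anyone other than its owner stops the entire run, and the `owner` field must come from the same query that produced the body or the check proves nothing. Whatever the real regression was, the lesson of the final update is that a mail path carrying per-user financial data needs an invariant like this in front of the transport, plus a test that exercises more than one user, so that a change made to get past a Yahoo spam filter cannot silently turn a personal digest into a broadcast.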


Comments
  1. Dave 19. May, 2009 at 5:04 pm #

    The same thing is happening to me today. Receiving hundreds of emails for other users accounts. Also, if I clicked on one of the nav buttons at the top like “Dashboard”, it takes me to web page logged in as that user! I notified their support email that this is happening but no response yet. I was able to delete my account though, by using the Dashboard link in my own Rudder email, which opened my web page logged in as myself, then went to delete account. It seems to have worked, hopefully before someone else was in there. Luckily I am a nice person and happen to work in a security function myself in my job. Someone else may not be as caring, advise all to try deleting their accounts ASAP using their Dashboard links.

    Good luck

  2. Adam 19. May, 2009 at 5:41 pm #

    Dave, that’s not happening for me. I can’t login to other users’ dashboards, fortunately.

  3. matt@Thrive 19. May, 2009 at 6:58 pm #

    It goes without saying that trust is a huge issue in the personal finance space, and in the end, you stake your reputation not just on your ability to deliver a quality experience to your users and to actually save them money, but also on your ability to protect the money they have. As noted in the linked article, however, I’d hate to see people swear off the personal finance space in general because of the mistake of a single company – just because the Ford Pinto was prone to exploding does not mean that you shouldn’t drive cars from other companies.

    Here at Thrive (www.justthrive.com), we take our users’ data very seriously and are fanatics about security. After all, every single member of our team uses Thrive and so do our friends, family, and loved ones, not to mention all the people that use Thrive every day to get personalized advice and help with their finances.

    To provide some perspective on this incident, think about your bank. They could make the same mistake Rudder did and expose a great deal more information to the public. In the highly unlikely event that someone managed to hack Thrive (white knight hackers haven’t managed it yet), they would not be able to actually move your money. No bank passwords and user names are stored on our system. You cannot move money from within Thrive. Really, someone could get more information about your bank accounts (including your actual account number) by stealing the well-marked bank statements that arrive in your mailbox, and for far less work.

    I am not trying to trivialize this data breach: it is a serious issue. But as a personal finance advisory website, Thrive has helped people spend less and save more. I can look at the data from our site, month-to-month, and actually see real change. So there is real reward to using a personal finance site and I would hate to see people move away from this space simply because of the bad practices of one company. Thrive, along with others in the personal finance space including Wesabe and SmartyPig, bring real value to the people that use them and that is important to remember when evaluating the Rudder incident.

  4. Dave 19. May, 2009 at 7:40 pm #

    Dave here again.

    Just wanted to update previous comment. I received a total of 557 emails for other users accounts today. That’s not a trivial amount. And again, I can click the Dashboard link and it opens the web page logged in as the user. I tested it a step further by trying the ‘Settings’ link, then ‘Preferences’, ‘Email settings’. If I click the ‘change’ link next to the user email address, it opens up the two blank boxes to change and verify the users email address! Yikes. Again, I am a nice person who works in a security function. I deal with private data all the time and am sworn to protect the information I oversee. Others who have received similar access to the Rudder accounts may not. Delete your accounts now!
    Just trying to help. I am a victim of this as well.

  5. Craig 19. May, 2009 at 9:20 pm #

    As another competitor to Rudder in the PFM space I feel for them and personally know them and they are a good team that has all their users’ best interests in hand. Trust is huge in the personal finance space and all companies are doing their best to provide not just a great service to manage your money, but to ensure that your money and data is safe.

    This is the reason we at BudgetPulse decided to opt for a manual input tool, one that does not sync with bank or personal account information because of fear of an event like this.

    There is real value and reward from personal budgeting software and I would hate to see others move away from the personal finance space when so many companies like BudgetPulse bring exceptional value and safety to everyone. I hope people can evaluate the Rudder crisis as an isolated event and not hold it against the industry.

    Craig Kessler
    Marketing Director at BudgetPulse
    craig@budgetpulse.com

  6. Adam 19. May, 2009 at 10:20 pm #

    I think it’s interesting that other PFMs are advertising their product in the comments while making it look like they’re showing sympathy. If you want to advertise, go ahead and do so, just not under false pretenses ok?

  7. Bill 20. May, 2009 at 12:42 am #

    Adam, Thrive, BudgetPulse, Rudder, and all the rest are junk! You should use BudgetSketch!

    But seriously, I think everyone with a horse in the PFM race has to be very sensitive not only to the needs of our customers (I’m VP of Finagilous LLC, creators of BudgetSketch) but also of your perception of our industry as a whole.

    The fallout of the Rudder issue affects us all, producers and consumers. We, the producers, have been given a wake-up call. Some of us were already awake. Others are still sleeping. Your challenge as a consumer of our services is to choose your PFM partner carefully.

    Good luck!

  8. Ginger @ Girls Just Wanna Have Funds 20. May, 2009 at 1:22 am #

    I’m with you Adam, their comments are disguised as showing some kind of empathy for the user when they are really here to advertise. Come on guys, we see through this.

    I’ll be pulling my accounts from Rudder tonight, they’d gotten pretty buggy for me and I just can’t risk it. I’ve been using Yodlee anyway but I liked Rudder because of the forecasting calendar.

  9. Nikhil Roy 20. May, 2009 at 6:59 pm #

    Dave, Adam, Ginger,

    I am Nikhil Roy, the Founder & CEO of Rudder.com

    First of all, we’d like to sincerely apologize for the error that resulted in the inadvertent distribution of our users’ financial updates. This error was due to a breakdown in process, and not due to a security breach.

    Our users’ privacy is of utmost importance to us and we have taken several measures to address the concerns of those affected.

    1. We’ve identified and rectified the issue to make sure this will never happen again.

    2. Although the emails didn’t include anything that would let others log in to user’s bank accounts, transfer or withdraw money (emails do not include banking credentials, names or SS#s), we’re offering all those affected, a subscription to an Identity Guard service, paid for by us.

    3. We’ve set up a hotline for those concerned to call us if they have any questions – (877) 730-4914 xtn 0.

    4. We’ve set up a blog post that people can go to see what exactly happened and what we are doing about it. http://rudderupdate.tumblr.com/

    The online banking industry itself (including companies large and small) has been grappling very publicly with issues of security and privacy for many years. We sincerely regret that Rudder let down our users with this incident.

    More than anything, we hope that users do not let this incident discourage them from pursuing the benefits of managing their finances online, regardless of which provider they may use. Improving Americans’ financial health has been our mission since day one, and we continue to believe that this new generation of personal finance management applications, including Rudder, have the potential to change the world for the better.

    Regards,

    Nikhil Roy
    Founder & CEO
    Rudder.com

  10. matt@Thrive 20. May, 2009 at 7:23 pm #

    Adam, Ginger, are we really that cynical already? I can’t say I know the BudgetPulse guys, so I don’t know their intentions, but I’m certainly not here to advertise: I just think it is an issue worth talking about. As Nikhil points out in his letter to users and to the public, the concern here is not just for the data of the individual users (which is a serious problem) but also for the stability of a burgeoning group of sites that are trying hard to help people improve their finances.

    We know the Rudder guys and they have always seemed genuinely interested in helping people do better with their finances, which clearly is a mission we love and are on board with. Let me be 100% clear about the motivations behind my response: keeping people interested, and involved, with PFM sites that are going to actually help them save money and that have that as their primary mission.

    We don’t want this to be a Ford Pinto. I’ve tried to explain how we deal with this exact issue, and I’d love it if other companies would speak up about the same, so that users understand the precautions people take; I’m glad the BudgetPulse guys chimed in.

    They are actually a good example. I think we, as a group of sites doing this sort of work in the world, should want people to know that there are automatic options and manual options and that people should be able to choose. Heck, we should want them to know that a choice even exists!

    So cut us a little slack. The goal here is to help people, and I’m not so sure jumping to the conclusion that we’re all commenting in some vague advertising scheme is accurate or quite the way to go. =]

  11. Brian 22. May, 2009 at 12:36 am #

    This Matt guy is a complete vulture. People who pose as if they care, while taking advantage of other people’s problems and incessantly plugging their sorry **s products are dirt.

    Shame on you Mr. know it all. I trust the readers have the intelligence and common sense to be able to separate the wheat from the chaff here.

    In short: get lost LOSER!

Trackbacks/Pingbacks

  1. Oops: Did Rudder Just Send Your Financial Data to Someone Else? - 19. May, 2009

    [...] Additionally, a number of people are talking about it on Twitter, posting their own images and stories documenting the [...]

  2. Rudder: A Cautionary Tale « Where’s Our Money? - 22. May, 2009

    [...] issue with the Web-based personal finance management (PFM) application called Rudder has served as a wake-up call to all service providers in the PFM industry and should serve as a cautionary tale for all [...]
