When I tell people I use a tool to do it, they all ask me the same question – is Empower Personal Dashboard safe?
Security is one of the biggest concerns people have with any financial aggregator or tool. Whether it’s Mint, Empower Personal Dashboard, or some other service – putting your data into the “cloud” can be unnerving. This is especially true given how many hacks we’ve seen recently. Equifax, one of the biggest credit reporting agencies, was hacked and 143 million consumers had their data stolen. It was enormous.
How do you know that your data is going to be safe at another company?
It comes down to two key parts – how do they safeguard your information when they have it and how do they safeguard the transmission of your information while they get it.
❓What happened to Personal Capital? Personal Capital was acquired by Empower Retirement in 2020 and in February 2023, it was re-branded into Empower Personal Dashboard. Everything about the tools remained the same except for a new logo and name. You can read more about what happened to Personal Capital in this post.
Table of Contents
🔃Updated February 2023 with the name change from Personal Capital to Empower Personal Dashboard. The interviews below were conducted before the name change so we kept the quotes the same. They will refer to the tool by its previous name, Personal Capital.
Two Key Security Areas
When it comes to financial apps and security, there are two key pieces to look at:
- How Safe is My Data – When you give the tool your data, how is it stored and protected? What is stored and where is it stored? How are the employees monitored to prevent any kind of theft?
- How Safe is the Connection – When you communicate with the tool, how secure is that connection? When you log in, when you view your data, when you update anything, when you give them your credentials… the transmission of that data is subject to risk.
The information you put into the system has to be safe in its place of storage. The way you communicate that information must also be secure.
How Safe Is My Data in the Cloud?
One of the biggest concerns people have with tools like Empower Personal Dashboard is having their data in the “cloud.”
I reached out to David M. Parker, Asst. Prof., Div. of Accounting & Finance and Director, Center for the Study of Fraud and Corruption at Saint Xavier University, for his thoughts on services like Mint and Empower Personal Dashboard. He shared some valuable thoughts on how to weigh the potential risks and rewards of using cloud-based tools:
With regard to general thoughts about storing data in the cloud by giving your data to Amazon, Microsoft, Dropbox, Equifax, your bank, Google, Facebook, or whoever… is it safe? Recent news items reveal the many, many companies that have suffered data breaches at the hands of cybercriminals.
Can your data be stolen if you hand it over to the cloud? Yes.
So, you decide to keep your data safe at home. Can it be stolen? Also yes. Cybercriminals can break in to your home computer, your home wi-fi, your Internet-enabled thermostat or doorbell, etc.
Points in favor of the cloud include that a big company like Amazon or Microsoft might have more resources and be better at defensive security that you are at home. And, certainly, it is in the best interest of their business to do their best to remain secure. They also offer redundant storage to an extent you would not have just storing your data at home where your hard drive could blow up or your house burn down with your data in it. So, it is often an acceptable risk.
I have no direct personal experience with Mint or Personal Capital. My understanding of these third party financial data aggregator services is that they work by gathering all your financial data into one place and offering their clients the resulting convenience of the nice graphs and charts. This means they need to work with your bank, broker, etc. to get access to your transactions. The extent and type of access they will be able to get may depend on whether the financial institution views them as a partner or a competitor.
An issue that comes to my mind is the size of the attack surface. If your bank and your aggregator both have a copy of your information it gives the criminal two possible targets from which to steal it. Also, if all of your information is collected at one spot, rather than having to break into multiple accounts the criminal now has one-stop shopping.
There will always be risks. No system will ever be perfectly secure. There will always be vulnerabilities and bad people willing to exploit them. But, it always comes down to an individual judgment about whether the risk is reasonable or minimal compared with the benefit of the service.
Your data isn’t 100% safe at home and it isn’t 100% safe in the cloud.
But the companies that you trust with your data will have safeguards in place (“defensive security”) to protect you.
Let’s take a closer look at Empower Personal Dashboard and what they do to secure your data.
How Safe Is My Data at Empower Personal Dashboard?
Are you worried about your data being stored on Empower Personal Dashboard servers?
The guy you want to talk to when it comes to security at Empower Personal Dashboard is Fritz Robbins. At the time of our brief email interview, he was their Chief Technology Officer and Chief Information Officer (now he is the CIO of Wealth Management within Empower). He has over 20 years of experience in their field including a three-year stint as a System Architect at RSA Security and 8 years running his own full-lifecycle software engineering company. He holds an M.S. in Computer Science from Stanford University to boot.
(also, for what it’s worth, Personal Capital’s Founder Bill Harris co-founded PassMark Security, a company that built online authentication systems used by most major banks, and Fritz Robbins was with that company as well)
I asked Fritz about security and he mentioned a few of the points I’ll dive deeper on below:
Our point of view is that viewing your banking and brokerage accounts via Personal Capital is *safer* than going directly to the banking/brokerage site from your browser. You touched on many of the reasons why:
- Your credentials are stored in a secure data center versus always being transmitted via the user’s (generally less-secure) browser
- The connection is read-only and no money can be transferred out of your banking/brokerage account via Personal Capital, and your banking/brokerage passwords are never returned to your browser from our servers.
- Our service gives you notification of all banking/brokerage transactions (via email or mobile push notifications) that make it easy for you to monitor you banking/brokerage accounts for fraud, all in one place!
Not for nothing but knowing the security chops of the team behind Empower Personal Dashboard gives me confidence they’re on top of their game.
There are two ways that Empower Personal Dashboard keeps your data safe:
- They use very powerful encryption and,
- They have strict internal access controls.
Quick Primer on Encryption
When you enter your bank credentials into Empower Personal Dashboard, they encrypt it with AES-256 with multi-layer key management, which includes rotating user-specific keys and salts. AES-256 is the Advanced Encryption Standard (AES) and is the gold standard as determined by NIST, the United States National Institute of Standards and Technology. 256 refers to the length of the key used and 256-bits is a longest. It is also the same encryption used by the US Government.
They never store your financial login credentials. That data is encrypted and stored at Envestnet Yodlee, a platform that powers a laundry list of financial services and wealth management tools and companies. Yodless is periodically audited by the Office of the Comptroller of the Currency and their security processes are available here.
As for internal access controls, no one at Empower Personal Dashboard has access to your credentials. Zero.
How Safe is the Connection with Empower Personal Dashboard?
Your data is safe and encrypted on their servers, but it needs to get there first without someone peeking.
That’s where encryption plays yet another role.
All of your online interaction with Empower Personal Dashboard is encrypted, so no one can decipher what you’re communicating with Empower Personal Dashboard servers. They prefer TLS 1.2 but also support TLS 1.1 and TLS 1.0. They do not allow other less-secure protocols. In encryption, you need to exchange keys during a session of communication and they use ECDHE key exchange for Perfect Forward Secrecy (read the encryption primer for more information).
They also require 2-factor authorization. This means that if you log in from an unknown or new device, they will confirm it’s you via your phone or email (you pick when you set it up). I feel it’s a must for any financial institution and there are some banks who don’t have this yet!
Finally, their apps are tested by NowSecure and the AppSecure certification process.
How Empower Personal Dashboard Protects Against Fraud
To this point, we’ve talked only about how Empower Personal Dashboard protects you and your data. What if the data is bad?
What if your credit card gets used in a fraudulent way? Empower Personal Dashboard monitors your transactions and can send you a Daily Transaction Monitor email that lists everything it has seen that day. Rather than reviewing your statement at the end of the month, you review it daily when your memory is fresh. You may not remember a transaction from two weeks ago but if it happened today, you will.
I personally set transaction notifications for any amount above $0 or $1 (depends on the card, some won’t let you do $0), but this is a good alternative if you feel that level of notifications is overkill (it probably is).
Is Empower Personal Dashboard Safe?
Yes, Empower Personal Dashboard could actually be safer than your bank.
(This is the concern that worries people the most.)
How is Empower Personal Dashboard safer than your bank?
They do everything your bank does plus more, in some cases:
- It’s read-only. When you connect your accounts to Empower Personal Dashboard, it can’t do anything except read the data. You can’t transfer funds, you can’t pay bills, you can’t do anything except read data.
- It’s not an appealing target. It’s read-only and your credentials are stored elsewhere (Yodlee).
- It has 2-factor authorization. Not all banks have 2-factor authorization (stunning but true) but Empower Personal Dashboard does. It’s an extra and necessary layer of security.
- They encrypt everything to 256 bits. Against a brute force attack, it would take 1 billion billion years.
- One point of access for multiple banks means you don’t have to log into each of those banks individually. In fact, when you log into your Empower Personal Dashboard, you never have to enter your bank credentials so it never gets transmitted. If your computer is compromised by malware or a keylogger, your financial accounts are secure.
Nothing Is 100% Safe
As they say, the only thing that’s 100% safe is abstinence.
If you add another layer to the system, it’s another layer that can be attacked.
That said, you have to weigh the benefits you get from using them (you can read my Empower Personal Dashboard review to see everything I like and dislike about them) versus the small chance they could be attacked.
I am personally comfortable with using them but that’s ultimately for you to decide. They have put all the proper protections in place, often higher standards than is required, and that’s good enough for me.