Aggregator Web Sites Need Tighter Security, Report Says

Online financial management sites that aggregate information from multiple accounts could pose a security risk, a report concluded.

Access to these sites is typically protected with just a traditional username and password, which offers far less security than banks' Web sites.

Executives of two companies that operate aggregation sites, Wesabe Inc. and Mint Software Inc., said the username-password combination is adequate because their sites do not permit users to initiate financial transactions, and someone gaining access to a user's account could not use it to steal any money.

The author of the report, George Tubin, a senior research director at TowerGroup Inc., a Needham, Mass., independent research firm owned by MasterCard Inc., said the data stored in these accounts could help hackers gain access to users' bank accounts, where they could steal money.

"The danger is getting that information," Mr. Tubin said Tuesday.

Because phishing has become so common, he said, banks have beefed up their own online security with applications that offer device identification or IP geolocation, which can determine whether a computer used to access a Web site or the user's location matches those of the customer. "Just getting a username and password, generally speaking, just isn't sufficient," Mr. Tubin said.

The tightened security has criminals trying new techniques, and a detailed transaction history, such as the ones compiled by financial management Web sites, could help someone impersonate a bank customer to a call center, he said.

Marc Hedlund, a Wesabe co-founder and its chief executive, conceded that "a history of transaction data for one consumer could be used by a determined attacker, but only to determine who that person was."

To commit fraud, "you would have to have other information that we do not store," he said.

He defended Wesabe's security approach. The company considered using stronger authentication methods than a username and password combination but determined they were unnecessary, he said. "We do not believe that that's effective."

Wesabe and other sites generally ask users to provide the username and password needed to access their bank account and gather transaction details.

Mr. Hedlund said these credentials are encrypted, are not stored in the same place as users' financial details, and cannot be obtained by someone who gained access to a user's Wesabe account.

In addition, users who do not want to give Wesabe their passwords can choose to upload their transaction data directly instead.

Aaron Patzer, Mint Software's founder and CEO, said his company chose to put the bulk of its security on the back end to protect the information users provide to grant the site access to their bank accounts.

"Our physical systems exist in an unmarked co-location facility, where you need to go through a biometric scan, guards, a 'man-trap' tunnel, where you then get to a locked server cage (used only by Mint) which is monitored 24/7 via video," Mr. Patzer wrote in an e-mail. Within that cage, "the server racks themselves are locked, and the hard drives encrypted."

However, accessing users' accounts "requires only username and password," he wrote.

Mint considered using stronger authentication, but "we sided against multifactor authentication for a number of reasons: it's cumbersome, irritates users, and leads to more customer service overhead," Mr. Patzer wrote. "I think the decision was advisable in that Mint is significantly different than banks," which "are transactional and therefore have different security practices."

Mint uses aggregation technology from Yodlee Inc., but does not use all of the software's features. For example, Yodlee can connect users directly to the secure area of their banks' sites after they have logged in to the aggregation site, but Mint does not allow that.

"It may make more sense to have … [multifactor authentication] or additional security questions on sites like that, or before using those features," Mr. Patzer said.

TowerGroup's Mr. Tubin, whose report came out Tuesday, said sites that do not permit transactions still require a more effective security system than the basic username and password. "The criminals will always go after the path of least resistance," he said. The aggregation companies underestimate "the danger that access to that data could provide."

"Hopefully it doesn't take some type of high-profile incident" to convince the aggregators to put in stronger authentication, Mr. Tubin said.

"I just think that they're misguided. They just don't understand the value of the information that they have," he said.

Though he said that detailed transaction data may be less valuable than passwords, he said the data still deserves strong protection.

"We have to look at both sides," he said. "It's why banks still try to take down phishing sites" even though strong authentication makes phished passwords harder to use.

"It's just a matter of time" before the aggregation companies decide to put in stronger authentication, Mr. Tubin said. Though it took a regulatory mandate to kick in before strong authentication became the norm among banks, many have found their fraud levels went down once the change was made, he said.

Aggregation providers are "so new, they just don't know any better," he said.
