How Safe Are One Stop Financial Web Sites?

Look, there's your portfolio

Managing your finances online appeals to you, but the bank account is at one Web site, the brokerage at another--and each of your credit cards has its own site as well. Now, instead of jumping around the Net, popular Web sites are offering to collect all that financial information for you, allowing you to use it the same way you always did--but with just one log-on name and password. Some 300,000 consumers already use these services, and 3.7 million more are expected to sign up over the next 18 months.

Web users can gain access to these services at some well-known sites such as and, but the bulk of the data-gathering, record-keeping, and security functions belong to one of two companies that you've probably never heard of--VerticalOne Corp. and Yodlee Inc. Both data processors, or "aggregators," are little more than a year old. Unlike banks and brokers, they are unregulated and may have no responsibility for fraud. The two are quietly amassing a trove of valuable data on consumers' buying, borrowing, payment, and investment habits, much to the chagrin of bankers. "They're doing what banks should have," says Octavio Marenzi, managing director at Celent Communications Inc., a Boston consulting firm.

Here's how the aggregation process works. A customer signs up for the finance-managing service at a "partner" Web site such as In setting up the account, customers must type in their account numbers and passwords--information that goes directly to VerticalOne or Yodlee. Every night, their computers go online to Web sites run by the banks and brokers, and log on with the customer's name, account number, and password to retrieve information. This data-gathering process is known as "screen scraping."

If you've ever had doubts about putting one credit-card number online, how about your entire financial life? VerticalOne and Yodlee insist their security is bulletproof. Account numbers and passwords are never actually in the hands of the Web-site partner. Instead, they're collected and held by the aggregators.

The account information is separated into names, numbers, and passwords. It's then encoded and stored in high-security databases that use palm-scanners for access. Although together the companies have several hundred employees, there are only six--three executives at VerticalOne and three at Yodlee--who have complete access to the information.

That is an enormous responsibility for these two small companies. Anyone with access to the databases at one of these sites could have thousands of accounts and passwords at his or her disposal, critics worry. Unlike a thief who steals just your credit-card number, this person could theoretically wipe out your entire financial portfolio.

The portfolio wipeout scenario isn't just idle speculation, some say. "There's a real risk that someone could break in and run amuck," says Marenzi. "Every system that human beings have ever built has failed at some point. It's not a question of if, it's a question of when." Armed with the information that these sites compile, a brazen thief could start mailing checks, running up charge-card purchases, and even set up a second bank account, Marenzi says. Hacking into retail sites and illegally using credit-card numbers is already common. About 15% of all purchases made over the Internet are either frauds or chargebacks to correct mistakes, adds Naftali Bennett, chief exec of Inc., a New York City company that makes software designed to limit credit-card fraud.

Account aggregators deny that a break-in is possible. VerticalOne, a subsidiary of bank adviser S1 Corp., collects data for more than a dozen different Web sites, including Ameritrade's, and VerticalOne chief executive and founder Gregg Freishtat says logging on to one of the Web sites his company services is no more risky than going online to each bank or credit-card company where you have an account. The risk lies where your account information and passwords are held, Freishtat explains. In VerticalOne's case, that's at the company's Atlanta data center. Security measures include 24-hour video surveillance, round-the-clock security guards, and regular drug tests and background checks for employees.

TRIPLE-CHECKED., which consolidates account information on its own site as well as partnering with Altavista and Intuit, among others, was founded by P. Venkat Rangan, a former University of California at San Diego computer science professor, and his two brothers. At Yodlee, names, account information, and passwords are also separated and stored in a secure site away from its Sunnyvale (Calif.) headquarters. Information is encrypted and employee backgrounds are checked. "We've had three different security firms come in to check our system, as well as some financial institutions," says Matthew Idema, vice-president for operations.

So would cracking the codes at these data consolidators require a James Bond-like effort?. The two firms are "following the right design principle" to ensure that data is secure, says Daniel Geer, chief technology officer of @Stake Inc., a security firm. But other security experts are quick to add that their allure for a thief is unmistakable. "If these companies get as big as they want to be, they're going to be like the Grand Prix for hackers," says Adi Shamir, security adviser at Cyota.

If naysayers like Shamir are correct, the big question becomes: Who's liable if hackers steal your accounts? The aggregators are not regulated by the federal government like banks, and technically have no responsibility to make consumers whole in case of a break-in. VerticalOne guarantees to reimburse up to $100,000. Yodlee makes no such guarantees.

Sensing their vulnerability, some banks began criticizing these sites last year. Under the Electronic Funds Transfer Act, the law that governs electronic transactions, banks are on the hook if a hacker or employee gains access to account information at an aggregator and illegally transfers funds, explains Kit Needham, co-chair of BITS, Banking Industry Technology Secretariat, a trade group. "Nobody anticipated this kind of technology when this rule was written," she says. "Banks have no way to protect themselves." BITS has asked the Federal Reserve to issue an opinion about banks' specific liability; it's expected this summer.

QUESTIONS REMAIN. The Web sites that offer the aggregators' services also present a competitive challenge to banks. They keep customers away from the banks' online sites, making it harder to sell additional products. And though the aggregators say they don't share specific account information with anyone, they are exploring ways to market to specific customers. For example, if a cell-phone operator is looking for frequent travelers with high mobile-phone bills, aggregators could identify them. But instead of giving up names, the aggregator could display the cell-phone company's ad when those customers went online.

Banks have fought legal battles to keep the screen scrapers from gathering data at their sites without success. In fact, rather than fight them, some banks are even partnering with Yodlee or VerticalOne to develop account aggregators at their sites. and Hibernia Corp. have already announced such partnerships, and more such deals are expected. "Many would argue that account consolidators are as safe as online brokerage services," says Robert Foregger, executive vice- president at

Still, questions about security and liability remain. Says Gayle Wellborn, director of customer advocacy at First Union Corp.: "Should something happen, it's not going to reflect well on anyone." Indeed, if there is a security breach that leads to large losses, consumers will paint the aggregators, the Web sites, and the banks with the same brush.

Before it's here, it's on the Bloomberg Terminal.