Are budgeting apps like Mint safe to use?

Budgeting can be a wonderful thing. It keeps your expenses and shopping habits in check and, at least in theory, ensures that you always have enough funds to make ends meet. But when budget charts moved from spreadsheets to personal finance apps that have direct access to your bank account, people began to question how secure their data would be. When applications like Mint, PocketGuard and Wally were first released in the mid-2000s, they garnered a lot of negative media attention focused on the presumed security risk of giving away your banking passwords for the sake of organizing your finances.

MORE: How a single mom spends $600 a month on groceries

Since then, the negative noise has died down, and Mint, which comes from Intuit, the same company behind Quickbooks and Turbotax, has become one of the most popular budgeting apps, with over 10 million users. But have these apps become more secure, or did people simply become more comfortable with them? Should consumers be worried?

What are the risks and how can you avoid them?

Apps like Mint ask you to plug in your banking information so the program can keep track of your expenses and overall balance to make a budgeting plan. The main concern with this is that giving these apps access to this sensitive information can make you vulnerable to fraud because of the risk of a data breach, or an outside party somehow gaining access to your banking passwords. There’s always the option to turn to apps like Dollarbird and Goodbudget, which let you manually input your expenses, but if you decide to use an automatic app for the sake of convenience, take the time to learn everything you can about it and its company’s history, says Bill Buddington, a senior staff technologist at Electronic Frontier Foundation and an expert in digital security. “If they have a history of data breaches, if they have a history of being litigious against security researchers — these kind of things are red flags,” he says, adding that users should lean towards reputable companies and read up on their privacy policies and security measures to know exactly what will be done with their personal data and how it will be protected. If this information isn’t accessible, that’s a red flag too. Many of these programs were created by reputable financial institutions with a reputation to uphold, which means they’re more likely to take security seriously. Look for apps that use end-to-end encryption, which guards third-party users from accessing your information. (Mint, for example, is encrypted with 128 bit SSL, which protects digital data files in transit. Files are also protected on the company’s servers with 256 bit encryption.) In the case that someone with malicious intent gains access to an account, it’s often due to a mistake made by the user, according to Alex Cameron, a privacy and cybersecurity lawyer at the Toronto-based law firm Fasken.

READ: Envelope budgeting 2.0: How this system works

“The user having a weak password, using the same password across multiple services, clicking on phishing emails and giving up their password that way — those are more common types of risks,” says Cameron, adding that consumers should be doing their due diligence to ensure their information remains secure. He recommends that users set up a two-step authenticator to log in, which mitigates the risk of someone guessing your password. PocketGuard uses this form of double protection by asking users to plug in a randomly produced pin code and password combination every time they want to access their account. In the event that your account is hacked, both Mint and PocketGuard are designed to be read-only, which means that you can’t actually move money into different accounts — and neither can your hacker. They’ll have access to your data and see how much money you have in your account, but won’t be able to do much with it. Your full financial account numbers, credit card usernames and passwords aren’t displayed.

What do the banks say?

When these kinds of apps were first introduced, banks didn’t approve of their customers’ use of third-party programs that require bank access to organize their finances — and they still don’t. Laura Butcher, a communications manager at TD Canada, told us they “do not endorse the use of aggregation services due to the potential risk to personal information,” adding that the institution recommends their customers review their agreement with their bank before signing up. The Royal Bank of Canada (RBC) shares a similar position. Jeff Lanthier, RBC’s director of communications, told us that protecting sensitive information is a “shared responsibility” between the bank and the client. Most banks hold this stance in order to avoid liability in the case that a customer’s data is breached. According to Imran Ahmad, a Toronto-based lawyer with a focus on cybersecurity and privacy law, breaches are often handled case by case, but most of the time, the application would be held liable, not the financial institution.

READ: This couple can’t stick to their $8,000 monthly budget

If a breach occurs, the app company will usually inform the client about what their next steps will be, which often includes offering a credit monitoring program to ensure that the customer isn’t being affected financially and instructions to change their bank password. As of November 1, Canadian companies will be legally required to let you know in a timely manner if your privacy has been breached. “Ultimately, any financial loss suffered by the individual would then be borne by the application, so you hope at that point they’ve got proper insurance in place,” says Ahmad.

What now?

Once you’re aware of the potential risks of using these programs and understand how to protect yourself, you can decide whether an application like Mint is right for you. But if you still don’t feel comfortable using third-party aggregators, many national banks offer in-house budgeting programs such as TD’s MySpend and RBC’s NOMI. The important point is to take proper precautions. There are risks with everything, but if you take the right steps, you’ll know that you did everything in your power to avoid them. And if you’re still worried, there’s always the good old fashioned spreadsheet.

This post is part of Spend It Better, a personal finance collaboration between Chatelaine and MoneySense about how to get the most for your money. You can find out more right here.