I use Empower Personal Dashboard on a monthly basis to collect my net worth information. I’ve been at it for over a decade.
When I tell people I use a tool to do it, they all ask me the same question – is Empower Personal Dashboard safe?
Security is one of the biggest concerns people have with any financial aggregator or tool. Whether it’s Mint, Empower Personal Dashboard, or some other service – putting your data into the “cloud” can be unnerving. This is especially true given how many hacks we’ve seen recently. Equifax, one of the biggest credit reporting agencies, was hacked and 143 million consumers had their data stolen. It was enormous.
How do you know that your data is going to be safe at another company?
It comes down to two key parts – how do they safeguard your information when they have it and how do they safeguard the transmission of your information while they get it.
❓What happened to Personal Capital? Personal Capital was acquired by Empower Retirement in 2020 and in February 2023, it was re-branded into Empower Personal Dashboard. Everything about the tools remained the same except for a new logo and name. You can read more about what happened to Personal Capital in this post.
🔃Updated February 2023 with the name change from Personal Capital to Empower Personal Dashboard. The interviews below were conducted before the name change so we kept the quotes the same. They will refer to the tool by its previous name, Personal Capital.
Two Key Security Areas
When it comes to financial apps and security, there are two key pieces to look at:
- How Safe is My Data – When you give the tool your data, how is it stored and protected? What is stored and where is it stored? How are the employees monitored to prevent any kind of theft?
- How Safe is the Connection – When you communicate with the tool, how secure is that connection? When you log in, when you view your data, when you update anything, when you give them your credentials… the transmission of that data is subject to risk.
The information you put into the system has to be safe in its place of storage. The way you communicate that information must also be secure.
How Safe Is My Data in the Cloud?
One of the biggest concerns people have with tools like Empower Personal Dashboard is having their data in the “cloud.”
I reached out to David M. Parker, Asst. Prof., Div. of Accounting & Finance and Director, Center for the Study of Fraud and Corruption at Saint Xavier University, for his thoughts on services like Mint and Empower Personal Dashboard. He shared some valuable thoughts on how to weigh the potential risks and rewards of using cloud-based tools:
With regard to general thoughts about storing data in the cloud by giving your data to Amazon, Microsoft, Dropbox, Equifax, your bank, Google, Facebook, or whoever… is it safe? Recent news items reveal the many, many companies that have suffered data breaches at the hands of cybercriminals.
Can your data be stolen if you hand it over to the cloud? Yes.
So, you decide to keep your data safe at home. Can it be stolen? Also yes. Cybercriminals can break into your home computer, your home wi-fi, your Internet-enabled thermostat or doorbell, etc.
Points in favor of the cloud include that a big company like Amazon or Microsoft might have more resources and be better at defensive security than you are at home. And, certainly, it is in the best interest of their business to do their best to remain secure. They also offer redundant storage to an extent you would not have just storing your data at home where your hard drive could blow up or your house burn down with your data in it. So, it is often an acceptable risk.
I have no direct personal experience with Mint or Personal Capital. My understanding of these third party financial data aggregator services is that they work by gathering all your financial data into one place and offering their clients the resulting convenience of the nice graphs and charts. This means they need to work with your bank, broker, etc. to get access to your transactions. The extent and type of access they will be able to get may depend on whether the financial institution views them as a partner or a competitor.
An issue that comes to my mind is the size of the attack surface. If your bank and your aggregator both have a copy of your information it gives the criminal two possible targets from which to steal it. Also, if all of your information is collected at one spot, rather than having to break into multiple accounts the criminal now has one-stop shopping.
There will always be risks. No system will ever be perfectly secure. There will always be vulnerabilities and bad people willing to exploit them. But, it always comes down to an individual judgment about whether the risk is reasonable or minimal compared with the benefit of the service.
Your data isn’t 100% safe at home and it isn’t 100% safe in the cloud.
But the companies that you trust with your data will have safeguards in place (“defensive security”) to protect you.
Let’s take a closer look at Empower Personal Dashboard and what they do to secure your data.
How Safe Is My Data at Empower Personal Dashboard?
Are you worried about your data being stored on Empower Personal Dashboard servers?
The guy you want to talk to when it comes to security at Empower Personal Dashboard is Fritz Robbins. At the time of our brief email interview, he was their Chief Technology Officer and Chief Information Officer (he is now CIO of Wealth Management within Empower). He has over 20 years of experience in the field, including a three-year stint as a System Architect at RSA Security and eight years running his own full-lifecycle software engineering company. He holds an M.S. in Computer Science from Stanford University to boot.
(also, for what it’s worth, Personal Capital’s Founder Bill Harris co-founded PassMark Security, a company that built online authentication systems used by most major banks, and Fritz Robbins was with that company as well)
I asked Fritz about security and he mentioned a few of the points I’ll dive deeper on below:
Our point of view is that viewing your banking and brokerage accounts via Personal Capital is *safer* than going directly to the banking/brokerage site from your browser. You touched on many of the reasons why:
- Your credentials are stored in a secure data center versus always being transmitted via the user’s (generally less-secure) browser
- The connection is read-only and no money can be transferred out of your banking/brokerage account via Personal Capital, and your banking/brokerage passwords are never returned to your browser from our servers.
- Our service gives you notification of all banking/brokerage transactions (via email or mobile push notifications) that make it easy for you to monitor your banking/brokerage accounts for fraud, all in one place!
Not for nothing but knowing the security chops of the team behind Empower Personal Dashboard gives me confidence they’re on top of their game.
There are two ways that Empower Personal Dashboard keeps your data safe:
- They use very powerful encryption and,
- They have strict internal access controls.
Quick Primer on Encryption
When you enter your bank credentials into Empower Personal Dashboard, they are encrypted with AES-256 under multi-layer key management, which includes rotating user-specific keys and salts. AES is the Advanced Encryption Standard, selected by NIST (the United States National Institute of Standards and Technology), and it is the gold standard for symmetric encryption. The 256 refers to the key length in bits, the longest key size AES supports. It is also the same encryption used by the US Government.
They never store your financial login credentials themselves. That data is encrypted and stored at Envestnet Yodlee, a platform that powers a laundry list of financial services and wealth management tools and companies. Yodlee is periodically audited by the Office of the Comptroller of the Currency and their security processes are available here.
As for internal access controls, no one at Empower Personal Dashboard has access to your credentials. Zero.
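To make "rotating user-specific keys and salts" concrete, here is an added illustration in Go of how that kind of layered key management is commonly built on AES-256; it is not Empower's or Yodlee's code (their internals aren't public), and the names KeyRing, Seal and Open and the values in it are my own. A versioned master key derives a separate key per user from the user id and a salt, so one leaked derived key exposes nobody else, and each stored blob records the key version that sealed it so data sealed before a rotation still opens.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// KeyRing holds versioned 32-byte master keys; only Current seals new data, old versions stay for reads.
type KeyRing struct {
	Masters map[byte][]byte
	Current byte
}

// userKey derives a per-user AES-256-GCM key as HMAC-SHA256(master, userID||salt),
// so a leaked derived key reveals neither the master nor any other user's key.
func (kr *KeyRing) userKey(ver byte, userID string, salt []byte) (cipher.AEAD, error) {
	master, ok := kr.Masters[ver]
	if !ok {
		return nil, errors.New("unknown key version")
	}
	mac := hmac.New(sha256.New, master)
	mac.Write(append([]byte(userID), salt...))
	block, _ := aes.NewCipher(mac.Sum(nil)) // 32-byte key selects AES-256; cannot fail
	return cipher.NewGCM(block)
}

// Seal encrypts under the current version; blob = version byte || 12-byte nonce || ciphertext+tag.
func (kr *KeyRing) Seal(userID string, salt, cred []byte) ([]byte, error) {
	gcm, err := kr.userKey(kr.Current, userID, salt)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// userID as associated data ties the blob to this user's record.
	return gcm.Seal(append([]byte{kr.Current}, nonce...), nonce, cred, []byte(userID)), nil
}

// Open decrypts with whichever key version the blob records.
func (kr *KeyRing) Open(userID string, salt, blob []byte) ([]byte, error) {
	if len(blob) < 13 { // 1 version byte + 12-byte GCM nonce
		return nil, errors.New("blob too short")
	}
	gcm, err := kr.userKey(blob[0], userID, salt)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, blob[1:13], blob[13:], []byte(userID))
}
```

Retiring a master key (deleting it from Masters) is what makes old blobs unreadable, so rotation in practice means re-sealing live records under the new version before the old one is dropped.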
How Safe is the Connection with Empower Personal Dashboard?
Your data is safe and encrypted on their servers, but it needs to get there first without someone peeking.
That’s where encryption plays yet another role.
All of your online interaction with Empower Personal Dashboard is encrypted, so no one can decipher what you’re communicating with Empower Personal Dashboard servers. They prefer TLS 1.2 but also support TLS 1.1 and TLS 1.0 (the IETF formally deprecated those two older versions in 2021, so it’s worth checking what the service negotiates today). They do not allow other less-secure protocols. Every TLS session starts with a key exchange, and they use ECDHE key exchange for Perfect Forward Secrecy, meaning the session keys are ephemeral and a server key compromised later can’t decrypt recorded traffic (read the encryption primer for more information).
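As an added demonstration of what "minimum TLS 1.2 with ECDHE" means on the wire (my own Go code, not anything from Empower), this runs a handshake over an in-memory pipe between a server floored at TLS 1.2 with ECDHE groups and a client capped at a chosen version, so you can watch a TLS 1.0 or 1.1 client get refused. The self-signed certificate and the HandshakeWith name are assumptions for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)

// selfSigned builds a throwaway ECDSA certificate so the demo runs offline.
func selfSigned() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// HandshakeWith returns the version negotiated by a client capped at maxVersion, or the refusal error.
func HandshakeWith(maxVersion uint16) (uint16, error) {
	cert, err := selfSigned()
	if err != nil {
		return 0, err
	}
	srv := &tls.Config{
		Certificates:     []tls.Certificate{cert},
		MinVersion:       tls.VersionTLS12, // TLS 1.0/1.1 ClientHellos are answered with a protocol_version alert
		CurvePreferences: []tls.CurveID{tls.X25519, tls.CurveP256}, // ECDHE groups: ephemeral keys, forward secrecy
	}
	cli := &tls.Config{
		MinVersion:         tls.VersionTLS10, // let the demo client offer the old versions
		MaxVersion:         maxVersion,
		InsecureSkipVerify: true, // self-signed demo cert; never ship this setting
	}
	c1, c2 := net.Pipe()
	defer c1.Close() // unblocks the server goroutine once we are done
	go func() { defer c2.Close(); tls.Server(c2, srv).Handshake() }()
	conn := tls.Client(c1, cli)
	if err := conn.Handshake(); err != nil {
		return 0, err
	}
	return conn.ConnectionState().Version, nil
}
```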
They also require two-factor authentication. This means that if you log in from an unknown or new device, they will confirm it’s you via your phone or email (you pick when you set it up). I feel it’s a must for any financial institution, and there are some banks that don’t have this yet!
Finally, their apps are tested by NowSecure and the AppSecure certification process.
How Empower Personal Dashboard Protects Against Fraud
To this point, we’ve talked only about how Empower Personal Dashboard protects you and your data. What if the data is bad?
What if your credit card gets used in a fraudulent way? Empower Personal Dashboard monitors your transactions and can send you a Daily Transaction Monitor email that lists everything it has seen that day. Rather than reviewing your statement at the end of the month, you review it daily when your memory is fresh. You may not remember a transaction from two weeks ago but if it happened today, you will.
I personally set transaction notifications for any amount above $0 or $1 (depends on the card, some won’t let you do $0), but this is a good alternative if you feel that level of notifications is overkill (it probably is).
Is Empower Personal Dashboard Safe?
Yes, Empower Personal Dashboard could actually be safer than your bank.
(This is the concern that worries people the most.)
How is Empower Personal Dashboard safer than your bank?
They do everything your bank does plus more, in some cases:
- It’s read-only. When you connect your accounts to Empower Personal Dashboard, it can’t do anything except read the data. You can’t transfer funds, you can’t pay bills, you can’t do anything except read data.
- It’s not an appealing target. It’s read-only and your credentials are stored elsewhere (Yodlee).
- It has two-factor authentication. Not all banks have two-factor authentication (stunning but true) but Empower Personal Dashboard does. It’s an extra and necessary layer of security.
- They encrypt everything with 256-bit keys. Brute-forcing a key that size would take 1 billion billion years.
- One point of access for multiple banks means you don’t have to log into each of those banks individually. In fact, when you log into Empower Personal Dashboard, you never have to enter your bank credentials, so they never get transmitted. If your computer is compromised by malware or a keylogger, your financial accounts are secure.
Nothing Is 100% Safe
As they say, the only thing that’s 100% safe is abstinence.
Nothing else is 100% safe. Empower Personal Dashboard is not 100% safe. The best alternatives to Empower Personal Dashboard are not 100% safe either.
If you add another layer to the system, it’s another layer that can be attacked.
That said, you have to weigh the benefits you get from using them (you can read my Empower Personal Dashboard review to see everything I like and dislike about them) versus the small chance they could be attacked.
I am personally comfortable with using them but that’s ultimately for you to decide. They have put all the proper protections in place, often higher standards than is required, and that’s good enough for me.
Steve says
I agree that nothing is 100% safe, but I personally think Personal Capital is a great tool to use, and will continue to refer newbies to it when it comes to tracking their net worth for the first time. It’s a fantastic resource.
Mitch says
I’ve been reading a lot about Personal Capital lately and it seems to be greatly favored among the Personal Finance commentariat. I am one of those who has reservations about putting personal financial data in the “cloud”.
Your article and others address many of those concerns but there is one area that no one seems to cover. Who has access to the data and can it be linked back to me?
Yes, the data is read only and account credentials are encrypted and stored at Yodlee. That’s great. Who can read my data and what can they do with it offline? Software isn’t cheap to develop and maintain and I’m not sure I believe the argument that Advisor fees cover the cost. How would consumers know that their financial data won’t be reviewed and sold just like Google and Facebook do with the data they have?
Doug says
You say “Personal Capital can’t do anything except read the data. You can’t transfer funds.” — but they take my credentials! It seems to me at that point they can do anything.
Two factor authentication is nice… do I have the option to use it in every transaction between PC and my bank or brokerage? No.
If only my bank and brokerage offered read-only credentials (ING used to do that) I’d feel a lot safer.
Jim Wang says
If your bank and brokerage only offered read-only credentials, that would be the ideal scenario because then you’d 100% be safe but unfortunately few do. 🙁
Becky says
I received a notification that Personal Capital is now offering a high-yield savings account that can be managed from the dashboard. (Personal Capital Cash.) It seems to me that that changes the read-only nature, right? Would you have concerns about opening such an account?
Jim Wang says
I have to dig a little deeper but I suspect if you take advantage of it then it would have to be a different system entirely.
If you have a high yield savings account already, you are getting a rate that’s just as good or close enough to what they’re offering. Right now, Ally Bank (the bank I use) pays 2.20% APY (6/14/2019) which is close enough for me. I won’t be opening another account and changing my whole financial system just for an extra 0.1%.
Becky says
Thank you! So that would negate or diminish security concerns?
I do not have a high-yield account at present so for me the highest number is king. I would do Varo, but I can’t run their app. It’s 2.8% if you meet the conditions.
Jim Wang says
I don’t think it would worry me but I understand if it would worry others.
Becky says
I opened a savings account. It offers you the option to fund the new account from any of your bank accounts in the dashboard.
I got the squicks and removed all the accounts from my dashboard except my checking account from which I will fund the new savings. I don’t rely on it to the level you do, so this was not a hard decision for me. It’s too bad to lose out on the planning features and convenience of viewing all my accounts in one place but at the moment that is the tradeoff for me.
Jim Wang says
Thanks for digging in Becky, I totally understand your choice. I don’t think I would be as concerned, though I’ve never been burned by something like this so that may play a role!
John says
Do you have any insights on the privacy aspect of data within Personal Capital. I’m interested to know who (or how many people) have access to my data within PC. Do all their staff (advisors, support, engineers, etc) have access?
When you go to a bank, you know the tellers can see your account when you make a transaction. Anyone above her probably has access as well. But that data is limited to your accounts with the bank. But with PC, they (people/staff/individuals) have a view to your entire net worth. Wondering how many people get access within PC as this becomes a security issue if it gets leaked.
I recently submitted a support ticket regarding an account not getting processed correctly. Support’s response was quick, the issue was acknowledged and kicked up for developers to fix. I was advised to keep the account linked so they can troubleshoot and fix the issue. From a support perspective, it’s excellent.
But from a privacy/security perspective, it seems like there’s a lot of potential for data leaks. Is my data only available to one particular support personnel, or is it open to all of their support staff? Where are they based? What about the engineers/developers? I assume there will be a testing group once they have fixed the issue.
Most people probably won’t care. But what about high net worth people, celebrities, public figures etc? Is it safe for them?
Jim Wang says
Hi John – I posed this question to my contact at Personal Capital and he received this from their security team:
That answer satisfies me and gives me the confidence they have the proper security controls to avoid most issues of this nature.
Sam Lee says
John,
Last year I got 30+ phone calls from PC badgering me for a free consultation even when I declined them politely. This year they call a few times every other month. For certain they use user account data to aggressively target potential wealth management clients. But exactly how much of the account detail PC employees have access to is not explained in their privacy policy. I’m presuming the wealth mgmt division is under the “need to know” umbrella.
Jim Wang says
The key to stopping the calls is to be very clear you’re not interested – they will keep calling if they get voicemail or don’t reach a person. I’ve told them on the phone that I’m not interested and they’ve stopped calling.
Tabitha says
If there is a breach and my finances are compromised, are there any guarantees by Personal Capital?
Jim Wang says
They only have a read-only connection so there’s no offer or a guarantee in the case of a breach.
Aravindh says
I used to use Personal Capital’s advisory services and recently opted out. I then found out from my advisor at Personal Capital that even though I am no longer using their advisory services, the advisory team still has the ability to view everyone’s personal dashboard irrespective of their subscriber status. This in my opinion is another high privacy concern for me, which I am not sure Personal Capital users are aware of.
Jim Wang says
Where did you hear this?
Kevin Recursive says
To add a layer of security, I manually added my investments and manually update them monthly. I’m willing to add a bit of inconvenience to have an added layer of protection.