Date: 2024-06-06

Consumers increasingly are using personal-finance apps to manage their money, relying on them to pay, borrow, save, invest and shop. While these tools can make life easier, is it risky to give multiple apps access to your financial information?

Security experts say it depends. The more apps you use, the higher the risk of hacks and data leaks. But there are things consumers can do to protect themselves.

New online-only banks, as well as digital tools such as peer-to-peer payment apps, personal-loan apps and savings-and-budgeting apps are becoming more popular because they are convenient and in some cases fun to use. Traditional banks and brokerages, meanwhile, are adding options to their apps to help customers better manage their checking, savings, credit cards, mortgages and investing.

While finance apps aren’t particularly vulnerable to hacking, any app could get hacked or breached, exposing users’ financial data or their funds. And if you are tricked into revealing your login credentials, bad actors could have the same easy access to your funds that you do.

There also are concerns about personal data. Apps may sell or share some of your information with third-party partners, creating another point of vulnerability.

“Even if the original app has strong security measures in place, they cannot fully control the data-security practices of their partners,” says Delicia Hand, senior director, digital marketplace at Consumer Reports. “If a third party experiences a data breach, users’ sensitive information could be exposed, putting them at risk for identity theft, financial fraud or targeted scams.”

Here is a closer look at some precautions you can take to use finance apps more safely.

Review and verify

First, verify that the app you want to use is from a reputable company with security and privacy policies in place—and check to see if there are complaints about it on online forums, says Meredith Fuchs, chief legal officer at financial-technology firm Plaid and a former deputy director at the Consumer Financial Protection Bureau.

Then, download the app you want directly from the App Store or Play Store to be sure you are getting the one you want and not a copycat. Don’t download an app from a link or a website, unless it is the website of the company behind it, says Stuart Schechter, a security and human-behavior researcher at Harvard University.

Review the app’s privacy policy to see how it collects and manages customer data. Selling data has generally fallen out of favor, according to Hand, but some apps share user data—including names, emails and phone numbers, or financial data such as transaction history or account balances—with partners such as service providers, business affiliates and marketing partners.

Look for policies in which the company only accesses data that it actually needs to provide a service, rather than collecting everything it can. “The less data a company has actually collected on you, the less ultimate damage can be done if that data is stolen,” says Brian Callahan, director of the Rensselaer Cybersecurity Collaboratory at Rensselaer Polytechnic Institute.

Review how the app handles unauthorized charges or transactions, if applicable. Hand says some apps may have more robust protections than others or more streamlined dispute-and-resolution processes.

Passwords and keys

When setting up an app, use a strong password or a password manager, and turn on two-factor authentication, which verifies identity when logging into an app.

For even stronger security, some apps allow users to upload a current photo or video to verify identity. Some also enable using a passkey, special software that is tied to your phone or other device, or a physical security key that connects to your phone or other device to verify your identity. The latter provides very strong security—as long as you don’t lose it—but it may not be necessary for all users.

Outside of the apps, be sure to keep your devices and email accounts secure. For example, consumers might want to turn on facial recognition—such as Face ID on Apple devices—so that when a bank or app sends a login code it is secure. It is also critical to use strong passwords and enable two-factor authentication on email accounts that are used to access financial accounts, experts say.

Gavin Reid, chief information security officer at cybersecurity company Human Security, uses two email accounts—one for everyday use and another that is only for things like financial accounts—in addition to a physical security key. He also advises deleting any apps you aren’t using, to reduce risk.

“The biggest thing a consumer can do is make sure that they are keeping the things that are private to them—private to them,” says Jess Turner, executive vice president, global head of open banking and API at Mastercard. “So: not sharing credential information, passwords or usernames, leaning in on things like biometrics.”

Limit links

Connecting finance apps to your bank and other financial accounts is often required if you want to make payments, apply for loans or to manage spending and investing. Many apps and banks use intermediary services such as Plaid, Mastercard, MX Technologies or others to do this. For example, when a consumer wants to connect a bank account to a payments app, Plaid may pop up a window and ask for approval to link the accounts and describe what data will be shared before connecting.

These intermediary services have many security measures in place. Still, connecting apps can present risks by increasing the potential exposure of financial data through the intermediary or the other apps involved, says Reid, the CISO at Human Security.

“You should limit that sort of sharing as much as possible to reduce your risk footprint,” he says. “Understanding who has your data and what they can do with it is essential.”

Of course, when various apps are sharing information with each other, as well as third-party partners, it can be difficult to track and control how your personal data is being used. To help with this, Consumer Reports has a free app, called Permission Slip, that shows consumers what kinds of data companies are collecting from and about them. The app also will send requests on consumers’ behalf, asking companies to stop selling their personal data or to delete it entirely.

Consumers also might get some help in this area soon from regulators. The Consumer Financial Protection Bureau is expected to issue final rules this year on Dodd-Frank Section 1033, which would, among other things, standardize how data is shared among financial institutions and give people the right to revoke access to their data or to demand that it be deleted, as well as prohibit the misuse of data for things like targeted advertising.

Tomio Geron is a writer in San Francisco. He can be reached at reports@wsj.com.