Why it's safe to use 22seven


January 27, 2012  |  Business, Consumerism, Critical thinking

Yesterday a new personal financial management service called 22seven was launched in South Africa. The service lets you track your personal spending and savings, with tools for financial planning. The interface is slick, and the intention of the developers, with whom I have spent some time in conversation, is to make people more aware of their habits around money. It’s a great service in my experience, but it has been met with some backlash from South Africans concerned about handing over their internet banking details. I don’t blame people for being concerned, but they really have nothing to worry about. Here’s why…

First off, let me state for the record that I have no affiliation to 22seven. I have met the founder, Christo Davel, and enjoyed many chats with him about behavioural economics and his plans for the business – but as my readers and listeners should know by now, I put emotions aside when it comes to giving people the best possible advice. Especially when it comes to their money.

Personal financial management (PFM) tools have been around for a long time. One of the leading examples is Mint, founded in the USA in 2006. Mint does some of the things that 22seven can, and it was met with similar criticism about security when it first launched. But Mint was, and is, very safe to use, and for the same reason that 22seven is.

22seven uses a third-party service provider, Yodlee, that interfaces with banking systems to extract transaction data. Mint used Yodlee too until it was bought by Intuit in 2009; it now runs on Intuit’s own aggregation system.

22seven doesn’t actually log in to your bank account; Yodlee does. Where a bank has a data-sharing arrangement with Yodlee, the bank supplies the data directly. Where it doesn’t, which is currently the position with the South African banks, Yodlee signs in to your internet banking with your credentials, just as you would, and reads your transactions from there, which is why those logins show up on your account as sessions you did not start. The necessary data is then extracted and passed on to 22seven’s servers.

22seven does not store your usernames and passwords either; in fact, 22seven’s systems can’t even see them. When you provide your banking details on the 22seven website, the form you are typing into is Yodlee’s, and what you enter is submitted to Yodlee’s servers over an encrypted (HTTPS) connection rather than to 22seven’s. That is something you can check for yourself: in the browser, look at where the password form, or the frame that contains it, is served from and where it submits.

The above has been confirmed to me by Jason O’Shaughnessy, the Managing Director of Yodlee, whom I met last year, and by Christo Davel.
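The claim above, that what you type goes straight to Yodlee and not to 22seven, is one a reader can test rather than take on trust. The script below is an added example written for this post, not code from 22seven or Yodlee: it parses an account-linking page, finds every form containing a password field and every embedded frame, and reports where each one would send the credentials. The host names (`pfm.example`, `aggregator.example`) and the two sample pages are constructed for illustration and are not the real sites.

```python
# Added example, not 22seven's or Yodlee's code. It checks the claim that the
# credentials typed on a PFM site go straight to the aggregator: it parses the
# account-linking page, finds every form with a password field and every
# embedded frame, and reports where each one sends what you type.
# Host names and HTML below are constructed for illustration (assumptions).
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class CredentialFormFinder(HTMLParser):
    """Collect forms that contain a password field, plus every iframe src."""

    def __init__(self):
        super().__init__()
        self.forms = []      # {"action": str, "has_password": bool}
        self.iframes = []    # src attributes, as written in the page
        self._form = None    # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            if (a.get("type") or "text").lower() == "password":
                self._form["has_password"] = True
        elif tag == "iframe":
            self.iframes.append(a.get("src") or "")

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def classify(url, page_url, aggregator_hosts):
    """Say where a submission to `url` goes, relative to the page it sits on."""
    u = urlsplit(url)
    if u.scheme != "https":
        return "insecure"          # credentials would travel in the clear
    if u.hostname in aggregator_hosts:
        return "aggregator"        # what the post describes
    if u.hostname == urlsplit(page_url).hostname:
        return "pfm-site"          # the PFM itself receives the password
    return "unknown"               # some third host: investigate


def assess(page_url, html, aggregator_hosts):
    """Return [(kind, absolute_url, verdict)] for every place credentials can go.

    kind is "form" for a password form on the page itself and "iframe" for an
    embedded frame. A form on the page, even one posting to the aggregator,
    is readable by the page's own JavaScript; only a frame served from the
    aggregator's origin keeps the fields out of the embedding site's reach
    (same-origin policy).
    """
    p = CredentialFormFinder()
    p.feed(html)
    out = []
    for f in p.forms:
        if f["has_password"]:
            url = urljoin(page_url, f["action"])   # "" means "post to this page"
            out.append(("form", url, classify(url, page_url, aggregator_hosts)))
    for src in p.iframes:
        if src:
            url = urljoin(page_url, src)
            out.append(("iframe", url, classify(url, page_url, aggregator_hosts)))
    return out


# Constructed sample pages (hypothetical hosts; not the real sites).
PAGE_URL = "https://pfm.example/link-account"
AGGREGATOR_HOSTS = {"aggregator.example"}

PAGE_AS_DESCRIBED = """
<html><body>
  <iframe src="https://aggregator.example/collect?partner=pfm"></iframe>
</body></html>
"""

PAGE_AS_FEARED = """
<html><body>
  <form action="/api/link-account" method="post">
    <input name="user"><input type="password" name="pass">
  </form>
  <form action="http://aggregator.example/collect" method="post">
    <input name="user"><input type="password" name="pass">
  </form>
</body></html>
"""

if __name__ == "__main__":
    for name, html in (("as described", PAGE_AS_DESCRIBED), ("as feared", PAGE_AS_FEARED)):
        print(name)
        for kind, url, verdict in assess(PAGE_URL, html, AGGREGATOR_HOSTS):
            print(f"  {kind:<6} {verdict:<10} {url}")
```

Two things the verdicts do not tell you. A static read of the HTML says nothing about scripts that copy the fields before submission, so the frame-versus-form distinction matters more than the form action: a password field inside the PFM’s own page is visible to the PFM’s JavaScript whatever the action says, whereas a frame served from the aggregator’s origin is not. And the hostname check is only as good as your list of hosts the aggregator actually controls, so an “unknown” verdict is a prompt to find out, not a pass.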

So 22seven can’t see and doesn’t store your online banking credentials. But what about Yodlee?

Yodlee is an international company that has been aggregating bank data for 11 years. It claims over 30 million users worldwide and says it has never had a security breach. If that holds, its track record of protecting banking credentials is better than that of any South African bank.

Yodlee is also officially partnered with some of the world’s top banks. HSBC, for example, with which I bank for my offshore needs, is an official client that supplies data to Yodlee. The big international banks all play ball with the system, developing their own PFM tools and making sure that their customers are supported when using third-party systems.

Does that mean that Yodlee is 100% foolproof? Of course not. No system is perfect. We take some degree of risk every time we interface with financial systems. That’s life.

I was recently a victim of credit card fraud. Thousands of rands were stolen from my account by someone who had managed to capture my card details. The experience made me very wary of security surrounding my banking. But I’m not worried about 22seven. I take much more of a risk every time I let a waiter swipe my credit card in a restaurant.

I don’t blame South Africans for being concerned about handing over sensitive details. You should think twice about doing it and research the people who are asking for it. There is no way I would sign up for a service like 22seven without doing my homework.

What does surprise me is how South African banks – instead of partnering with Yodlee like their leading international counterparts have done – are advising customers not to use the system. It’s just another example of how backward our banks are in their thinking about personal finances, even if they are improving on the service front.

I signed up for 22seven and gave them my details. After chatting to Mr. O’Shaughnessy and researching the Yodlee system I am satisfied that my information is much safer with 22seven than it is with my own bank.

I challenge our South African banks to start thinking about personal finances and how they can empower their customers to make better decisions. It’s 2012. Ripping people off by keeping them in the dark about their own money isn’t cool. Why don’t they want to partner with Yodlee? Why are they warning you against using a system that helps you to make better financial decisions? Those are the real questions to be asking. And you won’t like the answers.

UPDATE: As has been pointed out elsewhere, one consideration with Yodlee is that your bank will not support you in fraud cases once you have shared your internet banking login with a third party. So if Yodlee is compromised and money leaves your account, your bank carries no liability, unlike in the case of credit card fraud, where it does. And, as several commenters below note, a bank investigating any fraud on the account, whether related to Yodlee or not, may well ask whether you ever gave your login to a third party. It’s a good thing Yodlee has never been compromised then.

  • Andries

    I’m not sure whether the service is worth R70/month, then again, I haven’t tried it yet…

  • http://www.facebook.com/jannie.momberg Jannie Momberg

    Thanks for the info. As you say, no system, including the banks’, is foolproof. The problem though is what happens after someone gets access to your accounts? My bank will refund me if my account was hacked etc. If something goes wrong with 22seven, the banks won’t help. Neither would 22seven. Otherwise I agree with your points, including the last paragraph.

  • Trev

    My only concern is the fact that the banks do not support 22Seven; they spend billions of rands communicating that you never put in your PIN anywhere else. Most banks will void your fraud warranty if you’ve allowed access to a site that “screen scrapes”. So in your case of fraud the bank would not give you your money back; you wouldn’t have liked that now, would you?

    It’s a really cool site, nicely designed, but until they work out the issues with the banks I don’t think it’s worth that risk.

  • Nic Callegari

    Totally agree. But there’s a chronic fundamental problem that will still take years to overcome in SA.  The local banks are a cartel of titans.  I can guarantee that had 22seven approached the banks before launch the old men in grey suits would have had one look at the service and thumbed their noses at it.  I feel for 22seven, I really do.  

    And I want to use this service.  But I’m at the mercy of my bank’s terms and conditions, which is something I cannot change unless they amend their fraud policies.  

    Here’s the problem: 22seven say they are secure and Yodlee is way ahead of even the local banks for security.  And I want to believe them.  But, what happens if one day your account is breached (not via Yodlee or 22seven) and the first question your bank asks is “Did you give your internet banking password to any 3rd parties?”  

    If you say yes, you’re screwed because it’s an easy out for the bank to say, oh well…not our problem then and the onus will be on you to prove that the breach DIDN’T happen via 22seven or Yodlee.  The issue is not how secure 22seven and Yodlee are, the issue is the mentality of the old men in grey suits at the top of the local banks.

  • http://www.simon.co.za/ Simon

    Great points Nic. And all valid. 

    Which is also why I’m increasingly starting to bank with HSBC – a perfectly workable solution, even in South Africa. 

    As a local bank I use FNB exclusively. I like to think they’re ahead of the curve on this stuff.

  • http://www.simon.co.za/ Simon

    All true – except your assertion that 22seven won’t help. We don’t know that. I’m trying to find out whether or not Yodlee offers any form of cover or guarantee.

  • Dan

    I’m wondering why they did not put more effort into the obvious security concerns that exist with a service like this. There are two things they could have easily done that would have downplayed these concerns:

    1. There is very little info on the 22seven homepage (before you register or login) to explain what steps they have taken to protect your information (as far as I can see there is a single short page on this, with no info about who their ‘Data collection partner’ is). IMO they should have put a little more into explaining why they should be trusted.

    2. For those who really don’t want to give away their details why not allow users to upload a CSV of their transaction history? (FNB allows you to download one) This would bypass the need to enter your details and would still allow you to use the service….

  • http://twitter.com/dbulls David Bulmer

    I totally agree with you, and thank you for giving a factual and objective review of the service. I personally know and have worked with Christo and the team during my employ at 20twenty, so maybe I’m a little biased, but I know security (+/- 13 years in banking / application security with Investec, RBS, 20twenty / Standard Chartered) and protecting their customers is top of mind. I’m sure some clarification by 22seven on whether there is a level of recourse against Yodlee and 22seven in place would help to alleviate the fears of current and future customers.

  • http://www.simon.co.za/ Simon

    That would be a great step towards assuring customers. What we’re really seeing here is a power struggle between the banks that think they own our money and the people who really do (us).

  • Nic Callegari

    Ja, but even FNB’s advising people that using 22seven is “at their own risk”.

    Interestingly, on FNB, you can create a 2nd read-only profile for Internet banking and use those credentials to sign into 22seven.  Even if those are compromised, the hackers will only ever have read-only access to your account.

    But it still doesn’t mitigate the “did you give your password to anyone” question.  There needs to be a revolution.

  • Trev

    The banks did thumb their noses at Moneysmart; they are welcoming them with open arms.

  • http://www.simon.co.za/ Simon

    We’re not going to get our revolution by refusing to use services like 22seven. The only way we win is if we act in numbers. 

  • http://twitter.com/SimonPB Simon Brown

    Banks are protecting themselves, tis what they do.

    Two thoughts: you as a tech expert are able to determine the security of a service like 22seven; most people are not.

    Then what happens when a bogus site pops up that is not safe? In short, people need to be massively careful about who they give login details to (for any service, even just their email account). That all said, I think it is great that people are being very careful; frankly they should be, and it shows a level of security which I didn’t think existed, considering how many people still get spammed by phishing etc.

  • http://www.bandwidthblog.com Minnaar Pieters

    Simon, but don’t services like Mint use an agreed-upon API that does not in fact use your internet banking username and password?

    Second Q: banking with HSBC. What do the bank charges look like in SA terms? Worth it?

  • http://www.simon.co.za/ Simon

    Yes, if the banks partner with Yodlee then data is supplied without requiring login. That’s why the banks do it overseas – good for the customers, and safer for their systems.

  • Punctuation King

    Hey. Simon. did you perhaps notice. whilst proofreading your piece. that your commas have been replaced by full stops?

    Makes reading your thoughts very awkward.

  • Greg Mahlknecht

    > I can guarantee that had 22seven approached the banks before launch the old men in grey suits would have had one look at the service and thumbed their noses

    This might be true, but the problem is they never even tried.  Instead of 22seven taking the high road and being able to say “we tried to work with the banks, but they said no, so we went this route”, their opening salvo was surprising the banks by scraping their sites.  A manager in the FNB online fraud division phoned me on launch day after I got a bunch of unusual logins on my account.  He hadn’t heard of 22seven.

    I wouldn’t expect the banks to react in any other way.  22seven did absolutely the wrong thing in surprising them.  The banks might be being twits about it, but 22seven is the bigger twit here.

  • Greg Mahlknecht

    Just playing devil’s advocate here – I haven’t seen a statement from a bank yet that categorically says “we’re not going to work with 22seven” – it’s just cautionary notices about security.  Let’s be fair, it’s been a day since launch, and banks didn’t get a heads-up on the service.  I don’t think they’ve taken a decision on access yet, and it’s not fair to expect any of them to have come forth with a comprehensive data sharing policy in the last 24 hours. 

    In a perfect world it’d be nice if the banks all proactively partnered with Yodlee, then waited for people to build services around them, but in the real world it’s the responsibility of companies like 22seven to court banks and convince them to partner.

  • http://profiles.google.com/gamesbook Derek Hohls

    You have 3 months to try it for free before deciding that…

  • Virgilio

    The fact of the matter is that no matter how trustworthy 22Seven and Yodlee may be, if you have a repeat of credit card fraud unrelated to this service, your bank will NOT cover you if you have used 22seven… And an investigation of your account will show access from them, so it won’t be difficult for banks to figure this out. It may be fantastic, but considering the banks’ position, anyone using 22seven is opening themselves up to risk.

  • Simonsays

    Have you seen the 22seven terms & conditions? Slightly scary to say the least!

    4.1 All information submitted by you, including information about yourself and your accounts maintained at other web sites and service providers shall be true, accurate, current and complete. All such information must be kept up to date and accurate. You warrant that you are authorised to submit such information to us.

    4.2 By using the Services, you grant us and our authorised service providers the right to use, adapt, modify, distribute and create derivative works from any information, data, security credentials, materials or other content (collectively, “Content”) you provide through or to the Service. We and our authorised service providers may use, modify, display, distribute, collect, receive, record, organise, collate, store, update, alter, disseminate, merge, link and erase such Content and create new material using such Content to provide the Service to you. By submitting Content, you agree and warrant that the owner of such Content has expressly agreed that, without any particular time limit, we and our authorised service providers may use the Content for the purposes set out above.

  • Greg Mahlknecht

    >> you grant us and our authorised service providers the right to use, adapt, modify, distribute and create derivative works from any information, data, security credentials,…

    So if they or Yodlee got hacked and your credentials leaked out, they could turn around and say “hey, you said we could distribute it!”. Not that they would. But when you agree to T&C you always have to assume worst case scenario, because they’re never usually brought into use until something pretty worst case happens.

    Also, if times gets tough and the business plan isn’t going as expected, this gives them permission to sell all your data to marketers and other people who would pay a lot for it! 

    After seeing that, I’ll definitely delete my account with them. Unless a service like this has a strict “we’ll never give your information to anyone” policy, it’s doing it wrong.

  • http://www.facebook.com/people/Clark-Gardner/818825332 Clark Gardner

    Simon, I agree that the Yodlee engine is secure and a brilliant tool. My concern rather lies with the banks relinquishing responsibility for fraud where someone has obtained your online details: if they find that a consumer has given their online login details to 22seven, then I am not so sure they will react in your favour. I believe South Africans are merely ready for the first step to these tools, which is to download CSV files and ensure the engines produce the same results as a 22seven site.

    One should also be aware of why such a site exists: this team and its investors do come from a banking or insurance background. Will they be selling products, or will they be looking out for your best interests? It is for this reason 6cents stayed clear of any products and instead offers solutions such as best practice benchmarking, shopping lists to stick to best practices, estate planning tools, life journey decision tips and so on.

  • http://www.facebook.com/people/Clark-Gardner/818825332 Clark Gardner

    Nic, I agree 100% with your comments. In fact we showed our tool 6cents to ABSA last year and after a number of meetings and presentations realised they were merely creating their own tool.

  • http://www.facebook.com/people/Clark-Gardner/818825332 Clark Gardner

    Goodness me, this is extremely dangerous. In fact all our clients on 6cents demand the strictest privacy and confidentiality rules to apply to all their information. For this reason we cannot access any of their personal information without consent to a financial review.

  • Anonymous

    Great piece Simon. Perhaps the banks would like to explain how easy it is to get recourse from them when defrauded? I know for one of them you actually need to get a court order before they will pay up.

  • Thetruth

    The banks are also scared that this kinda service will highlight the amount you pay in fees to use their service….

  • http://www.facebook.com/people/Rob-Hansen/719031120 Rob Hansen

    Yes, the csv upload makes sense. Another solution might be to have a ‘Read Only’ user account added to your banking profile - an account that can’t make any changes to anything on your banking profile.

    This would involve a bit of work by the banks.

  • Wycked Za

    Except that FNB has that functionality already?