I see you now, eyes steely with determination, mouth set in a grim line. You march towards your finances, resolve in your soul. You will not take no for an answer. You will master those numbers. They will bend to your will. You will make them set you free.
The first step to mastery, though, is understanding. You need to know what those suckers are up to before you can tame them and train them. The first step to financial independence is to track your numbers.
Tracking your Numbers
If poring over your receipts and statements and manually entering every transaction into a spreadsheet is your idea of a fun Friday night, don’t let me keep you. On the other hand, if you do not enjoy the drudgery of keeping track of every dollar by hand, but you do still need to understand your numbers, read on. You are lucky that you are alive in the Age of the Internet, with financial apps and trackers and websites crawling out of the woodwork. These apps, like border collies, are intelligent, and eager to please and can’t wait to run around tirelessly keeping track of all your dollars. Unlike border collies, a lot of them are free.
If the only reason you aren’t using an app to track your numbers is that you are ‘worried about security’, this post is for you. I don’t want a misguided fear of exposing yourself to hackers to be the one thing standing in the way of you whipping your finances into shape.
One great favourite of practically every financial blogger out there is Personal Capital. There is a chorus of blogs singing its praises. I use it myself (and other apps as well, like Mint). I’m going to delve into how Personal Capital keeps your accounts and passwords safe. Note that I don’t work for them. I have not had a conversation with their head of all things security. All I’m going to do is try and explain some of the security they implement. They haven’t invented any of these things themselves – all of this information is public domain and I am going to try and demystify some of it. Also, I’m focussing on Personal Capital in this post, but most of the cryptographic methods we discuss are now ubiquitous and are probably in use no matter which application you choose to employ.
Understanding Personal Capital Security
Let’s start with some quotes from Personal Capital’s website:
- “Data is encrypted with AES-256 with multi-layer key management, including rotating user-specific keys and salts.”
- “We use ECDHE key exchange for Perfect Forward Secrecy”
- “Our servers prefer TLS 1.2, and also support TLS 1.1 and TLS 1.0”
To the vast majority of their customers, that web page might as well say “Gobbledy gobbledy gook plexiblotemy bopflefloom”. In other words, what they are actually saying to you is “We know security. You don’t. Trust us. We’ll just keep spouting acronyms till your eyes glaze over, so just trust us”.
Can we do a little better than that? I think so.
The world of computer security is vast. I can’t cover all of it in a blog post. I’m not even close to being an expert, so even if I had the option to hold you captive and force you to read a sixty thousand word monster post, I don’t have sixty thousand words to say on the subject. So what are we going to do instead? We will focus on two (of many) security problems that an app like Personal Capital has to solve and try to understand those solutions.
Problem 1: How do they ensure that you can securely log into your account?
Problem 2: You give them the keys to your kingdom. How do they store these keys securely?
Before we get to those fun bits though, we’re going to go over some basics of cryptography.
Wikipedia defines cryptography as “the practice and study of techniques for secure communication in the presence of third parties called adversaries”. Cryptography is the foundation of online security.
If I have a secret to tell you, and only you, and whispering it in your ear was not an option, I would want to encrypt what I want to tell you using a key. When you receive my ultra important communication, you could decrypt it using the same key and then read it. As long as you and I are the only two people in the known universe who know what the key is, our communication is secure. Unless, of course, some annoying smarty pants guesses the key, or breaks our code, and therefore hacks our communication.
Consider the following simple ‘cipher’. Substitute every letter with another letter that is ‘n’ positions ahead of it in the alphabet. Roll around when you reach the end of the alphabet.
We choose a value of n = 13. 13 is our ‘key’.
Here is an example of our simple substitution cipher at work.
When my snoopy younger sister unfolds the note instead of passing it on as instructed, she would be befuddled, because she isn’t privy to our secret key or the clever substitution scheme.
Unfortunately, she is the only one who would be befuddled, and probably not for very long because this simple cipher is very easy to crack. Given enough samples of this ‘encrypted’ text it wouldn’t be long before our curious siblings were reading all about our latest crush and giggling.
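Here is that cipher, and the reason it does not survive a curious sibling, as a short Python sketch. This is an added example, not code from Personal Capital or any real product; the sample note and the tiny word list used to recognise English are constructed for illustration.

```python
import string

# A deliberately tiny list of common English words (assumption for this demo).
COMMON_WORDS = {"the", "and", "you", "me", "to", "of", "is", "in",
                "it", "at", "after", "for", "that", "with"}

def shift_cipher(text, n):
    """Move every letter n places along the alphabet, rolling around at 'z'."""
    out = []
    for ch in text:
        if ch in string.ascii_lowercase:
            out.append(chr((ord(ch) - ord("a") + n) % 26 + ord("a")))
        elif ch in string.ascii_uppercase:
            out.append(chr((ord(ch) - ord("A") + n) % 26 + ord("A")))
        else:
            out.append(ch)  # spaces and punctuation pass through unchanged
    return "".join(out)

def english_hits(text):
    """Count how many words of the text appear in COMMON_WORDS."""
    words = (w.strip(string.punctuation).lower() for w in text.split())
    return sum(1 for w in words if w in COMMON_WORDS)

def crack(ciphertext):
    """Try all 26 possible keys and keep the one that reads most like English."""
    candidates = [(k, shift_cipher(ciphertext, -k)) for k in range(26)]
    return max(candidates, key=lambda kc: english_hits(kc[1]))

NOTE = "Meet me behind the gym after school"  # constructed sample note
KEY = 13                                      # the shared secret 'n'

if __name__ == "__main__":
    secret = shift_cipher(NOTE, KEY)
    print("passed in class:", secret)
    print("read with key  :", shift_cipher(secret, -KEY))
    print("read without it:", crack(secret))  # recovers both key and note
```

The whole "key space" is 26 values, so the sibling never needs the key: trying every shift and picking the readable one is enough.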
Modern ciphers, thankfully, are made of sterner stuff. Modern encryption algorithms are typically based on hard to solve math problems.
Hard Math Problems
Certain math problems are known to be hard to solve. Some have remained unsolved for a long time and have $1,000,000 prizes on offer for their solutions. Cryptography relies on math problems where computing the answer from the inputs is easy, but working backwards from the answer to the inputs is really, really hard. There are some things that are easy to do (e.g. say a really mean thing in the heat of a fight) and very hard to undo (e.g. undo the memory of your meanness and the hurt that it caused). This is the basis of modern day cryptography.
The simplest example of this is multiplication vs. factorization.
If I ask you to compute the product of two prime numbers, say 19 and 23, you would whip out the calculator on your phone, or scribble on the back of a napkin, or (if you were a bit of a show off) think for a few seconds and say 437. On the other hand, if I were to give you 437 and ask you to find the prime factors, i.e. tell me which two prime numbers you need to multiply to get that number, I could probably finish a coffee before you could respond (and you’ll note that while your handy phone calculator includes a button for multiplication, it doesn’t include one for the inverse, factorization). Now imagine how much harder this problem could get if we consider prime numbers with hundreds or thousands of digits each. RSA, one of the earliest modern ciphers (and one that is still widely in use today), is based on exactly this hard math problem and was published in 1977.
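To put numbers on that lopsidedness, here is a small Python sketch (an added example, not part of any real cryptographic library). It multiplies pairs of primes in one step, then counts how many trial divisions the most naive factoring method needs to undo each product. The larger prime pairs are chosen here for illustration.

```python
def factor_semiprime(n):
    """Find p, q with p * q == n by trial division; count divisions tried."""
    tried = 0
    d = 2
    while d * d <= n:
        tried += 1
        if n % d == 0:
            return d, n // d, tried
        d += 1 if d == 2 else 2  # after 2, only odd candidates are worth testing
    return n, 1, tried           # no divisor found: n itself is prime


def compare(prime_pairs):
    """For each (p, q): one multiplication forward, many divisions back."""
    rows = []
    for p, q in prime_pairs:
        n = p * q                              # the easy direction
        _, _, tried = factor_semiprime(n)      # the hard direction
        rows.append((n, tried))
    return rows


# 19 x 23 is the example from the text; the other pairs are added here.
PAIRS = [(19, 23), (1009, 1013), (999983, 1000003)]

if __name__ == "__main__":
    for n, tried in compare(PAIRS):
        print(f"n = {n:>15,}  multiply: 1 step   factor: {tried:,} divisions")
```

Every three extra digits in the primes multiply the factoring work by about a thousand, while the multiplication stays a single step. Real attacks use far better algorithms than trial division, which is why RSA primes are hundreds of digits long rather than seven.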
The very cool thing about modern cryptographic algorithms is that since they are based on number theory, they don’t rely on secrecy of the algorithm for security. No longer do we have to transport, hide and secure codebooks in order to communicate securely. The best and most widely used cryptographic systems today publish their algorithms and designs online and then mathematicians, cryptographers and hackers the world over try to crack them. Some of them have stood the test of decades of the best minds in the world trying their level best to break them. An algorithm that can pass these rigorous tests is probably worthy of your trust.
Before we can get to the supremely satisfying step of exchanging notes back and forth that drive our younger siblings to the edge of the pit of despair, we would need to find a way to agree on our ‘key’ in secret. If your sneaky younger brother, with ear pressed to keyhole, heard us come up with our brilliant scheme, all would be lost. If I wrote it down on a nifty note and taped it to the underside of my desk and it was discovered, we would be doomed. The problem is much more pronounced when it is you and Personal Capital who have to exchange this shared secret that will help you encrypt and decrypt communication to each other in the future and you have to do it before the watchful, nosy eyes of all the internet.
So, the basic cryptographic tools we need are:
- A secret key that is known only to the two parties communicating
- A way to establish what the secret key is with the internet looking on. And no, we don’t get to use telepathy.
- The algorithm (a.k.a. the cipher) that we use to convert our plaintext to ciphertext should be mathematically robust.
In part 2 of this post, we will see how Personal Capital uses these cryptographic tools to solve problems 1 and 2.
Hagvy arkg gvzr………