Personal Capital Security Explained

I see you now, eyes steely with determination, mouth set in a grim line. You march towards your finances, resolve in your soul. You will not take no for an answer. You will master those numbers. They will bend to your will. You will make them set you free.

The first step to mastery, though, is understanding. You need to know what those suckers are up to before you can tame them and train them. The first step to financial independence is to track your numbers.

Tracking your Numbers

If poring over your receipts and statements and manually entering every transaction into a spreadsheet is your idea of a fun Friday night, don’t let me keep you. On the other hand, if you do not enjoy the drudgery of keeping track of every dollar by hand, but you do still need to understand your numbers, read on. You are lucky that you are alive in the Age of the Internet, with financial apps and trackers and websites crawling out of the woodwork. These apps, like border collies, are intelligent and eager to please, and can’t wait to run around tirelessly keeping track of all your dollars. Unlike border collies, a lot of them are free.

If the only reason you aren’t using an app to track your numbers is that you are ‘worried about security’, this post is for you. I don’t want a misguided fear of exposing yourself to hackers to be the one thing standing in the way of you whipping your finances into shape.

One great favourite of practically every financial blogger out there is Personal Capital. There is a chorus of blogs singing its praises. I use it myself (and other apps as well, like Mint). I’m going to delve into how Personal Capital keeps your accounts and passwords safe. Note that I don’t work for them. I have not had a conversation with their head of all things security. All I’m going to do is try and explain some of the security they implement. They haven’t invented any of these things themselves – all of this information is public domain and I am going to try and demystify some of it. Also, I’m focussing on Personal Capital in this post, but most of the cryptographic methods we discuss are now ubiquitous and are probably in use no matter which application you choose to employ.

Understanding Personal Capital Security

Let’s start with some quotes from Personal Capital’s website:

  • “Data is encrypted with AES-256 with multi-layer key management, including rotating user-specific keys and salts.”
  • “We use ECDHE key exchange for Perfect Forward Secrecy”
  • “Our servers prefer TLS 1.2, and also support TLS 1.1 and TLS 1.0”

To the vast majority of their customers, that web page might as well say “Gobbledy gobbledy gook plexiblotemy bopflefloom”. In other words, what they are actually saying to you is “We know security. You don’t. Trust us. We’ll just keep spouting acronyms till your eyes glaze over, so just trust us”.

Can we do a little better than that? I think so.

The world of computer security is vast. I can’t cover all of it in a blog post. I’m not even close to being an expert, so even if I had the option to hold you captive and force you to read a sixty thousand word monster post, I don’t have sixty thousand words to say on the subject. So what are we going to do instead? We will focus on two (of many) security problems that an app like Personal Capital has to solve and try to understand those solutions.

Problem 1: How do they ensure that you can securely log into your account?

Problem 2: You give them the keys to your kingdom. How do they store these keys securely?

Before we get to those fun bits though, we’re going to go over some basics of cryptography.

Cryptography Basics

Wikipedia defines cryptography as “the practice and study of techniques for secure communication in the presence of third parties called adversaries”. Cryptography is the foundation of online security.

If I have a secret to tell you, and only you, and whispering it in your ear was not an option, I would want to encrypt what I want to tell you using a key. When you receive my ultra important communication, you could decrypt it using the same key and then read it. As long as you and I are the only two people in the known universe who know what the key is, our communication is secure. Unless, of course, some annoying smarty pants guesses the key, or breaks our code, and therefore hacks our communication.

Consider the following simple ‘cipher’. Substitute every letter with another letter that is ‘n’ positions ahead of it in the alphabet. Roll around when you reach the end of the alphabet.

We choose a value of n = 13. 13 is our ‘key’.

Here is an example of our simple substitution cipher at work.

[Image: example of the substitution cipher at work]

When my snoopy younger sister unfolds the note instead of passing it on as instructed, she would be befuddled, because she isn’t privy to our secret key or the clever substitution scheme.

Unfortunately, she is the only one who would be befuddled, and probably not for very long because this simple cipher is very easy to crack. Given enough samples of this ‘encrypted’ text it wouldn’t be long before our curious siblings were reading all about our latest crush and giggling.
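The substitution scheme above, and the reason it falls so quickly, as an added example (not code from the original post): with only 26 possible values of n, every key can be tried and the output checked for English words. The word list and the sample note are constructed for illustration.

```python
import string

ALPHABET = string.ascii_lowercase

# Constructed word list, used only to recognise English-looking output.
COMMON_WORDS = {"the", "and", "you", "is", "at", "to", "me", "meet",
                "after", "school", "until", "next", "time"}

# Constructed sample note.
NOTE = "meet me at the park after school"


def shift_cipher(text, n):
    """Replace each letter with the one n positions ahead, wrapping at z."""
    out = []
    for ch in text:
        if ch.lower() in ALPHABET:
            shifted = ALPHABET[(ALPHABET.index(ch.lower()) + n) % 26]
            out.append(shifted.upper() if ch.isupper() else shifted)
        else:
            out.append(ch)  # spaces and punctuation pass through unchanged
    return "".join(out)


def english_score(text):
    """Count how many words of a candidate plaintext are known English words."""
    words = "".join(c if c.isalpha() else " " for c in text.lower()).split()
    return sum(w in COMMON_WORDS for w in words)


def crack(ciphertext):
    """Try all 26 keys; return (key, plaintext) for the best-scoring guess."""
    candidates = [(n, shift_cipher(ciphertext, -n)) for n in range(26)]
    return max(candidates, key=lambda c: english_score(c[1]))


if __name__ == "__main__":
    secret = shift_cipher(NOTE, 13)      # encrypt with the key n = 13
    print(secret)
    print(crack(secret))                 # recovered without knowing the key
    print(crack("Hagvy arkg gvzr"))      # the sign-off at the end of this post
```

With n = 13, encrypting twice returns the original text, so the same call both encrypts and decrypts.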

Modern ciphers, thankfully, are made of sterner stuff. Modern encryption algorithms are typically based on hard to solve math problems.

Hard Math Problems

Certain math problems are known to be hard to solve. Some have remained unsolved for a long time and have $1,000,000 prizes on offer for their solutions. Cryptography relies on math problems where computing the output from the input is easy, but working backwards from the output to the input is really, really hard. There are some things that are easy to do (e.g. say a really mean thing in the heat of a fight) and very hard to undo (e.g. undo the memory of your meanness and the hurt that it caused). This is the basis of modern day cryptography.

The simplest example of this is multiplication vs. factorization.  

If I ask you to compute the product of two prime numbers, say 19 and 23, you would whip out the calculator on your phone, or scribble on the back of a napkin, or (if you were a bit of a show off) think for a few seconds and say 437. On the other hand, if I were to give you 437 and ask you to find the prime factors, i.e. tell me which two prime numbers you need to multiply to get that number, I could probably finish a coffee before you could respond (and you’ll note that while your handy phone calculator includes a button for multiplication, it doesn’t include one for the inverse, factorization). Now imagine how much harder this problem could get if we consider prime numbers with hundreds or thousands of digits each. RSA, one of the earliest modern ciphers (and one that is still widely in use today), is based on exactly this hard math problem and was published in 1977.
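The asymmetry described above, as an added example (not from the original post): one multiplication builds the number, while undoing it by trial division, the simplest factoring method, takes a number of attempts that grows with the size of the primes. The pair 19 and 23 is the one from the text; the two larger pairs are constructed for illustration.

```python
# (19, 23) comes from the text; the other prime pairs are constructed samples.
PRIME_PAIRS = [(19, 23), (1009, 1013), (10007, 10009)]


def factor_by_trial_division(n):
    """Return (p, q, divisions_tried) with n == p * q and p the smallest factor.

    If n is prime the result is (n, 1, divisions_tried).
    """
    tried = 0
    d = 2
    while d * d <= n:          # a factor, if any, is at most sqrt(n)
        tried += 1
        if n % d == 0:
            return d, n // d, tried
        d += 1
    return n, 1, tried


def compare_effort(pairs=PRIME_PAIRS):
    """For each pair, multiply once, then count the divisions needed to undo it."""
    rows = []
    for p, q in pairs:
        n = p * q                                   # the easy direction
        fp, fq, tried = factor_by_trial_division(n) # the hard direction
        rows.append((n, fp, fq, tried))
    return rows


if __name__ == "__main__":
    for n, p, q, tried in compare_effort():
        print(f"{n} = {p} x {q}: 1 multiplication, {tried} trial divisions")
```

Each extra digit in the primes multiplies the trial-division work by roughly ten, while the multiplication stays a single step.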

The very cool thing about modern cryptographic algorithms is that since they are based on number theory, they don’t rely on secrecy of the algorithm for security. No longer do we have to transport, hide and secure codebooks in order to communicate securely. The best and most widely used cryptographic systems today publish their algorithms and designs online and then mathematicians, cryptographers and hackers the world over try to crack them. Some of them have stood the test of decades of the best minds in the world trying their level best to break them. An algorithm that can pass these rigorous tests is probably worthy of your trust.

Exchanging secrets

Before we can get to the supremely satisfying step of exchanging notes back and forth that drive our younger siblings to the edge of the pit of despair, we would need to find a way to agree on our ‘key’ in secret. If your sneaky younger brother, with ear pressed to keyhole, heard us come up with our brilliant scheme, all would be lost. If I wrote it down on a nifty note and taped it to the underside of my desk and it was discovered, we would be doomed. The problem is much more pronounced when it is you and Personal Capital who have to exchange this shared secret that will help you encrypt and decrypt communication to each other in the future and you have to do it before the watchful, nosy eyes of all the internet.

So, the basic cryptographic tools we need are:

  1. A secret key that is known only to the two parties communicating
  2. A way to establish what the secret key is with the internet looking on. And no, we don’t get to use telepathy.
  3. The algorithm (a.k.a. the cipher) that we use to convert our plaintext to ciphertext should be mathematically robust.

In part 2 of this post, we will see how Personal Capital uses these cryptographic tools to solve problems 1 and 2.

Hagvy arkg gvzr………

12 thoughts on “Personal Capital Security Explained”

  1. Hey! Thank god for people like you out there that ask the how’s of things! I’m a shy person but I often don’t dig into the how’s. I do use PC but I never checked it! I am the nerd with the spreadsheets and I love to manually fill it all in. Seriously, the highlight of my money is payday…but not because I get paid, just so I can allocate and fill in my spreadsheet. 🙂

    Regardless of how you do it, you’re right, it has to be done. Tracking is such an important part of our financial literacy. Thanks for taking the time to put this together for the scaredy cats! Hopefully it reaches a few to change their minds. 🙂

    1. Thanks Miss Mazuma. I like spreadsheets too. More than is healthy, I am sure. But I don’t like them for the purpose of tracking every expense every day manually. That is just a snoozefest. And for that, apps like PC are the best thing since sliced bread.

  2. Haha, until next time indeed… 🙂 Thanks for the cryptography info. I just go with, “We know security. You don’t. Trust us.” and done. Mrs. SSC used Mint and may still use it, but it didn’t get detailed enough for her, lol. We also use PC and love it. By we I mean, I don’t know that I could log into it. I just ask Mrs. SSC and or she sends over the monthly tracking spreadsheet when I write the monthly spending update. A quick glance, yep, it all looks good, and that’s about how much I “use” PC. Thank goodness Mrs. SSC’s hobbies include “spreadsheeting”. 🙂

    1. I _knew_ you’d get that little joke.

      As long as you track finances one way or the other you are in most excellent shape. The “I trust them” model is a pretty good one really. So much better than “I really don’t trust them but for love or money I couldn’t tell you why not”. I am like Mrs. SSC. I own the spreadsheets and the apps (yep, for me apps are in addition to spreadsheets, not instead of).

      Hope to see you back here for part 2. That is when I trot out the truly fun crypto stuff. You will have a ball. Or fall asleep. One or the other. Only time will tell.

  3. Very neat information. Fascinating!!

    I honestly don’t know what we would do without PC. I guess we would have very dull Friday evenings poring over spreadsheets. And that would be no good, would it? Saying all that, we still use XLS for some things, e.g. my UK based pension from a former life has funds that are not recognizable by PC

    I do wonder when they might start charging a small annual fee for those who don’t enlist in their financial advisor service. I think I would pay it if it came to that. That’s how much we rely on it now

    1. Oh I absolutely use spreadsheets too. I just don’t like them for the purpose of entering EVERY SINGLE EXPENSE. I’d rather poke at my eyeballs with various pointy objects. The mindless stuff should be done by apps. The fun stuff should be left to me and my spreadsheets.

      I really like the fact that PC shows asset allocation (although imperfectly) and does expense ratio check ups. I really dislike the fact that their financial advisor seems as determined to talk to me as I am to not have a conversation with him.

  4. Great information! I must admit that cybersecurity is always in the back of my mind when I use financial apps and websites. I’m a spreadsheet nerd as well. Like you, I don’t use them to track every single expense. That’s too tedious. I use them to monitor the progress of our retirement and investment accounts. I also have them set up to spit out our asset allocations. While it does take some time to input the data, it’s still something that I enjoy doing. At least for the moment. Looking forward to Part 2!

    1. Ha, yes! I have an asset allocation spreadsheet too (doesn’t everyone? they don’t know what they are missing!). Thanks for taking the time to comment. I publish part 2 tomorrow.

  5. wow, that’s some crazy stuff! love the way you put it into a story and “layman’s” terms for us! I’ve been using Personal Capital and Mint for quite a while and have always felt safe with them!
