2

So I downloaded this budget manager app called Emma, created an account, until it brought me to a login page where I was supposed to enter my bank account details. I didn't expect this, and I wasn't thinking and started to enter my username and password and clicked enter, and turns out the username was incorrect... then I stopped and wondered if I should be doing this.

Doing some research about Plaid, the financial 3rd party handler Emma uses, it doesn't seem to be too safe, so I want to delete this app but I have a few questions.

1) I already signed up using my email and password, I want to delete my account, but that means I need to be able to go into the app, which I can't do if I can't link my bank account. Is it okay if I just leave my account registered?

2) I already sent my password to Emma when I used my wrong username. They know the bank I tried to sign into as well, is this unsafe?

Thanks!

ming
  • 2
    If you ever think your password might be compromised you should change it. Especially if you use this password on more than one site (i.e. this app and your bank). – David Mar 01 '20 at 03:40
  • Plaid was just bought by Visa for $5.3 billion in January. It's definitely a legitimate company. – oldtechaa Mar 16 '20 at 14:33

2 Answers

4

tl/dr: Passwords are like old food: when in doubt, throw them out. If you're worried just change your password.

3rd Party Financial Services

First some background: the banking industry can, unfortunately, be a bit behind the times in this area. As a general rule of thumb there isn't yet a great way (at least in the US) for 3rd party financial services (such as Emma) to easily integrate with banks. I'm sure that some banks have well-secured API services for just these sorts of things, but many banks (especially smaller ones), just don't.

As a result it is unfortunately common for 3rd party financial services to access your account by asking for your actual online banking username and password. It's a terrible idea, and it really shouldn't be done like that, but unfortunately it is.

One (of the many) reasons why it is so dangerous is because it teaches people to hand over their usernames and passwords. When you have a service you integrate like this and then use it successfully for a while, it makes it seem less crazy when a scammer comes around and says, "I just need your username and password". Anytime someone asks for your username and password to your online banking the default response should be exactly what you did - "NO WAY! You're crazy!". Unfortunately though, the fact that a service asked for your username/password doesn't actually mean that it is a scam, because in many cases that is the only way that legitimate 3rd party financial services can actually access your data.

Unfortunately telling the difference between "Legitimate and safe 3rd party service", "Legitimate but unsafe 3rd party service", and "Outright scam" can be very difficult or just impossible. That leaves a lot of people in your boat.

Can you leave your account partially registered?

This is really up to you. If you signed up with a strong password then you probably have very little to worry about. Personally though I would reach out to their customer service and ask them to delete my account. You may or may not have success.

Password in Username

Only Emma would be able to tell you the implications of accidentally sending your password in the email field. Personally I wouldn't be too concerned. It is possible that they log all details of all failed login attempts, and therefore there is a plain-text copy of your banking account password somewhere in their system. From my own personal experience though I don't expect many companies do this, so the risk is likely low. Either way an employee seeing that in the logs, fetching your bank account info, and trying to log in to your bank account to do something malicious is probably also very unlikely.

Still, think of this as a risk/benefit analysis. The risk of someone seeing your password and trying to log into your bank account is hard to predict but probably low. However, the cost of changing your online banking password is probably also very low, and the benefit of doing so is that you no longer have to worry about whether or not someone will use your old password. As a result, if you're worried, just change your online bank account password.

Conor Mancone
  • Thank you very much! You mentioned that my account was partially registered, what does that mean? Usually when I sign up for a service or app with my google account, it shows up under Subscriptions and Connected Apps in my settings, but it's not there right now. Do you know if that's a sign that my account wasn't actually registered because I didn't finish the registration process with a bank account? – ming Mar 05 '20 at 21:22
  • @ming no, I don't know anything about that. By "partially registered" I was just referring to your statement that you had registered but not connected a bank account, so couldn't do anything. "Partial registration" seemed like a good way to do that. Try resetting your password. If you can reset your password then they do have a record of you in their system. If you can't reset your password then it may be that they either never saved your account or already deleted it because you didn't attach a bank account. – Conor Mancone Mar 05 '20 at 21:32
  • I can't reset my password I don't think, they just asked me for my phone number, sent me a code I needed to enter to proceed, then I entered my name, email, password, then it's stuck at the page where it needs my bank info, and restarting the app won't do anything, I still haven't gotten "into" the app yet. Is there another way to "reset" my password other than emailing them? I have changed my bank account's password but I just want to know if my account was made or not without emailing them haha, but if that's not possible I guess I can't do anything else – ming Mar 05 '20 at 21:41
  • @ming given that there really isn't a way to know whether or not they have recorded your information. They might have, they might not have. If you have changed your online account password you may just have to call it quits. – Conor Mancone Mar 05 '20 at 21:42
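
An added illustration of the logging concern raised under "Password in Username" (not part of the answer above, and not Emma's or Plaid's code): one way a service can record failed logins without keeping a mistyped password in plain text. The function names, the key and the sample attempts are hypothetical and constructed for this example.

```python
import hashlib
import hmac
import json

# Assumption: a per-deployment secret stored outside the log pipeline.
LOG_KEY = b"constructed-demo-key-not-a-real-secret"

def identifier_tag(submitted: str) -> str:
    """Keyed, truncated digest of whatever was typed into the username field.

    Equal inputs give equal tags, so repeated failures can still be
    correlated, but the raw text (possibly a mistyped password) is not logged.
    """
    normalized = submitted.strip().lower().encode("utf-8")
    return hmac.new(LOG_KEY, normalized, hashlib.sha256).hexdigest()[:16]

def failed_login_record(submitted_identifier: str, password: str,
                        source_ip: str, known_account: bool) -> str:
    """Build the JSON log line for one failed login attempt."""
    # The password is a parameter only to make explicit that it is dropped.
    del password
    record = {
        "event": "login_failed",
        "identifier_tag": identifier_tag(submitted_identifier),
        # Echo the identifier only when it matched an existing account;
        # otherwise it is unverified input and stays out of the log.
        "identifier": submitted_identifier if known_account else None,
        "source_ip": source_ip,
    }
    return json.dumps(record, sort_keys=True)

# Constructed sample attempts; in the second one the user typed the
# password into the username field.
ATTEMPTS = [
    ("alice@example.com", "wrong-guess", "203.0.113.7", True),
    ("Tr0ub4dor&3", "Tr0ub4dor&3", "203.0.113.7", False),
]

def render_log(attempts=ATTEMPTS):
    """Return the log lines that would be written for the given attempts."""
    return [failed_login_record(*attempt) for attempt in attempts]

if __name__ == "__main__":
    for line in render_log():
        print(line)
```

The keyed tag only helps while the key stays separate from the logs, which is why changing the password remains the safe response for the user.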
-2

With a 4.5 rating and 1,537 votes on Google Play, I wouldn't worry. Emma Finance also has a 4.7 rating in the App Store, which meant it had to pass through Apple's strict review process and sandboxing.

Emma has already rolled out 16 updates this year, which is also promising for security as it shows there's "someone home" working to improve the app.

I honestly can't see any reason to be concerned about Emma.

  • 7
    This is not an answer. The OP was asking about specific threats. And a 4.5 rating, only 1,500 votes, and an Apple scan of the ***app*** says nothing about the quality of the security in how it handles your data. – schroeder Mar 01 '20 at 09:18
  • 3
    @Vam Monaco: 1) Ratings in the App Store and in Google Play make no sense because most of the opinions look like "Cool" or "Great". They don't explain *what* is good and *why*. It is ridiculous to rely on such ratings. 2) Apple reviews only the app. Apple cannot review what happens with the user's data when the app sends data to the back end application. – mentallurg Mar 01 '20 at 11:06
  • The ever-relevant XKCD: https://xkcd.com/937/ – Xan Mar 16 '20 at 10:20
  • Oh it’s definitely an answer. Might not be the one you want, might not even be correct, but an answer, it is. – Vam Monaco May 06 '20 at 14:12
  • Furthermore, while a high rating doesn't say "everything", it does say "something", right? IMO, it's a colossal waste of time to dive into the source code of an IPA or APK with a 4.5 star rating that's been downloaded by a million people, because with numbers like that, you already know that no less than 100 Chinese engineers have already probed, prodded and pillaged the resource files for their own apps. – Vam Monaco May 06 '20 at 14:50