Personal-Finance

It’s life-changing, but how safe is the 22seven app?

2016-04-22 10:30

Maya Fisher-French investigates money management App 22seven

When you first register with 22seven.com, in order to link your account you have to provide your online banking password and PIN. With my bank drumming into my head that I may never, ever share my banking login details and also writing on a regular basis about online security, this was a big leap of faith for me to make.

Security update: When things go wrong

As part of our review of the 22seven smart money app, we promised to bring you the good, the bad and the ugly.

Unauthorised login

In what must be one of the most remarkable cases of Murphy’s Law, after reviewing the security of 22seven I had two unauthorised logins to one of my online banking accounts that is linked to 22seven. One of the IP addresses was from India, the other was the IP address Yodlee uses to collect the daily data.

Fortunately it all turned out to have a reasonable explanation and at no point was there a security breach or even an attempted breach, but it did highlight to me how important additional security measures are. 

Firstly my bank sends me an SMS each time my account is logged into so I knew immediately that it was an unauthorised login and immediately cancelled my online banking profile. Secondly, the fact that no-one can transact on my account without a One-Time PIN gave me the sense of security that at least my funds were safe.

The problem

In essence, what happened was that Yodlee, the technology company that 22seven uses to update customer accounts, had been investigating a reported data error on a credit card company that 22seven supports. I happen to have the same brand of credit card and Yodlee’s technical team, which is based in India, proactively decided to check that the glitch had been fixed by running the normal daily data update outside of my normal times and from a different IP address. 

As Andre Wessels, head of customer services at 22seven, explained to me the agreement is that Yodlee can only investigate once permission is obtained from a customer and that 22seven will explicitly inform customers that they will get login notifications when Yodlee investigates.

The problem was that Yodlee never informed 22seven about this update which created, as you can imagine, a huge amount of stress for both 22seven and myself. There is one area that 22seven cannot afford to get wrong, or even have a perception of having a problem – and that is on security. 

“We find this totally unacceptable and have escalated the incident to Yodlee’s top executive team,” Wessels wrote to me in an email.

The solution

Ultimately the faith in the product has to lie with the technology behind it, namely Yodlee. 22seven confirmed that when Yodlee’s engineering teams investigate any errors or issues on linked accounts, they never, ever have access to login credentials or actually physically log into customer accounts. They trigger a manual account update in their secure development environment and then troubleshoot the account update logs in order to try and figure out what the problem may be. 

“This is the same kind of account update that happens when accounts are updated via 22seven. It’s just triggered manually by Yodlee’s engineering team,” says Wessels.

My feeling at this stage is that how a company handles a problem can be more important than the problem itself. The issue was taken very seriously and escalated to the Chief Information Security Officer at Yodlee in the United States.  I am comfortable that my account was not compromised and there was never any security issue, but I remain vigilant because in the world of cyber space that we operate in everyday by using our cellphones, bank cards or online transacting, there is always a risk, albeit a small one, that hackers will get through. 

So I chatted to Kenny Inggs, co-founder and chief technical officer at 22seven.com about their security measures and did a bit of my own research. 

First up, it’s worth remembering that your password and PIN are no longer enough information to actually transact on your bank account. Banks’ own security measures now require additional steps to move funds such as one-time PINs (OTPs). So even if the layers of security at 22seven.com were ever breached, the most the person can do with the information is view your accounts. 

Second, 22seven is not actually the data collector – it is just the pretty interface that makes it accessible and user-friendly, which means 22seven staff have no access to your banking credentials. 

The technology is powered by Yodlee, the world’s biggest financial services aggregator. Yodlee is the technology that accesses the data from the various financial services companies which it then collates and categorises into intelligible information. 

Tell us what you think
As part of the Show Your Money Who’s Boss campaign Maya Fisher-French is writing about the 22seven.com app - the good, the bad and the ugly but also tips to get more information out of the data to make better choices. We want our readers to join in the journey and give us feedback, ask questions and share their experiences. 

Download the app to receive your free airtime and if you have any questions or comments email us at personalfinance@citypress.co.za.

Do you feel safe using online banking platforms?

SMS your comments to 35697 using the keyword “22seven”(SMS costs R1.50)

By participating, you give permission to take part in marketing opportunities

Yodlee provides the same technology to 950 organisations globally, including 12 of the 20 largest banks in the US, and collects data from 27 million accounts. It is a large company. Last year it was bought by financial services software company Envestnet for $950 million (about R13 billion), so they have the financial means to keep the technology cutting-edge. 

Because 22seven.com was the first company in South Africa to use Yodlee it took some work on their part to convince the banks that the technology was secure – this was not an easy exercise and 22seven hit a few challenges along the way with Absa initially refusing to provide access and FNB requiring their clients to have a separate “read-only” profile. 

Inggs says 22seven brought the Yodlee team to South Africa to meet with the banks and also the banking regulators. The banks are now comfortable enough with the security to allow 22seven.com to access their customers’ data, to the extent that even Nedbank and Investec are using Yodlee for their financial aggregator products. 

So that covers the high level security element, but locally Inggs says 22seven.com takes the security a step further because, let’s be honest, the entire business case relies on clients’ confidence and trust. If I feel that my information is not safe, there is no way I am going to use the app. 

Twice a year 22seven uses an external security company to test the system to see if there are any holes or ways for hackers to break through. This is the same process employed by the banks. 

“We track ourselves every day to watch for unusual activity but so far there has been no concerted effort to penetrate our security because there is really nothing a criminal syndicate can do with it, we just hold information. There is no pot of gold so it is not really lucrative for a syndicate,” says Inggs, who adds that the only real value of the information held could be for identity theft reasons so the company has added in extra security to ensure that all personal identifiable information is encrypted. 

“They have no way to tie into a real person with email, name or identity number, so there is no reason to even try access it for identity theft.” 

But, just in case, the company has taken out insurance that covers their clients for any personal loss that they could experience if the system’s security was breached. 

For me an added comfort is that Old Mutual is a major shareholder in 22seven. It is a big company and they face huge reputational risk if something happens to 22seven – and they also bring their technical expertise as back-up. Inggs says that although 22seven works on a completely separate platform, they do work with the security team at Old Mutual. 

Interestingly enough it was my own bank’s security that created the most panic. Since signing up as a 22seven customer, every day I receive an SMS from my bank to tell me that there has been a login to my online banking profile. The first evening I received the SMS I was nowhere near my laptop, and hadn’t been on my banking website that day. Then I realised that it was 22seven collecting the information on that day’s transactions. Inggs says this does often catch new clients by surprise and they are hoping to work with the banks to identify those logins as 22seven. 

Am I the product? 

So my information may be safe from hackers (as safe as one can be online) but is it safe from a marketing perspective? It would be a fairly profitable business to sell this information, even to their own parent company Old Mutual. Inggs strongly refutes this. 

“Old Mutual has no access to 22seven customer base and our privacy policy states that if we were ever acquired by another company they would not get access to the customer information.” 

He also confirmed that if I decide to close my account my profile will be removed at Yodlee and all records are also permanently removed from the 22seven database. 

Personally I feel a bit safer that legally 22seven is obliged under the Protection of Personal Information Act to keep our information private and secure. There certainly would be legal and financial consequences for breaking this privacy. 

So if they are not going to sell my data, how then does the company plan on making money? As they say, if you are not paying for the product, then you are the product. At the moment Old Mutual is funding the business but long-term Inggs says the plan is to integrate money management with savings and investments.

Already 22seven offers two low cost investments – one of which is a tax-free savings account. 

The competitive edge is the low fees and the ease at which you can invest without going through a huge amount of red tape. 

Inggs says that the company’s primary objective remains behaviour change rather than becoming a sales channel, but, realistically, if any company is to become self-sustaining it has to have a sales model. 

This is fine, as long as we understand what it is we are being sold. 

Next on City Press

December 9 2018