Security for the most important data we have, our finances!

YNAB 4 discussion should happen here.

Re: Security for the most important data we have, our finances!

Postby DarkBls » Wed Sep 12, 2012 8:54 am

I'm glad to see that I'm not the only one concerned by the issue. Online storage definitely involves strong encryption.
DarkBls
 
Posts: 50
Joined: Tue Mar 29, 2011 1:59 pm

Re: Security for the most important data we have, our finances!

Postby MRKlink » Thu Sep 13, 2012 12:15 pm

You can always enable two-step verification on your dropbox account, if you're that worried.
https://www.dropbox.com/help/363/en
~Rebecca~
MRKlink
 
Posts: 466
Joined: Mon Mar 12, 2012 3:30 pm
Location: West Michigan

Re: Security for the most important data we have, our finances!

Postby DarkBls » Thu Sep 13, 2012 12:24 pm

Don't worry. Already done! But what about internal Dropbox failure? Two-step auth isn't the silver bullet of computer security.

MRKlink wrote: You can always enable two-step verification on your dropbox account, if you're that worried.
https://www.dropbox.com/help/363/en
DarkBls
 
Posts: 50
Joined: Tue Mar 29, 2011 1:59 pm

Re: Security for the most important data we have, our finances!

Postby MRKlink » Thu Sep 13, 2012 1:03 pm

So you don't think that someone who would hack into Dropbox would hack an additionally encrypted file? If I were a hacker, I might just think "oh, it's encrypted, it's got to have something important and revealing in it..." If your stuff is online, there's always going to be a "what if" situation.
I am like others, who will show my YNAB file to anyone. The only revealing thing is the credit card company name, and maybe the local names of non-chain restaurants or the utility company for my general location.
No last names anywhere, and no account numbers or anything. If they hack into dropbox, then they could find out the credit card company name from hacking into my email also... and what bank account I use that sends me e-statements, etc. Oh wait, I use a different email for dropbox than I do for the financial emails. But I'd say I'd be more worried about them hacking into my email than into my YNAB file anyway.
~Rebecca~
MRKlink
 
Posts: 466
Joined: Mon Mar 12, 2012 3:30 pm
Location: West Michigan

Re: Security for the most important data we have, our finances!

Postby captindave » Thu Sep 13, 2012 7:50 pm

To be honest, I would be much more concerned with any QIF or OFX files that you might have lying around on your hard drive than the YNAB files. Those transaction exports have full account numbers in them and those can be found en masse with a simple filesystem find command by some rogue program.
captindave
 
Posts: 21
Joined: Fri Aug 03, 2012 3:06 am
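An added example, not part of captindave's post or any poster's code: a small audit you can run over your own home directory to list leftover QIF/OFX exports so they can be deleted or moved into encrypted storage. It relies on OFX's `<ACCTID>` element for the account number; the function names and the sample files are constructed for illustration.

```python
import os
import re
import tempfile

EXPORT_EXTS = {".qif", ".ofx"}  # the two export formats named in the post
# OFX stores the account number in an <ACCTID> element (SGML or XML style).
ACCTID_RE = re.compile(rb"<ACCTID>\s*([^<\r\n]+)", re.IGNORECASE)


def mask(value):
    """Keep only the last four characters so the report itself leaks nothing."""
    return "*" * max(len(value) - 4, 0) + value[-4:]


def audit_exports(root):
    """Return [(relative_path, [masked account ids])] for every export under root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic traversal order
        for name in sorted(filenames):
            if os.path.splitext(name)[1].lower() not in EXPORT_EXTS:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(1_000_000)  # cap the read for very large files
            except OSError:
                continue  # unreadable file: skip rather than abort the audit
            ids = sorted({mask(m.decode("ascii", "replace").strip())
                          for m in ACCTID_RE.findall(data)})
            # This sketch only parses OFX; QIF files are listed with an
            # empty id list and left for manual review.
            findings.append((os.path.relpath(path, root), ids))
    return findings


def demo():
    """Run the audit over constructed sample files in a temporary directory."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "bank.ofx": b"<OFX><BANKACCTFROM><BANKID>000000000"
                        b"<ACCTID>1234567890<ACCTTYPE>CHECKING</BANKACCTFROM></OFX>",
            "old.qif": b"!Type:Bank\nD09/13/2012\nT-42.00\nPGrocery\n^\n",
            "notes.txt": b"<ACCTID>not an export, ignored by extension",
        }
        for name, body in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        return audit_exports(root)


if __name__ == "__main__":
    for path, ids in demo():
        print(path, ids or "review manually")
```

To audit a real machine, call `audit_exports(os.path.expanduser("~"))` and remove or encrypt whatever it lists.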

Re: Security for the most important data we have, our finances!

Postby Yicke » Fri Sep 14, 2012 7:52 am

deanishe wrote:
DeguelloTex wrote:
hacker wrote:If someone were to get their hands on a YNAB file, either on a Dropbox share, via USB key or other method, they would have an enormous volume of data that could be maliciously over-used in various, nefarious ways.
Can you list some of those ways?


Sure. You've got the person's bank accounts, credit card numbers, possibly email address and name etc. and all the juicy info you can glean from transaction details, like with whom the person has shopping or other accounts. The customer numbers will be in there and everything.

When you have that kind of "dox" on a person and a sneaky disposition, you can do all kinds of nasty things to a person's private life and business.


How do they have the person's bank accounts and credit card numbers? My YNAB accounts are named 'ING Professional' - 'ING private' - 'Dexia savings' etc. My credit card is named credit card, no number attached anywhere. Same with when I buy something at a store I have a loyalty card with, I enter the transaction as paid for with my debit card. It has store name, date, amount and with what account I paid for it, but how does that link it to my bank account info?
Yicke
 
Posts: 87
Joined: Thu Jan 19, 2012 4:05 am

Re: Security for the most important data we have, our finances!

Postby brad » Fri Sep 14, 2012 8:03 am

If you read the Wired article that hacker linked to, it makes it clear that these people don't even need your account number, just your name and the institution you bank at. So for example if your accounts are named ING Professional and ING Private, they know you have accounts at ING and they know your name. Then it's a matter of calling up ING and posing as you, claiming you forgot your PIN number, etc. Banks are wise to this kind of thing, but hackers can be extremely resourceful. For example with your YNAB file they could very convincingly state the last five transactions you made, and where they were made, to convince the bank that they're talking to you and not an identity thief.

After I read the article, I changed the names of all my accounts to remove the name of the institution from them. That should at least make it harder.
brad
 
Posts: 905
Joined: Thu Aug 02, 2012 3:46 pm
Location: Canada

Re: Security for the most important data we have, our finances!

Postby MRKlink » Fri Sep 14, 2012 8:27 am

I don't have bank names either, but the interesting thing is that.... Calling up a bank gives them, basically, what information I have in my YNAB file: Transactions, balances, the like. My bank does not share account numbers by phone, and if I can't remember my PIN, they send me a card through the mail. I suppose they could try to gain access to my online banking, but, from prior experience, they will not help with both a username AND a password in the same week. AND they can typically see the last time you logged in, if there were invalid login attempts using the correct username, etc. So there should be red flags if you logged in this morning or yesterday, and now you're calling and forgot your info.
~Rebecca~
MRKlink
 
Posts: 466
Joined: Mon Mar 12, 2012 3:30 pm
Location: West Michigan

Re: Security for the most important data we have, our finances!

Postby Yicke » Fri Sep 14, 2012 8:29 am

Mhm. I would assume this is a bigger problem for English-speaking, US-based people?

To call my bank, one must not only know which one, but also that it is a local branch, specified for our profession, not the main branch. And they would have to speak my language. Calling in English won't do it.

I have never been able to fix anything by phone as easily as it seems to be to do so in the States. Perhaps with Amazon or Apple, yes, but never with banks or insurance companies. They always refer me to either internet banking or my local office and/or agent. The only thing they will do on the phone is block your accounts and cards until you can make it to the local branch. And then they need your identity card and your bank card and your signature.

Maybe it's false safety, but listing the names of my bank, without the numbers or anything with them, does not make me feel insecure.
Yicke
 
Posts: 87
Joined: Thu Jan 19, 2012 4:05 am

Re: Security for the most important data we have, our finances!

Postby MRKlink » Fri Sep 14, 2012 8:34 am

Yicke, the biggest problem is that people will get an account with a smaller, local bank, and then move where there's no local branch (I am guilty of this - I live in Michigan, and I have accounts in a bank in New York!). Or they open accounts with online banks that don't HAVE physical branches -- but I would assume those online banks have higher security standards because they cannot send you into a local branch.

Most banks here have similar policies of sending you into the local branch for the more sensitive information. However, the above cases are the exception to that.
~Rebecca~
MRKlink
 
Posts: 466
Joined: Mon Mar 12, 2012 3:30 pm
Location: West Michigan

Re: Security for the most important data we have, our finances!

Postby Yicke » Fri Sep 14, 2012 8:39 am

That is not so much of a problem around here. I don't know if the equivalent of a credit union even exists around here and all banks are national.

The most commonly used banks are Belfius, BNP Paribas, KBC, ING. They all have plenty of local offices, in my small city (little over 100.000) most have more than one.

I do have internet-accounts with some, but not with an internet-only bank.
Yicke
 
Posts: 87
Joined: Thu Jan 19, 2012 4:05 am

Re: Security for the most important data we have, our finances!

Postby brad » Fri Sep 14, 2012 8:56 am

The risk is probably small, but it's no big deal for me to rename my accounts so I did it. There are other scenarios you can think of: if you have a habit of going to the ATM each Friday morning to pull out cash for the weekend, someone who gets your YNAB file can see that pattern in your transactions, and if they know the name of your bank and can figure out your home address (not difficult to do), they might be able to deduce where you go to take out your money every Friday morning. And one Friday they might be there waiting for you.

The chances of these things happening are very small, but we live in a strange and dangerous world; it doesn't hurt to take a few minor security precautions.
brad
 
Posts: 905
Joined: Thu Aug 02, 2012 3:46 pm
Location: Canada

Re: Security for the most important data we have, our finances!

Postby blackdiamond » Fri Sep 14, 2012 12:31 pm

brad wrote:The risk is probably small, but it's no big deal for me to rename my accounts so I did it. There are other scenarios you can think of: if you have a habit of going to the ATM each Friday morning to pull out cash for the weekend, someone who gets your YNAB file can see that pattern in your transactions, and if they know the name of your bank and can figure out your home address (not difficult to do), they might be able to deduce where you go to take out your money every Friday morning. And one Friday they might be there waiting for you.

The chances of these things happening are very small, but we live in a strange and dangerous world; it doesn't hurt to take a few minor security precautions.


This might make more sense if you were the only person using the ATM, but it would be much easier to simply steal the numbers and/or card from a random person. Right now, there's a problem in the region with some people watching people entering their PINs at the grocery store and then creating a scene in the parking lot so that they can swipe the matching card without it being noticed. They are targeting older ladies.

After watching too much Law & Order SVU I can just see the detective asking me if there was anyone that I could think of that would want to steal my money with my best response being I think someone targeted me after stealing my YNAB budget file from Dropbox. I'm pretty sure they'd put me in for a night at Rikers for sounding crazy.

:mrgreen:
Been there. Done that. Got the YNAB T-shirt!
blackdiamond
 
Posts: 1792
Joined: Wed Nov 30, 2011 9:05 am

Re: Security for the most important data we have, our finances!

Postby DarkBls » Sat Sep 15, 2012 7:11 am

It's funny to see the brainstorming of people trying to find and argue about every possible threat knowing that the solution is straightforward: strong encryption.
DarkBls
 
Posts: 50
Joined: Tue Mar 29, 2011 1:59 pm

Re: Security for the most important data we have, our finances!

Postby DeguelloTex » Sat Sep 15, 2012 10:44 am

That presumes there's a problem. For the bajillionth time, there's nothing in my YNAB file that I need encrypted. Not my name, not my address, not my account numbers, not my SSN, nothing.
DeguelloTex
 
Posts: 621
Joined: Tue Jun 26, 2012 11:58 am
Location: Texas
