Security

How To Keep Your Financial Data Safe Cybersecurity threats are now the norm. Here's how we work with customers to protect their financial data. In 10 seconds Your financial information is incredibly valuable. And if you’re like most people, it’s also vulnerable. But by following best practices and using secure apps and services, you can protect your money from digital threats. In 1 minute Cybersecurity threats are bigger and more common than ever. Every investor needs to be on guard. Thankfully, there are plenty of tips and tech to keep your financial data secure. It all starts with you. Trust your instincts Scammers have plenty of tools to steal information. But their most effective tool is often manipulation. Don’t fall for impersonators. If it feels like someone is phishing for your personal information, they probably are. Use encryption Where and how you access your financial accounts is important. Public networks and unsecure apps or sites can easily compromise your information. Encryption adds a level of security. It’s like using a secret code to communicate with a server. Only the server knows the code, and your online activity is unreadable to outside parties.  Hide your data with hashing Hashing is similar to encryption, except even the server doesn’t know the secret code. We use hashing to secure your data at Betterment. If there’s information we don’t need to know—like your password—hashing uses an algorithm to turn it into random characters. At Betterment, we only see the random characters. To ensure your password is correct, we just confirm that the random characters are the same as what we have on file. Sync your accounts securely It’s nice to have all your financial information in one place. Usually, that means giving one account access to the others. This makes those other accounts more vulnerable. Thankfully, there’s a better way. At Betterment, we use app-specific passwords to prevent one account from giving access to others. In 5 minutes In this guide, we’ll: Discuss the threats to your financial data Explore your best digital defenses Explain the safest way to sync your financial accounts When it comes to protecting your financial information, the biggest threats are the most obvious: spam calls, phishing emails, and questionable messages. Scammers are constantly developing new, more devious ways to steal your personal information.  With software, they guess millions of passwords per second. They scrape your social media accounts for personal information to manipulate you or your friends. But most of all, they’re counting on you to let your guard down. Here are four ways we can work together to protect your financial data. 1. Caution is your first line of defense If a phone call, email, or message seems fishy, it probably is. Would your bank really ask for your account number over the phone? What comes up when you Google the number? The IRS says they don’t email or text message people, and they’ll never ask for your personal information—so is that really them in your inbox? Why does that link have random characters instead of a URL you recognize? Is that the correct spelling of that company’s name? Don’t ever share personal information unless you’re sure who you’re sharing it with. And make sure that other people don’t have access to your passwords or login information, and you’re not reusing passwords on multiple sites. Two-factor authentication helps secure your account using a passcode that rotates over time, or one that you receive via text or a phone call.   2. Encryption is essential Any time you access a website or use an app, your device communicates with a server. With the right expertise, someone could hijack these communications and steal your information. Encryption prevents this. Encryption takes these sensitive communications and jumbles them up. The only way to un-jumble them? A key that only your device and the server share. It works like this: When you access Betterment, your connection is encrypted. But if you’re ever visiting a third-party site and don’t see the padlock in the browser bar, your connection is not secure. Don’t share any information on those sites! Bottom line: even if someone snoops on your encrypted activity, they won’t learn anything. 3. Hashing hides your information—even from us! We don’t need to know your password. That’s a secret only you should know. So, we use a technique called “hashing” to let you use it without telling us what it is.  Like encryption, hashing uses an algorithm to turn information (like your password) into an unreadable sequence. But unlike encryption, hashing is irreversible. There’s no key to decipher it. We can’t translate the hashing to read your password. However, every time you enter your password, the hashing algorithm produces the same sequence. So we don’t know your password; we just know if it was entered correctly. 4. App-specific passwords let you securely sync accounts Odds are, between all your investments, savings, payment cards, budgeting apps, and financial assets, you use more than one financial institution. That’s OK. But if you’re trying to get a more complete picture of your financial portfolio and see what you have to work with, it helps to have a single, central account that can see the others.  Today’s technology makes it easier than ever to sync external accounts. But if you’re not careful, connecting them can make your financial data more vulnerable. To provide a middle ground between complete access and maximum security, Betterment uses app-specific passwords to sync your external accounts.  Let’s say you want to sync your Mint account with Betterment, for example. Mint can generate a separate password that gives Betterment read-only access to your Mint account. You’re not sharing your login credentials, and it won’t give you or anyone else the ability to change your Mint account from within Betterment. But you can still see the information you need to make informed decisions about your money. Keep your finances secure At Betterment, we want you to reach your financial goals. It’s a lot easier to do that when you use financial services you can trust. We help secure your financial data through layers of encryption, hashing information we don’t need, and app-specific passwords that reduce your risk.

8 Steps to a Safer and More Secure Betterment Account Here are eight safeguards, including Two-Factor Authentication, that help keep your Betterment account safe and secure. At Betterment, your account security is our priority. We’re working hard to continue building ways to help keep your accounts safe and secure. From our robust physical security protections for our servers to the safeguards we’ve put in place to protect you, our services are designed to improve upon traditional security. Built-In Safeguards to Protect Your Account Betterment has already implemented a number of safeguards to help protect your account. These include: Identity Verification. We conduct thorough identity verification checks for all new customers to confirm that the information provided is accurate, not suspicious, and not on any government watch lists. Transaction Review. We monitor transactions on an automated and manual basis to detect potentially fraudulent and suspicious behavior on our customer accounts. Automatic Logout. If you are logged in and inactive for an extended period of time, we’ll automatically log you out of your account to protect you from unauthorized user access. Contact Information Safeguards. Additional security mechanisms are in place to protect you from unauthorized changes to your account information. Account Ownership Verification. We verify that you have proper access to any synced external accounts, to help ensure that you have linked the correct outside account to your Betterment account. System Outage Protection: If there was ever a system outage, we have processes in place to help keep your financial account data safe and secure. Touch ID: When accessing your Betterment account from an iPhone, you can add a layer of protection by requiring your thumbprint for access. You can even use Face ID on an iPhone X. It’s important to remember, however, that even with all of these safeguards in place, there are a few things you can also do to help protect your account. When conducting personal financial business online or on your mobile device, you are also responsible for helping to keep your personal account secure. We recommend taking the following precautions to help protect your account. Practice Good Password Security Your password is the key to your Betterment account, so we want to help ensure that you’re using a good, strong password. We also know that you’ve heard this a million times, but we’re going to tell you what we think makes your password up to snuff. Good passwords are both long and random. For your Betterment account password, you should avoid using names, places, names of products or services (e.g., “investing” or “Betterment”), and any other factoids that people may know about you or that are discoverable online. Each time you create or reset your account password, we’ll help you see how strong it is. We recommend using unique passwords across all of your online services; this prevents any other services from impacting the security of your Betterment account. While good password practice may seem daunting, there are a number of password manager tools to help you generate and remember your passwords safely. Some examples of these tools are 1Password and LastPass. Two-Factor Authentication To help combat security breaches, Betterment uses two-factor authentication (2FA) to help protect your account from theft, even if an attacker has obtained your password. With this additional layer of security, you’ll be required to enter a unique verification code either from a mobile authenticator application or from a text message or voice call when you log into your account on a new device, or, if you haven’t used 2FA on that device for two years. While no safeguard can 100% guarantee protection against a data or security breach, 2FA makes it significantly more difficult for malicious hackers to access your account. Use App Passwords When Connecting Third-Party Applications to Your Betterment Account Personal finance applications and services (such as Mint and TurboTax) make your life easier. But, they also come with additional risks. By using your username and password to connect these services to your Betterment account, you increase the risk of unauthorized access to your account. Instead, Betterment offers the ability to leverage read-only App Passwords for these services. App Passwords allow you to connect these services for convenience and productivity but in a safer way. When using App Passwords, these services will only have the ability to view your account balance and other financial transaction information, without the ability to make changes, withdrawals, or deposits to your account. This way, you can take advantage of the benefits of these services with an additional level of security. From your Security tab, you should also consider periodically reviewing the third-party services you’ve granted access to your Betterment account, and revoke access from any applications or services that you no longer wish to use. Use Only Trusted Machines and Networks You’re probably using one or two trusted devices for your banking and financial activities. On these devices, make sure you are working with the latest security updates to the operating systems and applications installed. This is actually far easier than it sounds, with most systems and applications offering automated update options. Finally, any time you use a public or unsecured wifi network to access the Internet, you should refrain from logging into any websites containing sensitive personal details or financial information. If you must access these websites using an unsecured network, make sure the URL or Web address begins with “https”; the “s” means that it is secure. If You See Something, Say Something In addition to making it more difficult for hackers, implementing our recommended security tips will make it easier for us to identify suspicious behavior on your accounts. This allows us to more quickly alert you of this activity or take necessary action. We also recommend that you periodically review your account to verify any activity and transactions. Remember that Betterment sends transactional emails to confirm any movement into or out of your account, and you can also review your account activity at any time from the Activity tab. If at any time you suspect that your account may have been compromised or misused, please contact our support team immediately. For more information on our security practices and ways to protect your account, you can visit: https://www.betterment.com/security/security-procedures/

How Account Security Works at Betterment Here are some of the ways we are keeping you and your data safe. The Internet can be a scary place: websites can get hacked and private data can get stolen. We understand that personal safety on the Internet is more important now than ever, especially when it comes to managing your investments online. To help keep your investments safe, we have a dedicated security team of experts who think about things like passwords and encryption so that you don’t have to. Here are just a few of the ways that we work to help keep your information safe. Password Safety In our digital age, passwords can sometimes feel like the bane of our existence. We’re expected to have different passwords for different websites and have them all be complex but still easy to remember. This often leads to bad habits, like reusing the same password for multiple websites because it feels easier. This makes passwords a valuable target for hackers. When they hack into a website, this is usually the first thing they go for. We make this more difficult for hackers by storing your password in a format called a “bcrypt hash.” In short, this format is used to store your password in a scrambled state so that any potential hackers can’t read your password. This scrambled state also makes guessing difficult, so an attacker would still need to spend a lot of time and energy to decipher the original password. We also offer app-specific passwords. For example, tax preparation software will often need access to your accounts to build an accurate understanding of your finances. The risk is that these third-party services have to save a copy of your password. They could use it do anything with your accounts that you could do yourself, including taking actions such as withdrawing all your money or changing your bank account information. Our app-specific passwords were designed to prevent this scenario. These special passwords grant read-only access to third parties, meaning they can only be used to read information but not change it. If an attacker were to get this password, they would not be able to withdraw any money or make any other changes. Two-Factor Authentication Typically when you log in to a website, you just need your password. Your password is acting as the first factor in place in order to access your account. With two-factor authentication, you not only need your password to log in, but you also need your trusted device. We’ll text you or call you with a code, and you’ll have to enter that code in order to finish logging in. The code is now the second factor in place for account access. Two-factor authentication strengthens the security of your account. Even if an attacker knows your password, they still would not be able to log in unless they also had access to your trusted device. While this adds little friction for legitimate customers, it frustrates attackers. We’ll even remember which trusted devices you’ve logged in with in the past, so that you don’t have to keep entering codes when you log in repeatedly with the same device. Limited Data Access At many companies, external network security is taken very seriously, but the internal network can be a data free-for-all. At Betterment, we make sure that this is not the case. Most of our employees do not have access to any customer account information at all. Access to customer data is only given to those who need it. Engineers who work on our software and administrative tools use a sanitized copy of the necessary data. This means the data is structurally similar enough to real data to get their work done, but does not contain any personally identifiable information. Limiting access to customer data has two benefits to user safety. In the unlikely event that there is an employee with bad intentions, the amount of data they could access is kept at an absolute minimum. If an outside attacker found their way inside our network, they would still have a hard time gaining access to customer data. Encryption Even before you log in to your account, encryption has already kicked in via Transport Layer Security (TLS). TLS helps to ensure privacy for all communications between your computer and our servers. Without it, anything you send us—such as your password or bank account information—would be sent out in the open web, making it easy for attackers to access your information. Because of TLS, you can feel confident that any information sent between you and us is kept private as it makes its way through the internet. We also use encryption when storing your personal information. The information we encrypt includes your financial information, such as bank account and tax identification numbers, to your personal information, like social security number and secret questions. Our dedicated security team is always working for you. We understand that when you open an account with us, you’re placing a lot of trust in our services. This is why we have a dedicated in-house security team that works full-time to keep you safe. The team regularly reviews new code to minimize the potential for security issues, they monitor our various tools and systems, and they stay on top of industry trends and events. Keeping your account safe is our top priority, and we hope that gives you peace of mind.