On the Risks of Your Data in the Cloud
It’s not often I look at a product or service and say “I really hope this isn’t real”. It’s time for a look at something which cropped up on my radar today, namely a service called FileThis. A quick search will find them, and their app on the Play Store and iTunes store.
With the spread of the “cloud” ecosystem of endless venture-capital funded start-ups, all trying to make your life easier (often with business models that rely on selling your data), why single out FileThis? Quite simply, we question whether consumers are well served by trusting startups like FileThis, which represents a particularly grievous example of a service that requires access to your most sensitive passwords and information.
What is it?
FileThis aims to make life easier by helping people become organised. They do this by retrieving your bank statements, insurance certificates, credit card bills, investment details and bills, and storing them in the cloud for you. It’s effectively a web scraper (to quote the PC World review of it, from 7th January). Except this is not like any other web scraper. It’s a web scraper for which you provide the login information for your bank accounts and credit cards. In fact, FileThis claims to support “over 400” different sources of paperwork, which they can retrieve and hold for you. To be fair, FileThis isn’t the only service that provides similar functionality. Mint.com, which scrapes bank, brokerage, and credit card accounts, was purchased by Intuit for $170 million in 2009. Since then, the information aggregation space has taken off.
The primary problem with gathering all these bank and credit card statements, insurance policy documents, and other bills (such as contract phone bills and subscription satellite or cable), is that users have introduced a single point of failure to their financial existence. You’ve given all your passwords to a private company. But who are they? Why should you trust them? Would you hand over your bank statements to that man who stands outside the subway station on your way to work? Would you give your health insurance documentation (which could easily include details of claims) to the disheveled beggar with the guitar outside Starbucks? Like most XDA members, I am a cynical user of the Internet. I know that scams exist. I can reasonably research companies that request my personal information. My bias is to give that information to as few entities as possible. Below is my (cynical) analysis of why trusting a service like FileThis is a questionable decision. I have no solid proof that FileThis has any negative designs on your data, only red flags. To be fair, I could put together similar analysis for dozens of startups, but the information FileThis is requesting is particularly invasive.
So, who is FileThis? A whois check on their domain doesn’t reveal much. It confirms the domain is registered by “Loyal Bassett” of “FileThis.com”. Keep this name in mind; we’ll return to it later. There’s no physical address given, and the site is hosted on Amazon’s infrastructure. The real-world equivalent of this is “no fixed abode”.
Digging a Deeper Hole
With the above revelation, I took things a bit further: they have an EV (Extended Validation) SSL certificate, which means their corporate existence was verified by the certificate authority that issued the certificate. Sadly, this means little; new companies can be formed and closed with the signing of a few forms. Eventually, I stopped trying to find more about where they were based and looked more at how they were funded.
It turns out FileThis isn’t just any old company, but a private company, which currently has debt-financed itself to the tune of $1.4 million. Would you give out your credit card bills and bank statements to someone who owed a million dollars? While there’s nothing to indicate negative intentions on the part of the company, you wouldn’t do it in person, so why do it with a nearly-anonymous company online? And while convertible debt is a fairly typical way to fund an early stage company, startups are risky. Even discounting any risk of nefarious intentions, startups fail, founders leave, businesses get sold for scrap, and even the best security can fail. You just don’t know where your data will end up.
In the process of investigating their funding, I came across their filing with the Securities and Exchange Commission, which at least confirmed they had a physical presence. But even this filing wasn’t exactly forthcoming. Interestingly, their website shows their management team. None of them are the above-named “Loyal Bassett” who appears to own their internet domain. Having looked through their brief biographies, it’s clear they have set up shop with:
- “a 25-year veteran of the software industry and passionate entrepreneur”… making no specific reference to any relevant experience in security or privacy
- a former Adobe programmer with a Computer Science bachelor’s degree from a state university who juggles what appears to be all the coding in the entire company, including security
- a marketing guy
It’s almost like the start of the traditional bad joke – three of the least likely people to protect your private data, are asking you to hand over your online banking passwords. And the programmer, coming from Adobe, will obviously never make any mistakes… ever… Especially not security ones…
Something else that’s worth considering is whether using a service like FileThis is worth the added financial risk to your life. You are potentially liable for any transactions that are carried out using your bank login credentials. It’s also often against the terms and conditions to give your login details to anyone else. Similarly, fraud prevention liability guarantees (such as that provided by Bank of America) state specifically “don’t share personal or account information with anyone.” Presumably this extends to companies, not just people.
By giving login credentials to your bank, you’re exposing yourself to risk of identity theft. Anyone gaining access to your cloud storage would have access to all your statements, policies, and personal documents. Would you upload your bank statements to Dropbox (and again), or Evernote (again) or Box? The risk might be small, but it’s real. FileThis indicates only one employee claiming any kind of computing qualification. He appears to juggle security along with several other tasks. Is that enough to protect your data?
Like many services, FileThis claim to encrypt your data. Indeed, they actually give some technical details surrounding this. But from reading through their website, we detect potential holes. There’s no mention made at all about encryption when looking at their claims of supporting Box or Dropbox, both of which (as mentioned above) have less than stellar security pasts, Dropbox in particular! FileThis supports syncing with Personal (and Personal seems to use encryption to store your data), but as with most cloud-based products that claim to offer encryption, the web server is able to show your data in the browser, meaning the keys are available to the provider. And, unsurprisingly, given the situation for Dropbox and Box, the Google Drive integration doesn’t encrypt your data.
Given that you can access your data via the FileThis website, it’s clear they are in possession of the encryption keys necessary to decrypt and view that information. This means if they lose the keys, those keys are stolen, or their service is compromised, identity theft becomes a risk.
In their terms and conditions, FileThis state that
Protecting your documents and your account passwords and user names is very important to us. We make every effort to ensure that these are secure against unauthorized access and disclosure using a variety of authentication, encryption and security processes and procedures. However, in the Internet Age, there is no 100% guarantee of such security and you understand this and agree that the Service is provided “AS-IS” and without warranty or guarantee.
As a measure of the confidence that FileThis has in its security precautions, all FileThis officers use our service just the way you will.
If using FileThis is a prerequisite to working for them, I can certainly say that their employees’ confidence in their own product is foolhardily high. The code isn’t open source, so it can’t be audited for flaws. This service is a huge target – if you get a password, you win the ultimate identity theft jackpot – someone’s literal, entire identity, including all the documents you would need to apply for ID and credit in their name, or even to authenticate to their bank as themselves. When your bank asks for past transaction information for security, anyone with access to your statements can supply this! This includes anyone with access to your “cloud” statements.
We also find the technobabble on the site unconvincing. They say on their security page that
the credentials to your FileThis account, and to all your account connections are encrypted from the moment they are entered. On our servers and in our database, your credentials are encrypted utilizing AES 256-bit encryption, which is the highest encryption standard available today. Bottom line: even if a hacker could get access to your credentials on our servers (they cannot), it would be impossible for them to read any of the data.
OK, let’s take that at face value, and presume their security is good! The problem is that their service accesses your credentials in order to log into those sites and retrieve your data. Anyone breaking into their servers would have access to the decrypted contents, as they would have access to the requests being made to the remote systems (the banks and other companies). Since FileThis can check for new documents when you are not online and logged in, they do not require your password in order to access your account data, meaning they hold the keys to decrypt the data in their database. Your data is encrypted there, using a key which is held within their infrastructure. That’s simply not nearly as secure as they suggest!
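The key-custody point above, as an added example (not FileThis code, which is not public): a record encrypted under a key the provider holds can be read by an unattended job, and so by anyone who compromises that host, while a record encrypted under a key derived from a passphrase the server never stores cannot. The cipher is a standard-library stand-in for AES-256, and every name and sample value is constructed for illustration.

```python
import hashlib, hmac, os

def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _stream(key, nonce, n):
    # HMAC-SHA256 counter keystream: stdlib-only stand-in for AES-256,
    # used so the example runs anywhere; not a production cipher.
    enc = _subkey(key, b"enc")
    blocks = (hmac.new(enc, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def _tag(key, body):
    return hmac.new(_subkey(key, b"mac"), body, hashlib.sha256).digest()

def seal(key, plaintext):
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _stream(key, nonce, len(plaintext))))
    return nonce + ct + _tag(key, nonce + ct)

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _tag(key, nonce + ct)):
        raise ValueError("wrong key or tampered record")
    return bytes(c ^ s for c, s in zip(ct, _stream(key, nonce, len(ct))))

def key_from_passphrase(passphrase, salt):
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000)

def unattended_read(record, keys_on_server):
    """What a scheduled scraper job, or an intruder on that host, can recover."""
    for key in keys_on_server:
        try:
            return unseal(key, record).decode()
        except ValueError:
            pass
    return None

# Constructed sample data.
BANK_PASSWORD = "constructed-bank-password"
SERVER_KEY = os.urandom(32)                 # lives in the provider's infrastructure
SALT = os.urandom(16)                       # stored beside the record; not secret
PASSPHRASE = "constructed user passphrase"  # never stored server-side

provider_held = seal(SERVER_KEY, BANK_PASSWORD.encode())
user_held = seal(key_from_passphrase(PASSPHRASE, SALT), BANK_PASSWORD.encode())

if __name__ == "__main__":
    print("provider-held key:", unattended_read(provider_held, [SERVER_KEY]))
    print("user-held key    :", unattended_read(user_held, [SERVER_KEY]))
```

The second model cannot fetch documents while the user is offline, which is why a service that syncs in the background must be using the first.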
If someone gets in, they’ll get your account passwords and be able to find out which accounts you sync with. If you sync your data externally (to other cloud accounts), it might not be held on FileThis systems, but attackers could still get access to the data “in transit” (an attacker could exfiltrate these files by carrying out a second access to the files directly rather than passing them on to the cloud storage service you use).
The existence of companies like this proves the general public’s blind (and maybe stupid) trust in “the cloud”. I can imagine a service, one that looks and feels remarkably similar to this, that is actually an elaborate hoax or honeypot to steal people’s identities: Who says being audacious doesn’t work? Just ask users for their details, then you can’t be accused of stealing!
As much as I do hate to sound like an Apple product launch keynote, there really is more! From the company’s terms and conditions of the service:
So there you go! You’ve just appointed a power of attorney over at least some aspects of your finances! Did you realize you could grant someone a power of attorney through a click-wrap agreement? Nope; neither did I! Of course, this smells like lawyers run amok. There is at least some ambiguity as to what rights this agreement purports to provide to FileThis: you appoint them the ability to “use your Account Information with the full power and authority” to do what, exactly? Can they use your information to drain your account? While I don’t believe for a moment that this power of attorney agreement would stand up to even the least technically inclined of judges, it’s still unfortunate that people don’t question it before just clicking through!
What if I’m a Business?
FileThis aren’t just trying to target the naive and less technologically inclined consumer. Their “Pro” service (in theory) puts your financial advisor, accountant, or tax advisor at similar risk as they are encouraged to use FileThis to store their customers’ data. If ever there was a data mine to attack, this is it. The data held within these accountants’ accounts (not computer scientists, unlikely to pick a good password) is very valuable to bad actors.
The whole concept of FileThis (and FileThis Pro) flies in the face of events of late in which criminals gain access to the accounts of other people on “cloud storage” and steal their files. And it doesn’t matter how it’s done – once your bank statements or credit card/utility bills are stolen, your identity is at risk. It doesn’t matter who is to blame, your credit may be ruined. Recovering can be difficult. If this data found its way onto a torrent, it would be available for a long time. The inconvenience will be significant.
If you have used FileThis, I urge you to consider this decision carefully. If you decide to cancel, send them an email to ensure they really did remove everything. Then go to every account provider and reset your passwords. Sign onto a credit monitoring system, and keep an eye to ensure nothing strange happens. Then go to your cloud storage accounts, and delete any files it stored there. Then purge them from any undelete or history features. The fact is, you won’t be able to get rid of them completely; there will be backups.
Dear internet, please think about this for a minute, and let’s go back to the old days when we were more skeptical. All your bank statements, credit cards, store cards, utility bills, and insurance documents in one place? Do people really think that’s a good thing to store online, in the cloud? Sadly, today, it seems they do. And that’s just asking for trouble!
How do you know any company is legitimate? A flashy website? A few well-worded webpages in a quick-to-make WordPress blog? A fancy SSL certificate available to anyone that registers a company? A few press releases? Criminals are not exactly going to call their service “identitytheftasaservice.com”. The internet is full of dangerous people, who don’t have your best intentions at heart. FileThis is likely a reputable company founded by passionate entrepreneurs. We hate to single them out like this. But who knows about the next company, or the next one after that? We urge skepticism, even cynicism.
What do you think? Would you use a service like this? Do you know anyone who has? Share your thoughts below.
Source: FileThis via AndroidPolice.