Wednesday, March 5, 2014

Weigh security risk vs. productivity gain when using the FileThis billing service

FileThis is a cloud billing service that fills a hole in productivity, but it may also introduce a potential security vulnerability. 



 Image: iStock/maxkabakov

FileThis, a cloud service that grabs and organizes account statements from hundreds of vendors, exited beta in February 2014 after two years in development. The service fills a hole in personal data mining; there is no standard file format for billing data, and the labor of logging in to each individual account to download monthly statements can be daunting for people who maintain open accounts with a variety of companies.

What is FileThis?

Once a week (or more frequently, depending on your individual plan), FileThis will automatically log in to the website of a company you specify, download the statements from that company, convert the statements to PDF (if they aren't already in that format), and store them on third-party cloud vendors such as Evernote, Dropbox, Box, or Google Drive, among others, in a neatly and consistently tagged and categorized manner. Alternatively, you can opt to keep the files on the FileThis Cloud, which is leased space from Rackspace or AWS, according to the company. (Learn more about the risks of signing up with a cloud provider that doesn't have its own data center.)
FileThis offers this service for hundreds of companies across a variety of industries, including telecoms (AT&T, Verizon), insurance (Anthem, GEICO, UnitedHealthCare, etc.), general retail (Amazon, Target, etc.), clothiers (American Eagle Outfitters, Old Navy, etc.), utilities (conEdison, Duke Energy, etc.), credit cards (American Express, Discover, etc.), investment banks (Fidelity Investments, E*TRADE, PNC, etc.), other houses of high finance (Ally Bank, Wells Fargo, etc.) and miscellaneous companies such as the home security firm ADT and trash removal firm Waste Management.
For most users, this is likely adequate. Retail, insurance, and telecoms operate (for the most part) nationally, and FileThis has an appropriate depth in support for regional services, such as Central Maine Power, NVEnergy, and PSE&G, among others. Users of FileThis not living on the coast likely will not find their electricity provider on the service. For example, Westar Energy, the largest electric provider in Kansas, is not supported by FileThis at present.

A minor complaint about UI best practices

The entire user interface (UI) of FileThis after login is presented in Adobe Flash. This somewhat baffling decision impedes usability, particularly on mobile, as support for Flash on mobile is low, at best, on modern devices. The amount of actual interaction with FileThis can be minimized—it runs automatically and can offload data to other cloud services—and iOS users can use an official app instead of the website.
Independent of the difficulty of using this on mobile, the prospect of having an entire website presented in Adobe Flash harkens back to darker days of the web, with cumbersome, awkward designs that lack basic features found in standard web pages, such as tab navigation.
In addition, Flash-dependent websites quite likely run afoul of the Americans with Disabilities Act (ADA), which may be a potential concern for FileThis, as California courts have historically been very permissive on the type of suits that can be filed for ADA noncompliance.

Security concerns about the keys to your kingdom

The method through which FileThis obtains this account statement information might raise eyebrows. In order for FileThis to collect your information, you must provide them with your username and password information for every account you wish to track with the service. This should give pause to anyone considering using the service, as the potential damage that could result from a security breach would be massive, particularly when multiple financial accounts are involved.
To its credit, FileThis purports to use AES-256 encryption. In addition, the account credentials entered into the service cannot be viewed after entry; that is, exposing your FileThis credentials doesn't automatically give away your credentials to other services, unless the username and password between two websites (DirecTV and FileThis, for example) are the same. Note, however, that encryption at rest only protects a stolen copy of the database: because FileThis must present your plaintext password to each vendor's login page on every run, the service itself necessarily holds the decryption key, so a compromise of the running service (rather than of its storage) would still expose those credentials. The centralization of account information for the entire digital lives of thousands of users must be a tantalizing target for would-be hackers.
This potential vulnerability highlights a need for a formally defined XML-based file format for billing records, which can be retrieved through a read-only API, to be adopted across industries for record consolidation.

Speak out

What is your opinion of the service FileThis provides? Is it worth the potential security risk, or is the potential risk overblown? Share your thoughts in the discussion.
