It's a losing battle . . .
Posted by RNG_HatesMe@reddit | sysadmin | 15 comments
So I was trying out a financial site/application that purports to leverage AI to help you analyze your household budget. Overall it's an interesting site, and has some interesting features (Origin).
HOWEVER, I noted that I left the site open and came back to my PC hours later and I was still logged in to the site. Keep in mind this site links all of your financial accounts (bank accounts, credit cards, mortgage, brokerages, etc.). They are read only (through Plaid, I think), but it's still very sensitive information. I also noted that if I closed the site tab (not the browser), and went back to the site, I was *still* logged in. So clearly they were using session cookies with *no* time limit. I've never seen *any* other financial site do that.
I posted my concern about this to their subreddit and their support contact, and to their credit (after an initial rather vague response), they did indicate that they understood the security problems with that, and planned to address it.
Unfortunately the responses on the subreddit from other users are disheartening. Some people don't want to be inconvenienced and don't EVER want to be logged out. Others say there's no point, because Internet security is crap anyway, why worry about it here. One person claimed that it wasn't a financial site (the subreddit is called r/OriginFinancial for God's sake).
Sometimes I think we should just ask them all to post their SSNs right here on reddit and see how many oblige.
GallowWho@reddit
So logout and use a private browsing tab...
RNG_HatesMe@reddit (OP)
*I* know to do that, I'm not freaking out about it. I posted back to the site operators as something that they should fix. And to their credit they acknowledged it. I have *zero* issue with the response from them.
I only posted here on the clueless responses from everyone else who clearly have no understanding of the risks involved here or anywhere online.
I particularly love the one guy who says that all of our privacy has already been lost, so I shouldn't worry about it. I said that by that logic he should be fine posting his SSN, which surprisingly he didn't oblige with.
GallowWho@reddit
We could argue until the cows come home about best practices, unfortunately in my experience it's been "if it works, we won't fix it".
itishowitisanditbad@reddit
Person handing financials around to anything "AI" has security concerns.
Yeah, and it's the reason a lot of people then choose NOT to do it rather than just... pushing ahead?
It's going to be an incredibly hard uphill battle to swing this bat when you're already participating in a horrifically bad security practice itself.
That's a false conclusion AND I have seen that before so... your whole initial premise is a false conclusion and you're outraged over it.
You've jumped to some conclusions, got outraged over those conclusions, and are now not understanding why people are not as outraged as you?
I don't know man.... maybe reconsider your conclusions and what's going on to get where you're at.
Shiiiiit man. Personal responsibility comes into things a liiiiiitttle bit sometimes. Can't handhold every single danger in the world. Especially when people are slinging personal financial information into the AI black hole.
EquivalentOil6480@reddit
If you're on a personal device that only you use and you secure with a device password when not in use, what is the issue that you are worried about exactly? Other financial trackers also seem to keep you logged in too, such as when I used Copilot. So this is not exactly just applied to Origin. You most likely keep your email and stuff logged in unless on a shared device, so this is kinda like that.
WendoNZ@reddit
So... just so I understand this. You've knowingly allowed AI access to your financial data, and the privacy concern you're worried about is that it doesn't log you out after a time period?
I mean yes, it's a problem, but isn't the one I'd be most concerned about
RNG_HatesMe@reddit (OP)
Your point is completely valid, but it's not really one that can be addressed easily. If you want a service that uses AI to analyze financials, unless you setup your own local AI to do so, you don't really have an option. But yes, it's most definitely something to worry about, and I'm not sold on the risk / reward of an application like this, it's something I was exploring. Looking into how they treat AI queries is critical. From what I'm seeing, I'm thinking they treat the AI queries as a RAG model, where it's not training on your data, it's using it as augmented input. So it shouldn't retain that information. But I haven't confirmed that, and it is a very important question!
The auto logout is low hanging fruit though.
RNG_HatesMe@reddit (OP)
Since you made me take this a bit more seriously, I did ask them the following question:
The response was:
While the response was AI generated it did provide appropriate links to their policies, which seem applicable.
LaDev@reddit
I guess since they don't process PCI they don't have to maintain the same controls. I'd be curious what Plaid's terms are for the data and how it's protected.
May be accessed through a third party aggregator but I’d imagine for their own image they’d (Plaid) have policies in place that specifically require the protection of PII and financial information? Maybe wishful thinking.
RNG_HatesMe@reddit (OP)
You would hope.
I agree it's not as sensitive as a site that has actual power to make transactions, but exposing all of your financial accounts and account numbers is still a concern.
MySurvive@reddit
I just went through and read the thread and wowwee. What a ride lol.
RNG_HatesMe@reddit (OP)
Isn't it? And I don't want to trash the site/app itself, their response was quite reasonable. But it's so eye-opening on what normal people don't understand!
anonymousITCoward@reddit
Closing the tab will, more often than not, log you out of a site... heck closing the browser doesn't even log you out of Reddit, thank you cookies!!!
reserved_seating@reddit
In… 1997(ish?) my dad told me to disable cookies because it was really bad for privacy. At that time I was pretty annoyed cause my dad was being a conspiracy nut and I couldn’t go to any website…
Now, I go out of my way to hit the sliders to turn off cookies that aren’t necessary and I also know that probably doesn’t mean shit.
Point of the story? Dads are usually right.
RNG_HatesMe@reddit (OP)
100%. It's not easy to know when you've securely logged out of anything anymore. With SSO you can even select *logout* and SSO will immediately log you right back in!
That's why financial sites (and other secure data sites, like anything health related) need to have a strict inactivity timeout and disconnect.