A few years back I bought some PC components from a third-party retailer. Not a month later, fraudulent charges were being rung up on my card. I had to contest the charges, cancel the card, and order a new one. A familiar story for many.
Data breaches are fairly common and can leak your sensitive information to a lucrative black market underpinning a booming identity fraud industry; however, since inputting your debit/credit card details is the default payment method online, avoiding them can be difficult.
Virtual Cards
A virtual card is a unique, 16-digit payment card number with a CVV and expiration date that is created instantly through a website or mobile app. Virtual cards function just like a credit or debit card but without the physical card, and can be used for online shopping, over the phone purchases, or any transaction that requires entering a card number.
— Privacy
There are many banks that provide this service natively, but since mine did not, I decided to use Privacy. I was mainly attracted to the base tier’s four main features:
- Merchant-locked cards
- Single-use cards
- Transaction spend limits (monthly, annual, or total)
- Pause and close cards
These features help prevent unwanted charges and unauthorized use at other merchants if a card is compromised, while also making it easier to manage and control recurring payments like subscriptions. Additionally, at checkout, you can use any name and address for the billing information—protecting you from data breaches and third-party vendors selling your data.
Who they protect you from
A virtual card’s main objective is to shield your information from third-party vendors, not from financial institutions. Privacy has full knowledge of which merchants you are interacting with. By default this information is forwarded to your bank as well, but this can be curtailed by enabling private spend mode. However, given the nature of anti-fraud laws, it would probably be trivial for your bank to retrieve this information.
Privacy isn’t so Private
Despite their utility, I do not recommend them.
As a legally compliant financial institution, Privacy must comply with strict anti-fraud legislation. This results in compromises in their privacy policy and very strong know-your-customer (KYC) procedures. While I choose to trust them with my banking information and Social Security Number (SSN), I do not trust the third-party British company they use for verification.
During verification, your government ID/passport and a required facial scan are sent to Entrust (formerly Onfido), a company that settled a lawsuit over allegations of violating Illinois’ privacy laws for $28.5 million.[1]
Your biometric data is then handled according to Entrust’s privacy policy, which does not set a hard limit on data retention and leaves deletion requests up to Privacy, the client, rather than you as a user. Additionally, they are free to share your information with third parties to analyze trends and provide market insights—as well as any number of sub-processors.
Financial Data Aggregators
Over the years I’ve funded a number of apps by connecting them to my bank—ranging from PayPal, to Venmo, to washing-machine apps. I thought I was simply funding my apps via ACH transfers. In reality, I was unwittingly granting financial data aggregators—like Plaid and Yodlee—full access to my bank account.
Financial data aggregation is a lot less confusing than it sounds. The process involves compiling information from different accounts—including bank accounts, credit card accounts, investment accounts, loans and other financial accounts—into a single place.
…
At their core, financial data aggregators provide third parties with the APIs they need for consumers to permission access to the data in their accounts. With the rise of online banking, data aggregation is not just a more convenient way to access financial information: it’s the future.
— Mastercard
These services aren’t about providing a convenient way of linking your bank to other fintech apps; they’re about providing third parties a holistic financial profile of you. Third parties are the customer; your banking information is the product:
- Data about an account balance, including current and available balance;
- Data about credit accounts, including due dates, balances owed, payment amounts and dates, transaction history, credit limit, repayment status, and interest rate;
- Data about loan accounts, including due dates, repayment status, balances, payment amounts and dates, interest rate, guarantor, loan type, payment plan, and terms;
- Data about investment accounts, including transaction information, type of asset, identifying details about the asset, quantity, price, fees, and cost basis;
- Identifiers and data about the account owner(s), including name, email address, phone number, date of birth, and address information;
- Data about account transactions, including amount, date, payee, type, quantity, price, location, involved securities, and a description of the transaction; and/or
Once you consent to this, they have unfettered access to your transactions, investments, and liabilities. Third parties can then continuously monitor your every transaction and activity on other Plaid applications.
You can rest easy. We’ll notify you anytime there’s a new or updated transaction linked to a connected account.
— Plaid
Robinhood uses these features to monitor customer activity outside of their platform, and Venmo uses Plaid to query your bank balance.
You may not even be aware that you ever gave your credentials to Plaid. Until they settled a lawsuit over allegations of mishandling users’ banking information for $58 million,[1] Plaid did not brand its portal when connecting banks.
Furthermore, even after uninstalling apps that you no longer use, they and Plaid retain access to your bank account. Most banks have a security or third-party access page that allows you to revoke unwanted connections. I used mine to remove all third-party connections.
Even after revoking connections, Plaid still retains all previously collected data. To delete it, you must request its deletion.[2] However, every third-party app (PayPal, Venmo, etc.) that connected through Plaid still holds its own copy of that data, requiring separate deletion requests to each individually.
Yodlee has a similar deletion request form, but it requires an upload of an official government document for identity verification.
Online Marketplaces
I’m not completely opposed to online marketplaces; however, large players like Amazon are so general in their offerings that they effectively monopolize most online shopping. This means that they functionally serve as a centralized record of all your purchases under your account. That is not something I trust to a company that has pledged to send all your voice recordings to their servers and charges Prime customers higher prices for products than non-Prime customers.
There are, of course, items that are only available online, but these can generally be ordered directly from suppliers’ websites.
Anonymity
I mainly care about privacy in my financial life, not anonymity. That said, when I do want true anonymity, I use cash for in-person purchases and Visa gift cards online. Cryptocurrency is an option that’s growing in popularity, but not one I personally use.