This App Promises Easy Cash, But It’s a Security Nightmare Waiting to Happen
Earnin, a popular payday loan app, may not do enough to protect users
Earnin is a popular payday loan app with a simple promise: You can cash out part of your upcoming paycheck without any fees or interest, and you’re only asked to “tip” whatever you think is fair in return. But while Earnin may not demand much of your hard-earned dough for its services, the company is certainly taking hold of some very sensitive data in return.
Since launching publicly under the name ActiveHours in 2014, Earnin has raised $65.1 million over three investment rounds. It has users employed at more than 50,000 companies such as Walmart, Starbucks, Pizza Hut, and Apple. According to Crunchbase, Earnin has been downloaded nearly 1 million times in the past 30 days. (The company doesn’t release user numbers.)
To use the app, you’ll first need to fork over a host of sensitive financial, employment, and location data that, together, could mean a nightmare-grade disaster if Earnin is ever hacked. What’s more, Earnin isn’t protecting user data to the extent that some experts feel is necessary. Though it collects information including your work address, it doesn’t even offer two-factor authentication.
In other words: It’s the kind of app banks have been warning people to stay away from for years.
“I think it’s terrifying. It’s like a permanent Big Brother with access to some of your most intimate and sensitive information,” said Lauren Saunders, associate director at the National Consumer Law Center, a nonprofit that advocates for low-income and disadvantaged people in the United States.
Saunders, an expert on electronic payments, bank accounts, small loans, and consumer protection regulation, makes this comparison because the app monitors your every move. To verify that you’re actually earning money, Earnin tracks your location through its “Automagic” system. You provide your exact work address and pay cycle information, and Automagic keeps tabs on how much time you spend at that address, and thus, how much you’re earning.
Once you have enough hours registered with Automagic, you can cash out up to $100 per pay period (the amount can increase to $500 if you keep using the app). When you receive your direct deposit, Earnin automatically deducts the amount you borrowed from your account to recoup the loan.
Hourly workers who have their wages tallied through compatible online time trackers like TSheets have the option to skip the location tracking and use their digital time sheets instead, but most don’t. Out of Earnin’s users, who reportedly rack up 5 million worked hours weekly, the vast majority use Automagic, founder and CEO Ram Palaniappan said. (For gig workers at specific partner companies like Uber, there’s a completely different system.)
To make it all work, Earnin requires users to provide:
- Email address
- Employer name
- Work address
- Pay cycle information
- Which bank they use
- Bank login and password (through the Plaid API, or sometimes the bank’s webpage)
- Checking and routing numbers
- Debit card info (for the Lightning Speed feature, which transfers your money instantly, rather than in one business day)
Earnin obviously isn’t the only company handling sensitive information. After all, 2018 has been an especially notable year in breaches, with large companies like Facebook, Eventbrite, Google+, and many others reporting their fair share of major security issues. Some resulted in lawsuits and others in users deleting their accounts en masse. And as Saunders points out, even some of the largest banks in the world have suffered breaches.
With Earnin, a lot of people’s financial security may be on the line — when bank account data is involved, the main worry is that hackers could find a way to access your money. Unlike when your credit card information is stolen and used, you can’t simply dispute the charges; a bank could say you’re out of luck on the basis that you handed your information over to the service to begin with. And even if your banking information is secure, the sheer amount of identifying information Earnin collects remains cause for concern.
Financial and security professionals believe using Earnin — especially because of the combination of financial, employment, and location information — is a risk.
“It could be very damaging if they suffer a breach,” Saunders said.
Joseph Steinberg, a cybersecurity and emerging technologies advisor, said it’s especially concerning any time a company can pull money from your bank account.
“If the firm has the ability to pull money out of people’s bank accounts, I imagine that there could be some serious issues,” he said, referring to the potential withdrawal of cash. “Of course, it has personal and employment information as well.”
Robert Siciliano, a security analyst with Hotspot Shield who specializes in fraud prevention, said the underlying concern regarding startups of this nature is how much they’re allocating toward security in the process of developing the technology.
“History shows that getting to market is often more important than security,” Siciliano said. “So, it’s only through adversity — a hack where someone discovers a flaw in their network, or sometimes from a white hat — that [exposes] vulnerabilities and leads them back to the drawing board. Or they get sued and have to redo it. You see that over and over again and hope the principals involved know what the hell they’re doing.”
In response, Palaniappan said he sometimes runs internal bug challenges, that the “sensitive data” Earnin retains is encrypted, and that the platform has anomaly and intrusion detection systems. He wouldn’t give much more detail on the service’s security.
When asked for examples of actions taken to improve security between the company’s launch and now, he said, “I think we’re continuously looking out to see what is the best practice, and it’s far ahead of what the industry standard would be.”
Palaniappan said that Earnin has an internal security team but wouldn’t discuss the number of employees or offer any other details about the team. He also said that Earnin has partner companies that aid security, but he wouldn’t say which companies or what they do.
Earnin doesn’t offer users the option to sign in using two-factor authentication, which all the security experts agreed is the bare minimum for a platform of this type. Similar companies, including PayPal, Venmo, Mint, Cash App, Circle, Robinhood, and Clarity Money — many of which have experienced breaches in the past — offer it.
“[If] it has the ability to pull money from people’s checking accounts but does not offer multi-factor authentication, I would be concerned about the current level of information-security maturity, in general,” Steinberg said.
Palaniappan would not comment on plans to introduce two-factor authentication to Earnin. He did say that users have the option to unlock their accounts with fingerprints, but this method is accompanied by security concerns as well.
“My worry with biometrics is we’re still using it as a single-factor authentication. For sensitive information like bank accounts, we need to force it to be two-factor,” Corey Nachreiner, CTO at WatchGuard Technologies, told ZDNet.
Palaniappan said that even if a hacker were able to gain access to a user’s account, they wouldn’t be able to do much because the system is “closed loop,” which we can’t confirm. At the very least, if someone accessed your account, they could see personal information like your phone number or change your settings and banking information.
Whatever the case, a lot of people have registered with Earnin. In an age when downloading and signing up for an app takes minutes or even seconds, this is no surprise. The average email address in the U.S. is linked to 130 online accounts.
Companies must be accountable for safely guarding user data, but people can protect themselves as well, by researching services’ security before signing up, actually reading the dreaded terms and conditions, using different passwords for every account, and limiting the information they hand over. In some cases, this may mean not signing up in the first place.
Update: This article has been updated to clarify the information Earnin collects when you sign up.