This is an excerpt from Dollar Scholar, the Money newsletter where news editor Julia Glum teaches you the modern money lessons you NEED to know.
Work has been tough lately, and I’ve found that when I log off at the end of the day, the only content my exhausted brain can handle is old Star Wars movies. They’re the perfect salve: I’ve seen them before, and space is cool.
The only problem? Because of my aforementioned tired brain, I keep pausing the TV to Google dumb questions about basic Star Wars plot points. Most recently, I went down a rabbit hole to try to figure out why R2-D2 didn’t tell Luke about Anakin/Darth Vader. Like, the famously helpful R2-D2 randomly decided to keep that crucial fact to himself? What gives?
Some people say R2-D2 didn’t know Anakin went to the dark side; others argue it was too painful to beep about. But if you ask me, I think R2-D2 clammed up because he just didn’t know whether that information was secret.
It’s similar to how I feel when I log into my bank app and see that my account number is starred out. Is that information supposed to be confidential? Why?
Time for a non-Star Wars investigation.
Do I need to keep my bank account information secret?
Under the Gramm-Leach-Bliley Act, financial institutions are required to “ensure the security and confidentiality of customer records and information.” It’s legit spelled out in the law that they must “protect against any anticipated threats or hazards,” including “unauthorized access” that “could result in substantial harm or inconvenience to any customer.”
One way they accomplish this is by masking, or replacing sensitive information with asterisks. Terrie Cloud, director in the IT advisory practice at banking consulting firm Cornerstone Advisors, says masking is all about attempting to thwart prying eyes.
“If you're on an airplane, for example, and you're trying to access your bank account, you may want your account number masked so the guy next to you can't peer over your shoulder and get your number,” he says.
Most financial institutions require all logins to go through a multi-factor authentication process, so the risk isn’t really that a bad guy could see my number and drain my checking account within seconds.
According to Eileen Tan, chief information security officer at Varo Bank, the issue is that my bank info is one of many pieces of data that could be used to defraud me later on.
“Threat actors are slowly gathering information about you,” she says. “You don't know who's storing it; once it's out on the internet, it's there forever.”
If a stranger gets their hands on my financial details, they can Google me, easily turning up my phone number and email address. Voila! Stealing my identity just got a whooole lot easier.
Cloud says they can also weaponize that data to trick me in the short term.
Say I’m checking my balance on the Bank of America app in Starbucks, and the person behind me in line glimpses the last four digits of my account number. Now they know 1) I’m a Bank of America customer, 2) that I was at Starbucks at X time on Y day, and 3) that my account ends in 1234.
If, later that day, I get a call from an unknown number with a person saying, “Hey, I’m with Bank of America, and I’m reaching out about a problem with a Starbucks charge on your account ending in 1234,” my guard is more likely to be down — and I’m more likely to turn over information I’d otherwise be smarter about protecting.
It’s called social engineering.
“People are not savvy, and they get this alert, and all of a sudden they freak out,” Cloud says. “Before you know it, they’re compromised.”
Tan says the best practice is not to share any of my financial information unless absolutely necessary. Giving my employer my bank data for direct deposit or the IRS for tax payments is fine, but that's about it. She adds that my account number, which is specific to me personally, “is definitely more secret” than my routing number, which is a nine-digit code that identifies my bank.
But I should keep both close to the chest. And if I get a call, text or email saying it's from my bank, I should proceed with caution. The best response is to refrain from providing personal information, hang up and instead reach back out to them using official channels.
The bottom line
Scammers are smart, patient and everywhere: Americans reported nearly 1.4 million cases of identity theft to the Federal Trade Commission last year. So while my bank account information isn’t necessarily top secret, it’s absolutely worth protecting.
It shouldn't be an issue if the only data a fraudster has is my bank account number — “but the problem is, in this day and age, there's a lot of information people can find out about you just by Googling [and using] the dark web,” Tan says. “Don’t give people that opportunity.”