I was minding my own business on Twitter last night when I saw a tweet from Laura Fitton that said, "totally stoked i can now tweet expenses to myself at the point i incur them (and IM, email, SMS too)." I did an immediate double-take. I think my audible reaction was, "Eek!"
Turns out that Fitton was talking about a free service called Xpenser. Here's a quick snippet in the company's own words:
We were fed up with how painful expense reports and tracking were. After many experiments we found a workable solution: record expenses as soon as they happen and forget about them.
Xpenser lets you do just that - record expenses via whatever means are available to you quickly and painlessly. Send them in via Email, SMS, IM, or voice (call a number and say your expense). From your Blackberry, email "Lunch 78.50 with BigClient" and it's recorded. From your phone, SMS "exp groceries 27.13". From your computer, IM "Equipment 889.19 backup server". From your phone, call and say "taxi 39 office to airport". Use the Web interface to edit and finalize them or export them to your favorite financial management software. No more forgetting your cash expenses, no more half-day expense entry sessions.
I'm not against online expense services as a whole (I know a lot of people who use and love FreshBooks). My concern with Xpenser is the data in transit from other Web-based services, some of which have been notoriously insecure at times. Users can send these expenses via instant message, Twitter, SMS, Jott, etc. From what I understand all of this feeds into a simple hosted spreadsheet that appears from the demo to only include dollar amounts and expense types, but that's just the demo. Since true expense management includes relating your expenses to the type of account you used to pay them, isn't there a risk that some users would list their account numbers or account types? Hard to tell from the demo -- and nothing is written on the site to address this concern. Nor is there anything written that tells less-than-savvy Internet users how not to use this service in order to protect themselves.
It's akin to writing private information on a piece of paper and throwing it in the trash can. There's a very slim chance that anyone will find it -- but there is still a chance.
Some people might say that Xpenser is an OK service if one knows better than to include account names and numbers but, quite frankly, I don't want to put out there even the slightest bit of information that could allow a hacker to financially profile me, or even my small business, and give them added incentive to compromise any other part of my financial life.
This, to me, is one scary step away from the "Twitter as a PayPal killer" mumbo jumbo that was circulating around the Web a month or so back. As progressive as I feel about social networking tools I still feel we are a long way from trusting them with our financial records.
When I threw this over to a couple of security friends via email last night, one of the replies I got back was, "Good gravy, Xpenser sounds terrifying."
When I commented on my continued shock this morning, Twitter pal Grant Beery, of the hockey blog Daily Deke, said, "Identity theft for the hip blogger on the go" (and thus the inspiration for my headline).
These folks get it. I don't even know that Xpenser gets it. I dug through the site's FAQ and blog and found nothing relative to security. Are people not asking these questions? The thing is that Xpenser may be able to secure its site to the hilt (well, to some degree) but it cannot assure security of the services transmitting the data. So why trust it?