Identity theft for the hip blogger on-the-go?

Summary: Xpenser allows users to send their expense information to a hosted spreadsheet using SMS, IM, Twitter and Jott. Security risk, anyone?


I was minding my own business on Twitter last night when I saw a tweet from Laura Fitton that said, "totally stoked i can now tweet expenses to myself at the point i incur them (and IM, email, SMS too)." I did an immediate double-take. I think my audible reaction was, "Eek!"

Turns out that Fitton was talking about a free service called Xpenser. Here's a quick snippet in the company's own words:

We were fed up with how painful expense reports and tracking were. After many experiments we found a workable solution: record expenses as soon as they happen and forget about them.

Xpenser lets you do just that - record expenses via whatever means are available to you quickly and painlessly. Send them in via Email, SMS, IM, or voice (call a number and say your expense). From your Blackberry, email "Lunch 78.50 with BigClient" and it's recorded. From your phone, SMS "exp groceries 27.13". From your computer, IM "Equipment 889.19 backup server". From your phone, call and say "taxi 39 office to airport". Use the Web interface to edit and finalize them or export them to your favorite financial management software. No more forgetting your cash expenses, no more half-day expense entry sessions.

I'm not against online expense services as a whole (I know a lot of people who use and love FreshBooks). My concern with Xpenser is the data in transit from other Web-based services, some of which have been notoriously insecure at times. Users can send these expenses via instant message, Twitter, SMS, Jott, etc. From what I understand, all of this feeds into a simple hosted spreadsheet that appears from the demo to only include dollar amounts and expense types, but that's just the demo. Since true expense management includes relating your expenses to the type of account you used to pay them, isn't there a risk that some users would list their account numbers or account types? Hard to tell from the demo -- and nothing is written on the site to address this concern. Nor is there anything written that tells less-than-savvy Internet users how not to use this service in order to protect themselves.

It's akin to writing private information on a piece of paper and throwing it in the trash can. There's a very slim chance that anyone will find it -- but there is still a chance.

Some people might say that Xpenser is an OK service if one knows better than to include account names and numbers but, quite frankly, I don't want to put out there even the slightest bit of information that could allow a hacker to financially profile me, or even my small business, and give them added incentive to compromise any other part of my financial life.

This, to me, is one scary step away from the "Twitter as a PayPal killer" mumbo jumbo that was circulating around the Web a month or so back. As progressive as I feel about social networking tools I still feel we are a long way from trusting them with our financial records.

When I threw this over to a couple of security friends via email last night, one of the replies I got back was, "Good gravy, Xpenser sounds terrifying."

When I commented on my continued shock this morning, Twitter pal Grant Beery, of the hockey blog Daily Deke, said, "Identity theft for the hip blogger on the go" (and thus the inspiration for my headline).

These folks get it. I don't even know that Xpenser gets it. I dug through the site's FAQ and blog and found nothing relative to security. Are people not asking these questions? The thing is that Xpenser may be able to secure its site to the hilt (well, to some degree) but it cannot assure security of the services transmitting the data. So why trust it?

  • ewww

    Totally insane. We're having enough problems with REGULAR identity theft, and everyone knows IM messages aren't secure; look at that congressman who got his page fetish exposed in national news. No thanks, I'll stick with a standard spreadsheet and trustedid.
  • RE: Identity theft for the hip blogger on-the-go?

    I think you missed the point of the service. It's not a comprehensive financial management solution. It's simply a way to track what you spend when you take money out of your pocket. If you sign up, you'll see that all you can create is a list of expenses with 4 fields: date, amount, expense type, and notes. No linking to bank or credit card accounts, or anything of that nature (as of right now). I travel nearly every week for my job. Recording expenses for reimbursement is painful and I'm always wondering if I'm shortchanging myself. Receipts get lost, I forget to write things down, etc. Xpenser is an easy way to record cash expenses in a central place. I don't see why you'd include account numbers in the notes field, but if you're foolish enough to do that, I suppose you deserve what you get. I'm not worried about someone knowing that I spend $10+ every day on lunch. Worst case, I'll get spammed with diet ads.