The Security Risks of Wage-Access Apps: What Most Users Don’t Realize

Because of their relatively simple premise, giving users access to a portion of their paycheck before payday, wage-access applications have become increasingly popular. However, that advantage comes at a cost: the infrastructure that accesses an employer's paystub data, confirms an employee's hours worked and how he or she is compensated, and links the employer and the app directly to the employee's bank account creates a complex data environment that the user typically is not aware of or exposed to.

EarnIn data breach: It was recently brought to the public's attention that a hacker accessed personal information through the EarnIn application. The incident shed light on how much sensitive information wage-access applications collect, and why a security breach of this nature poses a greater risk than similar breaches within the traditional banking industry.

All wage-access applications must verify that an individual is currently employed, and must also verify the individual's weekly hours worked and wage patterns. For this verification to take place, wage-access applications require access to:

  • An individual’s full legal name.
  • An individual’s date of birth.
  • An individual’s Social Security number.
  • An individual’s home address.
  • An individual’s complete bank account information.
  • An individual’s estimated employment/income.

With this information, a wage-access app can build a detailed profile of each employee, one that can be more extensive than what may be provided to a traditional bank.

The Hidden Layer: Employment and Earnings Data

A number of wage-access providers base their earnings estimates on previously collected data (including for temporary workers), which reflects each employee's spending habits, deposit and withdrawal patterns, frequency of employment, payroll cycles and transactions.

By monitoring this behaviour, criminals can develop impersonation schemes, anticipate salary payments, or commit theft and fraud that undermines the financial stability of the account holder.

Why This Data Is a Target for Criminals

Identity, banking and employment information (including that of temporary workers) together create the full identity profile and pattern that criminals need to engage in:

  • Account hacking
  • Applying for loans, mortgages, etc. using another person’s identity
  • Redirecting employees' paychecks
  • Targeted phishing attacks based on employer/payroll information
  • Filing false tax returns

As technology evolves, cybercriminals can tell when and where employees will receive their salaries, and use that knowledge to create convincing disguises.

The Issue: Integrating Many Systems and Third-Party Integrations

To process payments quickly, many wage-access apps integrate multiple systems (such as payment processors and employment verification) across multiple environments, and this creates multiple entry points for hackers.

If a hacker were to penetrate one system's security, thousands of records could be exposed, even if the wage-access app's own database was never compromised.

Most users perceive wage-access apps as a tool to access pay sooner. Most are unaware of how many different types of Personally Identifiable Information (PII) are transmitted through a wage-access app. These include:

  • Personal details (identity)
  • Financial information
  • Employment history and work history
  • Behavioral trends, etc.

Connecting all these categories of data creates large amounts of PII that a hacker could easily acquire and use to build a profile of an individual, without the individual being aware they have been hacked.

Recent events, such as the EarnIn incident, have provided insight into the level of security that early-wage-access apps need in order to protect sensitive customer data as they continue to grow.

Understanding how much data consumers share is the first step in protecting against becoming a victim of fraud.