Monday, June 7, 2021

CRED App | A privacy disaster | Better to avoid it

Should you download and sign up for CRED?

Short answer: No

Long answer 

So recently I saw this Rahul Dravid ad on TV. It is indeed a really funny ad, and I am sure CRED has gotten a lot of mileage from it.

So the CRED app concept, at least for the consumer, is very simple:

  • Pay Credit card bills (On time apparently) 
  • Get reward points 
  • Use them to buy stuff from the CRED app.
    • Mostly coupon and discount offers.
    • But products are also available. 
The best parts of the app are its great UX and what it is actually trying to offer.

But there are lots of red flags.

They have deep hooks into your financial information. They take consent and pull your Experian credit report.

OK, that is not bad. I think all financial apps are doing it, and at least they are open about it.

WhatsApp integration is mandatory at sign-up; you can't deny it while creating the account. In times where WhatsApp has become the antonym of privacy, it sure looks like a red flag, though you can disable this integration within the app. This is certainly sneaky behavior right at the start.

Phone Access Required

  • Phone (mandatory)
    • It is a mandatory permission, required if you want to set up UPI.
  • SMS
    • But unlike other apps, they don't say that they will not read your SMS and store it on their service; it is not just for OTP, it is for knowing your financial information on the fly.
  • Location
    • To show you offers (Ads) according to your location

It wants full read access to your email!

They want to read your credit card statement. But they do not ask you to set up a mail forward rule in your email; they want full read access to your primary email account. And for a gullible user who is too desperate to use CRED because of all the "FREE" stuff it is providing, it is not even optional. You can see in the screenshot below that they have not even given a skip button for this step while signing up. You have to click on Activate now, and it will take you to your email read authorization page.

As I expected, it wants access to all your emails.


It does not even look like a skippable step, as there is no skip option. But I got spooked when they asked for full email access, so I cancelled the authorization request and came back. Then suddenly the skip option showed up in pale grey at the top right. This is a major red flag. This is a barely 2-year-old startup with a big valuation of $800 million and losses of Rs 420 Cr in two years. Even with all of their good intentions, we should not trust it with our full email access. They primarily want the credit card statement, and they could have easily asked the user to set up an email forward for this analysis rather than asking for full email access.

In fact, when I set up the app, I did the same. I created one more email account and just set up the credit card email forward to that account. CRED has no issue reading from that mail. They don't even ask for the password of the statement, as they already have all the information they need to decipher your password. Great naa! They could have just asked the user to set up a mail forward for the credit card statement to a personalized CRED email address linked with your account. But they don't want that; they want your primary email, because now they have considered that dummy (by usage) email account as my primary email account.

I think what they were going for is simplicity of setup for a non-techy, gullible user, but they have not even considered the mail forward option as a secondary choice. Even if we think they are legally bound to read just your opted-in credit card statement, they are not. As per their User License Agreement (ULA), they can access not just the opted-in credit card statement email but all financial emails. Below is the section of their ULA:
We only read emails from financial service providers including banks and credit card issuers and do not open, read or access any personal e-mails. We hereby confirm that we do not access any other personal information. 
It means they can read emails from all financial services: not just the credit card you opted in with, but other banks and your secret stash account.
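
To make the difference concrete, here is an added example (not part of the original post and not CRED's code) that compares what each access model exposes on a small constructed inbox. All senders, domains and the forward rule are assumptions made up for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample inbox: every sender, domain and subject is made up.
RAW_INBOX = [
    "From: statements@cards.examplebank.test\nSubject: Your credit card statement for May\n\n...",
    "From: alerts@savings.otherbank.test\nSubject: Account balance alert\n\n...",
    "From: friend@mail.test\nSubject: Weekend plans\n\n...",
    "From: statements@cards.examplebank.test\nSubject: Offer: upgrade your card\n\n...",
    "From: hr@employer.test\nSubject: Salary slip for May\n\n...",
]

# Assumption: domains that count as "financial service providers".
FINANCIAL_DOMAINS = {"cards.examplebank.test", "savings.otherbank.test"}
# Assumption: the one card issuer address the user opted in with.
OPTED_IN_SENDER = "statements@cards.examplebank.test"


def sender(msg):
    """Return the bare, lower-cased address from the From header."""
    return parseaddr(msg["From"])[1].lower()


def full_read_access(msg):
    # Full mailbox authorization: technically every message is readable.
    return True


def financial_senders_only(msg):
    # The policy wording: any bank or card issuer. With full access granted,
    # this filter runs on the app's side, so it is a promise, not a limit.
    return sender(msg).rpartition("@")[2] in FINANCIAL_DOMAINS


def forward_rule(msg):
    # A forward rule runs in the user's own mailbox, so only matching
    # messages ever leave it.
    return sender(msg) == OPTED_IN_SENDER and "statement" in msg["Subject"].lower()


def exposure(raw_inbox):
    """Map each access model to the subjects of the messages it exposes."""
    msgs = [message_from_string(raw) for raw in raw_inbox]
    models = (full_read_access, financial_senders_only, forward_rule)
    return {m.__name__: [x["Subject"] for x in msgs if m(x)] for m in models}


if __name__ == "__main__":
    for model, subjects in exposure(RAW_INBOX).items():
        print(f"{model}: {len(subjects)} of {len(RAW_INBOX)} -> {subjects}")
```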

Overall, after looking at a lot of YouTube videos, and even after watching a few hours of Kunal Shah talking about the app himself, I still ended up scratching my head over how the app is going to earn money, and it seems like a borderline fraud (which I am sure it is not).

But surely it's delta 4 bullshit. I came to know about CRED from the TV ad only, and I think the majority of the users came to know about it, which they earned by burning lots of cash by giving users lots of free goodies and stuff at the start. Later, there are lots of reviews on Google Play saying the rewards are not what they used to be.

So again, this seems to be a glorified Freecharge, and the strategy is to gain the trust of users who actually earn money; a 750+ Experian credit score will make sure of it.

So you get fed up and you want to delete your email account!

Welcome to the club. They don't have a delete button; you have to contact chat support to delete it. After a 5-10 minute wait, they will put in a request to delete the account,

but they will retain:
  • All your card information
  • The financial transactions
  • Your statement information
  • The financial mails they have already read, because of audit reasons

Because I put in the delete request, they told me that they would withhold most of the financial information and then delete my account. Remember to deauthorize your email access too.

But when I opened the app in the evening, just to check whether it got deleted or not, they skipped the account creation step in a second and activated my account again, and all the financial information was just there. So signing up for CRED is a one-way street.

All I understand is that what they are doing is barely legal, and they should not withhold or even ask for access to the user's account.

In my opinion, if you like your financial privacy, this is an app best avoided. You will get free stuff for a few months, but they will have your financial information for eternity, and if you don't know how to deauthorize a service from your account (which is pretty simple, google it), they will have your email access too.


