nav[aria-label="Primary Navigation"] { padding: 0; & ul { list-style: none; width: 100%; display: flex; flex-direction: row; justify-content: start; align-items: start; gap: 30px; padding: 0; & li { margin: 0; } & ul li { list-style: none; } } }

Is this info being shared with Quicken ?

SmokeyToo

Even though I dont use quicken web/in the cloud?? Schwab cant answer... By re-authorizing and NOT using the cloud/web, is quicken still getting access to my info? Tks

Find more posts tagged with

Comments

Sherlock

When the Express Web Connect connection method is set up, you are authorizing Intuit's server to pull your data using the sign-in account at the financial institution and Quicken Inc. to pull the data from Intuit's server.

SmokeyToo

Is Express Web Connect is the only type of connection now utilized for Schwab investment accounts?

So if i understand your answer, if i re-authorize my schwab investment accounts, even though all my info is local on my pc, i am authorizing quicken to log into my schwab account, send my data to their servers then back to my computer?

Tks

Sherlock

SmokeyToo said:

Is Express Web Connect is the only type of connection now utilized for Schwab investment accounts?

So if i understand your answer, if i re-authorize my schwab investment accounts, even though all my info is local on my pc, i am authorizing quicken to log into my schwab account, send my data to their servers then back to my computer?

Tks

Schwab is only the fourth financial institution to decide to rely exclusively on the Express Web Connect connection method for investment accounts.

Intuit and Quicken are two distinct companies. You are authorizing Intuit to access your Schwab account and Quicken Inc. to pull the data from Intuit.

Note: The Quicken program contacts a Quicken server. The Quicken server contacts the Intuit server. The Intuit server contacts the financial institution's server.

SmokeyToo

Hummm. This is really getting confusing now. So In all this Schwab / Quicken re-authorization stuff I don’t see Intuit listed anywhere. Maybe off topic now, but is intuit maybe who they might mean (amongst others) when it says with whom your information will be shared with?? I guess we can only guess….

Chris_QPW

Quicken Inc pays Intuit for the Express Web Connect service. Intuit deal with the actual connection to the financial institutions.

The connection flow is:

Quicken (the program) syncs with QCS (Quicken Connection service which stores transactions in the Quicken cloud data set on their server)
QCS connects to the Intuit servers and places request for the transaction data and when retrieved stores it in the Quicken Cloud data set.
Inuit contracts with the financial institutions to download data/transactions as an "aggregator". What method/API is used varies between financial institutions. When it retrieves data/transactions it stores them on its servers so that it can service the requests from QCS for those data/transactions.

Note QCS is the same system used for sync to Mobile/Web, except that if you haven't turned on sync to Mobile/Web that data can't be viewed through Mobile/Web.

SmokeyToo

so, to confirm - even though i do not use quicken in the cloud, mobile or web, just resident on my pc, under the new re-authorization process, if i agree, quicken and intuit and whomever else they share my info with will have access to all my accounts history, holdings, balances, etc. that i choose to sync from/with Schwab investmets accounts?

Chris_QPW

SmokeyToo said:

so, to confirm - even though i do not use quicken in the cloud, mobile or web, just resident on my pc, under the new re-authorization process, if i agree, quicken and intuit and whomever else they share my info with will have access to all my accounts history, holdings, balances, etc. that i choose to sync from/with Schwab investments accounts?

Yes, and no. In the case of Express Web Connect it has been stated the Intuit only caches a limited timeframe of transactions (maybe 30 to 90 days, they didn't state an exact amount). As for what is stored on the Quicken server, they have never stated how far back they keep for Express Web Connect. For sync to Mobile/Web they start with a sync of two years, and don't delete anything. This may or may not be how much they sync when it is Express Web Connect only. They aren't telling.

So, the part of your statement that might not be true is "all", but the rest for a limited timeframe they are definitely storing transactions, holdings, and balances.

Sherlock

SmokeyToo said:

so, to confirm - even though i do not use quicken in the cloud, mobile or web, just resident on my pc, under the new re-authorization process, if i agree, quicken and intuit and whomever else they share my info with will have access to all my accounts history, holdings, balances, etc. that i choose to sync from/with Schwab investmets accounts?

Any data entered in Quicken may already be shared as you have accepted Quicken's Terms of Use:

Image: https://us.v-cdn.net/6031128/uploads/editor/c8/hhhdf69ggtq1.png

SmokeyToo

Thank you both. I guess this last part, “ You hereby waive any of your moral rights in any of your Content, Credentials, and other information in
favor of us, our Suppliers and each of our affiliates.”
Releases them or affiliates from any responsibility if the customer accounts are hacked and heisted , mine or whosoever?? In other words, use at you own risk?

Sherlock

SmokeyToo said:

Thank you both. I guess this last part, “ You hereby waive any of your moral rights in any of your Content, Credentials, and other information in
favor of us, our Suppliers and each of our affiliates.”
Releases them or affiliates from any responsibility if the customer accounts are hacked and heisted , mine or whosoever?? In other words, use at you own risk?

That is not the legal definition of moral rights but the Terms of Use does clearly states where your use of the product is at your own risk.

Chris_QPW

I have yet to find a terms of use for a software program that doesn't include a statement like this:

The software is provided "AS IS" without any warranty, either expressed

or implied, including, but not limited to, the implied warranties of

merchantability and fitness for a particular purpose.

The definition of Moral right is interest (and not you are waving your).

I read this as basically saying you can't complain that your data is "yours" and they can't use it without your permission.

SmokeyToo

Thanks again. This https://www.quicken.com/terms-of-use
Should be enough to scare anyone away!

SmokeyToo

Just heard back from Schwab the other day. If ones account gets hacked from data being gotten from Quicken or the aggregator - user id, etc... Its not covered by the Schwab Security Guarantee.

"n regards to Quicken, if Schwab clients shares credentials with Quicken and there is fraud through that avenue, the Schwab Security Guarantee would not apply. Clients would need to pursue Quicken to cover the losses if the account access came through that channel."

Chris_QPW

SmokeyToo said:

Just heard back from Schwab the other day. If ones account gets hacked from data being gotten from Quicken or the aggregator - user id, etc... Its not covered by the Schwab Security Guarantee.

"n regards to Quicken, if Schwab clients shares credentials with Quicken and there is fraud through that avenue, the Schwab Security Guarantee would not apply. Clients would need to pursue Quicken to cover the losses if the account access came through that channel."

There isn't any way Quicken Inc or actually more properly (depending on where the hack really is) Intuit are going to cover the expenses of hack. First off, the license agreement clearly states, "As is" and other words that means they are responsible for such. There isn't any guarantee about security.

Second Quicken Inc is too small of a company to pay for such a breach. Intuit maybe, but again there isn't any kind of security guarantee.

And for the people that think that using Direct Connect buys them a guarantee with their financial institution, they should read some of the details of what they are agreeing to. I have certainly seen in a few of them that when they turn on Direct Connect, they don't guarantee the security through it.

SmokeyToo

I was talking about schwab. Not quicken covering the loss - if any. Quicken is quite clear too - they only will be responsible for the subscription cost I think is what I saw and not any other assets stolen. Schwab will not be responsible if the data are breached from and bc of quicken. So, the user uses at their own risk. I was just saying that if any of this applies, the Schwab Security Promise wont protect the user.

Q97

Doesn't the new Schwab EWC+ authentication process store only a read-only access token with the aggregator? If so, the worst that could happen if this token is compromised is that someone could view your account data. With standard EWC, you are storing your actual FI password with the aggregator. If this is compromised, far worse things (like complete access to your account, including the ability to transact) are possible.

Chris_QPW

Q97 said:

Doesn't the new Schwab EWC+ authentication process store only a read-only access token with the aggregator? If so, the worst that could happen if this token is compromised is that someone could view your account data. With standard EWC, you are storing your actual FI password with the aggregator. If this is compromised, far worse things (like complete access to your account, including the ability to transact) are possible.

The token is better than storing the username/password for sure. That is in fact one of the main reasons that Schwab is going to it. Between standard Express Web Connect and Express Web Connect + that is using rotating tokens (OAuth2) clearly this is better.

But note that in the case of the investment accounts that isn't what is happening.
With Direct Connect the connection if straight from Quicken to the financial institution, so neither the credentials nor the transactions are stored with a third party.

So, for all the other "aggregators" that Schwab has this is definitely an improvement, but for switching out Direct Connect it is "questionable". Ideally financial institutions would go to Direct Connect with OAuth2 security (and Quicken, the program, would have to implement this too), but that just isn't happening.

How much a hacker can do with access to your transactions, it probably debatable too.

SmokeyToo

So if the new way is better, safer and more secure why Schwab will no longer stand behind the longtime Security Promise? For some reason, it’s still good for Quickbooks.

Chris_QPW

SmokeyToo said:

So if the new way is better, safer and more secure why Schwab will no longer stand behind the longtime Security Promise? For some reason, it’s still good for Quickbooks.

That sounds like a question for them. We certainly can't answer that kind of question.

EDIT P.S. Note that not all decisions made by a financial institution are based on technical facts. And they can be made by people that are more concerned with protecting the financial institution than learning about the real risks.