New Schwab Web Express Security

I was used to downloading my data directly from Schwab and it worked fine.
Now I am being asked to use this new Web Express Interface. I am wondering how secure is my data. Does it go directly to my desktop software or is is also kept at Quicken. chwab has this Data Security Guarantee but then has some weasel words if you give your passwords or info to a 3rd party.
Does anyone know the pat of our data? Is it US->Log in at Quicken and Schwa_> Schwab downloads data to Quicken online and they in turn send it to our desktop or are we dealing directly with Schwab and Quicken merely provides a shell but never has our data or other info unless we ask them to store it in the cloud? It looks like Schwab has a few providers including Intuit, Mint and a few others that they have collaborated with, but Quicken is not mentioned. In fact you can't find any info on Schwabs site about quicken. I just don't want to chance that Quicken uses the data for other purposes, shares with partners or worse is hacked and I loose all of my retirement money.

does anyone have any insight?

Answers

  • Chris_QPW
    Chris_QPW Member ✭✭✭✭
    Express Web Connect + (or just regular Express Web Connect) has this communication path.
    Quicken -> QCS (Quicken Connections services/Quicken Cloud dataset) -> Intuit -> Financial institution's website.

    The + part talks mainly on how the Intuit server talks to the financial institution.  The + implies using newer API and protocols for logging in and getting the data.  Instead of a username and password it uses a rotating certificate, so that part should be more secure than non plus Express Web Connect.

    So, the data is fetched from Schwab, stored on Inuit servers, where Quicken servers retrieve it, and store it on their servers, which then the cloud sync, syncs it back to the Quicken (and the Desktop data file).

    You mention Intuit/Mint which is very appropriate because it is one of the "aggregators" did this same switch.

    In the case of all the other "aggregators" this would represent increased security, because the data was already being stored on the aggregator's server, but logging in using the username and password.  Schwab has said they have more than 4 aggregators accessing their customer data.

    In the case of switching off Direct Connect, which isn't like the "aggregators", in my opinion the risk goes up because of the extra places the data is now store.  The use of rotating certificates is better though.  Of course, then we are talking about your machine getting hacked in comparison to a server that is on the Internet.  Given that they could have done the same rotating of certificates with Direct Connect, I definitely think this path the industry is taking the wrong one.  But given that in the US "aggregators" are the norm, and that Schwab doesn't want to support multiple connection methods going forward, this probably the future.  The Quicken CEO certainly seems imply that is it a great thing that will be rolled out to more financial institutions in the future, ironically in the email he sent out where he apologized for the bad conversion to Express Web Connect + for Schwab.
    Signature:
    (I'm always using the latest Quicken Windows Premier subscription version)
    This is my website: http://www.quicknperlwiz.com/
  • Sherlock
    Sherlock SuperUser ✭✭✭✭✭
    When we use the Express Web Connect connection method, Intuit servers attempt to pull our data from the financial institution overnight.  When we use the Quicken program, Quicken for the Web, or the Quicken Mobile app, a Quicken server pulls the data from the Intuit servers.
  • Chris_QPW
    Chris_QPW Member ✭✭✭✭
    For what it is worth, I don't think these days that the fetching of the data by the Intuit servers is strictly "overnight".  For some financial institutions it seems to be both happening when the user runs One Step Update and overnight too.
    Signature:
    (I'm always using the latest Quicken Windows Premier subscription version)
    This is my website: http://www.quicknperlwiz.com/
This discussion has been closed.