why does Chase need to share data with quicken?

alocksley

As part of the conversion process for Chase accounts in quicken there's a notification -- not an option -- that Chase will share data with intuit. Was this always the case or is this new with the changes in connecting to Chase thru quicken?

Frankx

Hi @alocksley

If you have been "connecting" or updating your accounts with Chase (and/or other financial institutions) using either the Direct Connect or Express Web Connect methods, Chase has been sharing certain data with Intuit as a part of that updating process - this has always been the case and is not new.  Data is passed between Chase and Intuit (which is involved in this process as a Quicken subcontractor) to Quicken to effect the downloads. 

That notification is just legalese to protect the parties from potential lawsuits should your data should become compromised or if other problems develop.

Frankx

Chris_QPW

@Frankx I would note that there is a very big difference between the data Direct Connect shared, and what Express Web Connect methods share.  Direct Connect is between Quicken and the financial institution, it doesn't go through Intuit to get the transactions.  Express Web Connect methods do, and they also go through Quicken Inc's servers.  So, for some period of time your transaction are on both Intuit's and Quicken Inc's servers.

alocksley

So if someone compromises intuit what's the exposure?

Chris_QPW

alocksley said:

So if someone compromises intuit what's the exposure?

With Express Web Connect + no usernames or passwords are stored on Intuit servers.  So, the "exposure" would be whatever transactions happen to be on the Intuit server at the time.  It is "known" that transactions are stored there for some period of time so that Quicken can retrieve them, but they have never specify how long they are kept.  Note the transactions are also stored on Quicken Inc servers, and again they have never specified how long they are kept there when using Express Web Connect or Express Web Connect +.  For Sync to Mobile/Web which uses the same syncing system/dataset storage it is forever.

With Express Web Connect the username and passwords were stored on the servers, but they say they were encrypted.

Note nothing has ever been stated on if the transactions are stored encrypted or not.

Chris_QPW

I should also state the Express Web Connect/Express Web Connect + are "read-only" connection methods.
No one can use them to do things like transfers or such.

alocksley

Thanks

mshiggins

alocksley said:

So if someone compromises intuit what's the exposure?

I would be also be asking about exposure if Quicken Inc is compromised. 

Chris_QPW

mshiggins said:

alocksley said:

So if someone compromises intuit what's the exposure?

I would be also be asking about exposure if Quicken Inc is compromised. 

Yes, I tried to cover that even though it wasn't asked.

I think the answer is basically the same as Intuit, with maybe the exception that Quicken Inc's servers might retrain the transactions longer.

Chris_QPW

P.S. My answers were only for downloading transactions.  Other services like Quicken Bill Manager, Credit score, ... are another can of worms.

alocksley

Thanks

mshiggins

Chris_QPW said:

mshiggins said:

alocksley said:

So if someone compromises intuit what's the exposure?

I would be also be asking about exposure if Quicken Inc is compromised. 

Yes, I tried to cover that even though it wasn't asked.

I think the answer is basically the same as Intuit, with maybe the exception that Quicken Inc's servers might retrain the transactions longer.

I was thinking more along the lines of the differences between the two companies - Intuit and Quicken Inc - and would that factor into the risk of compromise. 

Chris_QPW

@mshiggins good point.  I sort of lump them together because at least on the surface they "talk" about security (and marketing for that matter) pretty much the same way.

In other words, I don't trust either more than the other, but I trust my understanding of what is "out there" enough not to worry about it.  I think my usernames and passwords are pretty secure (only use Direct Connect), but even if I used Express Web Connect I believe them when they say they store them encrypted.  People have to realize that none of the major encryption systems have yet been broken.  As long as people are using long, and different passwords for everything they should be OK in my opinion.

As for the transactions.  I don't see how see how that really gives hackers and real useful information.

EDIT and just to be clear, 20 character is a very long password, it doesn't have to be greater than the 32 characters allowed like some people think.

thecreator

From Release Notes:

Release R43.20 (US Versions, September 2022)

Before you install this update, we recommend you perform a One Step Update to ensure that your data is synced to the cloud. You should also make a backup of your data file.​

What’s Fixed

• While reauthorizing Chase accounts, even though accounts were linked, existing account names that are linked were not shown. Also, in some cases accounts were not linked automatically, causing duplicate accounts.