on 10/13 I started to convert by connection to BofA. BofA required I agree to shre my login info

Phil Pecora

with third party: quicken (Intuit). I was relunctant but I decided to try it. The connections worked OK to download. However I expected that On a second attempt to connect to the bofa that I would be prompted for my password. It did not. I always was being prompted for the password before when using Direct Connect. So I am thinking that my password is being stored somewhere. Does anyone else experienced the BofA request to share the login credential? do you normally enter your password when using quicken to connect to BofA?

Boatnmaniac

Yes, DC does require a PW to be entered (either manually or via the PW Vault) when updating the account. 

EWC does not because the login information is saved on the aggregator's server.  This needs to be done because the aggregator connects with and downloads from the financial institutions at night.  It's been like this for some time now.

The new connection method being used by BOA is EWC+.  This new connection method requires one to log into the BOA website during the online services setup process.  Then BOA authorizes the Quicken connection and provides Quicken a token.  It is my understanding that this token is then saved on the server and is used instead of a PW when the aggregator obtains the downloaded account data (which is typically done at night).

You can read more about the methods Quicken uses to connect to financial institutions here:  https://www.quicken.com/support/how-quicken-connects-your-bank.  Note that this Support Article has not yet been updated to include EWC+ but that request has been submitted.

Does this answer your question?

Phil Pecora

Thank you, but I have additional question. Can the token be stolen and used to login to my bank account? About the aggregator is this new with this new process? In the past anytime I wanted to download my "new posted transaction data" I would just connect (update) and I would get the list of transactions to review and accept per my review for all accounts with BofA. What company is responsible for the aggregator server? is my bank data then duplicated in other servers besides BofA?

Chris_QPW

Phil Pecora said:

Thank you, but I have additional question. Can the token be stolen and used to login to my bank account? About the aggregator is this new with this new process? In the past anytime I wanted to download my "new posted transaction data" I would just connect (update) and I would get the list of transactions to review and accept per my review for all accounts with BofA. What company is responsible for the aggregator server? is my bank data then duplicated in other servers besides BofA?

The actual protocol for the security tokens is OAuth2, which is very secure.  The token is changed for every access.

The aggregator is Intuit and other than the new protocol between Intuit and the financial institution it is the same as Express Web Connect.
Here is some more information on it:
https://community.quicken.com/discussion/7916268/my-explanation-of-the-different-term-services-that-quicken-has-provides-and-provided-in-the-past