My explanation of the security of the different connection types.
Chris_QPW
Quicken Windows Subscription Member ✭✭✭✭
I feel that Quicken Inc's explanations of the different connection types leave a lot to be desired when they talk about "security", and also when the financial institutions talk about security.
Direct Connect: the username and password are only stored in Quicken's encrypted Password Vault and sent directly to the financial institution through a secure communication connection (HTTPS). Has commands to allow for transfers between accounts and syncing with the financial institution's bill payment system.
Express Web Connect: the username is stored in Quicken's Password Vault, and the username and password are also stored on Intuit's server (hopefully encrypted), used over a secure connection with some agreed method of downloading and logging in as the user, subject to all the same login protocols such as multi-factor authentication.
Express Web Connect +: no username and password. The FDX protocol from Intuit to the financial institution uses the OAuth2 protocol for logging in, which exchanges secure tokens that ensure it is the Intuit server that it is talking to, because only Intuit can generate the given security token. Note it isn't subject to the multi-factor authentication that the user uses to log into the financial institution's website, because OAuth2 already has measures in place to ensure that it is secure.
It should also be noted that the OFX protocol that Quicken's Direct Connect uses also supports using OAuth2, but neither Quicken Inc nor any of the financial institutions it deals with have implemented it.
So, what are the security risks of each? I'm going to start with Express Web Connect. The majority of "aggregators" like Intuit that want to access these financial institutions have been using a model like Express Web Connect where the username and password are stored on the aggregator's server. Needless to say, this makes the financial institution quite nervous from a security standpoint, having to hope that the aggregator has stored their customers' usernames and passwords securely, given that those usernames and passwords can give someone direct access to the accounts. So, it is very clear why the financial institutions want to get rid of this for security reasons, not to mention standardizing on one protocol instead of maybe having different aggregators use different ways to access the data.
For Direct Connect, even though the username and password are only on the customer's machine, that machine can be compromised pretty easily given that most people know nothing about keeping their machines secure. The encrypted Password Vault isn't much of a protection, since a virus can capture everything you type, including the password to open the Password Vault. Clearly it would have been nice if the industry had adopted OAuth2 in the OFX protocol, but note that aggregation has become the standard (mostly because the financial institutions adopted nothing as a standard), and as such that is what they are mostly going to be thinking of for any future planned changes.
Direct Connect with "bill pay" turned on adds the added risk that, through Quicken, transfers and bill payments can be sent. This is definitely both a feature and a security risk.
I think you will find that most long-time users/SuperUsers trust their ability to keep their machines secure, and therefore the access to Direct Connect, and as such don't consider it the security risk that, say, Quicken Inc or the financial institutions might. But there it is.
I have heard some pretty ridiculous statements about why Express Web Connect + is more secure than Direct Connect, like "Express Web Connect + is 'double encrypted' and Direct Connect isn't," which makes no sense at all. So, with statements like that it is really hard to trust their evaluations, but in truth, as far as logging into the financial institution and such, it is clear to me that FDX with OAuth2 is more secure than OFX without it. To what degree it is more secure is a matter of opinion.
But there is one other thing to consider. Direct Connect never stores your transactions on a third-party server. Express Web Connect and Express Web Connect + do. Both of them store your transactions on Quicken Inc servers and Intuit servers for some undisclosed period of time. Are they encrypted? No one is saying. So, one has to ask oneself if one is comfortable with that difference.
To me the ideal system would have been Direct Connect with OAuth2, but that wasn't to be.
Signature:
This is my website: http://www.quicknperlwiz.com/
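As an added illustration (not part of the original post, and not Quicken, Intuit or FDX code), here is a toy Python model of the credential-storage difference the post describes: an aggregator that keeps the user's financial-institution password, versus one that keeps only an OAuth2 access token obtained through the authorization-code flow. Every name in it (the FinancialInstitution class, the "aggregator" client, the user "alice", the two scopes) is hypothetical. It simulates an attacker who steals each aggregator's credential store and reports what each stolen secret allows: the password yields a full session including transfers; the token is limited to the read scope the user consented to, cannot be obtained from a leaked authorization code without the client secret, and stops working as soon as the user revokes it at the financial institution, with no password change needed.

```python
"""Toy model: aggregator stores the user's FI password vs. a scoped OAuth2 token.
Constructed for illustration only; not Quicken, Intuit or FDX code."""
import hashlib
import hmac
import os
import secrets

READ, TRANSFER = "accounts:read", "transfers:write"  # hypothetical scope names


def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Session:
    """What a caller may do once authenticated, limited by the granted scope."""
    def __init__(self, username: str, scope: frozenset):
        self.username, self.scope = username, scope

    def download_transactions(self) -> list:
        if READ not in self.scope:
            raise PermissionError("scope does not allow reading accounts")
        # constructed sample data
        return [("2024-01-02", -42.17, "GROCERY"), ("2024-01-03", 1500.00, "PAYROLL")]

    def transfer(self, amount: float) -> str:
        if TRANSFER not in self.scope:
            raise PermissionError("scope does not allow transfers")
        return f"transferred {amount:.2f} for {self.username}"


class FinancialInstitution:
    def __init__(self):
        self.users = {}       # username -> (salt, password hash)
        self.clients = {}     # client_id -> client_secret of registered aggregators
        self.auth_codes = {}  # single-use code -> (username, client_id, scope)
        self.tokens = {}      # access token -> (username, scope)

    def register_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = (salt, _hash_pw(password, salt))

    def register_client(self, client_id: str) -> str:
        self.clients[client_id] = secrets.token_urlsafe(32)
        return self.clients[client_id]

    def _check_password(self, username: str, password: str) -> bool:
        if username not in self.users:
            return False
        salt, digest = self.users[username]
        return hmac.compare_digest(digest, _hash_pw(password, salt))

    # Stored-password model: a valid password yields a full-privilege session.
    def login(self, username: str, password: str) -> Session:
        if not self._check_password(username, password):
            raise PermissionError("bad credentials")
        return Session(username, frozenset({READ, TRANSFER}))

    # OAuth2 authorization-code model, step 1: the user authenticates at the FI
    # itself (where the FI's own MFA would apply) and consents to a scope.
    def authorize(self, username: str, password: str, client_id: str, scope) -> str:
        if client_id not in self.clients or not self._check_password(username, password):
            raise PermissionError("bad credentials or unknown client")
        code = secrets.token_urlsafe(16)
        self.auth_codes[code] = (username, client_id, frozenset(scope))
        return code

    # Step 2: only the registered client holding its secret can redeem the code.
    def exchange_code(self, code: str, client_id: str, client_secret: str) -> str:
        expected = self.clients.get(client_id)
        if expected is None or not hmac.compare_digest(expected, client_secret):
            raise PermissionError("client authentication failed")
        username, code_client, scope = self.auth_codes.pop(code)  # single use
        if code_client != client_id:
            raise PermissionError("code was issued to a different client")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (username, scope)
        return token

    def session_from_token(self, token: str) -> Session:
        if token not in self.tokens:
            raise PermissionError("unknown or revoked token")
        return Session(*self.tokens[token])

    def revoke_all(self, username: str) -> None:
        self.tokens = {t: v for t, v in self.tokens.items() if v[0] != username}


def _allowed(action) -> bool:
    try:
        action()
        return True
    except PermissionError:
        return False


def compare_stolen_stores() -> dict:
    """Simulate an attacker who exfiltrates each aggregator's credential store."""
    fi = FinancialInstitution()
    fi.register_user("alice", "correct horse battery staple")
    agg_secret = fi.register_client("aggregator")

    stored_password = "correct horse battery staple"  # what the password-model aggregator keeps
    code = fi.authorize("alice", stored_password, "aggregator", [READ])
    stored_token = fi.exchange_code(code, "aggregator", agg_secret)  # what the token-model one keeps

    out = {}
    pw_session = fi.login("alice", stored_password)
    out["password_store_can_transfer"] = pw_session.transfer(100).startswith("transferred")
    tok_session = fi.session_from_token(stored_token)
    out["token_store_can_read"] = len(tok_session.download_transactions()) == 2
    out["token_store_can_transfer"] = _allowed(lambda: tok_session.transfer(100))
    leaked_code = fi.authorize("alice", stored_password, "aggregator", [READ])
    out["code_redeemable_without_secret"] = _allowed(
        lambda: fi.exchange_code(leaked_code, "aggregator", "guessed-secret"))
    fi.revoke_all("alice")  # user revokes the aggregator at the FI; no password change needed
    out["token_valid_after_revoke"] = _allowed(lambda: fi.session_from_token(stored_token))
    return out


if __name__ == "__main__":
    for key, value in compare_stolen_stores().items():
        print(f"{key:34} {value}")
```

The scope limit and the revocation are the concrete reasons a stored token is a smaller liability than a stored password; the model says nothing about how long either party retains the downloaded transactions, which is the separate concern the post raises.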
Comments
Here is some other information about the connection types.
https://community.quicken.com/discussion/7916268/my-explanation-of-the-different-term-services-that-quicken-has-provides-and-provided-in-the-past
Signature:
This is my website: http://www.quicknperlwiz.com/
If any Mac users see this thread: all of this applies to Quicken Mac too, except that in Quicken Mac they use the term Quicken Connect for what are called Express Web Connect and Express Web Connect + type connections in Quicken Windows, and there isn't anything in the program that lets you see which is actually being used between Intuit and the financial institution.
Signature:
This is my website: http://www.quicknperlwiz.com/
Thank you - well written. It bears emphasizing that moving from Direct Connect to Express Web Connect + is a net negative for Quicken users. It adds a third party (Intuit) in the middle of the transaction flow, exposes consumer data to Intuit that they can monetize, potentially adds costs (Intuit fees, although they collected Direct Connect license fees), slows the transfer of data and increases the chances of things going wrong.
wrldtvlr said:
Thank you - well written. It bears emphasizing that moving from Direct Connect to Express Web Connect + is a net negative for Quicken users. It adds a third party (Intuit) in the middle of the transaction flow, exposes consumer data to Intuit that they can monetize, potentially adds costs (Intuit fees, although they collected Direct Connect license fees), slows the transfer of data and increases the chances of things going wrong.
- We or our Suppliers may also use summary or aggregate results relating to such research and distribute or license these anonymous, aggregated results for any purpose, including but not limited to helping to improve the Products and Services, troubleshooting, or technical support.
Quicken (the program) -> Quicken server (Quicken cloud dataset/sync) -> Intuit servers -> Financial institution's servers.
Signature:
This is my website: http://www.quicknperlwiz.com/