Online security: download tx without saving passwords
Mac version 7.1.1
I'm more paranoid every day. I think it would be best if Quicken and Apple Keychain were kept ignorant of my bank login credentials. I have a good password manager app, and that's where I keep the goodies.
I'd like to go through downloading transactions in Quicken with me pasting in my passwords each time for each account, and going through 2FA for each account. I don't mind the extra trouble.
It looks like this might not be possible for say, Charles Schwab. I just reset my password with them. In trying to redo my connection, I'm given a screen that requires me to give Third Party Consent for Quicken to access my Schwab account. I'm fine with that, so long as I enter my password manually each login. But it appears that consent involves Quicken storing my password. Do I understand that correctly? Is there a way I can avoid that?
Schwab's consent wording is scary: their security guarantee over my funds is NULL if I give out my password to any third party…that would include Quicken. So if Quicken as a company got hacked, and thieves found a way to get inside my Quicken vault, and the thieves cleaned out my Schwab accounts, then Schwab could legally say, "Sorry, not our problem." Which is fair.
So I'd prefer that Quicken never stores my passwords. Any recommendations for me?
Answers
-
How about taking it to the extreme:
Do not go online to download transactions thru Quicken. Enter all transactions manually. That way you never have to worry about Quicken, as an intermediary third-party, knowing any of your passwords.
I hope that your browser's security, working in conjunction with your Password Manager and 2FA, covers the remainder of your security concerns.0 -
Find FIs which support the "Web Connect" method of downloading. Note NOT "Express Web Connect". You would need to leave Schwab to achieve that.
Quicken user since version 2 for DOS, now using QWin Biz & Personal Subscription (US) on Win10 Pro.
0 -
I tried to post a response here a while back, but looks like it went into the ether.
Quicken gave me contradictory info on whether it's passwords or it's tokens that get saved at their unnamed "third party aggregator" service that is used for downloading bank info.
I know Quicken takes every security precaution with my info. But I also know that the following companies took every security precaution, and they have all been hacked to one degree or another: JP Morgan Chase, Microsoft, eBay, Home Depot, Equifax, Marriott, Facebook, Dropbox, Yahoo, LinkedIn…it's a long list, you get the idea. I think I'm right to be a little paranoid when it comes to my retirement money. My driver's license number, social sec#, health info, and old passwords are all out there on the dark web. Experian sends me an arm-waving email about these breaches every few months. Like I can do anything about it! Hacking is the new norm.
Good news: I did figure out a fairly easy solution for anyone who shares my concerns about unknown parties storing passwords to major financial accounts. I just change my bank account password after I download to Quicken. That way, it doesn't matter if my password gets stolen from Quicken's aggregator company, whoever they are. The password is already outdated. (Every password I have is unique and never reused).
This does mean I have to go into Quicken's Update Login dialog for my two retirement accounts before I download. I add the new password, download, and immediately change the password with my 2 banks. (I don't bother doing this with the smaller accounts like PayPal, checking, etc. Just the accounts that would really wipe me out if they got hacked.)
It takes me a few minutes every month / every other month, when I download to Quicken. Worth the extra peace of mind. Maybe this will help someone else out there.
0