nav[aria-label="Primary Navigation"] { padding: 0; & ul { list-style: none; width: 100%; display: flex; flex-direction: row; justify-content: start; align-items: start; gap: 30px; padding: 0; & li { margin: 0; } & ul li { list-style: none; } } }

EWC+ Security Token

Pumphouse

From descriptions of Express Web Connect Plus, I gather that an aggregator (either Quicken or a third party) gets a "security token" or certificate from the bank containing your account credentials and stores it. Later when you sync to the bank, it hands it back to the bank to log in.

Given recent hacks, I'm very curious about how secure this is.

What is known about the token/certificate credentials? Are the username/password pair "encrypted" or is there a hash? Does it adhere to a standard?

Does the aggregator do regular third party security audits?

Find more posts tagged with

Online Banking

download transactions

Comments

Pumphouse

What happens if the aggregator's store of "secuity token/certificates" is hacked. Can plain text version of username and password be extracted? Can a third party use them without decrypting to log into my bank and withdraw money?

Pumphouse

Digging around a little, it seems ewc+ is Quickens' implementation of the Financial Data Exchange (FDX) protocol. Here is some information https://financialdataexchange.org/FDX/FDX/White-Papers-Guides.aspx . It's pretty comprehensive (lots of bells and whistles) and probably pretty good. The 'security token' expires and does not contain the credentials. So that's good. I think it is an OAUTH "opaque token".