EWC+ Security Token
From descriptions of Express Web Connect Plus, I gather that an aggregator (either Quicken or a third party) gets a "security token" or certificate from the bank containing your account credentials and stores it. Later when you sync to the bank, it hands it back to the bank to log in.
Given recent hacks, I'm very curious about how secure this is.
What is known about the token/certificate credentials? Is the username/password pair "encrypted", or is there a hash? Does it adhere to a standard?
Does the aggregator do regular third party security audits?
Comments
- What happens if the aggregator's store of "security tokens/certificates" is hacked? Can a plain-text version of the username and password be extracted? Can a third party use them without decrypting to log into my bank and withdraw money?
- Digging around a little, it seems EWC+ is Quicken's implementation of the Financial Data Exchange (FDX) protocol. Here is some information. It's pretty comprehensive (lots of bells and whistles) and probably pretty good. The 'security token' expires and does not contain the credentials. So that's good. I think it is an OAuth "opaque token".
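To make the point in that comment concrete, here is an added toy model (not code from Quicken, FDX, or anyone in this thread; the `Bank` and `Aggregator` classes and the sample user are hypothetical): the bank checks the password and hands the aggregator only a random, expiring opaque token, and keeps just a hash of it on its own side, so neither store contains a usable password.

```python
import hashlib
import secrets
import time

class Bank:
    """Toy authorization server: issues opaque bearer tokens and stores only
    a SHA-256 of each, so its own table leaks neither tokens nor passwords."""
    def __init__(self, users):
        self._users = users    # constructed sample: username -> password
        self._active = {}      # sha256(token) -> (account_id, expires_at)

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def authorize(self, username, password, account_id, ttl, now=None):
        """User consents at the bank; the password is checked here and never
        given to the aggregator. Returns the opaque token, or None."""
        if self._users.get(username) != password:
            return None
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)   # random bytes, derived from no credential
        self._active[self._key(token)] = (account_id, now + ttl)
        return token

    def resolve(self, token, now=None):
        """Introspection: account for a live token, None if unknown or expired."""
        now = time.time() if now is None else now
        entry = self._active.get(self._key(token))
        if entry is None or now >= entry[1]:
            self._active.pop(self._key(token), None)   # drop expired entries
            return None
        return entry[0]

class Aggregator:
    """Holds only the opaque token; a dump of this vault yields no password."""
    def __init__(self):
        self.vault = {}        # user -> opaque token

    def sync(self, user, bank, now=None):
        return bank.resolve(self.vault[user], now=now)

def demo(now=1_700_000_000):
    bank, agg = Bank({"alice": "hunter2"}), Aggregator()
    agg.vault["alice"] = bank.authorize("alice", "hunter2", "acct-42", 3600, now)
    return {
        "credentials_in_token": any(s in agg.vault["alice"] for s in ("alice", "hunter2")),
        "sync_ok": agg.sync("alice", bank, now + 60),       # within the 1h TTL
        "after_expiry": agg.sync("alice", bank, now + 3601), # token no longer honoured
    }
```

A real FDX/OAuth deployment adds consent scopes, refresh tokens and TLS between the parties, but the property shown here is the one that matters for the question above: a breach of the aggregator's vault exposes tokens the bank can expire or revoke, not the login itself.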