The danger of sending a sanitized data file.

Options
Chris_QPW
Chris_QPW Member ✭✭✭✭
edited December 2023 in The Water Cooler

I'm going to throw this out a "did you know" post.

When you send a sanitized data file to Quicken support it goes through and obscures the names of payees, account names and such. It also removes your username and password.

What it doesn't do is remove the Online Connections.

Now if you have been following the progression of Express Web Connect and especially Express Web Connect + in Quicken for a couple of years now, the username and password is either no longer used at all (Express Web Connect +) or is not required to be put in to make the connection (Express Web Connect) because they just use the one stored on the Intuit server.

The end result is that if you send a sanitized data file to Quicken support the data file is still "live" for online downloading of transactions.

Signature:
This is my website: http://www.quicknperlwiz.com/

Comments

  • Boatnmaniac
    Boatnmaniac SuperUser ✭✭✭✭✭
    edited November 2023
    Options

    It does not deactivate the accounts? That would remove the DC accounts usernames & PWs from PW Vault and it should then also remove the EWC/EWC+ login info from Quicken/Intuit's servers, right?

    I had always assumed when a file is sanitized all of the online services accounts were deactivated. But if all it does is remove the username & PW from PW Vault that would be of concern to me.

    Quicken Classic Premier (US) Subscription: R57.16 on Windows 11

  • Ps56k2
    Ps56k2 Alumni ✭✭✭✭
    Options

    The usual Quicken dilemma - creating something in the past, that can not account for changes implemented in the future -
    thus creating a Terminator situation

  • Rocket J Squirrel
    Rocket J Squirrel SuperUser ✭✭✭✭✭
    Options

    Also, all your attachments remain in a sanitized file.

    So the best thing to do is a File > Copy prior to sanitization. That can remove attachments as well as online connections.

    We're in the Water Cooler so I don't know whether any of this applies to QMac. I only know QWin.

    Quicken user since version 2 for DOS, now using QWin Biz & Personal Subscription (US) on Win10 Pro.

  • Chris_QPW
    Chris_QPW Member ✭✭✭✭
    Options

    Removing of the username and passwords for Direct Connect (and in the past for Express Web Connect) is nothing more than removing the Password Vault. The Direct Connect accounts being still connected isn't a problem if you don't have the username and password.

    They don't go to each account and deactivate them from downloading. If they did this would fix the problem. In both cases (Express Web Connect + and Express Web Connect), if the account is deactivated, you have to reactivate it to get the connection again, and that means reauthorizing/sending of username/password depending on which one you are talking about.

    Note you can easily check out what is being done, there is a sanitized file option on the Help menu. Once it creates the sanitized data file, you can just extract it from the ZIP file and open it.

    I do believe the leaving in of the attachments is of a lesser risk. They do remove links to the attachments in the sanitized file, and one tries to access the attachments directly they are encrypted. I'm not sure how the "encryption key" is formed, but I would guess if someone has access to the code looked, they might be able to figure out how to get that key/access to the attachments, but it wouldn't be as trivial as just clicking on something.

    Signature:
    This is my website: http://www.quicknperlwiz.com/
  • Rocket J Squirrel
    Rocket J Squirrel SuperUser ✭✭✭✭✭
    Options

    @Chris_QPW

    I do believe the leaving in of the attachments is of a lesser risk. They do remove links to the attachments in the sanitized file, and one tries
    to access the attachments directly they are encrypted. I'm not sure how the "encryption key" is formed, but I would guess if someone has access
    to the code looked, they might be able to figure out how to get that key/access to the attachments, but it wouldn't be as trivial as just clicking on something.

    I would not be surprised if someone on the Quicken team has long ago written a standalone attachment decrypter. Not as a privacy invader per se, but as an investigative or debugging tool. The info in my attachments is often of a more private nature than my Quicken data, so I wouldn't risk sending attachments in a sanitized file. It's easy enough to truly remove them using File Copy.

    Oh, also all your Category names remain visible and searchable. Only the category descriptions are removed. So you might think about renaming the categories Booze, Cannabis, and Pornography before submitting the file. 😜

    Quicken user since version 2 for DOS, now using QWin Biz & Personal Subscription (US) on Win10 Pro.

  • Chris_QPW
    Chris_QPW Member ✭✭✭✭
    Options

    That is certainly possible but like for a lot of features in Quicken I long ago gave up on attachments, so my data file doesn't have any. So, that isn't really a concern for me.

    BTW the reason I realized this new problem with Express Web Connect + is because when testing out Bill Presentment after a person asked if it was now working properly, I found a crash with adding Citi Cards if you have Direct Connect setup. Without thinking about it too much I sent the sanitized data file to them as requested.

    Then I looked and saw that it was still setup for downloading of transactions and I tried an update, and sure enough it updated without any errors. Then I did do a copy and retested and sure enough couldn't reproduce the problem without setting up the Direct Connect account again, basically proving that they wouldn't been able to reproduce the problem with a copy. On the other hand, I had already given them the exact steps they needed to reproduce it in any data file as long as they a Citi Cards account to work with.

    Signature:
    This is my website: http://www.quicknperlwiz.com/
  • MHSwizzleStick
    MHSwizzleStick Member ✭✭✭✭
    Options

    So I take it that, after uploading a sanitized file, changing the FI's password would have no effect on the ability of the sanitized file to download transactions. The new password would simply be saved to Intuit's server, so the connection would still be successful. Correct?

  • Chris_QPW
    Chris_QPW Member ✭✭✭✭
    Options

    That is a really interesting question. Note that for Express Web Connect + it wouldn't be the password, but a rotating security token, but it doesn't seem like that details would matter. I'm certainly, not 100% sure of this, I think I will try it out later, but my feeling is that you are correct and changing your password (better the username so that no failed password attempts show up on your account) or reauthorizing would simply reconnect both data files because they both still have the same unique Id that connects them to the Quicken Connection Service, which in turn somehow connects to the information on the Intuit server.

    It seems to me the only sure way to completely disconnect the data file that Quicken has is by using Quicken's copy which changes the unique Id and deactivates all the online services. And for the Express Web Connect change the username/password, and for Express Web Connect + first deactivate all downloading authorization, before reauthorizing.

    Signature:
    This is my website: http://www.quicknperlwiz.com/
  • Chris_QPW
    Chris_QPW Member ✭✭✭✭
    Options

    Well, I changed the password on one of my Express Web Connect accounts to see what a sanitized data file would do (and compare it to the real data file).

    First off, let me say that I got one thing wrong, they didn't delete the Password Vault, they just removed the usernames and passwords from it.

    Anyways, the "dangers" seems to be "less" than I might have thought. The first thing I noticed is that the sanitized data file download happens really fast. I'm sure this is because it is only going to the Quicken Connection Services and not out to Intuit. Since the Quicken Connection Services does have caching, I had to wait some hours to make sure that wasn't why it was returning so quickly. It doesn't appear to be the case. Still getting a real quick update. Whereas with the "real" one it takes even longer than normal because it encounters the error on the one account that I changed the password on.

    So, I don't know what they have done, but it does appear that they have blocked the sanitized data file from getting any new transactions. It is still fetching whatever is in the Quicken Connection Services though.

    Of course, then that leads to what happens if the "real" data file connects gets transactions, and then you go back to the sanitized one?

    The answer is that sanitized decides that all your accounts have been deleted and you get CC-800 errors.

    Which of course showed in my real data file when I did another update in it.

    Bottom line for me is that I will be doing a copy to change the unique Id in the data file and re-setup all the online services again. And I will be deleting the cloud dataset from the first "real" and shared with sanitized data file.

    I thought of it, and I don't really have to change passwords and because with the cloud dataset gone nothing will be there to connect with.

    Signature:
    This is my website: http://www.quicknperlwiz.com/
  • Chris_QPW
    Chris_QPW Member ✭✭✭✭
    Options

    Some extra information:

    The sanitized dataset is called out as being separate here from "Current" (the "real" data file). That means that it is a separate cloud dataset, and that means that it looks like they changed the unique Id. But that doesn't seem to be enough to really separate the two data files. After all the CC-800 errors in the sanitized, showed up in Current the next time it updated.

    Clearly, a very complicated relationship…

    Signature:
    This is my website: http://www.quicknperlwiz.com/
This discussion has been closed.