Security questions
Hello. I have been using Quicken for Mac for years using the one step update. I noticed on many of the accounts I connected Quicken to, they state use of 3rd party will void any reimbursement of funds should there be a breach. Is this a common issue with using Quicken and is this a legitimate concern or is there adequate security to prevent funds from draining from my accounts?
Answers
-
I have never heard of a breach for Quicken, but one can't 100% rule it out.
Here is such a discussion in a Windows thread, most of it should apply to Quicken Mac with a few notes.
Quicken Connect would be similar to Express Web Connect/Express Web Connect + in Quicken Windows. I don't think there is any way in Quicken Mac to directly tell in it if the more secure (FDX protocol, that Quicken Windows calls Express Web Connect +) is being used or not, but it is certainly easy to see when first setting up the account. The newer protocol will never ask you for your username and password, instead you are redirected to the financial institution's website to authorize Intuit to access your accounts at the financial institution with a rotating security token.
The other difference would be where the username and passwords for Direct Connect are stored. In Quicken Windows they are stored in the Quicken Windows data file (encrypted). In Quicken Mac they are stored in the Mac OS keychain.
Signature:
This is my website: http://www.quicknperlwiz.com/
0 -
Thanks Chris for the reply. I did notice when I set up my Fidelity account, for example, it did direct me to log in with username and password through Intuit. One difference was it did not ask me for the second authorization code I added for extra security like I would need going directly into the Fidelity account.
0 -
I might be wrong, but I don't think Fidelity has changed over to the new "FDX" protocol. I think it is still using Direct Connect. That you should be able to see in your account information. It should show either Direct Connect or Quicken Connect.
Let me also state that neither Direct Connect nor connecting with new FDX protocol is "logging in as the user".
Direct Connect uses a protocol called QFX (which is just a slight variation of OFX). And you are connecting to an OFX server at the financial institution. So, even though it uses your username and password, it is in fact not logging into the financial institution like it was a web browser simulating you logging in. It has its own security model, and as such isn't subject to the same 2FA that you would be if you log into their website.
FDX is similarly a protocol designed for server-to-server communication. And uses a very secure token that changes for every access. When you set up for this you are directed to the financial institution's website and you log in using your username and password, but that is just to access their site to do the authorization. Quicken/Intuit never see your username and password, it is only the financial institution's website that sees them.
Old protocol Quicken Connect (what Quicken Windows calls Express Web Connect) is the Intuit server logging in as you, simulating a web browser connection. And as such is subject to the same 2FA rules.
Note that in both Quicken Mac and Quicken Windows downloading a QFX file is called Web Connect. The QFX file is actually what would be returned in a Direct Connect information exchange where by the protocol Quicken asks for the transactions. Just stored in a file. The original "Express Web Connect" was the Intuit servers logging in as the user and then doing what was needed on the website to download the QFX/Web Connect file. Later that was expanded to get the transactions in different formats and then convert them back into QFX format for Quicken.
0 -
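The Direct Connect description in the post above, as an added example that is not part of the original post and not Quicken's code: in OFX 1.x the user ID and password travel inside the sign-on request (`SONRQ`) sent to the institution's OFX server, so any saved copy of such a request should be redacted before it is shared. The sample request is constructed, and the assumption is that a Direct Connect request follows this standard OFX 1.x SGML layout.

```python
import re

# Constructed OFX 1.x (SGML) sign-on request; every value here is made up.
SAMPLE_REQUEST = """OFXHEADER:100
DATA:OFXSGML
VERSION:102
SECURITY:NONE
ENCODING:USASCII

<OFX>
<SIGNONMSGSRQV1>
<SONRQ>
<DTCLIENT>20240101120000
<USERID>example_user
<USERPASS>example-password
<LANGUAGE>ENG
<FI>
<ORG>Example Bank
<FID>0000
</FI>
<APPID>EXAMPLEAPP
<APPVER>0100
</SONRQ>
</SIGNONMSGSRQV1>
</OFX>
"""

SECRET_TAGS = {"USERID", "USERPASS"}
# OFX 1.x leaf elements are written <TAG>value, usually without a closing tag.
# Aggregates such as <SONRQ> have no inline value, so they do not match.
LEAF = re.compile(r"<([A-Z0-9.]+)>([^<\r\n]+)")

def signon_fields(ofx_text):
    """Return the leaf elements found inside the <SONRQ> aggregate."""
    block = re.search(r"<SONRQ>(.*?)</SONRQ>", ofx_text, re.S)
    if block is None:
        return {}
    return {tag: value.strip() for tag, value in LEAF.findall(block.group(1))}

def carries_credentials(ofx_text):
    """True when the sign-on block holds a user ID or password."""
    return bool(SECRET_TAGS & signon_fields(ofx_text).keys())

def redact(ofx_text):
    """Mask credential values, leave every other element untouched."""
    def mask(match):
        tag, value = match.group(1), match.group(2)
        return f"<{tag}>" + ("[REDACTED]" if tag in SECRET_TAGS else value)
    return LEAF.sub(mask, ofx_text)
```
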
One more note for investment accounts, in the past they were almost never Quicken Connect/Express Web Connect and certainly Fidelity was Direct Connect. There might be an exception now for some on the newer "not really broker" investment accounts (like crypto currency accounts), and I think one way to tell them apart is that they can only support simple investing mode.
0 -
Thanks so much for your time in explaining this to me. Perhaps I am being too paranoid in my concerns about using one step update and Quicken in general. I do try to be as secure as possible through extra security codes, LifeLock etc.
I was also wondering if there is any value to adding a password to the Quicken data file. I am under the impression it would be a safeguard for someone who might have access to my computer where the file only?
Thanks again
0 -
Whether adding a password to a data file is needed or not really depends on the person's use case.
One has to consider not only whether it is possible for someone to access the account, but also the data file.
For instance, the protection of your macOS security for your accounts wouldn't be in play if that data file was stored, say, in the cloud or on some media. Whatever security that server or media has (or doesn't have) would be in play. But if there was a password on the data file, then that security goes wherever the data file goes.
Clearly, though, if others have access to your account and you don't want them to see what is in your data file, you need to block that in some way. That can be the data file password, it might also be some other kind of encryption system.
EDIT: Bottom line, yes, it adds a layer of security, but of course a bit of inconvenience in that you have to put it in whenever accessing the data file in Quicken.
0 -
I am wondering if anyone has some thoughts regarding using the Quicken one-step updates for banks, investments, and credit cards. While I love all the data I receive from Quicken regarding my investments, my difficulty is how safe it is doing this? My concern is providing login info and signing it up with Quicken leaves me vulnerable to being hacked. Furthermore, as I read the fraud guarantee at the accounts, it voids this if a 3rd party app is used and determined as the cause for the breach. While I love the data from Quicken is it worth the risk or voiding a guarantee if an issue happens? I could try to manually enter or download offline and import into Quicken but not all accounts have these features? Thanks
0 -
Did you see this post?
I'm staying on Quicken 2013 Premier for Windows.
0 -
Yes, I have read it.
0 -
I don't think there is much more to say about the subject. If one is looking for anything definitive, you aren't going to get it. Even if you went to a lawyer, they wouldn't be able to tell you what the outcome might be.
I personally think it is pretty safe or I wouldn't be using it, but that, like everyone's, is just an opinion. In that other thread I did state the varying risk levels for the different access methods. It is up to everyone to decide for themselves about the risks vs rewards.