Connected Services & Security

mark miller

As a longtime Quicken user (20 years now) and a tech product guy , i've watched Quicken evolve its product into two area's (for various reasons) that maybe beneficial to Quicken but not to the end user in these (security) related areas:

1. Requiring a user to have a internet connection to open a local file (a longer post and doesn't happen all the time, but a change in the platform) —Also pushing to NOT have a locally installed version.
2. Reason for my post: Changes in connected services and associated security: https://www.quicken.com/support/changes-your-connected-services-quicken/

Now in essence Quicken (Remote/cloud) is managing your 3rd party accounts (your password authentication), with the (BIG) Assumption they aren't selling/brokering your data in some manner, WHEN they are breached (not a matter of IF, but WHEN) and ones accounts are cleaned out (worst case) and/or compromised (best case), what is Quickens Liability?

I see NOTHING specific to this and as of now, am shutting down 3rd party and entering data in. (as man of my 3rd party financial institutions are recommending..esp when you read all the fine print!).

This of course obviates the usefulness of the Quicken application and probably won't be using it much longer.

Interested in others specific input to primarily #2 & the question of Quickens Liability.

Thanks

mark miller

Update point to above given it just occurred (again)…

Quicken/Intuit "Middleman" services, aside from security concerns, yet another failure point. Wells fargo services down 2 days. If i had direct connect, it would have worked just fine.

Interesting no responses to prior post. Indicates a problem.

Quicken Kristina

Hello @mark miller,

The specific article you reference in your original post, https://www.quicken.com/support/changes-your-connected-services-quicken/ , is talking about the shift to the Express Web Connect + (EWC+) connection method that several financial institutions have done. Because you are authorizing through the financial institution's website, Quicken does not see or store your login credentials; the financial institution issues a token which is used authenticate with the financial institution so Quicken can download your account information into your file.

For information about how Quicken protects your financial information, I recommend reviewing this article:

https://www.quicken.com/support/how-quicken-protects-financial-information/

Whenever you go through the Add Account process in Quicken, you should see this screen:

It gives you more information about what data is accessed, as well as a link to our privacy policy, and reminds you that you're able to revoke permission to connect at any time by unlinking your account. It also provides a link to the Quicken Terms of Use.

I hope this helps!

mark miller

It doesn't. I"m aware of that It indicates "With this new connection method, you'll sign in to authorize your accounts directly from Quicken," —so 'man in the middle'. Similar to PLAID approach.

This doesn't address my various concerns/questions as i stated.

Primarily: WHEN they (quicken) are breached (not a matter of IF, but WHEN) and ones accounts are cleaned out (worst case) and/or compromised (best case), what is Quickens Liability?

Secondarily is the issue of going through Quicken Services to the financial institutions, unless you can tell me specifically how to avoid that ??

Also to state perhaps the obvious, its even more Quicken Exposure if NOT using a local install/copy and using Quicken cloud services.

Thanks
Mark

mark miller

Still awaiting a response from ANYONE. Also, just to use one example, from Schwab for those that don't read the fine print..

this is just one section (there are many) but in short, by authorizing Quicken 3rd party access, if ANYTHING happens, they aren't held liable.

Schwab disclaimer upon authorization: (just one section).

You understand that allowing access to and the use of Account Information could potentially expose you to increased privacy and security risks, including unauthorized account transactions, loss of funds, identity theft, fraud, and unauthorized disclosure or compromise of your Account Information.

How the Schwab Security Guarantee Applies.What a Third Party Provider or Authorized Provider Party does in connection with your Account and your Account Information is authorized by you, so the Schwab Guarantee does not apply to their actions.

Boatnmaniac

@mark miller - The answers to your questions are pretty clearly spelled out in the Quicken Terms of Use as linked above in @Quicken Kristina's earlier reply. Here is a snapshot of the section in the Terms of Use that addresses it:

It's a boiler plate that is intended to limit their liability, much like that Schwab verbiage you posted. Schwab's intent for providing that language is not to advise you that your account data and security could at sometime be compromised by a bad actor but is almost 100% intended to limit their liability for engaging with Quicken (and other 3rd party softwares) on your behalf. Will this language actually protect them in the event of a major data breach/hack? Probably not because that is when the class action lawsuits start up and those attorney's find ways to hold them accountable to at least a minimal degree.

If you are looking for Quicken or anyone to take ownership for liability for the what-if scenario of financial data getting hacked before it ever might happen then you will be waiting forever because Quicken will not do that. Neither will any other 3rd party financial software nor any financial institution or other business do that….not even those you currently do business with. That simply will not happen. These boiler plates simply will not address hypotheticals because that would be bad legal practice. And I'm pretty sure that the Moderators will not address any of your liability questions in this thread other than to point you to the Quicken Terms of Use document as was done above. For them to say anything more than that would likely get them in trouble with their management team and we don't want that to happen.

If you wish to continue using Quicken but want your risk exposure minimized you should read up on the types of connection methods that Quicken uses by clicking here: https://www.quicken.com/support/how-quicken-connects-your-bank/. . There is lots of good information there that can perhaps help you decide which connection methods best meet your wants/needs, whether it would be best to totally disconnect every account and manage all data manually or to discontinue using Quicken entirely and track/plan your financials by some other method.

To summarize the lowest risk options for managing your accounts in Quicken:

• Do not use Express Web Connect or Express Web Connect+.
• Do use Direct Connect or Web Connect or manually manage everything in your data file.
• Make sure Mobile and Web Sync in Preferences is turn OFF.

It all boils down to it being a personal choice as to what we find is acceptable or unacceptable. There simply is nothing black and white about this.

There has been a lot posted in this Community on this subject. Do a search if you want to read some of them. Just note that there will be little different in them from what has been posted here.