Quicken Security Issue

Rick_Tinker Quicken Windows Subscription Member ✭✭
edited November 24 in Reports (Windows)

I enter Quicken for Windows and it prompts for the password on my data file. After that, I can click on an account, click the gear icon, and tell it to update transactions, and it does this WITHOUT prompting for the password vault password. It does the update on the account I selected and any others from the same financial institution. It does not prompt when I do this for all of my bank accounts, and my credit card accounts. The only time it prompts for the password vault password is for an investment institution (Fidelity) or if I click Update All.

This is a serious security flaw that demonstrates that Quicken does not take security seriously, which is why I do not store my information in any of their online offerings. Furthermore, why is it that every time you try to report something to Quicken, they want to do a screen share where all of your financial portfolio is visible?

09:32 AM | Erick from Quicken: Thank you for contacting Quicken Support, my name is Erick. Please allow me a moment to review the reason for your contact today.

09:33 AM | Erick from Quicken: Hi! I was wondering if you could kindly provide me with more details about the issue at hand. This will help me better understand and assist you. Thank you!

09:34 AM | Richard : If I click the gear icon and tell Quicken to update on an account, it does the update for that account and all others with the same financial institution WITHOUT prompting for the password vault password.

09:34 AM | Richard : If I do an update all, then it prompts.

09:34 AM | Richard : But that is not security if you can update individually and never have to put in the password vault password.

09:34 AM | Richard : It is not a vault, it is a sieve.

09:36 AM | Erick from Quicken: I completely understand your situation. Would it be alright if we could do a screenshare to simplify this interaction?

09:37 AM | Richard : I just did an update on a Fidelity account and it prompted me, but it did not for my banking accounts with 2 different institutions.

09:38 AM | Richard : No, actually, because I am reporting a bug, and you guys always manage in a screen share to blame it on too much data or some other situation where you ask me to completely change how I use the product. You need to fix this based upon your own ability to demonstrate it.

09:39 AM | Erick from Quicken: "Sometimes, this issue occurs when a financial institution or account is not properly configured to work with the vault password. To make things easier, sharing your screen would greatly facilitate our interaction. However, if you prefer not to, that's completely fine. I am more than happy to guide you through the process via chat."

09:40 AM | Richard : GIVE ME A BREAK! There is NO configuration for whether a password is stored in the vault or not. It is either in the vault, and I am prompted the first time I use the vault for the password to the vault, or it is NOT in the vault in which case I am prompted for the financial institution's login information.

09:41 AM | Richard : I think it is about time I start sharing all of my issues with Quicken on the Internet. This one will DEFINITELY be popular.

Comments

  • Jim_Harman
    Jim_Harman Quicken Windows Subscription SuperUser ✭✭✭✭✭

    Apparently your bank connections are using Express Web Connect + (EWC+). When you set up this type of connection, you authorize your bank to share your transaction data with Quicken's aggregator (Intuit). This is a one-way, read-only connection and does not require you to provide a password each time you access the data.

    The connection to Fidelity uses Direct Connect, where your computer accesses Fidelity's server directly. This type of connection does require you to supply a password, either directly or via Quicken's Password Vault.

    For more information, see this Support article.

    https://www.quicken.com/support/how-quicken-connects-your-bank/

    QWin Premier subscription
  • q_lurker
    q_lurker Quicken Windows Subscription SuperUser ✭✭✭✭✭

    The only account connections that use your FI’s access password are Direct Connect connections. EWC and EWC+ use a different security approach that does not require the Quicken program to pass along your account password.

    It is likely (from your description) that the Fidelity account is your only account using Direct Connect for the interface, and thus your only account making use of the password stored in the password vault.

    I won’t go into whether EWC or EWC+ are suitably secure. That is a wholly different subject about which some are strongly opinionated.

  • Rick_Tinker
    Rick_Tinker Quicken Windows Subscription Member ✭✭

    I can understand that there is a difference, but does Quicken require a password on the data file if you have even 1 account set up with EWC? If not, then this is horrible security.

    I also do not understand why the Quicken support person could not write out an explanation like two of you did, and instead they always want to do a screen share. If support was able to provide the same information as what I got here, I would not have been in such a foul mood after chatting with them. It is bad enough how many firewalls you have to go through just to get to chat support.

  • Jim_Harman
    Jim_Harman Quicken Windows Subscription SuperUser ✭✭✭✭✭
    edited October 24

    Quicken does not require a password on the data file, but it is certainly a good idea to set one up.

    The data file password is completely separate from the Password Vault and the accounts you have set up and how they connect to your FIs.

    QWin Premier subscription
  • Chris_QPW
    Chris_QPW Quicken Windows Subscription Member ✭✭✭✭
    edited October 24

    It is already an option to set a password on the data file, and not everybody is going to agree with you that it should be a requirement to set a file password if all the accounts are Express Web Connect or Express Web Connect +.

    So with that in mind, I think Quicken is functioning exactly how most people would want it.

    EDIT: It also occurs to me that, since this is a one-way connection, the only ramification is downloading transactions into Quicken so that they can be seen there. If somebody can open your data file without a password, because you have chosen not to set one or don’t have any other kind of security to prevent it, they can see all your balances and everything. They just can’t see the most recent.

    Signature:
    This is my website: http://www.quicknperlwiz.com/
This discussion has been closed.