Quicken Aggregation [Edited]
So, the reason why we don't have to enter username/password to download transactions via Express Web from our banks is because Quicken gives that info to one of their "aggregate partners" (what does that mean?). This "aggregate partner" then gets the transactions from the bank for us. It's supposedly encrypted, supposedly. And who, pray tell, is this "aggregate partner"? Hmmmmmmm.
Is it just me or does anyone else have a problem with this?
Please ease my concerns.
Thanks!
Comments
-
You don't have any worries about that if you are using Quicken 2017 as your tag indicates. No downloads are in your future with that version.
0 -
Downloading transactions into Quicken is only an option with an active Subscription. If you are running QWin 2017 you have nothing to be concerned about because you will not be able to download into Quicken. But if you are using QWin Subscription (and simply have not updated your Community profile) or are thinking of upgrading to Subscription then read on.
EWC has been this way ever since Intuit first offered EWC functionality in Quicken many years ago. Intuit kept that information on their servers then.
Intuit spun off the Quicken software as a new company in 2016 but Quicken and Intuit are still very tied at the hip with Intuit still being the connection manager and the aggregation partner of Quicken.
Many people (including me) do not mind using EWC because Intuit has some very good security protocols. They have had to develop those high-level security protocols because Intuit still owns QuickBooks, which is a financial accounting software used by many businesses. And with many financial institutions, EWC is the only download connection method they support... and I like being able to download.
Some people, however, don't like the idea of Intuit having their login information on Intuit servers. Even some Super Users don't like it. Those who cannot tolerate EWC because of this concern do not need to set up an EWC connection or can deactivate their EWC connections. This will delete their login information from the servers. Then they have the following options:
- Set up an alternate download connection method with EWC+, DC or WC. None of these connection methods saves our login information on Intuit's servers. But there is the risk that the financial institutions might not support any of these methods. Or, in the case of DC, the financial institution might charge a monthly fee to use it. If you are not familiar with the various methods Quicken uses to connect with financial institutions, you can read up on it in this Support Article: .
- Manually enter and manage all transactions... do not download them.
- If the financial institution supports downloading in QIF, CSV, Excel or OFX formatted files: Manually download transactions in one of these formats and then use a 3rd party conversion software like ImportQIF to convert the data into a QIF file format that can then be imported into Quicken. ImportQIF is a free program (no ads) that was developed and is maintained by a long-time Quicken user and very active member of this Community. Others have said it works well for them. You can read up on it and download it from .
We can be pretty sure that Intuit/Quicken will not be changing EWC. But we also know that for the last 2-3 years some financial institutions have been moving away from EWC and replacing it with EWC+. EWC+ does not require logins to be saved on Intuit's server. Instead, EWC+ takes us to the financial institution's website (in our default browser) where we log in and authorize the financial institution to download into Quicken. The financial institution then sends a security token to Intuit that Intuit will save on their server and use to download transactions data with. I think eventually, EWC+ will replace EWC with just about every financial institution but have no idea about how long that will take.
We are not required to use EWC with any financial institution. It is a personal choice matter. Our choice on this matter will define how we can and will use Quicken.
Quicken Classic Premier (US) Subscription: R60.15 on Windows 11 Home
1 -
Actually, I have Quicken Classic Deluxe - Ver. R60.15. I'll have to update my tag.
Yes, I've been downloading transactions for a long time and have had this concern for a while. I'm also aware of the Quicken / Intuit split up. When I recently revisited my concern about another entity storing my credentials, I read up about that "aggregate partner". Now I know it is Intuit - thank you for clarifying. Call me old-fashioned, but I still am leery about someone else storing my credentials given all the news about top companies' security breaches reported in the news. I don't even trust iCloud on my cell phone and always have it turned off.
I guess it boils down to two questions - Quicken claiming they're providing Intuit our credentials, encrypted, and Intuit claiming they're encrypting them again to our banks vs. the ability to enter my strong and encrypted credentials myself over a VPN with two-factor authentication from a firewalled protected PC. (Yes, I know EWC provides 2FA). And don't get me started on SIM card hijacking.
Thanks again for answering that 'aggregate partner' thing.
-
0 -
The aggregator is Intuit, and Intuit has had your password for the whole time you have used Express Web Connect. Note that with Express Web Connect + they don't have your username and password anymore because Express Web Connect + doesn't use the username and password. It is using a new protocol between Intuit and the financial institution called FDX.
So, in summary,
Direct Connect → Password encrypted and stored in Quicken, not given to aggregator
Web Connect → is the "OFX answer to a query for the transactions in file form", so no username and password is exchanged.
Express Web Connect → login as you to website, impossible to avoid giving your password to Intuit, has always been true, but about two years ago or so, they just stopped storing the password in Quicken because it wasn't needed, it is Intuit that needs it.
Express Web Connect + → New FDX protocol that uses OAuth2 which means that Intuit and the financial institution exchange a rotating security token. You log into the financial institution's website to authorize that exchange of security token (and your transaction information), but never does your username/password get exchanged with Intuit. This is in fact, why the major financial institutions want to go to this protocol, they aren't comfortable with the aggregators having the usernames and passwords either.
Note that OFX is out because our stupid financial institutions wouldn't standardize on it. They are probably also claiming that OFX still uses the username and password (sent directly from Quicken to the financial institution using the HTTPS encrypted protocol), but newer versions of the OFX protocol allow for OAuth2. But of the few remaining US financial institutions using it (OFX is a standard used in the EU, mandated by the EU) some of them are still using the very first version of it!
One has to understand that Intuit isn't the only aggregator out there. The aggregators came about to "hack" the system to allow this downloading that the financial institutions will not standardize on. FDX is the "next attempt" at something like this and in my opinion it will "fail" in the same way as OFX, some will adopt it, others won't, so there will be yet another protocol to add to all the others for the aggregators to use, but they will still have to use the "hacks" that they have created. Note that Express Web Connect is far from the only "non-standard old username/password, do by an agreement system" out there. Each aggregator came up with their own way of doing it.
And as far as FDX goes, nice way to think up a way to keep the aggregators in business at the same time improving the security for you and the financial institution, but allowing your transactions and account summary information (balance, security positions, …) to be stored on a third-party system, when if the US had standardized the OFX protocol and forced financial institutions to use it like in the EU, this would never have been the case.
It is so ironic that the US comes up with systems like OFX, OAuth2, chip rotating account numbers on the credit cards, …, and if it even adopts them, it does so decades after the European countries have been using them. To this day you can expect that a waiter in the US will be asking to take your credit card away out of your sight to pay the bill. I was surprised recently when one brought a wireless terminal for scanning my credit card, a rarity in the US, but when I traveled to France some 25 years ago it was the way ALL restaurants in France (and I guess most European countries) did it.
Note that the EU adopted chip with PIN decades before the US (even though it was created in the US), and the US only got chip and sign (which is useless for a 2FA method) until after the big K-Mart hack where they had stolen millions of credit card numbers (hacked into K-Mart's backend system and collected them as they flowed through the system).
Anyways, frankly I have never been that concerned about even using Express Web Connect. I considered it worth the risk, (but I also had only a few accounts using it), but I knew the risks, until Quicken changed the policy not to store the username and password in Quicken for this connection type, I doubt most people did. What bothers me more is the idiot financial institution and our government that professes "freedom" and pushes undue risk on their citizens. As a programmer, this kind of "logic" just rubs me the wrong way.
Signature:
This is my website: http://www.quicknperlwiz.com/1
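
Added example, not part of the thread and not Quicken, Intuit or FDX code: a simplified Python model of the token-based arrangement described above for Express Web Connect +, showing what ends up in the aggregator's store and how a copied token behaves after rotation and after revocation. The `Bank` class, its methods, the user and all values are constructed for illustration, and a single rotating token stands in for OAuth2's access/refresh token pair.

```python
import secrets

class Bank:
    """Constructed stand-in for a bank's authorization server (not a real FDX API)."""
    def __init__(self):
        self._passwords = {}   # user -> password, known only to user and bank
        self._tokens = {}      # currently valid token -> user

    def enroll(self, user, password):
        self._passwords[user] = password

    def authorize(self, user, password):
        # Runs on the bank's own website; the aggregator never sees the password.
        if self._passwords.get(user) != password:
            raise PermissionError("bad login")
        return self._issue(user)

    def _issue(self, user):
        token = secrets.token_urlsafe(16)
        self._tokens[token] = user
        return token

    def fetch(self, token):
        # Rotation: the presented token is consumed and a fresh one is returned.
        user = self._tokens.pop(token, None)
        if user is None:
            raise PermissionError("invalid, used or revoked token")
        return self._issue(user), f"transactions for {user}"

    def revoke(self, user):
        self._tokens = {t: u for t, u in self._tokens.items() if u != user}

def accepted(bank, token):
    try:
        bank.fetch(token)
        return True
    except PermissionError:
        return False

def demo():
    bank, store = Bank(), {}             # store = what the aggregator keeps
    bank.enroll("alice", "constructed-password")
    store["alice"] = bank.authorize("alice", "constructed-password")
    copied = store["alice"]              # copy taken from the aggregator's store
    store["alice"], data = bank.fetch(store["alice"])   # normal download rotates it
    stale_ok = accepted(bank, copied)    # old copy no longer works
    bank.revoke("alice")                 # user withdraws consent at the bank
    return {"password_stored": "constructed-password" in store.values(),
            "data": data, "stale_ok": stale_ok,
            "after_revoke_ok": accepted(bank, store["alice"])}

if __name__ == "__main__":
    print(demo())
```

In the password-based arrangement the same store would hold the login itself, which stays valid until the user changes it at the bank.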