Quicken Issues with RBC downloads and 2FA

I have recently been having an issue with Quicken and RBC.
Quicken is triggering 2FA and I can't get to the 2FA message fast enough to allow it. The timeout must be set for a number of seconds. I have sent a complaint to RBC regarding this issue, which has only been happening in the last month or so.
However, I thought my alternative was to simply log on to the RBC website, and manually download the transactions from there. However, when I do that, Quicken does not match any of the downloaded transactions with my entries in Quicken. It gives them a status of NEW, and I have to manually match every single one of them.
When Quicken would get the transactions from RBC through OneStepUpdate, I never had this issue.
Comments
-
That won't/doesn't work… unfortunately.
0 -
This situation with RBC has existed for quite some time now. If you are only recently encountering it, then I wonder whether you recently installed the RBC Mobile App? The issue is this… if you have the mobile app installed, then 2FA insists on using the app and there is no way to accept the 2FA on the phone fast enough. At least, I've never been able to make it work.
You have a few options…
One option is to switch off 2FA in the online banking portal. This is possible, but I don't recommend it.
Another option is to switch to using Web Connect and don't download from RBC using Express Web Connect or One Step Update. You will only get duplicate connections the first time as long as you stop using EWC and OSU for RBC. It is a one time switchover - not too painful. IMHO, this is the preferred option because it is secure AND because you will actually get the correct posting dates for your transactions. There is an issue with the transaction posting dates downloaded from RBC by EWC/OSU - they are simply wrong most of the time.
0 -
@Arctic Hare ok, this might be a stupid question, but if it is an issue with RBC, why can't they just simply change their system to allow for time for the user to enter the 2FA code? If this issue has been going on for a while, they must know about it.
0 -
It is not a stupid question, but you are not going to like the answer. If you call RBC and raise the issue, I can pretty much guarantee you that they will tell you that they don't support EWC/OSU with Quicken - that they only support Web Connect, which is downloading from within their online banking portal. Yes, I have experience with attempting to have this conversation with RBC. Give it a try yourself… and be prepared to be frustrated!
There is a lot of cloaked secrecy around EWC/OSU and whether the banks actually endorse it. And, it is complex because the EWC/OSU connection is actually provided by Intuit, which is no longer related to Quicken. Quicken pays Intuit for the connection service. So, it all becomes very awkward and complicated when you try to take these issues up with the bank or with Quicken… believe me, I've tried.
I wish I could use EWC/OSU because it is so much more convenient, but I gave up using it for RBC and BMO because of 2FA issues and posting date issues - there is also a posting date issue with BMO when you use EWC. I got a bit further with BMO in that BMO finally acknowledged that they are aware that they are providing incorrect posting dates for EWC, but they have no intention to correct it.
…so, I finally waved the white flag and now I only use Web Connect… the benefit being that it is more secure, unfortunately, it is not very convenient.
The solution to all this is something called EWC+ and the path for that was paved by new legislation in Canada, but, so far, I haven't seen any implementation. EWC+ has been increasing in adoption in the USA over the last few years.
Sorry to be the bearer of bad news.
0 -
I have been using the RBC Mobile App for years. I had issues with the posting dates last year, but that cleared up eventually. Everything was working smoothly in mid-March. Then all hell broke loose and I didn't get a chance to open Quicken until this past week. And that's when I started having the issues as described above.
I can confirm that just using the Update Now function as suggested doesn't work for me.
I did send RBC a message… we'll see if I get a response!
I downloaded my transactions manually for years, I guess that is what I will have to do again. It won't be too bad, since whenever I am using Quicken, I usually have the RBC online banking website open at the same time. Just feels like a step backwards. But I do appreciate your comment saying that it is actually more secure.
0 -
Please clarify - when you say you've been using the RBC mobile app for years are you also saying that you used it with 2FA and you were able to approve the 2FA in the mobile app on your phone? That never worked for me. In fact, my situation was even worse. When the Intuit server would try to log in to RBC to do its once per day poll, it would trigger 2FA in the mobile app and this would happen in the dead of night. So, each morning I woke up to a failed 2FA login attempt notice and was asked to confirm "it was me".
If you were able to use 2FA with RBC and their mobile app and not have those issues, I find that really interesting. Why would it work for some people sometime, but not at other times?
The obvious security weakness with EWC/OSU is that your banking password is stored on the Intuit server. The banks will never say it is OK to give your banking password to a third party and there is some potential liability with that situation. EWC+, which we don't have in Canada, avoids having to give your banking password to a third party.
0 -
@Arctic Hare this doesn't surprise me. I have seen other FIs do the same thing. The easiest thing is to remain silent or claim ignorance. Once they admit to an issue, they are pressured (or maybe even obligated) to do something about it. Maybe we can spin it to something positive and hope there may be something in the works so they are holding off on any repairs?
I have learned to just "go with the flow" and not get too frustrated with Quicken or the FIs. Most of the time, you can find alternative ways to work with Quicken to get your transactions entered into Quicken. Sometimes it's just not worth beating your head against the wall.
I think the issue is also that some (if not most) Quicken users have become too dependent on OSU and don't know how to function without it, forgetting life before OSU. Sometimes it's not a good thing to not actually go into your online account and know what's there.
0 -
The Canadian banks are required by legislation to support the new EWC+ format, but it is yet to be seen whether Intuit adopts/implements it for Canadian customers. I've tried to get an answer to that question and haven't received any helpful answers. It is a waiting game.
I really dislike the inconvenience of EWC/OSU, but I've come to accept that it is better to use the reliable Web Connect method until we get EWC+… I've wasted so much time over the years on EWC issues.
Good to hear RBC fixed their posting date issue. BMO has not fixed it and they don't intend to fix it because they specifically designed their online portal to not include the posting date on the main screen - you need to open a dialogue box to see an individual posting date. The screenscrape can't open the dialogue box, so it can't "see" the posting date. So, when you EWC from BMO you get the transaction date for both the transaction date and the posting date; hence, the posting date is always wrong. However, if you use WC instead, both dates are correct. I like the dates to be correct….
0 -
@Arctic Hare they may be required to support EWC+, but I am not sure that is the same as them being able to implement it. Here in the US, at face value, it doesn't look like it's been an easy task, even for the larger financial institutions.
0 -
The issue that I've run into is not so much avoidance of the technical problem, it is that none of the Canadian banks endorse use of any connection/download method that involves disclosing your account credentials to a third party. They won't openly acknowledge that their system works with or is supposed to work with EWC because of that issue. However, it is my understanding that they actually have entered into agreements with Intuit to facilitate exactly what they say they don't endorse/allow. So, when you speak to them about EWC, they tell you that you shouldn't be using a service that requires you to disclose your credentials and that you may be held accountable for any losses if the credentials are used fraudulently. They do seem to play on both sides of the issue, but, in my experience, the customer facing folks are 100% glued to the position that using such services is not endorsed/allowed and may jeopardize your protections and remedies from fraud.
Honestly, the conversations I've had with bank reps have made me a bit nervous about using EWC - even though I used it for 20 years - or something like that. I believe it is secure, but if something ever went wrong, I'd be awfully nervous about fraud protection.
That's my $0.02.
0 -
@Arctic Hare no matter how one spins it, it all seems to boil down to deceit and denial. It is frustrating when you ask questions and you hit a brick wall.
0 -
I believe there is also a bureaucracy component - the Customer Care folks are disconnected from the IT/systems development and support folks. Furthermore, customer care people are trained to stick to a script. So, when the script says the only method for downloading transactions that is endorsed by the bank is Web Connect… well, that's what you get as a response. The bank isn't going to say "yah, go ahead and store your online banking credentials in some other company's cloud server… we're cool with that… and, if someone makes fraudulent use of those credentials, don't worry, we've got you covered". Finally, the vast majority of the customer care folks are entirely unfamiliar with Quicken and they don't have the knowledge to break from the script even if they were compelled to do so.
Bottom line - we need EWC+.
0 -
@Arctic Hare - I think the bureaucracy and disconnect you describe is by design. On both sides.
Quicken needs to do a better job in convincing financial institutions it would benefit them to work together. I think a lot of financial institutions see no benefit or incentive in working with Quicken. I think the increasing security concerns and measures needed to prevent fraud is only making things worse. And, they are not convinced that EWC+ is going to make things any better.
That being said, it now makes perfect sense why RBC is not too concerned about fixing the 2FA issue. Or why any connection issue takes so long to fix, or never gets fixed.
0 -
Unfortunately, it is more complicated than that. Quicken does not provide the aggregation service that obtains the transaction data from the financial institutions for EWC or EWC+. That part of the EWC service that involves the connection to the financial institutions is provided by Intuit, not Quicken. Note: Quicken and Intuit became independent companies a few years ago; Quicken is not a subsidiary of Intuit (anymore).
Quicken contracts with Intuit such that Intuit is Quicken's data aggregator. It is Intuit's systems that log into the online banking portals and scrape the transaction data. All that to say, Quicken has no direct relation with the financial institutions in relation to the EWC connection method. Quicken has a contractual relationship with the financial institutions for Web Connect - and Direct Connect where that exists. However, it is Intuit - not Quicken - that has a relationship with the FIs for the EWC service. Thus, if you raise an EWC issue with Quicken, then Quicken has to, in turn, raise the issue with Intuit, and then Intuit has to, in turn, raise the issue with the financial institution.
I do have experience that demonstrates that some issues do get resolved through that complicated set of relationships, but when the issue is only affecting or being raised by a small number of users, it tends to get little to no attention and generally doesn't get resolved or the resolution is very slow coming. I've had issues that I campaigned to get fixed, worked closely with escalated support at Quicken, and it still took years (not weeks or months) of active campaigning, working with escalated support, etc to finally get action taken.
Bottom line: although Web Connect is inconvenient, it is the most reliable and secure method of downloading transactions AND if there is a Web Connect problem it is generally fairly easy and quick to get it resolved. Conversely, EWC and EWC+ are great when they work, but it can be very difficult, slow, and painful to get issues resolved because of the complexity of the contractual relationships and split responsibilities.
0 -
I have had 2FA turned on for quite a while. This issue only started in the last month. Twice I have had the situation where I woke up to a failed 2FA login attempt, and I assumed it was someone else, because I do not have scheduled updates turned on in Quicken. I changed my password after the first one. I didn't bother after the second one.
But right up until mid March, I could fire up Quicken, and do a one step update without issue.
0 -
Based on this comment, some clarification is required: "I assumed it was someone else, because I do not have scheduled updates turned on in Quicken."
Turning on Scheduled Updates does not schedule logins to your online banking; instead, it schedules an OSU process, which is a login/connection to the Intuit server to fetch whatever new transactions are available there. However, the process for the Intuit server to fetch transactions from your online banking portal is a different process that normally runs independently and at a different time/schedule. The process that has the Intuit server logging into your online banking portal(s) is done on a different schedule that you can't control or set - with one or two exceptions, e.g. lightning bolt Update Now.
The Intuit server will log in to your online banking portal once per day - typically in the middle of the night - to fetch new transactions. When you run an OSU - either on a schedule or manually, Quicken fetches transactions from the Intuit server. One exception to this is that the "Update Now" lightning bolt triggers the Intuit server to perform a fetch… but, there do seem to be some limitations to how frequently using the Update Now feature will trigger the Intuit server to perform online banking logins - maybe limited to once every 12 or 24 hours (it is not entirely transparent what the limitations are)?
I also noticed that running an OSU sometimes triggers the Intuit server to log in to bank accounts - but, maybe that only happens when the once nightly polling failed. That is, I suspect that, if you run OSU and the Intuit server hasn't had a successful login to your account within the last 24 hours, then it will attempt to log in to your online banking. If the Intuit server has successfully logged into your banking account recently, it won't log in to your online banking; it will simply provide whatever transactions it fetched during that last successful login. What I have described in this paragraph is a bit of a grey area where I've made some inferences based on observed behaviour.
The "someone else" you assumed was trying to log in to your bank account was in all probability the Intuit server doing its daily transaction fetch - i.e. just behaving normally.
What I can't explain is why your online banking portal treated the Intuit server as a trusted device for a period of time and then suddenly stopped recognizing it as trusted. That is the crux of the issue. What needs to happen to solve this problem is that RBC needs to recognize the Intuit aggregation server as a trusted device for all account logins. 2FA gets triggered when the login is not from a trusted device. So, if the Intuit server is not a trusted device, then the Intuit server will trigger 2FA every day when it attempts to log in to fetch new transactions. And, of course, that causes a problem because all of those login attempts will fail.
Once upon a time, I was also able to use OSU with 2FA turned on, but that stopped working for me a long time ago. I've never been able to get a transparent and robust answer as to why… but, there has also been no appetite to make it work again.
Furthermore, there is an issue with not being able to grant the 2FA permission to allow a login with the RBC mobile device when the login is from the Intuit server.
EWC+ can't arrive anytime too soon….
EWC+ should handle 2FA/MFA better than EWC because it is legislated to be an accepted process for obtaining your own financial information and must be endorsed by the financial institutions… which is not true for EWC.
1 -
Thank you for all this information!
Maybe once every week or two (since mid-March), I got the 2FA message overnight. As I mentioned, the first time it happened to me I actually logged on to my bank the next day and changed my password, because I had never received a 2FA from anything other than me trying to logon.
I have received it overnight maybe two or three times since then. I feel a little more secure in the knowledge that it was probably the OSU process you mentioned above, rather than a person trying to hack into my bank accounts overnight in some other part of the world. But you can bet, I will be monitoring it closely.
As of a week or so ago I have excluded RBC from my One Step Update process, and am now once again downloading my transactions manually from the RBC website.
0