Express Web Connect + Security

cjim Quicken Windows Subscription Member ✭✭✭

I have noticed that I can download transactions from my financial institution without having to supply Quicken with my Vault password.

I open Quicken (no password is required), select an account and then perform an "Update Now" on just that account. Quicken will immediately begin downloading transactions. It does not ask me for my vault password. I've noticed that this happens with accounts that have been set up to use Express Web Connect +.

This does not appear to be very secure. Can someone please explain if this is the expected behavior and if so why I should not be concerned about security.

Answers

  • splasher Quicken Windows Subscription SuperUser ✭✭✭✭✭
    Answer ✓

    The security between Quicken and your financial institution is still the same. Even though in the past, Q kept a copy of the password for an FI in the password vault for EWC type connections, it wasn't necessary since it was stored on the EWC aggregator's (Intuit) server to make the nightly data collection. Because of that, Q removed them from the password vault. EWC+ uses a slightly different security protocol, but the need for the password to be in the password vault is still not needed.

    The security you should be concerned with is on your computer. Do you use a strong password for Windows? Do you have screen lock set up to require a password when you leave your computer on and unattended?

    Not that I think that Q's file password is the greatest since they can remove it for you, it does prevent your honest friends from opening your Q data file, but any hacker worth their salt can get by it.

    Personally, I use an encrypted data vault program to keep my Q data files in, so just running Q does not open a data file, you have to open the data vault (using a password) to make the files accessible before you start Q. Some of the anti-virus programs include such an encrypted data vault feature.

    So, beef up your personal security settings in Windows if you want real security on your computer.

    -splasher using Q continuously since 1996
    - Subscription Quicken - Win11 and QW2013 - Win11
    -Questions? Check out the Quicken Windows FAQ list

  • cjim Quicken Windows Subscription Member ✭✭✭

    Thank you @splasher.

    I have one more question for you…what is the Quicken Id password used for? Every once in a while, not often, I open Quicken and I am asked for the Quicken Id password.

    Also, what encrypted data vault do you recommend? I currently use Norton. Does Norton have this capability?

  • Chris_QPW Quicken Windows Subscription Member ✭✭✭✭
    Answer ✓

    I'm going to add a bit more about the security.

    Express Web Connect → Store username/password on aggregator's site (Intuit), actual connection made, Quicken to the Quicken servers to Intuit servers to financial institution's website, logging in as you.

    Express Web Connect + has the same flow, but between Intuit and the Financial institution they are using a protocol called FDX which uses modern rotating security tokens. This part of the connection is much more secure than Express Web Connect with usernames and passwords.

    Direct Connect → Stores username and password in Quicken's Password vault (which is encrypted) talks directly to the financial institution using the OFX/QFX protocol. It is noted that the newest OFX protocol version has the use of the same rotating security tokens but Quicken and the US/Canadian financial institutions don't use them.

    In all of these, encrypted communications (SSL) are used to send and receive the data.

    The Quicken Id is used to connect Quicken to the Quicken servers for the flow above, other online services and to check if your subscription is valid.

    Signature:
    This is my website (ImportQIF is free to use):

    http://www.quicknperlwiz.com/
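
Added example (not from the thread, and not Quicken, Intuit or FDX code): a simplified Python model of the "rotating security tokens" Chris_QPW mentions, showing why a token copied from the aggregator stops working once it has been rotated, unlike a stored username and password. The class, method names and grant id are hypothetical, and revoking the grant on token reuse is an assumption of this model, not something the thread states.

```python
import secrets


class TokenIssuer:
    """Toy financial-institution side of a rotating-token scheme (hypothetical, not the FDX API)."""

    def __init__(self):
        self._active = {}      # current token -> grant id
        self._retired = {}     # rotated-out token -> grant id
        self._revoked = set()  # grant ids that no longer work

    def authorize(self, grant_id):
        """User consents once at the institution; the aggregator gets a token, never the password."""
        token = secrets.token_urlsafe(32)
        self._active[token] = grant_id
        return token

    def refresh(self, token):
        """Exchange the current token for a new one; each token is accepted exactly once."""
        if token in self._retired:
            # A rotated-out token came back, so a copy exists somewhere: kill the grant.
            self.revoke(self._retired[token])
            raise PermissionError("token reuse detected; grant revoked")
        grant_id = self._active.pop(token, None)
        if grant_id is None or grant_id in self._revoked:
            raise PermissionError("unknown or revoked token")
        self._retired[token] = grant_id
        return self.authorize(grant_id)

    def revoke(self, grant_id):
        self._revoked.add(grant_id)
        for tok in [t for t, g in self._active.items() if g == grant_id]:
            self._retired[tok] = self._active.pop(tok)


def replay_outcome(issuer, grant_id="constructed-grant-1"):
    """Simulate a token that was copied before the next scheduled update rotated it."""
    first = issuer.authorize(grant_id)
    copied = first                    # constructed stand-in for a leaked token
    current = issuer.refresh(first)   # legitimate update rotates the token
    try:
        issuer.refresh(copied)
        return "replay accepted"
    except PermissionError:
        pass
    try:
        issuer.refresh(current)       # the reuse above revoked the whole grant
        return "grant still alive"
    except PermissionError:
        return "replay rejected, grant revoked"
```

In this model the user recovers by consenting again at the institution under a new grant id; no password has to be changed, because the aggregator never held one.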

  • cjim Quicken Windows Subscription Member ✭✭✭

    Thank you @Chris_QPW

  • splasher Quicken Windows Subscription SuperUser ✭✭✭✭✭

    @cjim

    "Also, what encrypted data vault do you recommend? I currently use Norton. Does Norton have this capability?"

    Sorry, I don't make recommendations. As far as Norton, you would need to check with them.

    -splasher using Q continuously since 1996
    - Subscription Quicken - Win11 and QW2013 - Win11
    -Questions? Check out the Quicken Windows FAQ list

This discussion has been closed.