Home Quicken for Windows Signing in, Passwords, and Activation (Windows)

How does Quicken login to my bank account?

About 1 month ago, I logged into my bank's online banking (RBC Canada). I got a warning message that someone had attempted to login to my account with the correct account number and password but failed to answer my security question. It gave me the date and time and I confirmed it was not me logging in. It then prompted me to change my password.

My banking account and password are in my head only. Not written anywhere, not saved anywhere, not the same as any other password and not easy to guess.

My next login to Quicken several weeks later, my update didn't work , of course, because I changed my bank password. After some research on how to get my accounts updating again, I got it working again. About a week later, same message as above when I logged into my online banking. I realized at this point, Quicken does save my password (although I can't figure out how, or how to disable it).

My question. When Quicken logs in to my account, how does it handle the security question from my bank, if asked? Or does the bank not ask the security question when it gets a request from Quicken? This is very frustrating and scary. Either, the problem is with security question, in which case Quicken becomes useless to me, or my account and password are being stolen from my bank or Quicken (which are the only two sites with access to this information).

I've emailed Quicken support about this but never got a reply. I'm using Canadian Version with all updates.

Answers

  • RocksRocks Member ✭✭
    Until a few months ago when I went to update my account transactions, I was prompted for my banking password. After an update, can't remember which, it now automatically signs in to my banking account. I never asked to save my password and don't like this. How can I disable this so I have to enter my password each time? I don't use any Web Connect features.

    Second question. After the same update I started to see that Quicken Web Sync was successful. I never enabled this and would like to disable it. I can't find anywhere where I can do this.

    I've found various other topics on this and the actions they mention are not available in my version. I have the Canadian version with all updates.

    Please help. This is very frustrating and should be a simple setting.
  • Greg_the_GeekGreg_the_Geek SuperUser, Windows Beta ✭✭✭✭✭
    Quicken Subscription HBRP - Windows 10
  • RocksRocks Member ✭✭
    Sorry, must have done it online as you mention. I'll double-check.
  • RocksRocks Member ✭✭
    I did it through Help > Report a Problem. Never got any confirmation or feedback.
  • Greg_the_GeekGreg_the_Geek SuperUser, Windows Beta ✭✭✭✭✭
    Quicken Subscription HBRP - Windows 10
  • thecreatorthecreator SuperUser ✭✭✭✭✭
    Hi @Rocks ,

    Have you bother to check your Password Vault? You need to know your Password Vault password, in order to access it.
    thecreator - User of Quicken Subscription R30.10  USA & Quicken 2017 HBRP R20.5 USA
                       Windows 10 Pro 32 & 64-Bit Build 20262.1010
    also            Windows 10 Pro 64-Bit Build 19042.630

    View: https://community.quicken.com/discussion/7859218/work-with-copies-of-your-actual-quicken-data-files/p1?new=1

  • Chris_QPWChris_QPW Member ✭✭✭✭
    Rocks said:
    My question. When Quicken logs in to my account, how does it handle the security question from my bank, if asked? Or does the bank not ask the security question when it gets a request from Quicken? This is very frustrating and scary. Either, the problem is with security question, in which case Quicken becomes useless to me, or my account and password are being stolen from my bank or Quicken (which are the only two sites with access to this information).

    Frankly this is a big "unknown" and Quicken Inc and Intuit aren't talking.  At least I have never heard anyone from Quicken Inc/Intuit really explain what is being done, most likely because of "security" and because the answer is different for different financial institutions.

    Note that Inuit provides the Express Web Connect service (Quicken Inc pays them).
    And it was originally designed (and most likely still does it) to log in once a night to your financial institution's website and get your transactions, and save them on their server until you ask Quicken to pick them up (One Step Update or Update Now).
    This isn't done with any "standardized protocol".  Instead it is an "agreement" between the financial institution and Intuit.  And as such is different for different financial institutions.  And it seems with the financial institutions putting more and more 2FA and such kind of security measures in place,it is getting harder for this process to work right.
    (I'm using the latest Quicken subscription version)
  • Chris_QPWChris_QPW Member ✭✭✭✭
    P.S. On report a problem.  That is for reporting a bug, not for any kind of feedback if you need feedback you need to contact Quicken support, or post a question here.
    (I'm using the latest Quicken subscription version)
  • Chris_QPWChris_QPW Member ✭✭✭✭
    BTW just in case it isn't obvious.  When you use Express Web Connect, the Intuit servers store your credentials (username, password, security questions, ...) you entered on their servers (encrypted from what they have said).
    (I'm using the latest Quicken subscription version)
  • RocksRocks Member ✭✭
    > @thecreator said:
    > Hi @Rocks ,
    > Have you bother to check your Password Vault? You need to know your Password Vault password, in order to access it.

    I don't use the password vault.
  • RocksRocks Member ✭✭
    > @Chris_QPW said:
    > (Quote)
    > Frankly this is a big "unknown" and Quicken Inc and Intuit aren't talking.  At least I have never heard anyone from Quicken Inc/Intuit really explain what is being done, most likely because of "security" and because the answer is different for different financial institutions.
    > Note that Inuit provides the Express Web Connect service (Quicken Inc pays them).And it was originally designed (and most likely still does it) to log in once a night to your financial institution's website and get your transactions, and save them on their server until you ask Quicken to pick them up (One Step Update or Update Now).This isn't done with any "standardized protocol".  Instead it is an "agreement" between the financial institution and Intuit.  And as such is different for different financial institutions.  And it seems with the financial institutions putting more and more 2FA and such kind of security measures in place,it is getting harder for this process to work right.

    Pity that no one is talking. I like the application but it's pretty useless if I can't download my transactions. What you said about Quicken downloading transactions periodically makes sense. The warnings I got from my bank indicate "someone" tried to login and it wasn't me. I also noticed since it started updating without me entering the password, the transactions were downloaded very quickly, so maybe they were downloaded to Quicken already. I'm all for security but unfortunately it's killed this app for me.
  • RocksRocks Member ✭✭
    > @Chris_QPW said:
    > BTW just in case it isn't obvious.  When you use Express Web Connect, the Intuit servers store your credentials (username, password, security questions, ...) you entered on their servers (encrypted from what they have said).

    Where is this set and is there another setting I can use so it doesn't remember my credentials?
  • RocksRocks Member ✭✭
    Thanks for all the feedback.
  • Chris_QPWChris_QPW Member ✭✭✭✭
    Rocks said:
    > @Chris_QPW said:
    > BTW just in case it isn't obvious.  When you use Express Web Connect, the Intuit servers store your credentials (username, password, security questions, ...) you entered on their servers (encrypted from what they have said).

    Where is this set and is there another setting I can use so it doesn't remember my credentials?

    Express Web Connect is setup on each account:
    Right click on the account name in the account bar -> Edit/Delete account -> Online Services tab  (look at Connection Method:)

    While the account is activated for Express Web Connect it will certainly continue to behave this way.  There isn't any setting for having it connected and not have it save the credentials.  And note I have even seen reports that after deactivating that the Intuit servers didn't "get the message" and at least continued to try to download for a time.  If that happens I would recommend changing the username.  Changing just the password would result in continued login failures.

    If the financial institution supported Direct Connect then the credentials would only be stored in the Quicken Password Vault (if used) or prompted for every time.  But from what I understand no Canadian financial institution supports Direct Connect.

    The only other way to get transactions is Web Connect (downloading/importing a QFX).  Of course there is the extra steps because the user has to do this using their web browser for every financial institution and maybe even every account.  But of course no credentials are ever passed to Quicken/Quicken Inc/Intuit.
    (I'm using the latest Quicken subscription version)
  • The short answer is that they use a Data Aggregator.

    These 3rd-party entities (aggregators) use YOUR financial username and password to obtain YOUR info.

    Financial institutions -- who might require 2FA from you -- often work-out agreements w/ these aggregators to relax 2FA requirements on these "trusted entities" to allow access w/o 2FA.

    Obviously, this is a backdoor into you account which could be exploited by bad actors if all parties are not "on their toes" re: the constantly-evolving threat vectors.

    "Krebs on Security" had a very informative piece on it last fall; linked below:

    https://krebsonsecurity.com/2019/11/ncr-barred-mint-quickbooks-from-banking-platform-during-account-takeover-storm/
    Quicken Premier (Windows) user since 1992
  • Chris_QPWChris_QPW Member ✭✭✭✭
    The short answer is that they use a Data Aggregator.
    Yeah, and Intuit is that Data Aggregator.  Doing data aggregation is error prone, and "labor intensive", as such requires a large company that has "connections/agreements" with all the financial institutions.  Something that Quicken Inc couldn't do on their own, so when Intuit sold Quicken they "kept" that that part and Quicken Inc pays them for the service.  Besides Intuit needs to keep doing anyways because of QuickBooks.

    Note that Direct Connect (or any other OFX enabled personal finance software) isn't a Data Aggregator.  The personal finance program (Quicken) uses the OFX protocol to send commands/data to the financial institution's OFX server to get the transactions and if available do bill pay and such.  Whereas a Data aggregator is usually getting the data from the financial institution's website and as such has to deal with the same login security as a normal user (unless the agree on something different), the OFX server is usually gets its data from the financial institution's databases.  And it has its own standardized security model.

    BTW a few years ago the EU required its financial institutions to support one or both of two standard protocols for these kinds of operations.  The OFX protocol is one of the two.
    (I'm using the latest Quicken subscription version)
  • Chris:

    Good amplifying info.

    Thanks.
    Quicken Premier (Windows) user since 1992
This discussion has been closed.