Account Locked and Pi-Hole

tl;dr: Pi-hole (and other firewall products using blacklist filtering) can break Quicken login forms. They appear to work, but will not accept a good password. Try disabling your Pi-hole.

Hello, I am posting this here in case others have the same problem, and also to hopefully gain the attention of a Quicken developer who can fix this issue on their end, because ultimately, this is not a problem with Pi-hole, or any of the other anti-virus/firewall products Quicken wants you to disable. It's a problem with Quicken infrastructure.

The problem I experienced:

- I was unable to log in to Quicken for several days.
- Entering the correct password, stored in my password manager, failed.
- Failed attempts locked the account.
- I reset the password, but was still unable to log in, even after waiting days for the supposed account lock to lift.
- Login form displayed the message Your Account is Locked, Try Again later. Turns out, this error message is displayed improperly, instead there was a network communication problem. This misleading and improperly displayed error message only compounds the problem and confusion, both for the customer and for Quicken phone support.

Calls with Quicken Support

- The support reps were perplexed
- If I entered an obviously bad password, their system logs recorded a failed login attempt
- If I entered the right password, their system logs did not record a login attempt, failed or successful
- The support reps were unusually obsessed with questions about windows firewall or virus scanner products.

Disabling my pi-hole fixed the login form

- The login form on their website, and embedded in the Windows application, is interfered with by Pi-hole.
- Some internet host it's connecting to is in a public malware/virus block list. The Pi-hole, and other firewall products using that block list presumably, therefore break the login form.
- The login form displays incorrect and misleading messages when this happens, leading the customer and Quicken front line tech support on wild goose chases.

Suggested Fix:

- It's irresponsible for Quicken to ask customers to disable security products to open their desktop banking software.
- Therefore, somebody at Quicken should be regularly inspecting public malware/virus block lists relied on by security products for any IP/domains associated with Quicken infrastructure. Any developer with junior level scripting knowledge could automate this process in a short timeframe, by pulling down all known block lists on a regular basis and cross-referencing with a list of Quicken infrastructure assets.
- When Quicken appears in these block lists, Quicken admins should respond immediately to get themselves removed.
- Somebody should also evaluate the cause of Quicken being included in these block lists. Are they delivering adware/trackers/malware from the same IP/hostnames as their software platform? They should separate the activity from servers that people are trying to block (adware/tracking) from activity people aren't trying to block (login forms/banking data).

In the meantime:

When I get a chance, I'll try to create a white-list of domains/ips that can be loaded into pi-hole/firewall products to allow quicken to work, without disabling the security product. I'll post what works for me as a follow-up here.
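
The cross-referencing suggested in the post above, as an added example that is not part of the original post and not Quicken or Pi-hole code. It goes slightly beyond the post by handling both hosts-format and Adblock-style list entries and by flagging blocked subdomains and blocked parent domains. The block lists, list names and asset hostnames are constructed placeholders, and downloading real lists is left out so the example runs offline.

```python
import re

# Constructed sample lists (not real block-list data), in two common formats.
HOSTS_LIST = """\
# hosts format: sink address, then one or more names
0.0.0.0 ads.tracker.example
0.0.0.0 metrics.vendor-login.example  # inline comment
127.0.0.1 localhost
"""
DOMAIN_LIST = """\
! plain and Adblock-style entries
cdn.adnetwork.example
||auth.vendor-login.example^
vendor-bank.example
"""
# Hypothetical inventory of the vendor's own hostnames (placeholders).
ASSETS = ["vendor-login.example", "api.vendor-bank.example"]

_IP = re.compile(r"^(\d{1,3}(\.\d{1,3}){3}|[0-9a-fA-F:]*:[0-9a-fA-F:]*)$")

def parse_blocklist(text):
    """Return the lower-cased domains named in a hosts- or domain-style list."""
    domains = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if not line or line.startswith("!"):
            continue
        fields = line.split()
        if _IP.match(fields[0]):
            fields = fields[1:]                   # hosts format: skip sink address
        for field in fields:
            name = field.lstrip("|").split("^", 1)[0].rstrip(".").lower()
            if "." in name:                       # ignores localhost and similar
                domains.add(name)
    return domains

def find_hits(assets, blocklists):
    """Return sorted (asset, blocked_entry, list_name) for every overlap."""
    hits = []
    for list_name, text in blocklists.items():
        for blocked in parse_blocklist(text):
            for asset in (a.lower() for a in assets):
                # Same name, a blocked subdomain of the asset, or a blocked parent.
                if (blocked == asset or blocked.endswith("." + asset)
                        or asset.endswith("." + blocked)):
                    hits.append((asset, blocked, list_name))
    return sorted(hits)

if __name__ == "__main__":
    lists = {"hosts-sample": HOSTS_LIST, "domains-sample": DOMAIN_LIST}
    for hit in find_hits(ASSETS, lists):
        print("%s matches %s in %s" % hit)
```

A hit on a subdomain or parent of an asset is a lead to investigate, since list consumers differ on whether an entry also covers subdomains.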

Comments

  • Chris_QPW
    Chris_QPW Member ✭✭✭✭
    @Perimus you state:
    "The support reps were unusually obsessed with questions about windows firewall or virus scanner products."

    But that was in fact exactly the "source" of the problem.  Seems to me they were doing their job correctly.

    Note I do believe that once the problem is found it shouldn't be left at "turn off your firewall/virus software/...", but certainly the first step is to determine if such software is blocking the communication.  Once determined then that is when the "full process" should include getting to the root cause and figuring out how to fix it.

    On this statement:
    "Login form displayed the message Your Account is Locked, Try Again later. Turns out, this error message is displayed improperly, instead there was a network communication problem."

    You are assuming that they can tell the difference.  With all the different network layers and such this may not be the case at all.  Certainly it should be looked at, but I can tell you that many times all the developer has to go on is a "generic network error".

    And BTW the error message might be accurate, as in because of a "network error" you couldn't get logged in X number of times, and as such your account was locked.

    On the subject of somehow finding all the "black lists" and keeping Quicken off of them.  There are tons of such programs/lists and it most likely isn't a practical approach to try and monitor them all and put in requests to get off of all these lists.  Maybe some of the major ones, but certainly not all of them.

    On the subject of the login form, and "ad blocking" programs.

    I see two possibilities why Quicken's log in form is being blocked.

    One is that a lot of times on websites they use APIs from third parties that do a given function, that have ad/monitoring functions built into them, even if they aren't being used.
    If this is the root problem, they may be able to switch to other code or disable something or such.

    The second is that in fact Quicken Inc is very much into "advertising" Quicken and their other products.  So they certainly have connections to their ads.

    And I might add that one might consider an "ad blocking" program that changes the web form communication in a way that prevents it from working properly is a bug in that software, not the website.
    Signature:
    This is my website: http://www.quicknperlwiz.com/
  • NotACPA
    NotACPA SuperUser ✭✭✭✭✭
    I went out to pi-hole.net and noticed that it's intended to run on a server.  ARE you running Q on that same network/server?
    HOW is your Q configured to run?

    Q user since February, 1990. DOS Version 4
    Now running Quicken Windows Subscription, Business & Personal
    Retired "Certified Information Systems Auditor" & Bank Audit VP

  • Chris_QPW
    Chris_QPW Member ✭✭✭✭
    @NotACPA The reason it is called "pi" is because it was intended for running on Raspberry Pis.  As such they are running on Linux, which has server capabilities.


    Signature:
    This is my website: http://www.quicknperlwiz.com/
  • NotACPA
    NotACPA SuperUser ✭✭✭✭✭
    @Chris_QPW, thanks for the info ... but, as I suspected, this is a VERY non-standard configuration.

    Q user since February, 1990. DOS Version 4
    Now running Quicken Windows Subscription, Business & Personal
    Retired "Certified Information Systems Auditor" & Bank Audit VP

  • Chris_QPW
    Chris_QPW Member ✭✭✭✭
    @NotACPA Totally agree, the only reason I even know about it is I happen to use Raspberry Pis for some things I do.
    Signature:
    This is my website: http://www.quicknperlwiz.com/
This discussion has been closed.