How can Quicken automatically send my passwords to the "data aggregator" - I never stored passwords?

With the new announcement that I don't need to enter my passwords when updating my accounts/ downloading activity, how did Quicken obtain my passwords to send them automatically to the "data aggregator?" I always entered my passwords manually when doing updates/ downloads, NEVER stored them in the Quicken password vault, and, indeed, never stored them anywhere on my computer.

I'm concerned about this breach of security for my existing passwords. Data aggregators have been known to have security breaches (such as a very large breach involving a data aggregator named Blackbaud, involving many large hospital systems, including one that I use).

Just who is this data aggregator for Quicken?

I'm now currently downloading activity directly from my bank/ credit card websites, but some of them don't support downloading a .QFX file; even with those that do support such downloads, I have to do a separate download for each account rather than updating all accounts at one time (as with the Express Web Connect). That becomes extremely tedious. And some of them don't support "Direct Connect" instead of the "Express Web Connect" that I've had set up for my accounts and had been using up until now.

I also note that this ability to bypass my having to input my passwords DOESN'T apply to some of my accounts, such as one major credit card and one major brokerage firm. I still have to input the passwords for those institutions when I do an update -- so why not for the others?

It's irrelevant that Quicken says it encrypts the data (including passwords) automatically sent to this unknown data aggregator. I should still be allowed the option to enter my passwords manually in the One-Step Update, as I did previously, as that gives me more control over my passwords.

This really needs to be fixed. I don't trust Quicken now, as Quicken has somehow made my passwords available to the data aggregator despite my NEVER having stored my passwords in the Quicken password vault. This has to mean that Quicken has captured/ saved my passwords from my previous updates, where I entered the passwords manually, despite Quicken having previously said that it doesn't store/ save passwords that are entered manually and not stored in the password vault.

Best Answer

  • Boatnmaniac
    Boatnmaniac SuperUser ✭✭✭✭
    edited October 2020 Accepted Answer
    The aggregator is not unknown...it is and always has been Intuit. 
    PWs for DC financial institutions are never saved anywhere except in PW Vault on your computer.
    PWs for EWC financial institutions have always been saved on the aggregator's server.  Once an account is set up for EWC downloads, the PW is saved on the aggregator's server...makes no difference if that PW is saved in PW Vault or not.
    This is necessary because EWC account data is retrieved by the aggregator from the financial institutions at night and without the PW that process cannot be completed.  That data is then saved on the aggregator's server so we can then later download it into Quicken.  So, no PW on the aggregator's server means no data gets downloaded into Quicken.
    Nothing has changed with how EWC PWs are saved on the aggregator's server and how they are used.  What has changed in this regard is that the new connection channel process is more transparent about it than the old connection channel process is.
    The only way to prevent your EWC PWs from being saved on the aggregator's server is to not set up your accounts for EWC.  If you have EWC connections already established for some of your accounts, you can deactivate those EWC connections and your PW will then be removed from the aggregator's server.  If you do this, then your options for updating these accounts will be:
    1. Set them up for DC (if the financial institution supports that).
    2. Set them up for WC (if the financial institution supports that).
    3. Manually enter your transactions into your account.
    (QW Premier Subscription: R33.19 on Windows 10)

Answers

  • A.R.
    A.R. Member ✭✭
    Oh, so Intuit is the data aggregator? Really? Intuit doesn't own Quicken any more, so why should we trust Intuit? Does Intuit provide insurance against losses from our bank/ brokerage accounts or fraudulent charges on our credit cards due to theft/ hacking of our passwords that Quicken has given to Intuit?

    And, as I said, I NEVER stored ANY of my passwords in the Quicken password vault, nor anywhere on my computer. So, just how did Quicken know my passwords to give to Intuit for downloads that would no longer require me to type in my password?

    And it's utter nonsense to say that the aggregator retrieves the account data from financial institutions at night and to say that the "data is then saved on the aggregator's server so we can then later download it into Quicken." If that had really been the case, then there would never be all these problems that Quicken reports when it can't download data, whether it's one of the mysterious error codes that doesn't tell you anything useful or a statement that there's a problem connecting to the financial institution -- since I used to download data during the daytime (that is after the "aggregator" supposedly already had downloaded the account data).

    And, by the way, Quicken used to have statements all over the Quicken software that they didn't save your passwords (especially if you always entered them manually and didn't use the password vault) -- which, it is now apparent, was untrue.

    I think that an actual Quicken employee should be answering my questions.
  • Chris_QPW
    Chris_QPW Member ✭✭✭✭
    A.R. said:
    And, as I said, I NEVER stored ANY of my passwords in the Quicken password vault, nor anywhere on my computer. So, just how did Quicken know my passwords to give to Intuit for downloads that would no longer require me to type in my password?
    Think back, when you set up the account for downloading to use Express Web Connect, you typed in your username and password.  That is when it transferred to the Intuit server.

    And it has been there all these years.  The only thing that has really changed in this regard is that you have woken up to how Express Web Connect works because they have made it obvious of what has always been true.

    Note the following article has been the official information on this for years:
    https://www.quicken.com/support/how-quicken-connects-your-bank

    But I will state that it is also years out of date in the sense that it only talks about the nightly updates.  They still happen, but it is quite clear that for some financial institutions they are also done when the user runs One Step Update, and especially when you run Update Now.

    And BTW Quicken Inc is too small of a company to handle keeping 15,000+ financial institution agreements up and running so they will always need an "aggregator".  Intuit on the other hand still needs this for QuickBooks, so it makes perfect sense that Quicken Inc just pays for the service and continues on as before.  Not to mention what a major disruption it would have been to change to something else.

    If you are concerned with such security you should be using only Direct Connect or Web Connect (download and import a QFX file).
    Signature:
    (I'm always using the latest Quicken Windows Premier subscription version)
    This is my website: http://www.quicknperlwiz.com/
  • Chris_QPW
    Chris_QPW Member ✭✭✭✭
    BTW.  If you are going to stop using Express Web Connect I suggest that you change both the username and password at the financial institution.  If you change only the password then you will get password failures at your financial institution as the "aggregator scripts" try to log in.  One would think that by deactivating the accounts from downloading in Quicken that they would be removed from the Intuit servers, but reports of problems make it clear that they aren't always removed.
    Signature:
    (I'm always using the latest Quicken Windows Premier subscription version)
    This is my website: http://www.quicknperlwiz.com/
  • Boatnmaniac
    Boatnmaniac SuperUser ✭✭✭✭
    edited October 2020
    @A.R. - Quicken has posted several Support articles regarding the different connection methods.  There is also some very good information in Quicken Help that helps to distinguish between them. 
    Here is what Quicken Help says about EWC:

    Here's what Quicken Help says about DC:

    I have been a Quicken user since 2008.  All of this was true back then and it is still true today.  And when we accepted the EULA during installation of Quicken we gave our permission to Quicken regarding all of this.  If we didn't agree to the EULA Quicken would not have installed on our computers.
    (QW Premier Subscription: R33.19 on Windows 10)