EWC+ Security Token
From descriptions of Express Web Connect Plus, I gather that an aggregator (either Quicken or a third party) gets a "security token" or certificate from the bank containing your account credentials and stores it. Later when you sync to the bank, it hands it back to the bank to log in.
Given recent hacks, I'm very curious about how secure this is.
What is known about the token/certificate credentials? Is the username/password pair "encrypted" or is there a hash? Does it adhere to a standard?
Does the aggregator do regular third party security audits?
Comments
-
What happens if the aggregator's store of "security token/certificates" is hacked? Can a plain-text version of the username and password be extracted? Can a third party use them without decrypting to log into my bank and withdraw money?
1 -
Digging around a little, it seems EWC+ is Quicken's implementation of the Financial Data Exchange (FDX) protocol. Here is some information. It's pretty comprehensive (lots of bells and whistles) and probably pretty good. The 'security token' expires and does not contain the credentials. So that's good. I think it is an OAuth "opaque token".
1
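To make the "opaque token" idea from the comment above concrete, here is an added example (not part of the thread, and not Quicken's, the aggregator's or FDX's code) of how an opaque token can expire and carry no credentials. The `TokenStore` class, account ids, TTL and sample password are all hypothetical, constructed for illustration.

```python
import hashlib
import secrets
import time


class TokenStore:
    """Hypothetical bank-side table for opaque tokens (in-memory sketch)."""

    def __init__(self):
        self._rows = {}  # sha256(token) -> (account_id, expires_at)

    @staticmethod
    def _digest(token):
        # Only a digest is kept, so the bank's table does not hold usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, account_id, ttl_seconds, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # random handle, no user data inside
        self._rows[self._digest(token)] = (account_id, now + ttl_seconds)
        return token

    def introspect(self, token, now=None):
        """Return the account id for a live token, else None."""
        now = time.time() if now is None else now
        row = self._rows.get(self._digest(token))
        if row is None or now >= row[1]:
            self._rows.pop(self._digest(token), None)  # drop expired rows
            return None
        return row[0]

    def revoke(self, token):
        return self._rows.pop(self._digest(token), None) is not None


def demo():
    bank = TokenStore()
    password = "constructed-password-123"  # constructed; typed only at the bank
    token = bank.issue("acct-0001", ttl_seconds=3600, now=1000.0)
    aggregator_store = {"user-42": token}  # all the aggregator keeps
    held = aggregator_store["user-42"]
    second = bank.issue("acct-0001", ttl_seconds=3600, now=1000.0)
    return {
        "password_in_token": password in held,
        "before_expiry": bank.introspect(held, now=2000.0),
        "after_expiry": bank.introspect(held, now=5000.0),
        "revoked": bank.revoke(second),
        "after_revoke": bank.introspect(second, now=2000.0),
    }
```

In this model a copy of the aggregator's store yields no username or password, but each token is still a bearer credential until it expires or is revoked, which is why both controls matter.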