Big Banks Lock Horns with Personal-Finance Web Portals (wsj.com)
78 points by andore_jr on Nov 5, 2015 | 103 comments



This is the major difference between the US and EU. In the EU this isn't the "bank's customer data" this is the "customer's data." The customer actually has a legal right to see what data is held about them by the bank, and the bank has a legal obligation to make sure that data is accurate and up to date.


The dumb part is banks are more than willing to support Quicken's Express Web Connect, which literally stores your username/password on Intuit's servers, logs into your online banking portal and downloads the .qfx files you would get if you did it by hand. This is the same company that owns Mint, and it's literally doing the same thing!

Oh well, until banks decide to stop allowing users to manually save .qfx files the worst they can do is make life inconvenient.


I'm not sure about Quicken (which, incidentally, is being divested, so it won't be part of Intuit soon enough), but Mint uses the same internal service for communicating with financial institutions as Quickbooks and TurboTax.

By tokenizing each account, it ensures that if a breach of any of those products were to happen, the bank authentication credentials won't be leaked.


As a (reluctant) Quicken user, I was not aware that Express Web Connect credentials are stored on Quicken servers. Do you have anything to back that assertion up?


From Quicken's security guide (emphasis added):

When using Express Web connect to automate Web connect downloads from your financial institution's Web site, your user name and password are encrypted and, depending on your financial institution's procedures, will be stored on our firewall-protected servers or in your Quicken software. Your financial information is transmitted using secure socket layer technology and is encrypted, so it is unreadable during transmission. It is then stored on our firewall-protected servers and is securely transmitted directly to your desktop computer when you initiate One Step Update. Your information is confidential and is not used for anything other than providing and maintaining the One Step Update service.

http://quicken.intuit.com/support/help/account-transaction-i...


Yes. They store your credentials at rest in a data store, and the creds are decrypted on demand when API requests are made.


This is (probably) not global. Some financial institutions will offer aggregators safer ways of keeping a negotiated connection around. Like most big aggregators, Intuit negotiates with all the major banks individually for both batch and realtime refreshes.

The entire world of aggregation is simultaneously really interesting and rock-boring stupid. I'm surprised we don't see more fintech startups using it more aggressively, even as I am happy this made my former endeavor more acquirable.


https://quicken.intuit.com/support/help/bank-download-issues...

Expand the "Express Web Connect / Quicken Connect - Details" section underneath the comparison matrix and you will see this:

* Your login credentials are stored on Intuit-hosted servers. This makes updates faster for you.

* Your financial data is stored on Intuit-hosted servers. This provides a more complete history of your financial transactions than is typical for data stored on financial institution servers.

* We use state-of-the-art security measures to protect your login credentials and your financial data.

----

This is half of why I pay $9.99/mo to use Direct Connect with my Wells Fargo account (that, and having bill pay within Quicken is pretty handy).


There's really no way around it, if Quicken is going to login to your bank account for you, it needs your password in cleartext somewhere on its server.


Intuit owns Mint. Not sure how the banks are going to know the difference between Mint users and Express Web Connect users. Maybe they shut them all down?


> the bank has a legal right to make sure that data is accurate and up to date

Sorry to nitpick, but the bank has a legal obligation, not right - they don't have a choice other than to make sure data is correct


In the US they also have a fiduciary requirement to protect your money to the best of their ability. I appreciate that some of the larger banks might actually consider the impact of a data breach at an aggregator but reading this a couple of times it really sounds like a whine that they feel they have to provision more capacity for both their user base + the load put on by the aggregators their user base is using. They don't have a way to charge the aggregator for their use like they do the customer.

If the latter is the real reason they are whining then I expect they will push for a fee they can charge people who access their account through an aggregator, much like they charge people who access their account through Quickbooks.


I'd just change banks though. It's trivial when you only have a few bills that need ACH/EDI, and the rest of your payments are on auto-pay on a credit card (which you pay from your checking account). BankSimple (now Simple) let me down so many times during their tech upgrade, I simply moved over to Fidelity for my checking account needs. It took ~15 minutes to change my direct deposit online with my employer, and re-create my bill pay setup.

As a bank, you are a commodity. You simply store the bits that say how many resources I can consume over a moving window of time.


> I appreciate that some of the larger banks might actually consider the impact of a data breach at an aggregator but reading this a couple of times it really sounds like a whine that they feel they have to provision more capacity for both their user base + the load put on by the aggregators their user base is using. They don't have a way to charge the aggregator for their use like they do the customer.

They absolutely charge their aggregators. Most of the aggregators can't screenscrape without permission of the aggregators. Why on earth would you think they can't? Why do you think Mint doesn't need to do MFA for so many banks and can just get away with a user-pass challenge?

This is about holding control of their customer base, plain and simple. They know everyone else, even other banks, are eager to dis-intermediate their customer base. They're spending too much money maintaining branches and offering inferior savings products to compete digitally, so they would rather delay that as long as possible.


Well, while that's true, the bank isn't obligated to send it in an easily processable format; they could send you a pile of paper with the statements.


I used Mint for a long time, but eventually decided I didn't like them having all my bank login information, including security questions. So I switched to a setup where I download OFX data directly from my banks using a Python script [1], and use Ledger [2] to track spending, balances, etc.

A big bonus of this approach is that I have complete control over the data, so if an import get screwed up somehow I can fix it manually. Mint's "black box" approach is good when everything works flawlessly, but you're stuck doing weird hacks if anything goes wrong or you want to do something it wasn't designed for.

Ledger, incidentally, is from the same one who is now maintaining Emacs, if I'm not mistaken.

[1] http://captin411.github.io/ofxclient/

[2] http://www.ledger-cli.org


I have a very similar setup, except using YNAB[0]. I never felt like I really used Mint, besides just going and looking at my balances and (infrequently) thinking, "huh, looks like I'm over-budget again". With this setup, I feel like I'm taking matters into my own hands, which has had a noticeable impact on my spending and planning discipline.

Thanks for the link to your project, looks really useful!

[0]: https://www.youneedabudget.com/


FYI, if you use YNAB with Chase you might find that QFX payee/memo information is garbled. If so, here's a little script that can repair the file by cross-referencing your transactions against the CSV-copy.

https://github.com/DHager/chase_fixer


YNAB recommends the manual entry of purchases to better understand the relationship between the things you buy and your money. This has helped me be much less impulsive and more aware of the large money sinks in my life (lunch!). Whatever setup works for you to help you budget though, it is great software.


Yep! I did that for a while, and still do it quite often for purchases while I'm out and about at Target, grocery stores, restaurants, bars, and coffee shops. But for me, importing dumps from my banks and going through each transaction to "accept" them is plenty enough for that mental jolt. The tedium of entering names, categories, and prices might be a bit more powerful, but just seeing every transaction is (for me) a 99% achievement of the same goal.


Yeah. I actually really liked Mint, before it I had no idea where my money was going. But the security stuff started to bug me, and there were mounting frustrations with Mint's inflexibility that finally pushed me to go a different direction.

Also, the first link I posted isn't my work, just a nice utility I found. I did roll my own Python for converting OFX to Ledger though, been meaning to clean that up and post it but haven't gotten around to it yet.


Yeah, as I looked at that project more, I suspected that I had been wrong in assuming it was your work. In any case, I hadn't seen it, and appreciated the link.


It absolutely blows my mind that people are happy to hand over their banking credentials to a third party. I would never in a billion years ever have believed it were possible for a firm to succeed predicated on that basis.

I'm pretty sure that doing that in the UK instantly nullifies any protection you have against fraud etc.


I assure you all hackers in the late 90's were saying the same thing about the online banking concept. Here we simultaneously had all kinds of Internet-related security problems in media plus banks telling us to connect our money to the Internet. (Annoyed Picard meme here)


Yeah but you technically also nullify your protection against fraud if you write your PIN on a sticky note or tell it to your partner. The question is whether a bank will use that as an argument, not whether they can.

E.g. Barclays:

"You must memorise your PIN or password ... Never give them to someone else or let someone else use them, or do anything that would let someone else use them, such as writing them down in a way that might be recognised by someone else, keeping the letter carrying a PIN, or giving someone else access to a device like a mobile phone on which the relevant details are stored."

"If you have either deliberately or with gross negligence: • failed to keep your card, PIN, password, PINsentry or mobile PINsentry generated codes, device or equivalent secure, or • failed to tell us as soon as possible that you have lost your card (especially if you think someone else might have been able to find it) we will not refund any payments made before you tell us that it's been lost or compromised."


The advantage I see Mint has is they don't require OFX as they appear willing to scrape sites for content.


Yeah, but the advantage of OFX is that it is read-only and can use different credentials for authentication (depending on the bank.) Another advantage I forgot to mention is that I couldn't use my bank's 2FA with Mint.


Aahh, I've been moaning for ages that banks should implement a read-only interface for services like Mint; I had no idea that one already existed. I think this is the nail in Mint's coffin for me. Thanks!

This does invite the question of why Mint isn't using (or even just offering) OFX read-only credentials... or do they?


Not all banks support OFX


> I didn't like them having all my bank login information, including security questions

I think that's the sort of concern that did in the start-up Greplin. They would have access to all your password-protected data for any service under the sun.


Do you pay for the OFX access?


No, all my banks/CC companies have free access. I think most if not all banks (at least major ones) do, you can check this site [1].

[1] http://www.ofxhome.com/index.php/home/directory


I get unknown or unsupported for Citibank which is one of the largest banks.


If the banks cared they would provide either token-based API like oAuth or at the very least, a read-only password for users to give these sites that aren't fully credentialed.

Customers will always want to extract their data.


It's amazing that we can grant revokable, read-only and audited access to our social accounts, but not our bank accounts. Even though the largest aggregators operate under some level of federal supervision (via FFIEC and the OCC), there is an obviously better way. TxPush (http://txpush.org) looks like an initiative in this direction. There will likely be an ongoing need for aggregators to maintain access to laggard financial institutions and possibly to buffer load on the bank servers as consumers use more and more financially connected apps.


> It's amazing that we can grant revokable, read-only and audited access to our social accounts, but not our bank accounts.

The UK is moving in this direction. The ODI/Fingleton report into Data Sharing and Open Data for Banks[1] recommended creating an open banking API standard and suggested using OAuth, using Twitter as an example (see p24 of the report). Work has begun on defining the roadmap towards creating an API standard[2].

1: https://www.gov.uk/government/publications/data-sharing-and-...

2: http://theodi.org/news/open-banking-working-group-uk-experts...


Completely agree! I think it is ridiculous that financial institutions don't have a read only password for sharing with accountants, tax advisers and other programs.


The only way that is going to happen is if it is legally required to happen or if banks are financially incentivized to make it happen.

It's absolutely true that offering data migration services decreases bank account stickiness, and that's something everyone is terrified of doing in the finance industry. Customer acquisition costs are so high, I doubt you'd believe me if I explained them to you.


>Customer acquisition costs are so high, I doubt you'd believe me if I explained them to you.

Of course we would believe you. When you use a metric like "customer acquisition costs", you can say pretty much whatever you like.

I'd rather hear something like, "We have such little deployed value at the retail level that no one wishes to contract with us unless we spend a lot of money over here (legalized entrapment codes and marketing)."


Banks actually don't have or need a ton of law to lock in customers. They use fees and consumer apathy pretty effectively.

But if you think that even pro consumer banks like Simple had better costs, think again.


This. I've been wanting this sort of thing for ages.

It could actually be extended into a very compelling product; imagine being able to issue not only read-only tokens, but a token which authorizes the bearer to withdraw up to $100/month. Parents could issue such tokens to children for emergencies, or other such situations.


Exactly. Of course it's going to flood their servers if Mint has to crawl through the megabytes of "special offers" bs that banks bombard you with when you log in to the website. Provide a separate API that just delivers account information in a few K of JSON. Problem solved.


My (US) bank does just that.


Which bank?


Banks are in a strange kind of transition. For years they acted like a retail operation that treated finance as a consumer product. But actually their purpose in the modern world is as infrastructure, more similar to electricity or water. In that sense there is some similarity to cable companies who are fighting to avoid becoming just a dumb pipe.


Blockbuster thought they were too big to fail too


Blockbuster didn't have legislative scaffolding and bureaucracy throughout the entire world on its side.


The bigger they are the harder they fall


2008 proved you wrong for the ones that had what the parent referred to. Confess to crimes and crash the economy; the result is a $1 trillion bailout, no audits, some fines, and criminal immunity. Doesn't happen every day in industry.


Agreed but it is just postponing the inevitable. The bailout and bankruptcies made their closed-source hierarchical paper system even more highly centralized, while the superior electric medium is doing the exact opposite in becoming more decentralized, distributed, and open source.

http://www.frontporchrepublic.com/wp-content/uploads/2011/09...


Their schemes have been working most of the time since creation of the Fed with usable currency and international uptake.

Using Bitcoin for its intended purpose is like gambling. Similarly for other, popular P2P. So, safe choice is better implementations of centralized model until stable alternatives exist in P2P space.

Note: Nice graphic but the best thing is looking at boards for interlock. Like Project Censored did in their nice Theory of Everything for global elites:

http://www.projectcensored.org/the-global-1-exposing-the-tra...

Now you know who they are. We've been able to figure the stuff out. Why still these problems? Cuz few give a shit or do anything. If that remains, we're screwed in the long term. ;)


I agree with the banks in part. Giving your online account credentials to access your banking information is complete madness. It's a giant security risk that neither company would likely cover if someone got a hold of your login details. This is the reason I purposely never signed up for Mint.

On the second half of the argument. Banks need to address the fact that users' needs are changing and they want access to their own data, that they own, not the bank. A bank could create an API service with API keys specifically for these types of aggregate services to use. This could be done at first for just read-only access, whereby the API does not allow you to transfer funds, etc. It would be a secure interface to access your data from trusted third parties or your own apps.

A secure standard API would be beneficial to customers, to third-party services, and to the banks that offer them. Freeing information instead of hoarding it, when it doesn't belong to them in the first place.

Credit unions could have a major advantage here if they would start using modern tech.


> I agree with the banks in part. Giving your online account credentials to access your banking information is complete madness. It's a giant security risk that neither company would likely cover if someone got a hold of your login details. This is the reason I purposely never signed up for Mint.

As someone who collects these daily; I'd rather not collect them. The lengths I have to go to to ensure that they're not a major risk for our product? Significant. It's not a hard problem to solve, but the question is: "do banks want to solve it?" There's not much incentive for big banks to DECREASE account stickiness, and a lot of us waiting for great aggregation tools to totally dis-intermediate the big banks from their customers 8 ways till Tuesday.

But to be honest, financial data is all sort of like this. For example, once someone has your ACH routing and account numbers, the only thing that really stops them from building a fraud factory is the fact that it's difficult to get permission to interact with the ACH network. You need to handle those with at least as much care as bank login info.

And then, there was the MASSIVE fraud spree that everyone who didn't implement yellow path validation for ApplePay opened up. I personally had well over 80k stolen from my account in less than 1 day via that outrageous fraud loop. Thanks, Apple Stores and Chase, for pretending that someone else's fingerprint constitutes my biometric permission.

On the subject of Chase, everyone in the industry was completely shut down without warning at the worst possible time by Chase. We're all pretty spicy about how it was handled.


In my experience (just as a client) Chase is very happy to act unilaterally and without communication. On the other hand, as an ex-client I have the option of just never dealing with them again.


> On the second half of the argument. Banks need to address the fact that users' needs are changing and they want access to their own data, that they own, not the bank. A bank could create an API service with API keys specifically for these types of aggregate services to use. This could be done at first for just read-only access, whereby the API does not allow you to transfer funds, etc. It would be a secure interface to access your data from trusted third parties or your own apps.

My capital one 360 account does this. I can generate an api key that I give to mint.


Isn't that the basic idea behind OFX though?

I mean, role specific credentials with limited rights seems like it would work perfectly fine with the existing OFX spec.


My bank already does this, to a limited extent anyway. I use (slightly) different credentials for OFX login than if I go to the website.


> Giving your online account credentials to access your banking information is complete madness. It's a giant security risk

Is it? My bank requires multi-factor confirmation to set up a new payee for electronic transfers and sends several emails for any transfer. You couldn't actually steal any money just by having online banking credentials.


> It's a giant security risk that neither company would likely cover if someone got a hold of your login details.

Sure, but it shouldn't be the bank's decision to keep me from accessing my own customer data because it's insecure.

If they actually wanted to fix this, it would be entirely possible to provide a read-only API.


This seems like it would backfire. I suspect many people are more loyal to mint.com than to their banks.


Switching banks isn't easy, unfortunately. Note how banks have very successfully managed to create systems that do not have bank account number portability built in, they even engineered them in such a way that any future desire to implement such portability will meet with very substantial technical roadblocks.


Why not? I've ditched banks a few times. Checking is a commodity product these days... it's not like a banking relationship matters anymore.

In olden times, it might have been a pain. Now most automatic payments hit a credit card, so you aggregate the account changes at that level.

Last time I flipped to get a 1/4 point off my mortgage. I think I had to redirect my utility account and change a few online payment portals for AMEX, etc. Took about 30 minutes, and saved me about $20k over the life of the mortgage.


I have switched banks a couple of times too. In all cases, it has been because the bank took advantage of me when I made a mistake.

It has always been a variation on this same theme.

The last time I changed banks was in 2010.

I had made a mistake and I overdrew my account by $5 or so. That was obviously my fault and I should have been on the hook for one overdraft fee. My bank reordered my transactions and caused me to incur 5 overdraft fees.

When I called in to complain, they "waived" two of them, leaving me to pay $90 when I should have only had to pay $30.

That was it for me. I opened an account at a Credit Union and left about $5 in the bank account so they'd have to keep paying to send me statements.

That went on for over a year until the bank implemented a $2/mo convenience fee for paper statements. In three months, my account was drained and the bank closed it.

People need to be willing to pick up and leave a bank if the relationship is no longer advantageous.

From the bank's perspective, it's always business and never personal. That's how you have to act in return.


The difficulty, strike that. The complexity occurs when you have set up auto payments.

One just has to handle it like any other transitional period.

You open a new account with a new bank or credit union and start funding it. You watch your existing bank account for recurring or auto payments coming out and work to switch them over to the new bank account. You have to maintain some money in the old bank account and possibly keep it open for several months or a year.

Treat the old account as a temporary savings account with enough money to cover any checks or auto payments that might get drawn against it. After you are certain all auto payments have been transferred or you feel safe and confident then you close the account with the old bank.

I primarily use a credit union but I do have a checking account with a regional bank that I use strictly for auto payments, this makes it easy to make sure there's enough money in the account and to transition away in the future should the bank displease me.


I don't do automatic payments. I won't do automatic payments.

It doesn't benefit me so I don't do it.

The day after payday, I sit down and determine which bills are due and I pay them electronically. It doesn't matter which bank account I use because I handle them individually, every payday.

I could switch banks today and my process wouldn't be interrupted at all.


If by "automatic payments" you mean ACH direct withdrawals, the benefit is "I don't have to remember to pay my bill."

The disadvantage is "An outside entity can remove an arbitrary amount of money from my account at any time, keep it for an indeterminate amount of time, then return it without penalty."

I could see having a charge automatically applied to a credit card (where you're able to dispute it, if necessary). I cannot imagine why anyone would ever want to set up direct withdrawals.


I want to remember. I want to verify the amount of every withdrawal before it happens.


I used to occasionally game banks for their account sign-up bonuses. You quickly learn how to set up your accounts so that it takes minimal effort to switch to something else.

A few tips to stay nimble and cover your bases during bank changes:

1) Don't use any bill payment services

2) Any automatic payments you do online, set them up for your credit card if you can (I'd recommend this anyway to take advantage of rewards)

3) Keep a detailed list of where your bank account details are stored for auto or manual deposits and withdrawals so when it comes time to change accounts, you have a good checklist to follow.

4) Think about setting up a permanent "home base" account that you can transfer money in and out of from other banks. The idea is that you'll always have this account, so it can be used to pay bills, write checks, day-to-day, etc. and you just funnel your direct deposits from other banks into this one.


That's basically what I do, as mentioned in a comment to a sibling of your comment.


> Why not? I've ditched banks a few times. Checking is a commodity product these days... it's not like a banking relationship matters anymore.

Depends on what position you're in, and how you've previously organized your finances. If you still write checks, you have to leave the old account open with enough funds and wait for all of those to clear. If you have things pointing at your bank debit/credit card, you need to change those and wait for any outstanding charges to clear. If you have direct deposit of a paycheck, you'd need to change that. And any services hooked up to your bank account via the usual "tell us the number of pennies we just transferred in and back out of your account" need re-hooking.


Good point. I have a "no debit card" policy and don't do automatic payments, with 4 exceptions (mortgage, auto insurance, house insurance, electric/gas company)

The first three are paid from a dedicated account. The electric company pays me to pay automatically, so I do. :)


* Write checks only when necessary. I usually use USPS money orders instead.

* Always have recurring payments on a credit card, which you pay off monthly.

Bill payments and connected accounts should be minor.


Sure, but those are the kinds of steps you take once you've realized you want to limit how much gets tied to your bank account. Similarly, once you go through the pain once of switching email addresses away from an ISP email address, you might move to a provider-independent address. But in both cases, you might not know that the first time.


Yep, I agree. It's really an education issue more than anything.


It's also a regulation / regulatory capture issue. The UK has a switching regulation set up so that all you have to do is go into the new bank and tell them your account number at the old bank. All scheduled deposits and withdrawals switch over with no further effort on your behalf.

(Then again, they also don't have things like paper checks anymore.)


Switching banks is a complete PIA. However, services like Mint could eventually make it much easier to do. Today, they aggregate and analyze data across multiple accounts. As they start to get into executing transactions, it will become much easier for people to simply "repoint" transactions.


> do not have bank account number portability built in

What do you mean? I don't see how one would even conceivably bring an account number from bank to bank, let alone why it would be desirable.

In my experience, it's actually quite easy to switch banks. No more than 30 minutes tops (open account, change credit card autopay).


I think the biggest issue with switching banks is that that lowers the average age of your accounts, which affects your credit score.


Well, the age of your checking/savings does not matter. You could just leave your old credit card open and never use it (although this does create some minor but annoying extra cognitive load).


That only applies to credit cards. Bank accounts don't even register on your credit report (overdraft lines may show up).


Banks are ruled by iron fist, old school systems that effectively get a long line of innovation only when needed. Think Cobol, year 2000 issues. Millions were spent on the infrastructure eons ago, and the idea of innovation goes exactly against what they stand up for - stingy, Scrooge type ideals. I don't blame them, but tech eventually moves around ideas like this. Think again of the automotive industry, and why don't we have 1 billion new ideas extended to the most vast product producing machine in the country ... unions, old school profit engines (pardon the pun), and the sticky idea that innovation will disrupt it. Tesla is basically the ONLY car dealer to shake the crust off, because it's THAT much better of a tech innovator. Not without the fight from big-auto though. It's just how these machines work, however because banking online and new startup FDIC innovation driven banks work WAY BETTER than these dinosaurs. Lucky for me, my bank doesn't even have branches ... so I get my dough back from the ATMs I use, within reason mind you. Online services are STELLAR, because of the reinvestment into tech vs. traditional banks. Ah, I hope they ALL die to be honest.


They should be required to provide a secure token-based API. The fact that Mint has to store your bank password in plain text is asking for trouble.


The fact that Intuit owns Mint was a big part of the reason I finally caved and signed up. They're not inexperienced with dealing with private information.

Yes, on the "banks should be required to provide a secure, open feed" (though good luck in the one chosen resembling any modern format).

But... securing information of this kind is not rocket science. Sharding secrets into multiple tokens split across minimal service machines, etc. It's just that best practices are so rarely followed.


Why does Mint have to store your bank password in plain text?


They don't have to store it in plain text, but they do need to store it with reversible encryption (as opposed to hashing) so that they can use it to login to the bank's website.


Right, that's my point. There is no technical requirement to be stored as plain-text.

Though I would imagine that encryption, by definition, is two-way (encrypt, decrypt).

As an aside, do merchant account API services provide a secure-token service to store credit card information? That is, I enter in my VISA credit card, click "save" and Amazon.com gets a unique token back that identifies this credit card. When I later go to purchase an item, Amazon uses this token with VISA to charge my card? IIRC, that is how Stripe works, but I wonder if each credit card manufacturer now supports this, as part of PCI compliance.


Because there's no API, so they have to scrape your transactions off the bank's sites, and they have to log in using your credentials for that.


Okay. So they have to store your password, but it doesn't have to be plain text. They can encrypt it.


Translatable to plaintext without user provided information is still plaintext.

When a website stores the hash of your password on their servers for you to authenticate against they have no way to recover your plaintext password without brute-forcing the hash. They can verify that the password you sent them is correct but they can't tell you your password.

If, say, Mint encrypts your password on their servers with their own key then they still have the plaintext password because the process is reversible to them.

To do this right, Mint would be given a piece of information, say an OAuth token, which would allow them to authenticate to your bank without them knowing the password you use to log in.


We're arguing semantics of "storing."

They're not storing "plaintext." They're storing the "ciphertext." The fact that you can decrypt ciphertext to obtain plaintext, does not mean you are storing plaintext. You can certainly derive plaintext from it, but the actual plaintext, that is, the input to an encryption algorithm, is not stored.

If an attacker gets a database, but does not have access to the encryption key, they do not have your plaintext password.

-----

I agree, a more preferred way would be for MINT to use OAuth type data delegation. However, they're beholden to what the banks themselves support, and most do not support anything other than account impersonation via username/password.
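The three storage models argued over above (verify-only hashing, reversible encryption under a key the service holds, and a bank-issued delegation token), as an added example that is not part of any comment in this thread. The toy HMAC-based stream cipher and the `Bank` class are constructed for illustration only, not a real bank API or a production cipher.

```python
import hashlib, hmac, os, secrets

# 1. Hashing: verify-only. Whoever holds the record cannot recover the password.
def hash_password(password, salt=None):
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def verify_password(password, salt, digest):
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(cand, digest)

# 2. Reversible encryption under a key the service itself holds. Toy HMAC-based
#    stream cipher (constructed here, NOT a production design): the only point is
#    that anyone holding the key and the record gets the password back.
def _keystream(key, nonce, n):
    out = b""
    for i in range((n + 31) // 32):
        out += hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def encrypt_password(key, password):
    nonce, data = os.urandom(16), password.encode()
    return nonce + bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))

def decrypt_password(key, blob):
    nonce, ct = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()

# 3. Delegation token issued by a hypothetical bank (OAuth-like in spirit). The
#    aggregator stores only the token: a leak exposes the token, not the password,
#    and the bank can revoke it without the user changing their password.
class Bank:
    def __init__(self):
        self._creds, self._tokens = {}, {}
    def register(self, user, password):
        self._creds[user] = hash_password(password)          # bank keeps a hash only
    def issue_token(self, user, password, scope):
        salt, digest = self._creds[user]
        if not verify_password(password, salt, digest):      # password shown once
            raise PermissionError("bad login")
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (user, frozenset(scope))
        return token
    def read_transactions(self, token):
        user, scope = self._tokens.get(token, (None, frozenset()))
        if "transactions:read" not in scope:
            raise PermissionError("token missing or lacks scope")
        return [f"{user}: -4.50 coffee", f"{user}: -120.00 groceries"]  # constructed
    def revoke(self, token):
        self._tokens.pop(token, None)
```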


Check out https://plaid.com/ and https://github.kdc.capitalone.com/hhu373/plaid-django-app/tr...

I'm working on setting up my own 'mint' for the purpose of working with my expenses, and this is the service I'm looking into using.


I must be a bit odd. I prefer to manually enter all my transactions in my journal. I don't want it automated. Any time I've automated it, I have become complacent. I feel, in order to properly manage my finances, there must be some pain. Don't get me wrong, I use SW. I just don't use SW that is automated.


I think you're right and that there should be some pain. My version of this is taking a full list of transactions and tagging them individually from electronic exports. This way any expense isn't reconciled until it's tagged. This can be done mostly automatically but some are unrecognized/unique expenses. The unrecognized are the ones that probably matter the most in terms of managing my finances, dining out, random items from amazon, etc. I have to review and recognize everything which makes me monitor the most important aspects where I might have spent my money poorly.


This brings up a really important question. Are your banking transactions yours or the bank's? I know in Europe the law says that you own your transactions, but I'm not sure if the US has clarity either way.


The banks care for their customers? Really??

Are these the same banks that used to charge "overdraft" fees of $35+ for a $1.50 overdraft? Where was the concern for customers then??


These are different departments. The people concerned about Mint come from Risk, Fraud, Security, and IT. They don't decide overdraft fees.


I'm leaving SF to travel around the US for 6-12 months, which means I need to switch off the local credit union that I'm currently using. I may as well choose something that will work for the indefinite future, including wherever I land next (it will be in the US).

Any recommendations? I'd prefer an organization that was less culpable for the financial crisis.


Is your credit union a member of CO-OP? This allows you to bank at any credit union in the nation that is a member. Some stuff can be challenging, like getting a loan, or getting a replacement bank card immediately. I'm living a state away from mine, with very few problems.


If you're looking for a checking account, I highly recommend Charles Schwab. They've always had excellent customer service, a pretty modern tech presence, and best of all you can use any ATM anywhere in the world without worrying about fees—they'll reimburse you for any fees charged.


Why do you have to switch off the local credit union?


The cards generally don't work overseas.


The OP wrote "leaving SF to travel around the US."

I read "SF" to mean San Francisco.

Also, I usually have better luck overseas with my credit union visa card than I do with my credit card (since I know the PIN for my checkcard).


My bank's web portal actually provides a good aggregator service for the checking/savings/investment/loan accounts I have both there and elsewhere. I find it very convenient when I do my monthly "what is the state of my finances" spreadsheet.



