Mysterious "Aggregation Partners" - who are they?

AchaarLonache

I am testing Simplifi out, adding accounts now. Some banks use OAuth for authentication, which is great.

Others require that I give my bank credentials to Simplifi - a total NO-NO.

So I tried to get information on how those credentials are stored, and I see Quicken saying it doesn't store them. But someone must storing them (otherwise the connection isn't possible and the new account could not be added), so this is super misleading. I see mention of "aggregation partners" but the partners are not named.

This frankly sends a chill up my spine. Is there documentation anywhere about how my credentials are stored, who stores them, and what kinds of audits and security practices those outfits have been subject to??

Inquiring minds want to know this basic stuff…. Seems like it should be readily available, but it's not.

AchaarLonache

There is no reason Simplifi couldn't be using Fidelity Access, for example. There is NO NEED whatsoever for it to send people's credentials off to a third-party "aggregator." See https://digital.fidelity.com/ftgw/digital/dae/fidelityAccess

There is NEVER a good reason for a third party to be storing individual consumers' login credential for financial providers. It's just insane. Bonkers. These credentials typically have write access to the accounts. To store them for read-only access that Simplifi says is all it needs totally violates one of the most basic IT security principles, "least privilege."

Philk

I concur.

I'd also like to know who the aggregator providers are.

As riddled as I have found Simplifi to be with bugs and shortsighted features…I'd hate to see a major SNAFU from incompetence with my financial data.

RockLee

I don't think it matters who is storing your login credentials, just don't give them out, who is to say someone will be more responsible with them than someone else. If you can't authenticate with OAuth, then pass on that institution.

AchaarLonache

OAuth, @RockLee, is great, but only if I can select the privileges I grant. It looks to me as though I can't do this.

It appears, horrifically, that adding a bank account defaults to a full-access arrangement.

Let me know if that's not right, in your view. Seems that way after my initial testing.

Horrific security practices!

Philk

An interesting article…

https://www.finra.org/investors/insights/be-mindful-data-aggregation-risks

DannyB

From another conversation a few weeks ago: Simplifi Coach wrote, "We're actually testing out both Finicity and Plaid to use as supplementary aggregators. As far as I'm aware, Intuit will still be our primary provider, but we want to have some others in place to fill in the gaps." (Bold and Italics added)

There are a number of data aggregators used by such apps as Q-Simplifi. These include Finicity, Plaid, Envetnet/Yodlee, Akoya and MX Technologies and as noted above, Intuit. If you have used any financial management apps like Q-Simplifi then you have been connected to your bank accounts via one of these services. Like all online data flow and usage there are security risks including having a web account set up directly with your bank.

I have been a Quicken customer for over 20 years, first with Quicken Classic and for the past 2 years using Q-Simplifi. In that time, I have never had any security issues with the aggregator service Quicken uses to connect to my financial institutions. Doesn't mean it can't happen, just that it hasn't happened in the 2 plus decades I've been a customer.

All of my financial institutions send me a notification when my account with them receives an authorization for a third party to make a connection and have access to my financial data. I received these notifications when I first authorized Q-Simplifi via their aggregator, to connect to my accounts. One of my financial institutions migrated to OAuth 2.0 recently and when I reauthorized access for Q-Simplifi I received notification of that connection within seconds of the connection going live. In addition, I can log into each of my financial institutions, and they provide a list of all my connected apps.

Am I vulnerable? Indeed, I am. But I've been vulnerable to theft and fraud for a long time. But so far, using a variety of security measures including monitoring my financial apps and financial institutions, changing log in credentials routinely, limiting my online exposure, etc. I have not fallen victim to fraud or theft. Again, doesn't mean it won't happen, but so far it hasn't.

The only safe move, I guess, is to create you own budgeting tool with a spreadsheet and download your bank data in a form that can be imported into your spreadsheet. Most spreadsheet programs have enough stuff built into them that you can create whatever kind of budget app you want. This way you alone access your bank data and you alone manage it's use in your spreadsheet. As long as no one figures out how to breach your banks security, your online bank account, your personal computer you will be fine… I guess.

Philk

Thanks @DannyB More great information from a Superuser.

I jumped in on this conversation primarily to find out who the aggregators were, and not so much for the risk of providing my information.

I've been testing a lot of different services, and Simplifi does seem to have their bases covered with respect that all my accounts are pulling data, something Quicken Classic does not do. Apparently, redundancy is effective.

RockLee

@AchaarLonache You're right that you are limited to what kind of authorization you can grant to third parties (for example which accounts are exposed), this is really a bank issue, but it is still read only access. If your OAuth tokens are somehow compromised they cannot be used to start wiring money out of your account. OAuth implementations may also restrict connections to only the authorized institution.

Normally a bank is responsible for account compromises. But, there is a legal grey area with banks that if you simply give out your login credentials to third parties, then a bank may not be liable, and sucks to be you! The Bank can argue that by giving out your login you allow the third party to empty your account.

Some accounts provide third party read only logins which works for me.

Unfortunately, this is all a little tech heavy, and many users (most) won't know the difference between giving their login credentials directly to a third part vs. logging into you bank through OAuth to grant authorization to third parties.

Coach Natalie

Hey everyone, Quicken Simplifi currently uses Intuit for its aggregation. Although we are testing out Plaid and Finicity for dual aggregation, this is very limited at this time.

Our support article here has more info on how Quicken Simplifi connects to your bank: https://help.simplifimoney.com/en/articles/5687989-how-does-quicken-simplifi-connect-to-my-bank

And our support article here has more info on the OAuth API connections: https://help.simplifimoney.com/en/articles/6997452-new-and-improved-way-to-connect-to-your-financial-institution-oauth-api

I hope this helps provide additional insight!

-Coach Natalie

ajbopp

@Coach Natalie "we are testing out Plaid and Finicity for duel aggregation"

This is one of the best typos I have seen in a long time! :) dual

Philk

@Coach Kristina Big fan of your transparency, thank you for the information!

I believe a big reason all my accounts are connecting with Simplifi is due to the use of PLAID, as I have had success with other providers who use PLAID. I also believe a big problem I had with Quicken Classic, was that they were not using PLAID.

Maybe Simplifi could employ multiple Bill Connect providers to aggregate our bills, as that area is woefully inadequate with just Billgo.com/Prism.

Coach Natalie

@ajbopp, lol — thanks!

@Philk, you are set up with Intuit for aggregation in Quicken Simplifi. And I believe they are looking at other Service Providers for Bill Connect due to the inadequacies. 🤞

-Coach Natalie

UrsulaA

Thanks @Coach Natalie for your help.

Also, I wrote to privacy@quicken.com and asked about Quicken's SOC certification. Edgar replied to me confirming Quicken is SOC 2 Certified.

The certification means that the organization has procedures that consider cybersecurity to manage data and protect the interests of both customers and the organization, Quicken.

More info: https://www.forbes.com/sites/forbesbusinesscouncil/2022/09/28/soc-2-certificationthe-everything-guide/?sh=7f38e16f531c

AchaarLonache

So, folks, Plaid is just as bad as everyone else: In many cases they store your actual credentials.

Yes, they pound the 'encryption' issue. They say they encrypt everything. But this is beside the point. It has to be unencrypted to be used. So yes, they may encrypt your credentials while doing nothing. But they have decryption keys to decrypt as needed and those decryption keys can be stolen.

The only way to be secure IS NOT TO GIVE OUT YOUR CREDENTIALS TO THIRD PARTIES AT ALL, whether Plaid, Intuit, or anyone else. It's necessary for those firms to work out OAuth or other arrangements with banks, payment networks, vendors, etc. that allow us (the holders of the accounts) to specify what permissions should be granted.

The security situation is an utter mess, and I know this is not the fault of Simplifi. But all you consumers of Simplifi services need to be aware that any time you give Simplifi you credentials (that is, you are not redirected to the actual bank or other provider to authenticate) YOU ARE HANDING YOUR CREDENTIALS OVER TO A THIRD PARTY to be hacked eventually. (Sooner or later everyone is hacked.)

Richard

UrsulaA

https://community.simplifimoney.com/discussion/comment/22019#Comment_22019

Hi @Coach Natalie - Will we get an update on when an alternate provider for Bill Connect is available on this thread? I bookmarked this thread. Or will the update come along via https://community.simplifimoney.com/categories/updates-from-the-product-team ?

Marc Aronson

A bit aboout me: I just started using Quicken Simplifi about a week ago. I've used both Mint and Quicken Desktop in the past and have been downloading my financial data for over 20 years using either Quicken Desktop or Mint.

The question of security is top of mind for me. When using quicken desktop, I connected all accounts, including brokerage accounts, as the credential were stored on my computer, and I stored all of my Quicken data in a cryptomator-encrypted drive.

So far, I have only connected my checking account and my credit card accounts to Simplifi. I have not connected any of my brokerage accounts, as that is where the majority of my assets are and, like others, I am concerned about security.

I've read the various Simplifi articles referenced earlier in this thread and I've tried connecting Vanguard, Charles Schwab & Fidelity.

My 2 questions are:

1. Based on the nature of the login screens it appears that Simplifi's aggregation partner is storing my username & password for Vanguard. For Charles Schwab & Fidelity it looks like they are using OAuth and never have access to my username & password. Is this correct?
2. Are the OAuth connections restricted to read-only transactions on all financial institutions where Simplifi uses OAuth? If so, who enforces it being read-only — Simplifi or the financial institution? I am trying to understand what the risk is if the OAuth token is someone stolen.

Thank you in advance for any insights that can be provided,

Marc

Coach Natalie

@Marc Aronson, our support article here has the details on how Quicken Simplifi connects with your bank: https://help.simplifimoney.com/en/articles/5687989-how-does-quicken-simplifi-connect-to-my-bank

For the OAuth API connections, I believe we use the bank's-hosted server to connect, so credentials would not be stored by our service provider as stated in the article.

I hope this helps!

-Coach Natalie

AchaarLonache

@Coach Natalie I don't think you're 'getting' the question that @Marc Aronson is asking.

He's asking if the OAuth tokens being generated for Vanguard and Schwab request write access or read-write access. It's something you'll need to check with developers on.

He's worried about a scenario in which, even though Simplifi preaches hard that they don't write to Vanguard, Schwab, etc., write OAuth credentials are issued by the provider, and if compromised could be used by a third party (or by a malicious employee at Simplifi) to write to his accounts, i.e., drain his funds.

(And all those sweet, innocent people who think Simplifi could never do such a thing, please note that I'm not accusing them of anything. Everyone gets rogue employees now and then, and the trick is to construct systems to limit the damage they can do. That's what Marc's question is getting at. And I don't think it's been adequately answered. It may require escalation to the DevOps or Security people. It would be great, once we have an answer, that it was something passed around to coaches generally. Security is super important.)

Coach Natalie

@AchaarLonache, unfortunately, I don't have the answer to your question regarding the OAuth tokens for Vanguard and Schwab having write or read-write access. Since the APIs are developed and managed by the banks themselves, and I'm sure vary from bank to bank, I'd suggest contacting the bank directly with your inquiry.

Sorry for not having a better answer, but I hope this helps!

-Coach Natalie

Marc Aronson

@Coach Natalie, I had already read that article. Unfortunately, it does not clearly answer my question. I will pursue the question with Vanguard.

Can you confirm that I am correct that Simplifi is not currently using oauth authentication for Vanguard, and if that is the case, what the timeline is for doing so? Given Vanguard's market share and the increased security of using oauth vs. collecting usernames and passwords, I am hoping that this already on the roadmap.

@AchaarLonache, your interpretation if my question is correct. I am currently limiting my use of Simplifi to credit card accounts and my checking account, which limits my potential exposure. I have yet to decide if I will use Simplifi in the long-term…

Marc

kai4387

@Marc Aronson It's easy to check for yourself when setting up the sync. If the process takes you to the institution's website and you provide your credentials directly to the institution, it's OAuth.

If you get an "app password" or similar reduced priviledge credentials feature with your institution, your bank provides an official way for aggregators like Simplifi to fetch your data, even though it's not OAuth.

Specifically for Vanguard, when setting up the sync, it explicitly states that it uses Intuit to fetch data and you provide your normal credentials through Simplifi, so Simplifi currently does not use OAuth for Vanguard. AFAIK, Vanguard does not provide OAuth functionality, so Vanguard will have to provide that before Simplifi can do anything.

As an alternative, you could try setting up a separate Vanguard user, grant read-only access to your accounts, and provide Simplifi the credentials of that user. I don't invest with Vanguard so I can't personally try it, but might be worth a shot.

Both OAuth and "app password" access is controlled by the institution providing access. By providing Simplifi a special credential/token for access that is different from your normal credentials, the institution knows that it's a third-party and can provide the exact privileges that the institution intends. For Schwab and Fidelity, they both state that their OAuth third-party access is read-only.

https://www.schwab.com/legal/third-party-terms https://www.fidelity.com/security/fidelity-access-data-security

Marc Aronson

@kai4387, thank you for clearly answering my questions — I very much appreciate it.

I was under the impression that vanguard does have oauth support, but will double-check that.

»For Schwab and Fidelity, they both state that their OAuth third-party access is read-only

Thanks for providing the links. I just read through the Schwab document and I don't see where it states that the API is read-only, but it does contain the following statement:

»Other account details and information, such as routing and account number, data utilized to validate account ownership and move money out of your account or for other account transactions, and investment, checking, and savings account statements

Even if the API is read-only, it looks like the third party now has sufficient information to initiate the movement of money, probably because the data gives them enough knowledge to pass a verification request. Is this how you read it?

To be clear, I am not suggesting the quicken would deliberately move my money. The issue is if someone is hacked are an employee falls victim to an exploit…

Marc

kai4387

@Marc Aronson Schwab doesn't use the specific word "read-only", but they state that the terms is "to allow that Third Party Provider to access and use your Account Information". They do not allow third-parties to perform actions on your account. And yes, I have the same understanding as you do for how the read access could be used to move money out.

The read-only access alone doesn't directly grant others to make actions on your account, but it does provide a way to get through some common protections for linking external accounts like "verify amount of 2 small deposits" since read access includes your account's transaction history. A common question in identity verification process is verifying your mortgage company and monthly payment. Transaction read access could grant an attacker such information. An attacker could possibly open a checking account in your name, link to your account, and do an ACH withdrawal from the fraudulent account with just a little bit more personal info.

One way to defend against these is for institutions to provide more granular permissions like "only allow access to account balance", which will also limit the usefulness of the information. You could consider using one institution that provides all the financial accounts and tools you need so you never have to provide third-party access. Fidelity is actually pretty close to achieving that, although I would hate to have all of my eggs in one basket. The best way would be for institutions to implement a standard API to verify account ownership in a more secure way, but that is not going to happen anytime soon.

But your concern is also valid for any system that you use. Even if you manually enter transaction details into a spreadsheet, your data could be vulnerable from hackers into your PC/mac, rogue employees at your cloud storage provider, the spreadsheet app developer, etc. You have to trust many third-party entities, the institutions themselves, and yourself.

For me personally, a service like Simplifi is a must for keeping track of my money. I also have enough trust in Simplifi that they have decent security practices. I value the convenience of being able to check transactions across all my accounts in one place, and that is worth the trade-off of adding Simplifi into my trust circle. And if not Simplifi, I would just have to trust some other service anyway.

UrsulaA

@kai4387 - your last paragraph outlines my sentiment. I do not have the time to download 10 or so CSV files for my accounts, use Excel to normalize the format, and track items manually. I tried years ago and could not stick with tracking or a budget.

Also, setting up alerts with your banks and brokers helps detect fraud before it gets out of hand. I have alerts set up to let me know about any transaction occurring in my bank, investment accounts (alerts for cash movements), and credit cards. Also, my credit reports have a security freeze and accounts have MFA.

Coach Natalie

@Marc Aronson, I don't see Vanguard listed as one of our OAuth API banks, and we haven't been made aware of any plans to migrate to this type of connection for them. Our list of OAuth API banks can be found here: https://help.simplifimoney.com/en/articles/6997452-new-and-improved-way-to-connect-to-your-financial-institution-oauth-api

-Coach Natalie

Marc Aronson

@kai4387, @UrsulaA and @Coach Natalie, all very helpful information and perspectives, thank you,

Marc

AchaarLonache

@Marc Aronson You were talking about Vanguard and Schwab. I'm looking carefully now at Fidelity's OAuth disclaimer/legal language, and they say Simpifi gets, "Full account number and routing number for your eligible Fidelity accounts in a form that can be used for ACH transactions (electronic debits and credits) to and from your eligible Fidelity account(s)."

WIth Vanguard, as you saw, it's even worse. You have (as far as I can tell) to literally hand over your credentials to Simplifi (via Intuit). That is, you are doing the thing that you are never, ever supposed to do: Give away the keys to your financial kingdom to a third party. Can't imagine anyone with any sense would take on this risk. (Side note: It's lovely that so many people here are so trusting at a time when hacks and breaches are at all-time highs.)

In fairness, to Simplifi, they are fighting an uphill battle with banks, brokers, etc., whose technology base isn't always up to date.

If Intuit and Simplify can apply leverage B2B with firms like Fidelity and Vanguard, what I'd say is: Pressure them to provide truly view-only OAuth credentials that provide data that can't be misused when that inevitable Intuit hack or rogue employee action happens that compromises our credentials. The key isn't to be careful with people's bank and investment account information. The key is simply not to store information that could be misused.