Read-Only or Viewer Access to Bank Accounts
I am evaluating Simplifi.
I want to confirm something and make sure it's not just me. It looks to me that when I add a bank account, it adds that account with full access, including the ability to transfer money in and out.
Is this actually correct?
If so, this is pretty horrific as a default. Risk management people will tell you to go by a principle that IT security calls "least privilege." So we should be able to select what level of privileges we allow explicitly, and if we want view-only or read-only access, that should be an option, probably the default.
It may be that the lack of any ability (that I can see) to do this is the fault of the banks and credit card companies. Their APIs and OAuth setups may not allow it.
If that is the case, some conversations are in order with the banks.
Otherwise, consumers are simply handing over full rights to their bank accounts to Simplifi (or whatever third parties they contract with - and who knows where that leads). This is a horrific default - if my assessment is correct.
If I'm understanding this all wrong, can someone tell me?
Comments
-
@AchaarLonache, thanks for posting your inquiry to the Community!
To clarify, Quicken Simplifi does not currently offer a funds transfer or bill pay service. When you connect to your banks in Quicken Simplifi, you'll just receive transactional and balance data.
I hope this helps!
-Coach Natalie
0 -
Ah, I see what you are saying, and it's correct, I presume - but beside the point.
If I hand over my bank credentials to Simplifi, and they are then passed on to Intuit, Plaid, or some other service, those credentials (even if Simplifi does not use them to post or write transactions) are write credentials and could be used by anyone who happened upon them to initiate transactions.
Think of it this way: If I give my daughter my bank login ID and password, she may agree not to change anything and only look (read-only). But if her boyfriend sees them on a sticky note and takes them home and uses them, he may not have similar scruples. (This is a made-up scenario, of course.). My point is that any time credentials are stored anywhere, they can be hacked. Best practice is never to store them as such, but rather only to store read-only OAuth tokens.
Everyone gets hacked eventually, and the only way to be safe is to make it so write-capable usernames and password are never collected at all. Encryption is irrelevant, because we all know that in order to use the credentials (like if Simplifi wants to sync my bank accounts), the credentials must be decrypted. That is, decryption keys are stored and used. So a hacker potentially can steal those, compromising my credentials.
The right thing to do is never to store the credentials.0 -
Simplifi is working on the following which improves security and reliability. I am aware of the risk using an app like Simplifi brings. I believe that the reward of using the app, including reviewing activity outweighs the risk for me.
Simplifi User Since Nov 2023
Minter 2014-2023
Questionable Excel before 2014 to present
1 -
I keep hearing folks with no apparent risk management or IT security background assure me that it’s fine to be giving my investment and banking credentials out to a third party and that “it’s worth it.” lol. IMHO this is never a super smart idea, even if it’s tempting. No business is safe from hacking. Holding millions of sensitive user credentials creates a super attractive honeypot for bad actors. That’s why one of the most fundamental rules everyone gets in all standard corporate IT training is: Don’t give out your passwords.
0 -
OAuth API does not require a user to share credentials with Simplifi. Most of my banks use OAuth. I believe my risk is OK given the reward of not managing everything manually. To each their own.
Simplifi User Since Nov 2023
Minter 2014-2023
Questionable Excel before 2014 to present
1 -
Right, but not everything used OAuth. And the things that do don't all use read-only credentials.
There are a lot of services that require a password to be stored by the mysterious "aggregator."
0 -
was there ever a resolution to this ? If not I will cancel my membership
0 -
@Sengoku, thanks for posting!
What particularly are you looking for a resolution to? More details on how Quicken Simplifi connects to banks can be found here:
And we also have an article here that goes over the OAuth API banks:
Please let us know so we can best assist!
-Coach Natalie
0 -
@Sengoku The problem here is deep, and it's not truly Simplifi's fault.
For a lot of banks and brokers, there are two ways for you to connect them to your Simplifi app. One is perfectly awful and you should never do it: That is to simply give them your username and password, and hope that there's never a hack or a rogue employee at Intuit (Simplifi's "aggregation partner").
The other way they can do this only works if the bank or broker offers it, and it looks to you pretty much like the first method. One of the complaints I have about Simplifi is, actually, that they aren't clear about when you are using which method.
In any event, that second way of connecting a bank or broker to your Simplifi app is via OAuth. To use OAuth, you go through the same screen with the same warning - the same screen as with method (1) above. But after that you are then redirected to your actual bank or broker, who then lets you log in and grant access. When you use this second method, Simplifi isn't getting your actual username and password. Behind the scenes an OAuth token gets generated. And that token is used, not your username and password.
But here's the kicker: That token may end up granting Simplifi the same privileges as your original username and password. Or it may grant them lesser, "view-only" or "read-only" privileges. That part is up to Simplifi and the bank or broker. In a lot of cases the bank or broker grants Simplifi too many privileges. I was just going through legal language associated with my brokerage, and they say, explicitly, that they grant Simplifi "full account number and routing number for your eligible Fidelity accounts in a form that can be used for ACH transactions (electronic debits and credits) to and from your eligible Fidelity account(s)." I don't have any idea why they couldn't mask this information or use what security people call a "hash."
Anyway, again, this is not all Simplifi's fault. It's a problem that's endemic within the financial industry. The best we can hope for is that Simplifi exerts some pressure on banks and brokers to clean up their acts and reduce privileges they grant to the minimum needed in order for the app to work.
I don't understand why risk management staff and regulators haven't been all over this.0 -
Seems to me the best solution to your concerns is to not use any service that does not meet your security requirements. I don’t think harping on this community forum will solve your deep concerns. If you are truly serious about your digital security concerns I suspect you shouldn’t be using any electronic or digital banking period. You should do all your banking and investing first hand with your banks and brokers. Hope that helps.
Danny
Simplifi user since 01/22
”Budget: a mathematical confirmation of your suspicions.” ~A.A. Latimer2 -
Generally, If you choose to use a financial software like Simplifi - or any online software - you have to trust that they’re working toward securing your data as best they can. If you don’t trust that, then don’t hand over your credentials and just expect to do things manually. That’s the only real option you have. Right now, I have six (6) notice of ‘data breach letters’ that I’m not sure what to do with short of changing passwords - not blaming Simplifi; none are from them - just goes with living in today’s hyper complex world. The best I can hope for is to wait impatiently for the technology, security options, and security providers to catch up. Yes OAuth will help, but complaining won’t get Simplifi to move any faster.
@AchaarLonache , you made a great point that “Anyway, again, this is not all Simplifi's fault. It's a problem that's endemic within the financial industry.”
Simplifi’s bit is to constantly be trying to improve connections to make them faster and more secure…I see them doing that. Sure, there’s still work to do.
Chris
Spreadsheet user since forever.
Quicken Desktop user since 2014.
Quicken Simplifi user since 2021.1