Using PersonalCapital, Mint, etc.... - and fraud concerns

LarryAllen
Posts: 1131
Joined: Fri Apr 22, 2016 9:41 am
Location: State of Confusion

Using PersonalCapital, Mint, etc.... - and fraud concerns

Post by LarryAllen » Tue Oct 31, 2017 1:36 pm

The ongoing thread where the person's dad lost the $50k IRA to fraudsters has got me investigating more into the subject of what protections different financial institutions have for these types of thefts. The ones I have do say they protect you but do indicate if you give your password out and it's the cause of the theft no coverage. Doing more research on this I do have concerns about using PC, Mint, etc... and I love PersonalCapital but I am now feeling reluctant. I found an article that talked about this issue and even has quotes from major banks. I am definitely thinking I might delete my PC account and change all my passwords. Overreaction?

Here's the article and then a few quotes: http://blog.credit.com/2015/06/should-y ... pp-119440/

CHASE:
“If you give out your chase.com User ID and Password, you are putting your money at risk,” says a page titled Guard Your ID and Password. “Some websites and software offer tools to help you with budgeting, managing accounts, investing, or even doing your taxes. But if you’re giving them your chase.com User ID and Password, you could be responsible for money you might lose as a result.”

CAP ONE:
“Sharing your Capital One access credentials (with third parties) may represent a breach by you of applicable [agreement or terms and conditions],” it reads. “One of the reasons that Capital One prohibits this type of sharing is that we may not have any information regarding the use of or security environment around this sensitive information at any third party. If you choose to share account access information with a third party, Capital One is not liable for any resulting damages or losses.”

letsgobobby
Posts: 11675
Joined: Fri Sep 18, 2009 1:10 am

Re: Using PersonalCapital, Mint, etc.... - and fraud concerns

Post by letsgobobby » Tue Oct 31, 2017 2:30 pm

This is the primary reason I don’t use an aggregator. I don’t want to give an institution any additional excuses to not make me whole.

Ice-9
Posts: 1338
Joined: Wed Oct 15, 2008 12:40 pm
Location: Rockville, MD

Re: Using PersonalCapital, Mint, etc.... - and fraud concerns

Post by Ice-9 » Tue Oct 31, 2017 2:36 pm

LarryAllen wrote:
Tue Oct 31, 2017 1:36 pm
CAP ONE:
“Sharing your Capital One access credentials (with third parties) may represent a breach by you of applicable [agreement or terms and conditions],” it reads. “One of the reasons that Capital One prohibits this type of sharing is that we may not have any information regarding the use of or security environment around this sensitive information at any third party. If you choose to share account access information with a third party, Capital One is not liable for any resulting damages or losses.”
Capital One is one of the companies that actually provide a special access code to provide third party software such as Personal Capital instead of your username and password. I'm guessing using the access code instead of login credentials might be an exception for them?

student
Posts: 2672
Joined: Fri Apr 03, 2015 6:58 am

Re: Using PersonalCapital, Mint, etc.... - and fraud concerns

Post by student » Tue Oct 31, 2017 2:39 pm

I used Personal Capital but I do not use their aggregator. I enter the info myself. Also there is no need to enter the correct info. If you do not want them to know you have $500,000, just divide all values by 10.

MittensMoney
Posts: 113
Joined: Mon Dec 07, 2015 10:59 pm

Re: Using PersonalCapital, Mint, etc.... - and fraud concerns

Post by MittensMoney » Tue Oct 31, 2017 2:43 pm

You're at far greater risk of fraud logging in via your browser every time you want to check. Account theft happens via key loggers, so logging in to an App is better than typing in your credentials on your bank's website.

open_circuit
Posts: 228
Joined: Thu Mar 30, 2017 9:20 am

Re: Using PersonalCapital, Mint, etc.... - and fraud concerns

Post by open_circuit » Tue Oct 31, 2017 2:50 pm

LarryAllen wrote:
Tue Oct 31, 2017 1:36 pm
I am definitely thinking I might delete my PC account and change all my passwords. Overreaction?
I have never enrolled at any of the aggregation websites for this reason. I won't share or store my passwords online, anywhere.

LarryAllen
Posts: 1131
Joined: Fri Apr 22, 2016 9:41 am
Location: State of Confusion

Re: Using PersonalCapital, Mint, etc.... - and fraud concerns

Post by LarryAllen » Tue Oct 31, 2017 2:55 pm

MittensMoney wrote:
Tue Oct 31, 2017 2:43 pm
You're at far greater risk of fraud logging in via your browser every time you want to check. Account theft happens via key loggers, so logging in to an App is better than typing in your credentials on your bank's website.
That's a great consideration but if my $3m account is stolen and it's shown to be because someone broke into Mint or PC I am not thinking I would sleep very well based on the bank's stated rules. If a keylogger gets in I feel I have a better chance of being made whole. Definitely two sides to consider here. Good input. Thank you. I should add that I love PC but it's definitely food for thought.

overthought
Posts: 203
Joined: Tue Oct 17, 2017 3:44 am

Re: Using PersonalCapital, Mint, etc.... - and fraud concerns

Post by overthought » Tue Oct 31, 2017 2:57 pm

I briefly tried out SigFig, based on claims that they were using a special secure API to access TD Ameritrade accounts, and that I only needed to type in my TDA password for it to perform the initial account linking. Their security page also claims that this is a one-time event, but when I changed my password a few minutes later it was no longer able to sync. A long phone call with TDA confirmed that nobody on their side knew about any relationship with SigFig or any special API for non-institutional accounts. An email to SigFig's support account for security questions dated 11 Jul went unanswered, as did the follow-up email 6 Aug.

As far as I can tell, they just store your password and impersonate you with full capabilities, which would be a really blindingly bad idea to trust, given the massive web site security breaches we keep hearing about.

Based on that experience, I will never give out my login credentials again, because they carry the keys to the kingdom. If the broker has a way for me to give third parties a read-only token (like apparently Capital One does), that's a different matter. At least I only have to worry about privacy at that point, rather than security (presumably the broker would take responsibility for any exploit based on a public read-only API intended for use by third parties).
Last edited by overthought on Tue Oct 31, 2017 3:08 pm, edited 2 times in total.

jlcnuke
Posts: 434
Joined: Thu Mar 16, 2017 10:26 am

Re: Using PersonalCapital, Mint, etc.... - and fraud concerns

Post by jlcnuke » Tue Oct 31, 2017 2:58 pm

If you choose to share account access information with a third party, Capital One is not liable for any resulting damages or losses
I would guess that someone hacking your accounts and taking money "because you gave an aggregation website your login info" would be the only time most would be able to make you liable for the losses. Of course, that's the "bank's" stated policy (and may not match what they would actually do if such a thing happened) and it may or may not represent the FDIC etc policies. I'm personally not worried about it as I've yet to hear of any case where someone used such a service, had their money stolen, and was unable to get their money back as a result of sharing their login info with such sites. I would expect that if any such thing actually happened it would have made the news and we would have heard about it by now. Quicken, Mint, etc have been around and doing this since the dawn of online banking and I've heard zero warnings from any reliable source to date telling me that it isn't safe to do so.

travellight
Posts: 2781
Joined: Tue Aug 12, 2008 5:52 pm
Location: San Diego

Re: Using PersonalCapital, Mint, etc.... - and fraud concerns

Post by travellight » Tue Oct 31, 2017 3:34 pm

As one data point, I use Mint and had two events several years ago in two different bank accounts where fraudulent activity took place; basically, funds were moved from my bank account to some credit card account the fraudsters used. The amounts were $12,000 to $20,000. The recipient credit card company took care of it right away and made me whole within a day.

furwut
Posts: 1348
Joined: Tue Jun 05, 2012 8:54 pm

Re: Using PersonalCapital, Mint, etc.... - and fraud concerns

Post by furwut » Tue Oct 31, 2017 3:51 pm

Banks can easily mitigate the risk by providing read-only passcodes for account holders to share. One reason they don't, though, is they would rather you come to their site or use their app rather than a 3rd party service - all the better to sell you other products.

I think some of the reason banks issue warnings on this regard is to keep customers corralled.

NewPhoneWhoDis
Posts: 40
Joined: Thu Sep 28, 2017 3:59 pm

Re: Using PersonalCapital, Mint, etc.... - and fraud concerns

Post by NewPhoneWhoDis » Tue Oct 31, 2017 3:58 pm

As long as the accounts that you provided access to the aggregator for were personal transaction accounts (checking, savings etc), you would be covered under Regulation E and as long as you notified the bank of the fraud within the prescribed timeframe, the most you could be liable for is $50.

They can put whatever they want in their contracts but when it comes down to federal regulations, we all know who wins.

furwut
Posts: 1348
Joined: Tue Jun 05, 2012 8:54 pm

Re: Using PersonalCapital, Mint, etc.... - and fraud concerns

Post by furwut » Tue Oct 31, 2017 4:04 pm

LarryAllen wrote:
Tue Oct 31, 2017 2:55 pm
MittensMoney wrote:
Tue Oct 31, 2017 2:43 pm
You're at far greater risk of fraud logging in via your browser every time you want to check. Account theft happens via key loggers, so logging in to an App is better than typing in your credentials on your bank's website.
That's a great consideration but if my $3m account is stolen and it's shown to be because someone broke into Mint or PC I am not thinking I would sleep very well based on the bank's stated rules. If a keylogger gets in I feel I have a better chance of being made whole. Definitely two sides to consider here. Good input. Thank you. I should add that I love PC but it's definitely food for thought.
Good Link OP - but since the article you linked also says the consumer is protected (we think :) ) no matter the cause of the negligence it shouldn't matter how your account was hacked. But even if it did, say, I think it would still be up to the bank to prove it was a specific not covered negligence and few hackers leave a calling card saying exactly how they did it.

Jags4186
Posts: 2631
Joined: Wed Jun 18, 2014 7:12 pm

Re: Using PersonalCapital, Mint, etc.... - and fraud concerns

Post by Jags4186 » Tue Oct 31, 2017 4:06 pm

If anything Mint/PC helps you prevent fraud. I can see all of my accounts in 1 spot and transactions as they happen. If anything pops up I don’t know about I know about it immediately...not in 3 weeks when my statement shows up. This is especially important if you are into credit card/bank account/brokerage account churning. I have dozens and dozens of accounts that I need to keep track of. Having them all in one spot greatly simplifies my life.

Meg77
Posts: 2420
Joined: Fri May 22, 2009 1:09 pm
Location: Dallas, TX

Re: Using PersonalCapital, Mint, etc.... - and fraud concerns

Post by Meg77 » Tue Oct 31, 2017 4:07 pm

I imagine the banks would have a hard time refusing to deal with any problems arising from hackers to third party sites since they give those sites authorization to pull data. They don't have to do so - and not all do. My husband's 401k plan for example blocks access to Mint and PC and probably all other aggregators (which is super annoying since I can sync all our accounts except for that one, significant one).

However, there's only so much damage a hacker would be able to do even IF the aggregators saved unencrypted password data (which they say they don't) and even IF hackers got in and found it. You can't wire money from a financial institution without verbal authorizations, which will be done using the phone numbers on file. ACH transfers and other "popmoney" type transactions have relatively small daily dollar limits. Also any contact info changes as well as any transfers or beneficiary changes will generate notifications to your email and home address on file.

My biggest fear would be hackers simply wiping out data at Vanguard or other major institutions such that all account balances suddenly read $0. Informational warfare, if you will. But that's not something the use of my password or account info would enable.
"An investment in knowledge pays the best interest." - Benjamin Franklin

furwut
Posts: 1348
Joined: Tue Jun 05, 2012 8:54 pm

Re: Using PersonalCapital, Mint, etc.... - and fraud concerns

Post by furwut » Tue Oct 31, 2017 4:11 pm

Jags4186 wrote:
Tue Oct 31, 2017 4:06 pm
If anything Mint/PC helps you prevent fraud. I can see all of my accounts in 1 spot and transactions as they happen. If anything pops up I don’t know about I know about it immediately...not in 3 weeks when my statement shows up. This is especially important if you are into credit card/bank account/brokerage account churning. I have dozens and dozens of accounts that I need to keep track of. Having them all in one spot greatly simplifies my life.
That was the reason I got started on Mint. But nowadays I find most banks offer some pretty compelling alert settings and I now rely on those, and not Mint, to catch any incipient fraud.

financeguy88
Posts: 57
Joined: Thu Feb 23, 2017 3:58 pm

Re: Using PersonalCapital, Mint, etc.... - and fraud concerns

Post by financeguy88 » Tue Oct 31, 2017 4:17 pm

Meg77 wrote:
Tue Oct 31, 2017 4:07 pm
I imagine the banks would have a hard time refusing to deal with any problems arising from hackers to third party sites since they give those sites authorization to pull data. They don't have to do so - and not all do. My husband's 401k plan for example blocks access to Mint and PC and probably all other aggregators (which is super annoying since I can sync all our accounts except for that one, significant one).

However, there's only so much damage a hacker would be able to do even IF the aggregators saved unencrypted password data (which they say they don't) and even IF hackers got in and found it. You can't wire money from a financial institution without verbal authorizations, which will be done using the phone numbers on file. ACH transfers and other "popmoney" type transactions have relatively small daily dollar limits. Also any contact info changes as well as any transfers or beneficiary changes will generate notifications to your email and home address on file.

My biggest fear would be hackers simply wiping out data at Vanguard or other major institutions such that all account balances suddenly read $0. Informational warfare, if you will. But that's not something the use of my password or account info would enable.
My banks don't require verbal authorization but you do need a full debit card number and last 4 digits of social to send a wire. My main defense beyond this is that I don't keep that much percentage of my assets in one bank or brokerage so while it'd suck if a hacker drained the funds from an account it wouldn't wipe me out.

munemaker
Posts: 3578
Joined: Sat Jan 18, 2014 6:14 pm

Re: Using PersonalCapital, Mint, etc.... - and fraud concerns

Post by munemaker » Tue Oct 31, 2017 5:07 pm

I have never heard of fraud related to any of the aggregators.

sleepysurf
Posts: 176
Joined: Sat Nov 23, 2013 6:59 am
Location: Florida

Re: Using PersonalCapital, Mint, etc.... - and fraud concerns

Post by sleepysurf » Tue Oct 31, 2017 6:40 pm

I posted this link re Personal Capital security measures in a previous thread... https://www.personalcapital.com/financi ... e/security

Personally, I feel MORE secure using Personal Capital/Yodlee for account aggregation, as I've enabled 2 factor authentication, and opted in for their daily email summary of ALL transactions.
Retired 2018 | ~50/45/5 (partially sliced and diced)

letsgobobby
Posts: 11675
Joined: Fri Sep 18, 2009 1:10 am

Re: Using PersonalCapital, Mint, etc.... - and fraud concerns

Post by letsgobobby » Tue Oct 31, 2017 10:04 pm

Meg77 wrote:
Tue Oct 31, 2017 4:07 pm
I imagine the banks would have a hard time refusing to deal with any problems arising from hackers to third party sites since they give those sites authorization to pull data. They don't have to do so - and not all do. My husband's 401k plan for example blocks access to Mint and PC and probably all other aggregators (which is super annoying since I can sync all our accounts except for that one, significant one).

However, there's only so much damage a hacker would be able to do even IF the aggregators saved unencrypted password data (which they say they don't) and even IF hackers got in and found it. You can't wire money from a financial institution without verbal authorizations, which will be done using the phone numbers on file. ACH transfers and other "popmoney" type transactions have relatively small daily dollar limits. Also any contact info changes as well as any transfers or beneficiary changes will generate notifications to your email and home address on file.

My biggest fear would be hackers simply wiping out data at Vanguard or other major institutions such that all account balances suddenly read $0. Informational warfare, if you will. But that's not something the use of my password or account info would enable.
Let's say I log into my own personal Vanguard account and want to take money out. What limits would be placed on me? I'm in the accumulation stage so withdrawing large sums is not something I do regularly, but last year I transferred over $100,000 to my bank account to buy a home. It didn't involve a wire and no phone call was required. It's possible your definition of "relatively small daily dollar limits" and mine are very different.

Meg77
Posts: 2420
Joined: Fri May 22, 2009 1:09 pm
Location: Dallas, TX

Re: Using PersonalCapital, Mint, etc.... - and fraud concerns

Post by Meg77 » Wed Nov 01, 2017 1:58 pm

letsgobobby wrote:
Tue Oct 31, 2017 10:04 pm
Meg77 wrote:
Tue Oct 31, 2017 4:07 pm
I imagine the banks would have a hard time refusing to deal with any problems arising from hackers to third party sites since they give those sites authorization to pull data. They don't have to do so - and not all do. My husband's 401k plan for example blocks access to Mint and PC and probably all other aggregators (which is super annoying since I can sync all our accounts except for that one, significant one).

However, there's only so much damage a hacker would be able to do even IF the aggregators saved unencrypted password data (which they say they don't) and even IF hackers got in and found it. You can't wire money from a financial institution without verbal authorizations, which will be done using the phone numbers on file. ACH transfers and other "popmoney" type transactions have relatively small daily dollar limits. Also any contact info changes as well as any transfers or beneficiary changes will generate notifications to your email and home address on file.

My biggest fear would be hackers simply wiping out data at Vanguard or other major institutions such that all account balances suddenly read $0. Informational warfare, if you will. But that's not something the use of my password or account info would enable.
Let's say I log into my own personal Vanguard account and want to take money out. What limits would be placed on me? I'm in the accumulation stage so withdrawing large sums is not something I do regularly, but last year I transferred over $100,000 to my bank account to buy a home. It didn't involve a wire and no phone call was required. It's possible your definition of "relatively small daily dollar limits" and mine are very different.
I was referring to small bank transfers where you can send money via email/text without any other confirmations. Usually those limits are $500-$1500 per day or maybe $2500 for a commercial checking account, specifically to limit fraud.

With Vanguard you can make larger transfers to your bank account without going through a formal wire process, but only if that account has been connected and verified previously. If a hacker were to login and wanted to get your money, he or she would have to add a new bank account and transfer the funds there - or change the address and request a check to be mailed there. Any sort of change like that requires a verification process which involves emailing you (the account owner) - and waiting a couple of days to get the confirmation small deposits or whatever other authentication method. So presumably you'd have time to sound the alarm unless you just missed the alerts.
"An investment in knowledge pays the best interest." - Benjamin Franklin

Explorer
Posts: 137
Joined: Thu Oct 13, 2016 7:54 pm

Re: Using PersonalCapital, Mint, etc.... - and fraud concerns

Post by Explorer » Wed Nov 01, 2017 6:54 pm

Personal Capital's 2 factor authentication is a great way to shoo off imposters. They ask for a code, a name of the computer you are using and a password (is it really 3 factor then? :confused ). And you can see which computer names have access to your account.

So PC seems to guard against the obvious things.

NOW..if someone hacks into their internal database (somehow) and gets into Yodlee to get your credentials.. the brokerages will have their own 'screening' of where money is getting transferred. It has to be to an existing address or an existing account. If a new account is created, you will get an email.

I feel reasonably safe in this electronic world.

I do not link my bank accounts but only my brokerage accounts in PC for this reason.

donfairplay
Posts: 146
Joined: Mon Oct 06, 2008 8:16 pm

Re: Using PersonalCapital, Mint, etc.... - and fraud concerns

Post by donfairplay » Wed Nov 01, 2017 9:23 pm

Y'all are aware that Quicken also counts as an aggregator, just like Personal Capital and Mint, right?

You pays your monies, you takes your chances.
You shares your bank password with computer software or financial cloud aggregators, you takes your chances.

Spreadsheets may come back in vogue any day now.

StlJohn
Posts: 4
Joined: Tue Feb 20, 2018 9:02 pm

Re: Using PersonalCapital, Mint, etc.... - and fraud concerns

Post by StlJohn » Tue Feb 20, 2018 9:19 pm

Here is my experience with Personal Capital over the last 14 months. My greatest concern is their apparent failure to protect my login credentials. In short:

> On 2016-12-12, I removed my credit union from the Personal Capital system because failed attempts by Personal Capital/Yodlee caused me to be locked out of my credit union account. Yes, 14 months ago in 2016.

> On 2016-12-15, Yodlee kept trying to access my credit union, I contacted Personal Capital and the logon attempts ceased.

> On 2018-02-15, FOURTEEN MONTHS after I deleted the account from Personal Capital, Yodlee again attempted to logon to my credit union. My credit union logs showed the attempt came from a Yodlee IP address.

> On or about 2018-02-18, after nightmarish attempts to get through to Personal Capital or Yodlee personnel who gave a damn--without my request or permission--Personal Capital deleted my ability to logon to their system. The last communication from them was from James, Feb 16, 5:53 PM PST:

"Hello John,
We have double checked all our databases and did not find any trace of those accounts outside of logs showing the deletion of the accounts with xxxxx Credit Union and we are following up with our aggregation partner, Yodlee to obtain an explanation. "

That is it. I was hoping to get assurance that Yodlee has made sure my credentials and all my financial information was removed. It looks like that is not happening.

User beware. This whole event calls into question the privacy of all of your financial information--any user IDs and passwords you may have shared with Personal Capital may not be protected.

I have all the emails and screen shots for anyone who is interested.

anonymoustycoon
Posts: 7
Joined: Thu May 31, 2018 9:54 pm

Re: Using PersonalCapital, Mint, etc.... - and fraud concerns

Post by anonymoustycoon » Sat Jun 02, 2018 5:41 pm

StlJohn wrote:
Tue Feb 20, 2018 9:19 pm
User beware. This whole event calls into question the privacy of all of your financial information--any user IDs and passwords you may have shared with Personal Capital may not be protected.
Any updates since then StlJohn?

arf30
Posts: 326
Joined: Sat Dec 28, 2013 11:55 am

Re: Using PersonalCapital, Mint, etc.... - and fraud concerns

Post by arf30 » Sat Jun 02, 2018 6:43 pm

Mint/Yodlee doesn't store your user and password. They use it to authenticate once, then generate a token which is then stored and used to pull future transactions.
Last edited by arf30 on Sat Jun 02, 2018 10:52 pm, edited 1 time in total.

MnD
Posts: 3805
Joined: Mon Jan 14, 2008 12:41 pm

Re: Using PersonalCapital, Mint, etc.... - and fraud concerns

Post by MnD » Sat Jun 02, 2018 9:02 pm

This is like item 5001 on my ranked list of 5000 things to worry about.

Pete3
Posts: 57
Joined: Thu Jul 01, 2010 12:10 pm

Re: Using PersonalCapital, Mint, etc.... - and fraud concerns

Post by Pete3 » Mon Jun 04, 2018 9:31 am

arf30 wrote:
Sat Jun 02, 2018 6:43 pm
Mint/Yodlee doesn't store your user and password. They use it to authenticate once, then generate a token which is then stored and used to pull future transactions.
This has never been my experience - if that were true then you could change your password after they had performed their first sync and it would still work which is not the case.

arf30
Posts: 326
Joined: Sat Dec 28, 2013 11:55 am

Re: Using PersonalCapital, Mint, etc.... - and fraud concerns

Post by arf30 » Mon Jun 04, 2018 10:11 am

Pete3 wrote:
Mon Jun 04, 2018 9:31 am
arf30 wrote:
Sat Jun 02, 2018 6:43 pm
Mint/Yodlee doesn't store your user and password. They use it to authenticate once, then generate a token which is then stored and used to pull future transactions.
This has never been my experience - if that were true then you could change your password after they had performed their first sync and it would still work which is not the case.
That's because it invalidates the token.

Pete3
Posts: 57
Joined: Thu Jul 01, 2010 12:10 pm

Re: Using PersonalCapital, Mint, etc.... - and fraud concerns

Post by Pete3 » Mon Jun 04, 2018 10:41 am

arf30 wrote:
Mon Jun 04, 2018 10:11 am
Pete3 wrote:
Mon Jun 04, 2018 9:31 am
arf30 wrote:
Sat Jun 02, 2018 6:43 pm
Mint/Yodlee doesn't store your user and password. They use it to authenticate once, then generate a token which is then stored and used to pull future transactions.
This has never been my experience - if that were true then you could change your password after they had performed their first sync and it would still work which is not the case.
That's because it invalidates the token.
Well I know for a fact that they store your username, I switched to PC a while ago but as I recall you could also view your account passwords in Yodlee (you were required to re-enter your Yodlee password to do this) but it's been at least a year since I stopped using so maybe that isn't the case anymore - but they were definitely storing the actual passwords in the past.

Technically I don't see how they could only store a generated token that would work unless the financial institution in question supported it via an API which not all would.
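
An added example, not part of any post in this thread and not any bank's or aggregator's real code: a minimal Python model of the two linking designs debated above by overthought, arf30 and Pete3 (an aggregator that keeps the password versus one that holds a bank-issued read-only token). The `Bank` class, its methods, the aggregator classes and the passwords are all constructed assumptions; the model shows that a sync breaking after a password change is consistent with either design, while the ability to move money is what actually differs.

```python
import hashlib
import hmac
import secrets


class AccessDenied(Exception):
    pass


class Bank:
    """Constructed single-account bank model; not any real institution's API."""

    def __init__(self, revoke_tokens_on_password_change):
        self.revoke_on_change = revoke_tokens_on_password_change
        self.salt = secrets.token_bytes(16)
        self.pw_hash = b""
        self.balance = 1000
        self.tokens = {}  # sha256(token) -> scope; the raw token is never stored

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def set_password(self, password):
        self.pw_hash = self._hash(password)
        if self.revoke_on_change:
            self.tokens.clear()  # policy choice: a password change kills delegated access

    def login(self, password):
        if not hmac.compare_digest(self._hash(password), self.pw_hash):
            raise AccessDenied("bad password")
        return {"scope": "full"}  # the password carries every capability

    def issue_read_only_token(self, password):
        self.login(password)  # the owner proves identity once, at linking time
        token = secrets.token_urlsafe(32)
        self.tokens[hashlib.sha256(token.encode()).hexdigest()] = "read"
        return token

    def session_from_token(self, token):
        scope = self.tokens.get(hashlib.sha256(token.encode()).hexdigest())
        if scope is None:
            raise AccessDenied("unknown or revoked token")
        return {"scope": scope}

    def read_balance(self, session):
        if session["scope"] not in ("read", "full"):
            raise AccessDenied("no read scope")
        return self.balance

    def transfer_out(self, session, amount):
        if session["scope"] != "full":
            raise AccessDenied("token is read-only")
        self.balance -= amount
        return self.balance


class PasswordAggregator:
    """Hypothetical aggregator that keeps the password and logs in as the owner."""

    def __init__(self, password):
        self.stored_password = password

    def session(self, bank):
        return bank.login(self.stored_password)


class TokenAggregator:
    """Hypothetical aggregator that sees the password once and keeps only a token."""

    def __init__(self, bank, password):
        self.token = bank.issue_read_only_token(password)

    def session(self, bank):
        return bank.session_from_token(self.token)


def allowed(action):
    try:
        action()
        return True
    except AccessDenied:
        return False


def run_scenario(revoke_tokens_on_password_change):
    bank = Bank(revoke_tokens_on_password_change)
    bank.set_password("old-pass-constructed")
    scraper = PasswordAggregator("old-pass-constructed")
    tokened = TokenAggregator(bank, "old-pass-constructed")
    result = {
        "password_agg_can_transfer": allowed(lambda: bank.transfer_out(scraper.session(bank), 1)),
        "token_agg_can_transfer": allowed(lambda: bank.transfer_out(tokened.session(bank), 1)),
        "token_agg_can_read": allowed(lambda: bank.read_balance(tokened.session(bank))),
    }
    bank.set_password("new-pass-constructed")  # the owner changes the password
    result["password_agg_syncs_after_change"] = allowed(lambda: bank.read_balance(scraper.session(bank)))
    result["token_agg_syncs_after_change"] = allowed(lambda: bank.read_balance(tokened.session(bank)))
    return result


if __name__ == "__main__":
    for policy in (True, False):
        print("revoke tokens on password change =", policy, run_scenario(policy))
```

With the revoke-on-change policy both aggregators stop syncing after the password change, so that test alone cannot tell the designs apart; the scope check on `transfer_out` is the property that limits damage if the aggregator is breached.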

lazydavid
Posts: 1887
Joined: Wed Apr 06, 2016 1:37 pm

Re: Using PersonalCapital, Mint, etc.... - and fraud concerns

Post by lazydavid » Mon Jun 04, 2018 12:59 pm

Meg77 wrote:
Tue Oct 31, 2017 4:07 pm
You can't wire money from a financial institution without verbal authorizations, which will be done using the phone numbers on file. ACH transfers and other "popmoney" type transactions have relatively small daily dollar limits.
None of this is true. I transfer money between accounts all the time without any sort of verbal authorization, including immediately after adding an account. I have done so using wires on occasion, but typically avoid it due to the fee. And I don't know what your definition of "small" is, but my employer, which is not a bank, regularly transfers hundreds of millions of dollars per day via ACH. This includes hundreds, sometimes thousands of transactions against individual customer accounts that are in multiple hundred-thousand-dollar increments.

MrBeaver
Posts: 240
Joined: Tue Nov 14, 2017 4:45 pm

Re: Using PersonalCapital, Mint, etc.... - and fraud concerns

Post by MrBeaver » Mon Jun 04, 2018 1:43 pm

I used to have my Vanguard account connected to a company who used Finicity's aggregator. Vanguard suddenly stopped my online account access. When calling them, their fraud department finally got back to me several days later and claimed they had shut down my access due to 'suspicious activity' they detected. It sounded like they profile the login/pageview/logout statistics for aggregators based on source IP and if the behavior deviates too far from their experienced behavior from known aggregators, they may shut off online access to your account. All told, I was without online access for a couple of weeks while they investigated, and I shut down that aggregator's access as a result of this incident. There were no transactions during this period.

My impression is that the financial institutions have created this problem themselves by delaying or refusing to actually develop secure, read-only APIs because they recognize customer data is getting increasingly monetized and don't want to 'give away information for free' that they might be able to earn money from in the future. Periodically, there is a new government or industry initiative to get financial institutions on board with providing limited-functionality access through APIs, but to my knowledge they have all fizzled out. This looks like the latest one that will likely be defunct within two years:
https://www.sifma.org/resources/news/si ... heir-data/

Can you tell I'm a little bitter in this regard?

afan
Posts: 3923
Joined: Sun Jul 25, 2010 4:01 pm

Re: Using PersonalCapital, Mint, etc.... - and fraud concerns

Post by afan » Mon Jun 04, 2018 4:13 pm

I cannot imagine using an aggregator. I don't see any value and there are lots of downsides.
If I really wanted to be able to see all my assets in one place, I would put them all with one company.
I don't do that because I don't want one security breach to put all my money at risk.

I log on and get total values and enter them into a spreadsheet on my computer. I do this 1-4 times per year. Since everything is in broad market index funds, knowing what has been happening to the market from listening to the news tells me what has happened to my investments. More precision than that only comes up when I check the need to rebalance. That is the only reason I check as often as I do but I actually rebalance rarely.
We don't know how to beat the market on a risk-adjusted basis, and we don't know anyone that does know either | --Swedroe | We assume that markets are efficient, that prices are right | --Fama

Pete3
Posts: 57
Joined: Thu Jul 01, 2010 12:10 pm

Re: Using PersonalCapital, Mint, etc.... - and fraud concerns

Post by Pete3 » Mon Jun 04, 2018 5:33 pm

afan wrote:
Mon Jun 04, 2018 4:13 pm
I cannot imagine using an aggregator. I don't see any value and there are lots of downsides.
If I really wanted to be able to see all my assets in one place, I would put them all with one company.
I don't do that because I don't want one security breach to put all my money at risk.

I log on and get total values and enter them into a spreadsheet on my computer. I do this 1-4 times per year. Since everything is in broad market index funds, knowing what has been happening to the market from listening to the news tells me what has happened to my investments. More precision than that only comes up when I check the need to rebalance. That is the only reason I check as often as I do but I actually rebalance rarely.
Aggregators can do more than just investment accounts, they can also consolidate bank accounts, credit card accounts, mortgage, utilities, reward accounts - it lets you look at transactions across all your accounts in one place.

munemaker
Posts: 3578
Joined: Sat Jan 18, 2014 6:14 pm

Re: Using PersonalCapital, Mint, etc.... - and fraud concerns

Post by munemaker » Mon Jun 04, 2018 5:49 pm

MrBeaver wrote:
Mon Jun 04, 2018 1:43 pm
All told, I was without online access for a couple of weeks while they investigated, and I shut down that aggregator's access as a result of this incident.
...
Can you tell I'm a little bitter in this regard?
That's exactly the time I would have called and threatened to move my account to Fidelity, and if they did not immediately restore my account, I would have followed through.

I have told Vanguard this on more than one occasion: I don't feel like they are trying to make things easier for me. I feel like they make things more difficult.

tractorguy
Posts: 634
Joined: Wed May 19, 2010 6:32 pm
Location: Chicago Suburb

Re: Using PersonalCapital, Mint, etc.... - and fraud concerns

Post by tractorguy » Tue Jun 05, 2018 9:45 am

I have been using an aggregator (Quicken) for decades and have never heard of a case where customers' accounts were hacked as a result of data being leaked out of any aggregator. It sounds to me that with some aggregators and some login methods, the potential exists, but I'm cynical and believe that the banks are making a mountain out of a molehill of an issue because they realize that they can monetize the information that the aggregators collect. I did a Google search for Chase and Mint and found that as of Jan 2017, Chase and Quicken had reached a deal that allowed Mint to access Chase accounts using a "new" secure method in return for Intuit agreeing that they would never sell the data they pull from Chase. Other Google hits indicate that the new method was being rolled out in late 2017 to early 2018.

I am not a lawyer, but based on a few interactions with attorneys on corporate liability cases, I think the attorneys representing a customer who was not reimbursed for fraud would have a field day in court when questioning the representative from the financial institution. The questions would go something like: "Mr. Fat Cat Bank representative - you say that allowing Mint to access my customer's account invalidates his right to recompense. However, isn't it true that your web site gives documentation on how to connect? Can you prove that the hackers who stole his money got their information from Mint? My client is asking for 10X the money stolen as recompense for the pain and suffering caused by him not being able to meet his financial obligations. This is only $x,000,000. How many billions of dollars profit do you estimate that your bank made last year?" IMOP, if it went to trial, it would be very hard for any financial institution to convince most juries that they shouldn't pay up.
Lorne

bironology
Posts: 121
Joined: Sun Nov 08, 2015 6:18 pm

Re: Using PersonalCapital, Mint, etc.... - and fraud concerns

Post by bironology » Thu Jun 07, 2018 5:06 am

I deleted my PC account today.

1) Passwords are definitely stored in some cases. Not for large banks that support standards like SAML and OATH, but smaller ones, almost certainly; the crudeness by which they scrape your data is 1995 technology.

2) I was always concerned not so much about the risk of an actual hack because of #1, but because of the liability language my financial institutions have regarding this scenario.

3) I'm tired of the phone calls from PC advisors, I'm tired of the ridiculous "alerts" and suggestions like "you have too much cash!", and then the next week "you don't have enough emergency fund!". Really?

4) Viewing my investment portfolio, beyond the colorful graphs, does not provide much insight, really. It's really fundamental stuff, and the accounts aren't really "aggregated" in the performance views in a way that makes sense to me. This is of course my subjective opinion, but an objective observation is that the asset allocation was pretty off, and I spent hours fixing it with manual allocations. Wasted time on my part.

5) I have all of this in my own super fancy, super useful Excel workbooks. I just liked the pretty, colorful graphs. BTW it takes me all of 20 minutes per month to update my Excel workbooks with account balances and equity positions. With PC this got down to 10 minutes - which I was happy with, until...

6) My local bank, where my mortgage and one savings account are at, stopped updating 2 months ago. I traded 15 emails with PC "support". What a joke. Then another, large account from a big bank, stopped updating, except it said it was updating but the balance and transactions were stuck in Groundhog Day. These two problems reminded me that PC has zero SLA with me. They have no obligation to serve me, as I am not a customer.

One more time - when you use PC or Mint, you are NOT the customer. You are the product. You are the product.

And products do not get service. Customers do. The customers are advertisers, except for the advisory service in PC, which I assume is not doing very well, because if it was, they'd have the cash to reinvest in higher quality account linkages or to pressure Yodlee. Clearly that isn't happening because, for me at least, the quality and utility has gone downhill.

Bottom line, the utility PC served me fell below my hassle+risk threshold.

Excel has never let me down. :)

mptfan
Posts: 4792
Joined: Mon Mar 05, 2007 9:58 am

Re: Using PersonalCapital, Mint, etc.... - and fraud concerns

Post by mptfan » Fri Nov 30, 2018 11:49 pm

tractorguy wrote:
Tue Jun 05, 2018 9:45 am
I am not a lawyer, but based on a few interactions with attorneys on corporate liability cases, I think the attorneys representing a customer who was not reimbursed for fraud would have a field day in court when questioning the representative from the financial institution.
As you said, you are not a lawyer, so you may not be aware that such a case would never make it to court due to mandatory binding arbitration, a clause that is buried in the account agreement that nobody reads. This means your case will not see the light of day in a courthouse, it will be decided by a private person who is not a judge, and that private person is not required to follow rules of evidence or any legal rules, and you have no right to appeal the decision.

furwut
Posts: 1348
Joined: Tue Jun 05, 2012 8:54 pm

Re: Using PersonalCapital, Mint, etc.... - and fraud concerns

Post by furwut » Sat Dec 01, 2018 7:06 am

mptfan wrote:
Fri Nov 30, 2018 11:49 pm
tractorguy wrote:
Tue Jun 05, 2018 9:45 am
I am not a lawyer, but based on a few interactions with attorneys on corporate liability cases, I think the attorneys representing a customer who was not reimbursed for fraud would have a field day in court when questioning the representative from the financial institution.
As you said, you are not a lawyer, so you may not be aware that such a case would never make it to court due to mandatory binding arbitration, a clause that is buried in the account agreement that nobody reads. This means your case will not see the light of day in a courthouse, it will be decided by a private person who is not a judge, and that private person is not required to follow rules of evidence or any legal rules, and you have no right to appeal the decision.
Presumably there are federal and state bank regulations that protect the consumer and can not be waived away by an arbitration agreement. IIRC I once read an interview with one FDIC commissioner (?) and, when asked about the warnings banks have issued on aggregators, she dismissed them.

mptfan
Posts: 4792
Joined: Mon Mar 05, 2007 9:58 am

Re: Using PersonalCapital, Mint, etc.... - and fraud concerns

Post by mptfan » Sat Dec 01, 2018 7:10 am

furwut wrote:
Sat Dec 01, 2018 7:06 am
mptfan wrote:
Fri Nov 30, 2018 11:49 pm
tractorguy wrote:
Tue Jun 05, 2018 9:45 am
I am not a lawyer, but based on a few interactions with attorneys on corporate liability cases, I think the attorneys representing a customer who was not reimbursed for fraud would have a field day in court when questioning the representative from the financial institution.
As you said, you are not a lawyer, so you may not be aware that such a case would never make it to court due to mandatory binding arbitration, a clause that is buried in the account agreement that nobody reads. This means your case will not see the light of day in a courthouse, it will be decided by a private person who is not a judge, and that private person is not required to follow rules of evidence or any legal rules, and you have no right to appeal the decision.
Presumably there are federal and state bank regulations that protect the consumer and can not be waived away by an arbitration agreement.
I'm sorry to say that your presumption is not correct. It's not that the protections are "waived away," it's that the consumer has waived the right to go to court.

Trust me, I get that this is shocking, and I get that it doesn't seem to make sense and you probably don't believe it is true, but it is true. And I'm a practicing attorney.

furwut
Posts: 1348
Joined: Tue Jun 05, 2012 8:54 pm

Re: Using PersonalCapital, Mint, etc.... - and fraud concerns

Post by furwut » Sat Dec 01, 2018 7:34 am

mptfan wrote:
Sat Dec 01, 2018 7:10 am
furwut wrote:
Sat Dec 01, 2018 7:06 am
mptfan wrote:
Fri Nov 30, 2018 11:49 pm
tractorguy wrote:
Tue Jun 05, 2018 9:45 am
I am not a lawyer, but based on a few interactions with attorneys on corporate liability cases, I think the attorneys representing a customer who was not reimbursed for fraud would have a field day in court when questioning the representative from the financial institution.
As you said, you are not a lawyer, so you may not be aware that such a case would never make it to court due to mandatory binding arbitration, a clause that is buried in the account agreement that nobody reads. This means your case will not see the light of day in a courthouse, it will be decided by a private person who is not a judge, and that private person is not required to follow rules of evidence or any legal rules, and you have no right to appeal the decision.
Presumably there are federal and state bank regulations that protect the consumer and can not be waived away by an arbitration agreement.
I'm sorry to say that your presumption is not correct. It's not that the protections are "waived away," it's that the consumer has waived the right to go to court.

Trust me, I get that this is shocking, and I get that it doesn't seem to make sense and you probably don't believe it is true, but it is true. And I'm a practicing attorney.
Here’s what the originally linked article by the OP had to say on the liability:
What the Law Has to Say

Those risks aren’t completely clear, however. Federal banking regulations concerning unauthorized electronic funds transfers are very consumer-friendly. Consumer liability for losses is capped at $50 or $500, depending on how quickly a consumer reports fraud once it is discovered. Even negligence doesn’t increase the consumer’s liability, banking regulators have said. For example, even writing a PIN code on a debit card doesn’t increase the consumers’ liability if the card is stolen and used to make withdrawals.

“Negligence by the consumer cannot be used as the basis for imposing greater liability than is permissible,” the rules say. “Thus, consumer behavior that may constitute negligence under state law…does not affect the consumer’s liability for unauthorized transfers.”
The rules go on to say that banks cannot impose additional liability on consumers.

“The extent of the consumer’s liability is determined solely by the consumer’s promptness in reporting the loss or theft of an access device. Similarly, no agreement between the consumer and an institution may impose greater liability on the consumer for an unauthorized transfer than the limits provided in Regulation E.”
Chi Chi Wu, a banking regulation expert with the National Consumer Law Center, said consumers victimized by theft of credentials from a third-party site would enjoy the same protections as a consumer who divulged their passwords to a hacker.
“The same principles apply,” she said.

Of course writing a PIN code — or falling for a phishing email — is not a direct parallel to intentionally sharing login credentials with a third-party site. Until there is a high-profile test case, it’s hard to say what might happen. For any consumer hit by such a crime, there’s certain to be a big hassle, even if a bank ultimately refunds their money – out of a legal obligation, or free will.

SlowMovingInvestor
Posts: 916
Joined: Sun Sep 11, 2016 11:27 am

Re: Using PersonalCapital, Mint, etc.... - and fraud concerns

Post by SlowMovingInvestor » Sat Dec 01, 2018 7:37 am

Pete3 wrote:
Mon Jun 04, 2018 10:41 am
arf30 wrote:
Mon Jun 04, 2018 10:11 am
Pete3 wrote:
Mon Jun 04, 2018 9:31 am
arf30 wrote:
Sat Jun 02, 2018 6:43 pm
Mint/Yodlee doesn't store your user and password. They use it to authenticate once, then generate a token which is then stored and used to pull future transactions.
This has never been my experience - if that were true then you could change your password after they had performed their first sync and it would still work which is not the case.
That's because it invalidates the token.
Well I know for a fact that they store your username, I switched to PC a while ago but as I recall you could also view your account passwords in Yodlee (you were required to re-enter your Yodlee password to do this) but it's been at least a year since I stopped using so maybe that isn't the case anymore - but they were definitely storing the actual passwords in the past.

Technically I don't see how they could only store a generated token that would work unless the financial institution in question supported it via an API which not all would.
If a token (without an expiry) can be used to pull future transactions indefinitely, then it's nearly the equivalent of a username/password in any case if stolen (with the possible difference that maybe this can only be used to download transactions, not initiate them).

I do not use an online aggregator because I don't want to put all my eggs in one basket. There are various ways that these sites could be using to reduce risk of loss of username/passwords, but I'm not willing to take the risk. And I don't use TurboTax online either.

I do use Quicken Desktop, but that password vault is local.
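
The token questions raised in the exchange above (whether a password change invalidates a token, and what a stolen token without expiry is worth compared with a stolen password) can be made concrete. This is an added example, not part of the thread and not a description of how Mint, Yodlee or any bank actually works; the `Bank` class, the scope names, the lifetimes and the sample passwords are all hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time


class Bank:
    """Hypothetical institution issuing scoped, expiring access tokens."""

    def __init__(self):
        self._users = {}   # username -> salt, password hash, credential version
        self._grants = {}  # sha256(token) -> grant; the raw token is never stored

    @staticmethod
    def _hash_pw(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def set_password(self, username, password):
        # Every password change bumps the credential version, which
        # invalidates all tokens issued under the previous password.
        version = self._users.get(username, {"version": 0})["version"] + 1
        salt = secrets.token_bytes(16)
        self._users[username] = {"salt": salt, "version": version,
                                 "pw_hash": self._hash_pw(password, salt)}

    def issue_token(self, username, password, scope, ttl_seconds, now=None):
        now = time.time() if now is None else now
        user = self._users.get(username)
        if user is None or not hmac.compare_digest(
                user["pw_hash"], self._hash_pw(password, user["salt"])):
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(32)
        self._grants[hashlib.sha256(token.encode()).hexdigest()] = {
            "user": username, "scope": frozenset(scope),
            "expires": now + ttl_seconds, "version": user["version"]}
        return token

    def authorize(self, token, action, now=None):
        """Return (allowed, reason) for one requested action."""
        now = time.time() if now is None else now
        grant = self._grants.get(hashlib.sha256(token.encode()).hexdigest())
        if grant is None:
            return (False, "unknown token")
        if now >= grant["expires"]:
            return (False, "expired")
        if grant["version"] != self._users[grant["user"]]["version"]:
            return (False, "revoked by password change")
        if action not in grant["scope"]:
            return (False, "out of scope")
        return (True, "ok")


def demo():
    bank, t0 = Bank(), 1_000_000.0          # fixed clock, constructed values
    bank.set_password("alice", "constructed-sample-pw")
    # What an aggregator would hold: read-only, valid for one hour.
    tok = bank.issue_token("alice", "constructed-sample-pw",
                           {"read:transactions"}, 3600, now=t0)
    out = {"read": bank.authorize(tok, "read:transactions", now=t0 + 60),
           "transfer": bank.authorize(tok, "write:transfer", now=t0 + 60),
           "after_expiry": bank.authorize(tok, "read:transactions", now=t0 + 3601)}
    # Holding the password instead: any scope can be minted from it.
    full = bank.issue_token("alice", "constructed-sample-pw",
                            {"write:transfer"}, 3600, now=t0)
    out["password_holder_transfer"] = bank.authorize(full, "write:transfer", now=t0 + 60)
    bank.set_password("alice", "new-constructed-pw")
    out["after_pw_change"] = bank.authorize(tok, "read:transactions", now=t0 + 60)
    return out


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:26} {result}")
```

Passing a very large `ttl_seconds` reproduces the no-expiry case discussed above: the read-only token then stays usable until the password changes, but it still cannot authorize a transfer.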

mptfan
Posts: 4792
Joined: Mon Mar 05, 2007 9:58 am

Re: Using PersonalCapital, Mint, etc.... - and fraud concerns

Post by mptfan » Sat Dec 01, 2018 8:13 am

Furwut,

Yes there are laws that protect consumers on the books. But here is the rub...in most cases consumers cannot go to court to enforce those laws due to mandatory binding arbitration clauses that are buried in account agreements. I know you may not think that is the way it is, or that it should be that way, but it is.

https://www.citizen.org/article/mandato ... businesses

https://www.epi.org/publication/the-arb ... -epidemic/

https://www.washingtonpost.com/blogs/pl ... c3349a5677

furwut
Posts: 1348
Joined: Tue Jun 05, 2012 8:54 pm

Re: Using PersonalCapital, Mint, etc.... - and fraud concerns

Post by furwut » Sat Dec 01, 2018 11:41 am

mptfan wrote:
Sat Dec 01, 2018 8:13 am
Furwut,

Yes there are laws that protect consumers on the books. But here is the rub...in most cases consumers cannot go to court to enforce those laws due to mandatory binding arbitration clauses that are buried in account agreements. I know you may not think that is the way it is, or that it should be that way, but it is.

https://www.citizen.org/article/mandato ... businesses

https://www.epi.org/publication/the-arb ... -epidemic/

https://www.washingtonpost.com/blogs/pl ... c3349a5677
The general issue with arbitration clauses is well known. But I do not believe that a company could successfully enforce a provision of an arbitration agreement on an issue where Federal regulations specifically say they may not. In this case, the banking regulation expert quoted in the article points to existing rules that limit a consumer’s liability.

If it were the case that arbitration could trump existing law, then, any employer could legally pay less than Federal minimum wage simply by pointing to an employee contract backed by an arbitration agreement.

aristotelian
Posts: 4904
Joined: Wed Jan 11, 2017 8:05 pm

Re: Using PersonalCapital, Mint, etc.... - and fraud concerns

Post by aristotelian » Sat Dec 01, 2018 12:18 pm

I have used both without any security problem. However, I abandoned Mint due to bugs in double counting various accounts and such, and I ultimately decided that PC did not provide anything useful beyond eye candy to justify the risk.

TheHouse7
Posts: 394
Joined: Fri Jan 13, 2017 2:40 am

Re: Using PersonalCapital, Mint, etc.... - and fraud concerns

Post by TheHouse7 » Sat Dec 01, 2018 12:31 pm

student wrote:
Tue Oct 31, 2017 2:39 pm
I used Personal Capital but I do not use their aggregator. I enter the info myself. Also there is no need to enter the correct info. If you do not want them to know you have $500,000, just divide all values by 10.
Thank you so much for the suggestion! I'm going to try using PC for the first time this weekend because of you. :beer
"PSX will always go up 20%, why invest in anything else?!" -Father-in-law early retired.

mptfan
Posts: 4792
Joined: Mon Mar 05, 2007 9:58 am

Re: Using PersonalCapital, Mint, etc.... - and fraud concerns

Post by mptfan » Sat Dec 01, 2018 12:33 pm

furwut wrote:
Sat Dec 01, 2018 11:41 am
The general issue with arbitration clauses is well known. But I do not believe that a company could successfully enforce a provision of an arbitration agreement on an issue where Federal regulations specifically say they may not. In this case, the banking regulation expert quoted in the article points to existing rules that limit a consumer’s liability.
You are missing the point. There are no federal regulations that prevent a company from enforcing an arbitration agreement against a consumer. Quite to the contrary, there is a federal law called the Federal Arbitration Act (FAA) which specifically says that arbitration agreements are enforceable, and the Supreme Court has upheld that law in various consumer contexts.

Here is what you are missing... federal law explicitly permits companies to enforce arbitration agreements. It's not that consumers don't have certain consumer protections, they do, it's that consumers often have to attempt to enforce those protections through private arbitration as opposed to the courts. You are making the mistake of focusing on the substance of the consumer protection regulations and you are ignoring the very important issue of how and where those protections may be enforced... i.e. in private arbitration, or in the courts.

Unfortunately most people, even most otherwise well educated people, are simply being fooled by the pernicious nature of mandatory binding arbitration clauses in consumer disputes. Even when the issue is explicitly explained to people, they still don't get how their right to go to court has been pulled out from beneath them without even realizing it. It seems as if it is so hard to believe that people refuse to believe it even though it is happening.

Here is another article on the subject...

The U.S. Supreme Court made clear this week that, regardless of what the Constitution says about a consumer's right to sue, businesses are absolutely entitled to block people from banding together and taking a dispute to court.

It was the court's latest ruling in favor of arbitration, rather than class-action lawsuits, as a preferred method for resolving issues between companies and their customers — which is exactly how the business world wants it.
...
A 2007 report by Public Citizen found that over a four-year period, arbitrators ruled in favor of banks and credit card companies 94% of the time in disputes with California consumers. Arbitrators' fees typically are paid by the business involved in a disagreement.


https://www.latimes.com/business/la-fi- ... olumn.html
