Do not use Personal Capital

bjs2025
Posts: 17
Joined: Tue May 28, 2019 8:17 am

Re: Do not use Personal Capital

Post by bjs2025 »

I will say, as a 32 year old that is getting finances on track, using PC almost subconsciously assists me in my net worth going up. That might sound stupid but I am always focused on what is going in and out. I think it is a motivating tool and check it frequently. The minute that even the basic service is chargeable I'd be out but as of now I love it.
KyleAAA
Posts: 8584
Joined: Wed Jul 01, 2009 5:35 pm
Contact:

Re: Do not use Personal Capital

Post by KyleAAA »

Paranoia is a very good thing in the security world. There is no reason for their agents to have read access for your accounts, so the principle of least access would suggest they shouldn't. Their system certainly needs access to perform the service you signed up for, but their advisers do NOT.
Shorty
Posts: 54
Joined: Sat Feb 23, 2019 4:54 pm

Re: Do not use Personal Capital

Post by Shorty »

I’ve gotten to the point I do not access my accounts from my home computer at all. I use my work computer only as we have very high level IT security.... my chances of a malware issue are exceptionally higher at home.
This rationale makes me cringe! You’re transferring risk in the wrong direction - a douche IT person with admin creds on your box or the network could be bad news in any number of ways...or anyone with physical access and a USB keylogger. You should be able to keep a home computer free of malware. There are lots of mitigating steps to keep you safe - use multifactor auth with your accounts, set up alerts, go through a VPN, keep a separate device than your kids game on. If you’re paranoid, boot to a clean image (eg, LINUX live CD). I’d be wary of treating a computer owned & maintained by someone else, open to physical access as “more secure” for your personal sensitive information and access, with few exceptions.
Shorty
Posts: 54
Joined: Sat Feb 23, 2019 4:54 pm

Re: Do not use Personal Capital

Post by Shorty »

thx1138 wrote: Sat Jun 15, 2019 7:49 pm
lepa71 wrote: Sat Jun 15, 2019 3:00 pm I could go more into P2P and IPSec and VPN and so on and on but it would make your head spin. There is no such a thing as read-only credentials.
Sure there are. Trip-It has viewer only access for some trips. Vanguard itself has account links in which spouses can view but not trade in the other account. Pretty much every database software in existence can be configured for accounts that can only read but not modify the database. Most VNC and other desktop sharing have separate passwords for view only access.

The issue is very few financial institutions have made this trivial implementation that would enable safer use of aggregators. And really why should we expect them to? It won’t earn them any money and as trivial as it would be to do even trivial things require a fair bit of testing and maintenance while being yet another avenue for a data breach even if you couldn’t move money through such “read only” accounts/credentials.
+1
See options like this from Merrill. Much better. Doesn’t help with privacy on the PC side.

Modern Federated Identity Providers would be better yet. In time...
CycloRista
Posts: 176
Joined: Sun Feb 16, 2020 11:53 am

Re: Do not use Personal Capital

Post by CycloRista »

Shorty wrote: Sat Jul 18, 2020 8:52 pm
I’ve gotten to the point I do not access my accounts from my home computer at all. I use my work computer only as we have very high level IT security.... my chances of a malware issue are exceptionally higher at home.
This rationale makes me cringe! You’re transferring risk in the wrong direction - a douche IT person with admin creds on your box or the network could be bad news in any number of ways...or anyone with physical access and a USB keylogger. You should be able to keep a home computer free of malware. There are lots of mitigating steps to keep you safe - use multifactor auth with your accounts, set up alerts, go through a VPN, keep a separate device than your kids game on. If you’re paranoid, boot to a clean image (eg, LINUX live CD). I’d be wary of treating a computer owned & maintained by someone else, open to physical access as “more secure” for your personal sensitive information and access, with few exceptions.
Agreed - it shocks me how many employees access highly confidential personal information from work computers (and oftentimes store that data too!). As a 30+ year IT professional, I've always kept work and personal information, applications, online activities, etc. 100% separate.

Any decent size workplace is decrypting SSL and inspecting traffic (AKA seeing way more than you would want them to under any circumstances). It has become quite popular to use 3rd party providers of all sorts for this purpose including cloud access security brokers (CASB's), threat intelligence platforms, etc.

I've used Personal Capital for a few years and while the reps may have visibility into whatever one tracks on their site, they do not have "full access" in terms of being able to transfer funds, etc. I was hounded incessantly for a few months and then they finally stopped. I find it to be a useful tool for obtaining reasonably current snapshots of the big picture and looking at long term trends.
seawolf21
Posts: 731
Joined: Tue Aug 05, 2014 7:33 am

Re: Do not use Personal Capital

Post by seawolf21 »

I see a lot of responses on technical security but haven’t seen one mentioned on security of being able to monitor all accounts easily on a weekly/daily basis. The ability to easily detect signs of unauthorized transactions earlier is better than an individual who ends up checking their balances once a month which could have been weeks after the fraudulent transaction already took place.
pianos101
Posts: 101
Joined: Thu Oct 26, 2017 1:39 pm

Re: Do not use Personal Capital

Post by pianos101 »

seawolf21 wrote: Sun Jul 19, 2020 9:42 am I see a lot of responses on technical security but haven’t seen one mentioned on security of being able to monitor all accounts easily on a weekly/daily basis. The ability to easily detect signs of unauthorized transactions earlier is better than an individual who ends up checking their balances once a month which could have been weeks after the fraudulent transaction already took place.
This.

My understanding is that my account passwords are not stored on their servers or something like that? Meaning their employees can’t dig for them. Sure they can see my amounts but they can’t do nada about it.
bpkasl
Posts: 8
Joined: Fri Jul 31, 2020 6:55 am

Re: Do not use Personal Capital

Post by bpkasl »

I checked Personal Capital out today. Based on this ongoing discussion, what is a preferred online retirement calculator that can be trusted? We also have access to Financial Engines through Vanguard and the Fidelity Retirement Plan Calculator; maybe those two are enough?
Thanks
yog
Posts: 108
Joined: Wed Jan 15, 2020 12:57 pm

Re: Do not use Personal Capital

Post by yog »

I have no experience with Vanguard's, but I've used every one I could access. Today the on-line planners I use are MaxFi Planner (fee based), I-ORP Extended, Fidelity Retirement Planner, & Personal Capital, in that order.

MaxFi Planner for really detailed planning, plus optimization with multiple scenarios. I-ORP Extended is good for general Roth Conversion strategies and seeing the impact of different planning inputs quickly. Fidelity for quick checks based on our actual account values across multiple market condition outcomes. PC for eye-candy to visualize major events and asset drawdown by asset tax location (traditional, taxable, Roth). All of them have differing limitations, but they all do come out within an acceptable margin of error for us.

MaxFi Planner is the most detailed, but not everyone may benefit from it vs. the others. We did, primarily to verify our SS claiming strategy and validate the outcomes of different Roth conversion strategies given our Federal and State income tax scenarios.
bpkasl
Posts: 8
Joined: Fri Jul 31, 2020 6:55 am

Re: Do not use Personal Capital

Post by bpkasl »

thanks
MittensMoney
Posts: 236
Joined: Mon Dec 07, 2015 10:59 pm

Re: Do not use Personal Capital

Post by MittensMoney »

bpkasl wrote: Fri Jul 31, 2020 11:20 am I checked Personal Capital out today. Based on this ongoing discussion, what is a preferred online retirement calculator that can be trusted? We also have access to Financial Engines through Vanguard and the Fidelity Retirement Plan Calculator; maybe those two are enough?
Thanks
I think you're missing the point of this conversation -- if you can't trust Personal Capital to aggregate your accounts then you simply can't trust aggregating your accounts. Financial Engines, Vanguard, Fidelity, literally every one of these ask you to link your accounts so either none of them are trust-worthy, or all of them are. Vanguard's private client group uses the exact same back-end API service (Yodlee) that Personal Capital does.
RudyS
Posts: 1980
Joined: Tue Oct 27, 2015 10:11 am

Re: Do not use Personal Capital

Post by RudyS »

Just a sidelight, but how worried are you folks about giving TurboTax access to your brokerage or bank accounts in order to download 1099's? I suppose one could (and should) change passwords right after preparing the return.
yog
Posts: 108
Joined: Wed Jan 15, 2020 12:57 pm

Re: Do not use Personal Capital

Post by yog »

MittensMoney wrote: Fri Jul 31, 2020 1:08 pm
bpkasl wrote: Fri Jul 31, 2020 11:20 am I checked Personal Capital out today. Based on this ongoing discussion, what is a preferred online retirement calculator that can be trusted? We also have access to Financial Engines through Vanguard and the Fidelity Retirement Plan Calculator; maybe those two are enough?
Thanks
I think you're missing the point of this conversation -- if you can't trust Personal Capital to aggregate your accounts then you simply can't trust aggregating your accounts. Financial Engines, Vanguard, Fidelity, literally every one of these ask you to link your accounts so either none of them are trust-worthy, or all of them are. Vanguard's private client group uses the exact same back-end API service (Yodlee) that Personal Capital does.
The points you make are certainly valid - if you do not trust or understand aggregator services, avoid them completely.

Fidelity's retirement planner works with or without aggregated accounts, or any combination you desire. If you add accounts manually, you can add your holdings either by asset class or by ticker symbol if desired. The other two online planners I mentioned above (MaxFi & I-ORP) do not collect aggregated data, nor do they support planning around detailed investment positions. I-ORP uses general balances by tax location and the highest level of asset class, just stocks & bonds and you will need to project your blended returns by class. MaxFi lets you get a bit more granular by adding individual accounts, but you are still limited to setting projected returns by asset classes. They do support identity of MM accounts, stock accounts, bond accounts, etc., and flagging accounts for reserved spending status. That's certainly useful, but not necessarily required for everyone.

If you use Fidelity's Full View to aggregate accounts, it's using the eMoney Advisor platform, which Fidelity now owns. The full version of eMoney Advisor is used heavily within the professional registered investment advisor community, not just at Fidelity, so their security for data and tokenized encrypted API's is held to a different standard than screen scraping. RIAs are interfacing customer account data into other backend office systems such as customer relationship management, billing, etc. The version of eMoney available to Fidelity's retail clients is the same platform, but stripped down quite a bit and branded as Full View.
H-Town
Posts: 2868
Joined: Sun Feb 26, 2017 2:08 pm

Re: Do not use Personal Capital

Post by H-Town »

seawolf21 wrote: Sun Jul 19, 2020 9:42 am I see a lot of responses on technical security but haven’t seen one mentioned on security of being able to monitor all accounts easily on a weekly/daily basis. The ability to easily detect signs of unauthorized transactions earlier is better than an individual who ends up checking their balances once a month which could have been weeks after the fraudulent transaction already took place.
^ this is one of the reasons I monitor all accounts on a regular basis.

But you should not rely on monitoring all accounts manually. You should set up alerts to your email/phone whenever a transaction is initiated. Then, be sure the alert will pop out to your phone in real time.
SlowMovingInvestor
Posts: 1824
Joined: Sun Sep 11, 2016 11:27 am

Re: Do not use Personal Capital

Post by SlowMovingInvestor »

RudyS wrote: Fri Jul 31, 2020 1:52 pm Just a sidelight, but how worried are you folks about giving TurboTax access to your brokerage or bank accounts in order to download 1099's? I suppose one could (and should) change passwords right after preparing the return.
A number of brokerages these days provide document ID numbers that can be used to do downloads. So it's possible to bypass the use of username/passwords.

I use TT desktop. I would not give TT online access to a brokerage site, even if only for download. I don't give access to bank accounts -- 1099 INTs are trivial to type in.
student
Posts: 5159
Joined: Fri Apr 03, 2015 6:58 am

Re: Do not use Personal Capital

Post by student »

bpkasl wrote: Fri Jul 31, 2020 11:20 am I checked Personal Capital out today. Based on this ongoing discussion, what is a preferred online retirement calculator that can be trusted? We also have access to Financial Engines through Vanguard and the Fidelity Retirement Plan Calculator; maybe those two are enough?
Thanks
My experience is that Fidelity Retirement Plan and Personal Capital give very similar results.
DesertMan
Posts: 295
Joined: Tue Dec 07, 2010 12:54 pm

Re: Do not use Personal Capital

Post by DesertMan »

Since they were acquired, Personal Capital has been stalking me constantly with cold calls from "advisors", who want to sell me on their portfolio management. Now knowing that these guys have access to my account without my permission has left a bad taste in my mouth.

Does anyone have a recommendation for an aggregator service that is on par with PC (and isn't Mint or Fidelity Full View)? Thanks.
MBB_Boy
Posts: 195
Joined: Sat May 12, 2018 4:09 pm

Re: Do not use Personal Capital

Post by MBB_Boy »

DesertMan wrote: Sat Aug 01, 2020 8:17 am Since they were acquired, Personal Capital has been stalking me constantly with cold calls from "advisors", who want to sell me on their portfolio management. Now knowing that these guys have access to my account without my permission has left a bad taste in my mouth.

Does anyone have a recommendation for an aggregator service that is on par with PC (and isn't Mint or Fidelity Full View)? Thanks.
Really? I haven't had a single call or email from the advisors post acquisition. I've been using them for 4 years now and never had a problem with the advisors. Once, maybe twice a year
birdog
Posts: 758
Joined: Fri Apr 07, 2017 1:35 pm

Re: Do not use Personal Capital

Post by birdog »

DesertMan wrote: Sat Aug 01, 2020 8:17 am Since they were acquired, Personal Capital has been stalking me constantly with cold calls from "advisors", who want to sell me on their portfolio management. Now knowing that these guys have access to my account without my permission has left a bad taste in my mouth.

Does anyone have a recommendation for an aggregator service that is on par with PC (and isn't Mint or Fidelity Full View)? Thanks.
You could go to settings at PC and change the phone number on your profile to a number other than yours. That's what I did. No more phone calls.
FIby45
Posts: 79
Joined: Wed Oct 30, 2019 4:41 pm

Re: Do not use Personal Capital

Post by FIby45 »

Technology entrepreneur here.

No- you likely need not worry w caveats:
1. You should have 2fa set up anyways on all financial accounts. If someone had username and pw does not matter w/o 2fa
2. You should use strong passwords

99% chance PC does not store passwords in a non-hashed manner (i.e., they store it in a way that even the designer of the system could not see it in the database). That's security 101.

On the very slim chance it's not done this way - then your 2fa should ensure no breach.

Never use passwords twice
000
Posts: 2765
Joined: Thu Jul 23, 2020 12:04 am

Re: Do not use Personal Capital

Post by 000 »

FIby45 wrote: Sun Aug 02, 2020 4:01 pm Technology entrepreneur here.

No- you likely need not worry w caveats:
1. You should have 2fa set up anyways on all financial accounts. If someone had username and pw does not matter w/o 2fa
2. You should use strong passwords

99% chance PC does not store passwords in a non-hashed manner (i.e., they store it in a way that even the designer of the system could not see it in the database). That's security 101.

On the very slim chance it's not done this way - then your 2fa should ensure no breach.

Never use passwords twice
Nah. No need for the additional exposure, no matter how small.
000
Posts: 2765
Joined: Thu Jul 23, 2020 12:04 am

Re: Do not use Personal Capital

Post by 000 »

DesertMan wrote: Sat Aug 01, 2020 8:17 am Since they were acquired, Personal Capital has been stalking me constantly with cold calls from "advisors", who want to sell me on their portfolio management. Now knowing that these guys have access to my account without my permission has left a bad taste in my mouth.

Does anyone have a recommendation for an aggregator service that is on par with PC (and isn't Mint or Fidelity Full View)? Thanks.
I suggest a spreadsheet program on your local computer. You're welcome!
CyclingDuo
Posts: 3675
Joined: Fri Jan 06, 2017 9:07 am

Re: Do not use Personal Capital

Post by CyclingDuo »

I don't think it has been mentioned in this specific Personal Capital thread, but the company was recently acquired by Empower Retirement in June. Empower is one of the largest 401k retirement plan providers, so it will be interesting to see how they leverage the PC dashboard and services for their 401k customers. I happen to have a 401k at Empower, so will know firsthand if and when there is some sort of - or if any - crossover.

CyclingDuo
"Save like a pessimist, invest like an optimist." - Morgan Housel
sschoe2
Posts: 525
Joined: Fri Feb 24, 2017 4:42 pm

Re: Do not use Personal Capital

Post by sschoe2 »

I've been using PC for about 2-3 years. I too was annoyed by sales calls in the beginning but haven't received any in years. I find the tool very useful. I am under no delusion that they are collecting data. Everyone is collecting data, Google, Facebook, Twitter, the credit reporting agencies, the grocery store with "loyalty" cards. I think PC is reasonably secure at least as much as anything else especially with 2FA and read only access. Considering even Garmin got taken for a ransomware attack last week I am not sure anything is totally secure anymore.
KyleAAA
Posts: 8584
Joined: Wed Jul 01, 2009 5:35 pm
Contact:

Re: Do not use Personal Capital

Post by KyleAAA »

sschoe2 wrote: Mon Aug 03, 2020 9:19 am I've been using PC for about 2-3 years. I too was annoyed by sales calls in the beginning but haven't received any in years. I find the tool very useful. I am under no delusion that they are collecting data. Everyone is collecting data, Google, Facebook, Twitter, the credit reporting agencies, the grocery store with "loyalty" cards. I think PC is reasonably secure at least as much as anything else especially with 2FA and read only access. Considering even Garmin got taken for a ransomware attack last week I am not sure anything is totally secure anymore.
I solved this problem by simply not answering numbers I'm not familiar with. Do people still answer calls from unknown numbers in 2020? I'm not so sure PC only has read-only access. For Vanguard, for example, they have your login credentials. Why couldn't they use those creds to make transactions? What's stopping them other than the fact that they promise not to?
rascott
Posts: 2347
Joined: Wed Apr 15, 2015 10:53 am

Re: Do not use Personal Capital

Post by rascott »

KyleAAA wrote: Mon Aug 03, 2020 12:59 pm
sschoe2 wrote: Mon Aug 03, 2020 9:19 am I've been using PC for about 2-3 years. I too was annoyed by sales calls in the beginning but haven't received any in years. I find the tool very useful. I am under no delusion that they are collecting data. Everyone is collecting data, Google, Facebook, Twitter, the credit reporting agencies, the grocery store with "loyalty" cards. I think PC is reasonably secure at least as much as anything else especially with 2FA and read only access. Considering even Garmin got taken for a ransomware attack last week I am not sure anything is totally secure anymore.
I solved this problem by simply not answering numbers I'm not familiar with. Do people still answer calls from unknown numbers in 2020? I'm not so sure PC only has read-only access. For Vanguard, for example, they have your login credentials. Why couldn't they use those creds to make transactions? What's stopping them other than the fact that they promise not to?

You're kidding right?

Why on earth would they even attempt to do such a thing? Defies common sense.

And no, they don't actually have your login info.... so couldn't if they wanted to, this has been discussed many times.

The probability is greater that Vanguard would sell all your securities and pocket your money. Literally.
bloom2708
Posts: 8171
Joined: Wed Apr 02, 2014 2:08 pm
Location: Fargo, ND

Re: Do not use Personal Capital

Post by bloom2708 »

rascott wrote: Mon Aug 03, 2020 2:41 pm You're kidding right?

Why on earth would they even attempt to do such a thing? Defies common sense.

And no, they don't actually have your login info.... so couldn't if they wanted to, this has been discussed many times.

The probability is greater that Vanguard would sell all your securities and pocket your money. Literally.
Of course Vanguard has your login credentials. How would you log in if they didn't check them against what you enter?

It is likely encrypted and stored where not just any employee can get it, but they have it. It is on their servers.

I could give you my username/password to Personal Capital. Unless you can steal my cell phone, you can't get in to my account.
"We are here to provoke thoughtfulness, not agree with you." Unknown Boglehead
rascott
Posts: 2347
Joined: Wed Apr 15, 2015 10:53 am

Re: Do not use Personal Capital

Post by rascott »

bloom2708 wrote: Mon Aug 03, 2020 2:46 pm
rascott wrote: Mon Aug 03, 2020 2:41 pm You're kidding right?

Why on earth would they even attempt to do such a thing? Defies common sense.

And no, they don't actually have your login info.... so couldn't if they wanted to, this has been discussed many times.

The probability is greater that Vanguard would sell all your securities and pocket your money. Literally.
Of course Vanguard has your login credentials. How would you log in if they didn't check them against what you enter?

It is likely encrypted and stored where not just any employee can get it, but they have it. It is on their servers.

I could give you my username/password to Personal Capital. Unless you can steal my cell phone, you can't get in to my account.
No it actually is not stored anywhere on their servers whatsoever. It's encrypted at Yodlee.... something that's likely already happening in your life... considering how many financial firms use Yodlee:

"When you enter your bank credentials into Personal Capital, they encrypt it with AES-256 with multi-layer key management, which includes rotating user-specific keys and salts. AES-256 is the Advanced Encryption Standard (AES) and is the gold standard as determined by NIST, the United States National Institute of Standards and Technology. 256 refers to the length of the key used and 256 bits is the longest. It is also the same encryption used by the US Government.
They never store your financial login credentials. That data is encrypted and stored at Envestnet Yodlee, a platform that powers a laundry list of financial services and wealth management tools and companies. Yodlee is periodically audited by the Office of the Comptroller of the Currency and their security processes are available here.

As for internal access controls, no one at Personal Capital has access to your credentials. Zero."

https://wallethacks.com/personal-capital-security-safe/

But forget the login stuff. Kyle implied that PC could possibly go in and make transactions in your account. Which makes no sense. Why would they do such a thing even if they could? (They can't). You can't actually get money out.

PC is owned by Empower.... one of the biggest 401k bookkeepers in the country. Using them for aggregation is no more (probably less) risky than logging into one's Vanguard account from their home PC.
CycloRista
Posts: 176
Joined: Sun Feb 16, 2020 11:53 am

Re: Do not use Personal Capital

Post by CycloRista »

MittensMoney wrote: Fri Jul 31, 2020 1:08 pm
bpkasl wrote: Fri Jul 31, 2020 11:20 am I checked Personal Capital out today. Based on this ongoing discussion, what is a preferred online retirement calculator that can be trusted? We also have access to Financial Engines through Vanguard and the Fidelity Retirement Plan Calculator; maybe those two are enough?
Thanks
I think you're missing the point of this conversation -- if you can't trust Personal Capital to aggregate your accounts then you simply can't trust aggregating your accounts. Financial Engines, Vanguard, Fidelity, literally every one of these ask you to link your accounts so either none of them are trust-worthy, or all of them are. Vanguard's private client group uses the exact same back-end API service (Yodlee) that Personal Capital does.
+1 Also consider that other financial institutions you deal with aggregate data so I'm not losing sleep over that aspect with Personal Capital (or elsewhere). You can request to audit account accesses on a periodic basis to determine who has attempted accessing your data I imagine.

You can also enable multi-factor authentication on many platforms and get prompted for a challenge response sent to your mobile device each time you login if you prefer. Here is how to go about that on PC:

https://support.personalcapital.com/hc/ ... ation-MFA-

I've been aggregating data on their site since 2017 and other than getting cold called and spammed for ~6 months, no other signs of shifty behavior (and I am not at all concerned about them somehow trading on my behalf or nefariously).
bloom2708
Posts: 8171
Joined: Wed Apr 02, 2014 2:08 pm
Location: Fargo, ND

Re: Do not use Personal Capital

Post by bloom2708 »

rascott wrote: Mon Aug 03, 2020 2:53 pm
No it actually is not stored anywhere on their servers whatsoever. It's encrypted at Yodlee.... something that's likely already happening in your life... considering how many financial firms use Yodlee:
You are saying Vanguard uses Yodlee? I know consolidators do, but you think Vanguard uses Yodlee?
"We are here to provoke thoughtfulness, not agree with you." Unknown Boglehead
yog
Posts: 108
Joined: Wed Jan 15, 2020 12:57 pm

Re: Do not use Personal Capital

Post by yog »

bloom2708 wrote: Mon Aug 03, 2020 3:10 pm
rascott wrote: Mon Aug 03, 2020 2:53 pm
No it actually is not stored anywhere on their servers whatsoever. It's encrypted at Yodlee.... something that's likely already happening in your life... considering how many financial firms use Yodlee:
You are saying Vanguard uses Yodlee? I know consolidators do, but you think Vanguard uses Yodlee?
Check the FAQs
rascott
Posts: 2347
Joined: Wed Apr 15, 2015 10:53 am

Re: Do not use Personal Capital

Post by rascott »

bloom2708 wrote: Mon Aug 03, 2020 3:10 pm
rascott wrote: Mon Aug 03, 2020 2:53 pm
No it actually is not stored anywhere on their servers whatsoever. It's encrypted at Yodlee.... something that's likely already happening in your life... considering how many financial firms use Yodlee:
You are saying Vanguard uses Yodlee? I know consolidators do, but you think Vanguard uses Yodlee?
No idea about Vanguard (guessing they do)... but many of the largest banks in the country use them to offer services to clients.
bloom2708
Posts: 8171
Joined: Wed Apr 02, 2014 2:08 pm
Location: Fargo, ND

Re: Do not use Personal Capital

Post by bloom2708 »

Well. I trust/use Vanguard. I trust/use Personal Capital. Everyone does their own thing.
"We are here to provoke thoughtfulness, not agree with you." Unknown Boglehead
KyleAAA
Posts: 8584
Joined: Wed Jul 01, 2009 5:35 pm
Contact:

Re: Do not use Personal Capital

Post by KyleAAA »

rascott wrote: Mon Aug 03, 2020 2:53 pm
bloom2708 wrote: Mon Aug 03, 2020 2:46 pm
rascott wrote: Mon Aug 03, 2020 2:41 pm You're kidding right?

Why on earth would they even attempt to do such a thing? Defies common sense.

And no, they don't actually have your login info.... so couldn't if they wanted to, this has been discussed many times.

The probability is greater that Vanguard would sell all your securities and pocket your money. Literally.
Of course Vanguard has your login credentials. How would you log in if they didn't check them against what you enter?

It is likely encrypted and stored where not just any employee can get it, but they have it. It is on their servers.

I could give you my username/password to Personal Capital. Unless you can steal my cell phone, you can't get in to my account.
No it actually is not stored anywhere on their servers whatsoever. It's encrypted at Yodlee.... something that's likely already happening in your life... considering how many financial firms use Yodlee:

"When you enter your bank credentials into Personal Capital, they encrypt it with AES-256 with multi-layer key management, which includes rotating user-specific keys and salts. AES-256 is the Advanced Encryption Standard (AES) and is the gold standard as determined by NIST, the United States National Institute of Standards and Technology. 256 refers to the length of the key used and 256 bits is the longest. It is also the same encryption used by the US Government.
They never store your financial login credentials. That data is encrypted and stored at Envestnet Yodlee, a platform that powers a laundry list of financial services and wealth management tools and companies. Yodlee is periodically audited by the Office of the Comptroller of the Currency and their security processes are available here.

As for internal access controls, no one at Personal Capital has access to your credentials. Zero."

https://wallethacks.com/personal-capital-security-safe/

But forget the login stuff. Kyle implied that PC could possibly go in and make transactions in your account. Which makes no sense. Why would they do such a thing even if they could? (They can't). You can't actually get money out.

PC is owned by Empower.... one of the biggest 401k bookkeepers in the country. Using them for aggregation is no more (probably less) risky than logging into one's Vanguard account from their home PC.
I'm sure PC itself wouldn't do such a thing. Maybe somebody that works there might. It isn't necessary to guess why somebody might want to do such a thing to understand what might be possible, especially since criminals tend to be a creative lot. It isn't nearly as fool-proof as you are implying. I work in the industry and have seen first-hand how quickly the best-laid plans can go awry. It isn't reasonable to say nobody at Personal Capital has access to your credentials. You can say that nobody is SUPPOSED to have access. But sensitive pieces of data are logged errantly all the time, even in HIGHLY REGULATED environments. Safeguards fail for a variety of reasons. Nothing is absolute. Security isn't a policy or even a process, it's a culture. And no culture is perfect. You're making a lot of claims you can't substantiate. I would be willing to bet there have been multiple mistakes made at both PC and Yodlee throughout their history that just weren't exploited, so you haven't heard about them. Every single organization on the planet makes those mistakes occasionally. Even hyper-transparent companies don't report all or even most such instances.

The spiel about 256-bit encryption is a bit of a red herring. Sure, they are encrypted at rest but since they need the plain text credentials to actually authenticate to various platforms, a simple key management issue would expose them all. It isn't like most places where passwords are stored as a one-way hash that can't be decrypted.

Nevermind the fact that by "they" I wasn't necessarily JUST referring to PC, but every entity in the dependency chain.
sschoe2
Posts: 525
Joined: Fri Feb 24, 2017 4:42 pm

Re: Do not use Personal Capital

Post by sschoe2 »

KyleAAA wrote: Mon Aug 03, 2020 12:59 pm
sschoe2 wrote: Mon Aug 03, 2020 9:19 am I've been using PC for about 2-3 years. I too was annoyed by sales calls in the beginning but haven't received any in years. I find the tool very useful. I am under no delusion that they are collecting data. Everyone is collecting data, Google, Facebook, Twitter, the credit reporting agencies, the grocery store with "loyalty" cards. I think PC is reasonably secure at least as much as anything else especially with 2FA and read only access. Considering even Garmin got taken for a ransomware attack last week I am not sure anything is totally secure anymore.
I solved this problem by simply not answering numbers I'm not familiar with. Do people still answer calls from unknown numbers in 2020? I'm not so sure PC only has read-only access. For Vanguard, for example, they have your login credentials. Why couldn't they use those creds to make transactions? What's stopping them other than the fact that they promise not to?
If you don't answer, PC will keep calling. If you tell them to bugger off a few times they will stop.
KyleAAA
Posts: 8584
Joined: Wed Jul 01, 2009 5:35 pm

Re: Do not use Personal Capital

Post by KyleAAA »

sschoe2 wrote: Tue Aug 04, 2020 9:58 am
KyleAAA wrote: Mon Aug 03, 2020 12:59 pm
sschoe2 wrote: Mon Aug 03, 2020 9:19 am I've been using PC for about 2-3 years. I too was annoyed by sales calls in the beginning but haven't received any in years. I find the tool very useful. I am under no delusion that they are collecting data. Everyone is collecting data, Google, Facebook, Twitter, the credit reporting agencies, the grocery store with "loyalty" cards. I think PC is reasonably secure at least as much as anything else especially with 2FA and read only access. Considering even Garmin got taken for a ransomware attack last week I am not sure anything is totally secure anymore.
I solved this problem by simply not answering numbers I'm not familiar with. Do people still answer calls from unknown numbers in 2020? I'm not so sure PC only has read-only access. For Vanguard, for example, they have your login credentials. Why couldn't they use those creds to make transactions? What's stopping them other than the fact that they promise not to?
If you don't answer, PC will keep calling. If you tell them to bugger off a few times they will stop.
I don't answer the next time they call, either. It isn't even a slight annoyance.
Mr.BB
Posts: 1390
Joined: Sun May 08, 2016 10:10 am

Re: Do not use Personal Capital

Post by Mr.BB »

I used PC for a couple of years and just recently deleted my account. I realized that it was pretty much just a duplicate of what Morningstar X-ray gave me, just a little more graphically enhanced, just looking at the same info.
"We are what we repeatedly do. Excellence, then, is not an act, but a habit."
DesertMan
Posts: 295
Joined: Tue Dec 07, 2010 12:54 pm

Re: Do not use Personal Capital

Post by DesertMan »

000 wrote: Mon Aug 03, 2020 12:52 am
DesertMan wrote: Sat Aug 01, 2020 8:17 am Since they were acquired, Personal Capital has been stalking me constantly with cold calls from "advisors", who want to sell me on their portfolio management. Now knowing that these guys have access to my account without my permission has left a bad taste in my mouth.

Does anyone have a recommendation for an aggregator service that is on par with PC (and isn't Mint or Fidelity Full View?) Thanks.
I suggest a spreadsheet program on your local computer. You're welcome!
I'm an Excel power user but I don't have time for manual data entry. Any other suggestions?
000
Posts: 2765
Joined: Thu Jul 23, 2020 12:04 am

Re: Do not use Personal Capital

Post by 000 »

DesertMan wrote: Thu Aug 06, 2020 7:41 pm
000 wrote: Mon Aug 03, 2020 12:52 am
DesertMan wrote: Sat Aug 01, 2020 8:17 am Since they were acquired, Personal Capital has been stalking me constantly with cold calls from "advisors", who want to sell me on their portfolio management. Now knowing that these guys have access to my account without my permission has left a bad taste in my mouth.

Does anyone have a recommendation for an aggregator service that is on par with PC (and isn't Mint or Fidelity Full View?) Thanks.
I suggest a spreadsheet program on your local computer. You're welcome!
I'm an Excel power user but I don't have time for manual data entry. Any other suggestions?
For me (mostly passive portfolio), the only data entry is inputting market prices for a few funds, which I just do whenever I need to know.

But I believe Excel can be programmed to look up stock prices. I don't use Excel specifically, but maybe someone else on here does.

Sadly, I am not aware of any program you can run exclusively on your local machine to download and present the data from your financial accounts like PC and other online tools do.
yog
Posts: 108
Joined: Wed Jan 15, 2020 12:57 pm

Re: Do not use Personal Capital

Post by yog »

000 wrote: Thu Aug 06, 2020 7:45 pm
DesertMan wrote: Thu Aug 06, 2020 7:41 pm
000 wrote: Mon Aug 03, 2020 12:52 am
DesertMan wrote: Sat Aug 01, 2020 8:17 am Since they were acquired, Personal Capital has been stalking me constantly with cold calls from "advisors", who want to sell me on their portfolio management. Now knowing that these guys have access to my account without my permission has left a bad taste in my mouth.

Does anyone have a recommendation for an aggregator service that is on par with PC (and isn't Mint or Fidelity Full View?) Thanks.
I suggest a spreadsheet program on your local computer. You're welcome!
I'm an Excel power user but I don't have time for manual data entry. Any other suggestions?
For me (mostly passive portfolio), the only data entry is inputting market prices for a few funds, which I just do whenever I need to know.

But I believe Excel can be programmed to look up stock prices. I don't use Excel specifically, but maybe someone else on here does.

Sadly, I am not aware of any program you can run exclusively on your local machine to download and present the data from your financial accounts like PC and other online tools do.
I don't use these, but believe they might fit the use case:

Microsoft's Money in Excel - need Office365 subscription - uses Plaid (Visa) as the connector for aggregation
Intuit Quicken - subscription, but has local install - uses their own APIs I believe
jajlrajrf
Posts: 141
Joined: Sun Feb 09, 2020 6:15 pm

Re: Do not use Personal Capital

Post by jajlrajrf »

000 wrote: Thu Aug 06, 2020 7:45 pm Sadly, I am not aware of any program you can run exclusively on your local machine to download and present the data from your financial accounts like PC and other online tools do.
Investment Account Manager 3 comes close. But Personal Capital is still better.
SlowMovingInvestor
Posts: 1824
Joined: Sun Sep 11, 2016 11:27 am

Re: Do not use Personal Capital

Post by SlowMovingInvestor »

FIby45 wrote: Sun Aug 02, 2020 4:01 pm 99% chance PC does not store passwords in a non-hashed manner (i.e. they store it in a way that even the designer of the system could not see it in the database.) That's security 101.
But they would need to decrypt it before presenting to the financial companies site (assuming no long lived tokens). So they must have a decryption key, (possibly account specific, possibly a master). Their servers must have some mechanism for decrypting it, so the designer of the system might not be able to see it in the database, but might be able to get access if he/she can get the decryption key. Very unlikely since the decryption key is likely well protected, but still possible.
KyleAAA
Posts: 8584
Joined: Wed Jul 01, 2009 5:35 pm

Re: Do not use Personal Capital

Post by KyleAAA »

FIby45 wrote: Sun Aug 02, 2020 4:01 pm
99% chance PC does not store passwords in a non-hashed manner (i.e. they store it in a way that even the designer of the system could not see it in the database.) That's security 101.
No. A hash doesn't mean the designer of the system could not obtain a plain-text password. By definition, you'd have to use a 2-way hash and that secret sits somewhere. It's an extra step, but for an internal engineer that wouldn't be an impediment that couldn't be overcome. Whether they could obtain it without leaving an audit trail, that's a separate question. Probably, though.
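The hash-versus-reversible-storage point made in the last few posts (KyleAAA's "256-bit encryption is a bit of a red herring", SlowMovingInvestor's decryption-key remark and this reply), as an added example that is not code from the thread or from Personal Capital or Yodlee: a site that only verifies a login can keep a one-way hash it can never reverse, while an aggregator that must replay the password to a bank needs a reversible record, so whoever holds the vault key can read every stored credential. The HMAC-based keystream cipher stands in for AES-GCM because the Python standard library has no AES; the sample password and all names are constructed for the demo.

```python
import hashlib
import hmac
import os

# One-way storage: enough for a site that only needs to *verify* a login.
def hash_password(password: str, salt: bytes = None) -> dict:
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return {"salt": salt, "digest": digest}

def verify_password(password: str, record: dict) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], 200_000)
    return hmac.compare_digest(candidate, record["digest"])

# Reversible storage: what an aggregator that must *replay* the password needs.
# Toy keystream cipher (HMAC-SHA256 in counter mode, encrypt-then-MAC) stands in
# for AES-GCM, which the stdlib lacks; the key-management lesson is the same.
def _subkeys(vault_key: bytes) -> tuple:
    enc = hmac.new(vault_key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(vault_key, b"mac", hashlib.sha256).digest()
    return enc, mac

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt_credential(password: str, vault_key: bytes) -> dict:
    enc_key, mac_key = _subkeys(vault_key)
    nonce = os.urandom(16)
    pt = password.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc_key, nonce, len(pt))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ciphertext": ct, "tag": tag}

def decrypt_credential(record: dict, vault_key: bytes) -> str:
    """Anyone holding vault_key gets the plaintext back; a wrong key is rejected."""
    enc_key, mac_key = _subkeys(vault_key)
    expected = hmac.new(mac_key, record["nonce"] + record["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, record["tag"]):
        raise ValueError("wrong key or tampered record")
    ks = _keystream(enc_key, record["nonce"], len(record["ciphertext"]))
    return bytes(a ^ b for a, b in zip(record["ciphertext"], ks)).decode()

def demo() -> dict:
    password = "correct horse battery staple"   # constructed sample credential
    vault_key = os.urandom(32)                  # whoever holds this reads every record
    hashed, stored = hash_password(password), encrypt_credential(password, vault_key)
    return {"hash_verifies": verify_password(password, hashed),
            "hash_rejects_wrong": verify_password("wrong", hashed),
            "vault_recovers_plaintext": decrypt_credential(stored, vault_key) == password}
```

The hashed record is useless for logging in to the bank on the user's behalf, which is exactly why an aggregator cannot use it; the encrypted record is only as secret as the key that decrypts it.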
CalculatedRisk
Posts: 196
Joined: Tue Sep 11, 2018 8:04 pm

Re: Do not use Personal Capital

Post by CalculatedRisk »

The real solution here would be for financial institutions, such as Vanguard, Fidelity, etc, to provide the option of read-only accounts. That way, I have a login/pass that I use to make changes to my account (purchase/sell/transfer) and I have another login/password that is read-only that I can share with PC and whoever else.

The read-only account has access to see what the accounts hold, but not to make any changes—no purchases, sales, or transfers.

That would solve most people’s concerns. I doubt they’ll allow for creation of read-only accounts because it disincentivizes users from regularly using their platform.

Edit: I’m a big fan of PC, but I manually enter in my financials so that I don’t have to give them my passwords.
KyleAAA
Posts: 8584
Joined: Wed Jul 01, 2009 5:35 pm

Re: Do not use Personal Capital

Post by KyleAAA »

CalculatedRisk wrote: Fri Aug 07, 2020 5:51 pm The real solution here would be for financial institutions, such as Vanguard, Fidelity, etc, to provide the option of read-only accounts. That way, I have a login/pass that I use to make changes to my account (purchase/sell/transfer) and I have another login/password that is read-only that I can share with PC and whoever else.

The read-only account has access to see what the accounts hold, but not to make any changes—no purchases, sales, or transfers.

That would solve most people’s concerns. I doubt they’ll allow for creation of read-only accounts because it disincentivizes users from regularly using their platform.

Edit: I’m a big fan of PC, but I manually enter in my financials so that I don’t have to give them my passwords.
That's a horrible solution. The real solution is for financial institutions to join the 21st century and provide a modern API infrastructure. No read-only account necessary, just scope the access token to read-only.

The industry solved this problem in 2007
https://en.m.wikipedia.org/wiki/OAuth
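The scoped-token idea in the post above, as an added example that is not from the thread and not any institution's real API: the institution's authorization server issues a signed bearer token whose scope claim is accounts:read, and its resource server lets that token read balances but refuses a transfer, so the aggregator never holds a password and cannot move money even if its copy of the token leaks. The signing key, endpoint paths and scope names are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

# Hypothetical signing key held only by the institution's authorization server.
ISSUER_KEY = b"constructed-demo-key-do-not-reuse"

# Hypothetical resource-server policy: which scope each endpoint requires.
ENDPOINT_SCOPES = {
    ("GET", "/accounts"): "accounts:read",
    ("GET", "/transactions"): "accounts:read",
    ("POST", "/transfers"): "payments:write",
}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(client_id: str, scopes: list, ttl: int = 3600, now=None) -> str:
    """Issue a signed bearer token carrying only the scopes the user granted."""
    now = time.time() if now is None else now
    body = _b64(json.dumps({"client": client_id, "scope": " ".join(scopes),
                            "exp": now + ttl}, sort_keys=True).encode())
    sig = _b64(hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"

def authorize(token: str, method: str, path: str, now=None) -> bool:
    """Resource-server check: valid signature, unexpired, scope covers endpoint."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return False
    expected = hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_unb64(sig), expected):
        return False                      # claims altered or token not ours
    claims = json.loads(_unb64(body))
    now = time.time() if now is None else now
    if claims["exp"] <= now:
        return False
    required = ENDPOINT_SCOPES.get((method, path))
    return required is not None and required in claims["scope"].split()

def rescope_without_resigning(token: str, new_scope: str) -> str:
    """Test helper: widen the scope claim but keep the old signature, to show it fails."""
    body, sig = token.split(".")
    claims = json.loads(_unb64(body))
    claims["scope"] = new_scope
    return f"{_b64(json.dumps(claims, sort_keys=True).encode())}.{sig}"
```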
CalculatedRisk
Posts: 196
Joined: Tue Sep 11, 2018 8:04 pm

Re: Do not use Personal Capital

Post by CalculatedRisk »

KyleAAA wrote: Sat Aug 08, 2020 10:43 pm That's a horrible solution. The real solution is for financial institutions to join the 21st century and provide a modern API infrastructure. No read-only account necessary, just scope the access token to read-only.

The industry solved this problem in 2007
https://en.m.wikipedia.org/wiki/OAuth
A read-only account would be “horrible”? I’d take that over the nothing I have now.
KyleAAA
Posts: 8584
Joined: Wed Jul 01, 2009 5:35 pm

Re: Do not use Personal Capital

Post by KyleAAA »

CalculatedRisk wrote: Sun Aug 09, 2020 1:17 am
KyleAAA wrote: Sat Aug 08, 2020 10:43 pm That's a horrible solution. The real solution is for financial institutions to join the 21st century and provide a modern API infrastructure. No read-only account necessary, just scope the access token to read-only.

The industry solved this problem in 2007
https://en.m.wikipedia.org/wiki/OAuth
A read-only account would be “horrible”? I’d take that over the nothing I have now.
Yes, it would be a poor solution and unnecessarily complex and expensive for everyone involved. The 21st century beckons.
Shorty
Posts: 54
Joined: Sat Feb 23, 2019 4:54 pm

Re: Do not use Personal Capital

Post by Shorty »

Your understanding is technically correct, but I don't think you'd like the implications. Giving the most possible benefit of the doubt that everyone is doing what they claim:
- Personal Capital does not store your credentials (username/password). However, someone (Yodlee?) does on their behalf.
- To test this: "grant access" to a given 3rd party site (I tested with Schwab). Change the password on the Schwab side. Personal Capital immediately cannot access. Change it back - access granted. Clearly no access tokens are being used.
- "View only" access of aggregated data is granted to PC employees (by design). This does not give them access to your accounts. This is the "privacy" aspect that has been discussed. You agree to their EULA - nothing hidden here.
- Your username/password are being stored and processed externally. These are said to be handled responsibly (e.g. encrypted both "in motion" and "at rest", etc). They claim lots of audits, inspections, etc - this is where you implicitly trust someone else with your sensitive data. However, almost by definition (unless they have some crazy homomorphic encryption scheme or something wild not advertised - not likely) these are used at some point in the clear (e.g. in memory on the Yodlee servers). So your credentials are being stored (encrypted), and used (decrypted) somewhere. I believe an attack (including insider threat) on Yodlee would compromise these credentials. They're in the business of making that difficult. I am only assured by the fact that we haven't heard of a massive compromise in the news.
- A better approach would be if financial organizations provided limited use credentials - either username/pass, SSL certificate, etc, with limited, user-manageable permissions (account read-only, no transactions, heavily audited). They could also "allow" access to named aggregation services (e.g. PC).
- Another "better approach" would leverage "federated identity" providers based on modern tech (SAML, OpenID Connect) such as: Okta, Duo, etc. Even the way Facebook/Google will be your identity source, best with "multi-factor" authentication (like using your smartphone, Google Authenticator, etc).

Am I missing something?

My understanding is that my account passwords are not stored on their servers or something like that? Meaning their employees can’t dig for them. Sure they can see my amounts but they can’t do nada about it.
angelescrest
Posts: 1084
Joined: Tue May 27, 2008 10:48 am
Location: Texas

Re: Do not use Personal Capital

Post by angelescrest »

cj2018 wrote: Sat Jun 15, 2019 1:34 pm Yes, PC employees have access to the actual financial numbers being pulled from different sources, but that's to be expected. That's the same thing as employees at Google/Facebook who have access to all personal data you provided, or employees at WhatsApp or Apple or WeChat or Tinder who have access to all your personal texts/messages. Don't like it? Don't use it. End of story.
So how is it that Apple’s employees have access to messages sent on their customer’s devices?
CardinalRule
Posts: 475
Joined: Sun Jan 15, 2017 11:01 am
Location: United States

Re: Do not use Personal Capital

Post by CardinalRule »

I do not trust aggregators - not that the companies are untrustworthy, but I am not willing to take the risk of a security breach.

I do my own aggregation, using Quicken, downloading daily.