Vanguard/Yodlee for Aggregation

Topic Author
just1question
Posts: 79
Joined: Thu Mar 21, 2019 1:36 pm

Vanguard/Yodlee for Aggregation

Post by just1question » Thu Sep 05, 2019 11:14 am

I became aware of this service/product through another thread on this forum. Just add it to the loads of information I've learned since joining and lurking here.

The accounts I'm considering aggregating include Vanguard, my and my DW's 401/403 plans, bank (B of A) accounts, and maybe credit cards so we can track expenses. I have a few questions for those who are using or have used Yodlee or similar services/products:

1. How confident are you (or are you not) about security issues involved with sharing passwords from multiple accounts with Yodlee, or for that matter any aggregation service/product?

2. Is there a fee associated with using Yodlee through Vanguard?

3. Vanguard's website says "Account aggregation through vanguard.com is closed to new enrollments. However, it's available to select shareholders." Ok, so does this mean I'm frozen out unless I'm a "select shareholder"?

4. Are there any alternative products/services that you recommend over Yodlee that would suit my purposes?

Thanks.

Pete3
Posts: 95
Joined: Thu Jul 01, 2010 12:10 pm

Re: Vanguard/Yodlee for Aggregation

Post by Pete3 » Thu Sep 05, 2019 2:25 pm

Are there any alternative products/services that you recommend over Yodlee that would suit my purposes?
Not that I would necessarily recommend but there is https://home.personalcapital.com which uses Yodlee on the backend. If you give them your real phone number, expect to get phone calls. If you can get access through Vanguard that would be better for sure.

Never used mint but I've heard about it from others : https://www.mint.com/

mhalley
Posts: 7653
Joined: Tue Nov 20, 2007 6:02 am

Re: Vanguard/Yodlee for Aggregation

Post by mhalley » Thu Sep 05, 2019 6:03 pm

I am pretty trusting. I have pc, ynab, sigfig, emoney, fidelity one view, mint and vanguard.

bluquark
Posts: 870
Joined: Mon Oct 22, 2018 2:30 pm

Re: Vanguard/Yodlee for Aggregation

Post by bluquark » Thu Sep 05, 2019 6:18 pm

just1question wrote:
Thu Sep 05, 2019 11:14 am
1. How confident are you (or are you not) about security issues involved with sharing passwords from multiple accounts with Yodlee, or for that matter any aggregation service/product?
I am not confident in the least. It flies in the face of sound credential management, and I personally refuse to do it either for budgeting or for tax purposes. Aside from the risk of the aggregator getting hacked, it forces you to turn off second-factor auth on the scraped accounts. Unfortunately, there is no alternative to password-based scraping tools because the banks all want to hog data for themselves and won't provide a proper API designed for secure data access by third parties.

That being said, your financial accounts are mostly protected at time of suspicious transfer rather than by login security, so if you weren't using 2nd-factor to begin with and you really need budgeting, it probably only raises your risk level a little bit.

ThereAreNoGurus
Posts: 331
Joined: Fri Jan 24, 2014 11:41 pm

Re: Vanguard/Yodlee for Aggregation

Post by ThereAreNoGurus » Thu Sep 05, 2019 6:32 pm

I use Personal Capital (like it a lot) and I'm not worried at all.

All of my accounts have two-factor authentication and it works fine with PC.

So even if somebody obtained my passwords and user IDs they could still not log in. I don't see what the concern is (as long as one employs 2-FA).
Trade the news and you will lose.

cbeck
Posts: 289
Joined: Sun Jun 24, 2012 1:28 am

Re: Vanguard/Yodlee for Aggregation

Post by cbeck » Thu Sep 05, 2019 7:48 pm

just1question wrote:
Thu Sep 05, 2019 11:14 am

1. How confident are you (or are you not) about security issues involved with sharing passwords from multiple accounts with Yodlee, or for that matter any aggregation service/product?
There is no way that anyone here can evaluate the security of Yodlee unless he can go in with a team of IT security specialists to do a complete security audit. So, anyone who trusts it is making a faith-based decision. And there may well not be an adverse outcome, but that doesn't make the risk worth taking, because the worst-case outcome is so undesirable.

Much better to run Quicken on your computer and download data from all your banking and investment sites and aggregate it yourself.

rascott
Posts: 1074
Joined: Wed Apr 15, 2015 10:53 am

Re: Vanguard/Yodlee for Aggregation

Post by rascott » Thu Sep 05, 2019 8:08 pm

bluquark wrote:
Thu Sep 05, 2019 6:18 pm
just1question wrote:
Thu Sep 05, 2019 11:14 am
1. How confident are you (or are you not) about security issues involved with sharing passwords from multiple accounts with Yodlee, or for that matter any aggregation service/product?
I am not confident in the least. It flies in the face of sound credential management, and I personally refuse to do it either for budgeting or for tax purposes. Aside from the risk of the aggregator getting hacked, it forces you to turn off second-factor auth on the scraped accounts. Unfortunately, there is no alternative to password-based scraping tools because the banks all want to hog data for themselves and won't provide a proper API designed for secure data access by third parties.

That being said, your financial accounts are mostly protected at time of suspicious transfer rather than by login security, so if you weren't using 2nd-factor to begin with and you really need budgeting, it probably only raises your risk level a little bit.

This is not accurate. PC doesn't even keep your password. They use it to create a token and then it's gone. Just like you don't need to use two factor every time you login from a PC that is recognized. And I have two factor auth on all my PC accounts with no issue.

rascott
Posts: 1074
Joined: Wed Apr 15, 2015 10:53 am

Re: Vanguard/Yodlee for Aggregation

Post by rascott » Thu Sep 05, 2019 8:12 pm

cbeck wrote:
Thu Sep 05, 2019 7:48 pm
just1question wrote:
Thu Sep 05, 2019 11:14 am

1. How confident are you (or are you not) about security issues involved with sharing passwords from multiple accounts with Yodlee, or for that matter any aggregation service/product?
There is no way that anyone here can evaluate the security of Yodlee unless he can go in with a team of IT security specialists to do a complete security audit. So, anyone who trusts it is making a faith-based decision. And there may well not be an adverse outcome, but that doesn't make the risk worth taking, because the worst-case outcome is so undesirable.

Much better to run Quicken on your computer and download data from all your banking and investment sites and aggregate it yourself.

As I've said before.... you are more at risk logging into your actual accounts directly than you are monitoring them via an aggregator like PC. All it takes is your PC/ browser being infiltrated by spyware to scrape your login info. This doesn't even occur with PC, as they don't keep your login info, it's used once when established and then destroyed.

cbeck
Posts: 289
Joined: Sun Jun 24, 2012 1:28 am

Re: Vanguard/Yodlee for Aggregation

Post by cbeck » Thu Sep 05, 2019 8:25 pm

rascott wrote:
Thu Sep 05, 2019 8:12 pm
cbeck wrote:
Thu Sep 05, 2019 7:48 pm
just1question wrote:
Thu Sep 05, 2019 11:14 am

1. How confident are you (or are you not) about security issues involved with sharing passwords from multiple accounts with Yodlee, or for that matter any aggregation service/product?
There is no way that anyone here can evaluate the security of Yodlee unless he can go in with a team of IT security specialists to do a complete security audit. So, anyone who trusts it is making a faith-based decision. And there may well not be an adverse outcome, but that doesn't make the risk worth taking, because the worst-case outcome is so undesirable.

Much better to run Quicken on your computer and download data from all your banking and investment sites and aggregate it yourself.

As I've said before.... you are more at risk logging into your actual accounts directly than you are monitoring them via an aggregator like PC. All it takes is your PC/ browser being infiltrated by spyware to scrape your login info. This doesn't even occur with PC, as they don't keep your login info, it's used once when established and then destroyed.
You are making the completely unwarranted assumption that the likeliest point of compromise is the user's pc. Actually, from the many reports of compromised institutions we know that most accounts that are compromised are attacked at the institution's servers, not your pc, sometimes with an insider accomplice. You may think you know how Yodlee handles your passwords, but, as I pointed out, unless you confirm that with a full security audit, you don't know.

The risk with Yodlee and other aggregators is both an unknown and an excess risk, since you can do your own aggregation on your pc with Quicken, which whatever risk your pc poses, is not increased by doing the downloads yourself.

rascott
Posts: 1074
Joined: Wed Apr 15, 2015 10:53 am

Re: Vanguard/Yodlee for Aggregation

Post by rascott » Thu Sep 05, 2019 9:07 pm

cbeck wrote:
Thu Sep 05, 2019 8:25 pm
rascott wrote:
Thu Sep 05, 2019 8:12 pm
cbeck wrote:
Thu Sep 05, 2019 7:48 pm
just1question wrote:
Thu Sep 05, 2019 11:14 am

1. How confident are you (or are you not) about security issues involved with sharing passwords from multiple accounts with Yodlee, or for that matter any aggregation service/product?
There is no way that anyone here can evaluate the security of Yodlee unless he can go in with a team of IT security specialists to do a complete security audit. So, anyone who trusts it is making a faith-based decision. And there may well not be an adverse outcome, but that doesn't make the risk worth taking, because the worst-case outcome is so undesirable.

Much better to run Quicken on your computer and download data from all your banking and investment sites and aggregate it yourself.

As I've said before.... you are more at risk logging into your actual accounts directly than you are monitoring them via an aggregator like PC. All it takes is your PC/ browser being infiltrated by spyware to scrape your login info. This doesn't even occur with PC, as they don't keep your login info, it's used once when established and then destroyed.
You are making the completely unwarranted assumption that the likeliest point of compromise is the user's pc. Actually, from the many reports of compromised institutions we know that most accounts that are compromised are attacked at the institution's servers, not your pc, sometimes with an insider accomplice. You may think you know how Yodlee handles your passwords, but, as I pointed out, unless you confirm that with a full security audit, you don't know.

The risk with Yodlee and other aggregators is both an unknown and an excess risk, since you can do your own aggregation on your pc with Quicken, which whatever risk your pc poses, is not increased by doing the downloads yourself.
YMMV... but for me I feel safer using something like Yodlee to see everything in one spot... much easier to spot an anomaly since I check it almost daily. While without, I might not catch something for months. I've read quite a bit on how these services operate, and personally feel more comfortable with their progress than anything else. (Conjoined with 2 factor auth, of course)

rolandtorres
Posts: 114
Joined: Sat Jan 09, 2016 8:44 pm

Re: Vanguard/Yodlee for Aggregation

Post by rolandtorres » Fri Sep 06, 2019 12:27 am

1. I am confident in the security, assuming you've taken other measures like 2FA as mentioned. What you might want to be wary of is the aggregator's data retention and usage policies. I'm reasonably more confident that Vanguard has no interest in retaining the data for other purposes; I'm less sure that a Personal Capital or Fidelity eMoney aren't using the data in some aggregate form for their own (non-nefarious) biz purposes. Yodlee itself states it sells some aggregated anonymized data to hedge funds.

2. Not that I've seen.

3. Email to ask.

4. Others were mentioned here- Personal Capital and Fidelity eMoney are best for aggregating for investments and Mint is optimized for budgeting/ expense classifying. Both are visually pleasing. The Vanguard implementation is rudimentary and not visually pleasing compared to those but when pulled into the Portfolio Watch tool is suitable for some purposes like understanding allocations.

https://www.bogleheads.org/wiki/Vanguar ... olio_Watch

A project I'm tempted to do is to register on Vanguard as an advisor to look at the tools provided to those- anyone try these?
https://advisors.vanguard.com/VGApp/iip ... lysistools

KyleAAA
Posts: 7593
Joined: Wed Jul 01, 2009 5:35 pm

Re: Vanguard/Yodlee for Aggregation

Post by KyleAAA » Fri Sep 06, 2019 12:56 am

bluquark wrote:
Thu Sep 05, 2019 6:18 pm
just1question wrote:
Thu Sep 05, 2019 11:14 am
1. How confident are you (or are you not) about security issues involved with sharing passwords from multiple accounts with Yodlee, or for that matter any aggregation service/product?
I am not confident in the least. It flies in the face of sound credential management, and I personally refuse to do it either for budgeting or for tax purposes. Aside from the risk of the aggregator getting hacked, it forces you to turn off second-factor auth on the scraped accounts. Unfortunately, there is no alternative to password-based scraping tools because the banks all want to hog data for themselves and won't provide a proper API designed for secure data access by third parties.

That being said, your financial accounts are mostly protected at time of suspicious transfer rather than by login security, so if you weren't using 2nd-factor to begin with and you really need budgeting, it probably only raises your risk level a little bit.
Personal Capital works with 2fa. It makes you authenticate before syncing the account.

nisiprius
Advisory Board
Posts: 39444
Joined: Thu Jul 26, 2007 9:33 am
Location: The terrestrial, globular, planetary hunk of matter, flattened at the poles, is my abode.--O. Henry

Re: Vanguard/Yodlee for Aggregation

Post by nisiprius » Fri Sep 06, 2019 2:44 pm

just1question wrote:
Thu Sep 05, 2019 11:14 am
...1. How confident are you (or are you not) about security issues involved with sharing passwords from multiple accounts with Yodlee, or for that matter any aggregation service/product?...
1) The whole point of a password is not to share it. Period. You just don't. Then you are not faced with a multiplicity of analyses and decisions about whether it is OK to share this password with this entity.

2) An additional factor, which I personally take seriously, is that I have formally signed legal agreements--possibly in real ink on real paper, possibly by "electronic signature," I don't remember--not to share my passwords. I'm breaking my contract e.g. with Vanguard if I do it. Is that ever going to matter? Probably not, but I agreed.

3) You and I have no ability to evaluate the security of the companies we use. They are all going to say that it is safe to give your password to them, what do you expect them to say? But how do you know anything, anything at all, about what they do?

4) Finally, we need to be cognizant that information, once shared, can't be unshared. Time goes on, stuff happens. A company that promises to protect your password and is punctilious about doing it, could change. A good example of this would be what eToys Inc. did
Can a company go back on its customer privacy policy promises when it goes bankrupt? The closeout execs at the defunct online retailer eToys Inc. thought so.

The children's toy, book and software dealer that went under in March previously told customers in its online privacy policy that "eToys respects your privacy. We do not sell, rent, loan or transfer any personal information regarding our customers or their kids to any unrelated third parties. Any information you give us . . . will not be used in ways to which you have not consented."
In fact, their website had a TRUSTe seal on it, certifying that a third party had audited their practices to make sure they were doing what they said. And then, when the business collapsed,
In selling off its assets, however, eToys proposed recently to peddle its customer list, containing customers' personal and financial information...
Annual income twenty pounds, annual expenditure nineteen nineteen and six, result happiness; Annual income twenty pounds, annual expenditure twenty pounds ought and six, result misery.

KyleAAA
Posts: 7593
Joined: Wed Jul 01, 2009 5:35 pm

Re: Vanguard/Yodlee for Aggregation

Post by KyleAAA » Fri Sep 06, 2019 3:04 pm

cbeck wrote:
Thu Sep 05, 2019 8:25 pm
rascott wrote:
Thu Sep 05, 2019 8:12 pm
cbeck wrote:
Thu Sep 05, 2019 7:48 pm
just1question wrote:
Thu Sep 05, 2019 11:14 am

1. How confident are you (or are you not) about security issues involved with sharing passwords from multiple accounts with Yodlee, or for that matter any aggregation service/product?
There is no way that anyone here can evaluate the security of Yodlee unless he can go in with a team of IT security specialists to do a complete security audit. So, anyone who trusts it is making a faith-based decision. And there may well not be an adverse outcome, but that doesn't make the risk worth taking, because the worst-case outcome is so undesirable.

Much better to run Quicken on your computer and download data from all your banking and investment sites and aggregate it yourself.

As I've said before.... you are more at risk logging into your actual accounts directly than you are monitoring them via an aggregator like PC. All it takes is your PC/ browser being infiltrated by spyware to scrape your login info. This doesn't even occur with PC, as they don't keep your login info, it's used once when established and then destroyed.
You are making the completely unwarranted assumption that the likeliest point of compromise is the user's pc. Actually, from the many reports of compromised institutions we know that most accounts that are compromised are attacked at the institution's servers, not your pc, sometimes with an insider accomplice. You may think you know how Yodlee handles your passwords, but, as I pointed out, unless you confirm that with a full security audit, you don't know.

The risk with Yodlee and other aggregators is both an unknown and an excess risk, since you can do your own aggregation on your pc with Quicken, which whatever risk your pc poses, is not increased by doing the downloads yourself.
It isn't an unwarranted assumption. You are much more likely to be a victim from your own PC than from Yodlee. Companies that hold financial credentials like Yodlee usually hold certifications which come with audits, so in a sense you do have a team of IT security experts on your side. In particular, Yodlee falls under this standard: https://ithandbook.ffiec.gov/media/1531 ... tement.pdf

Now, they easily pass the audit and then change all their practices. Just because they passed 6 months ago doesn't mean they are still compliant. And just because they are compliant doesn't mean they are hack-proof, but it is likely quite a bit safer than your PC.

cbeck
Posts: 289
Joined: Sun Jun 24, 2012 1:28 am

Re: Vanguard/Yodlee for Aggregation

Post by cbeck » Fri Sep 06, 2019 7:44 pm

KyleAAA wrote:
Fri Sep 06, 2019 3:04 pm
cbeck wrote:
Thu Sep 05, 2019 8:25 pm
rascott wrote:
Thu Sep 05, 2019 8:12 pm
cbeck wrote:
Thu Sep 05, 2019 7:48 pm
just1question wrote:
Thu Sep 05, 2019 11:14 am

1. How confident are you (or are you not) about security issues involved with sharing passwords from multiple accounts with Yodlee, or for that matter any aggregation service/product?
There is no way that anyone here can evaluate the security of Yodlee unless he can go in with a team of IT security specialists to do a complete security audit. So, anyone who trusts it is making a faith-based decision. And there may well not be an adverse outcome, but that doesn't make the risk worth taking, because the worst-case outcome is so undesirable.

Much better to run Quicken on your computer and download data from all your banking and investment sites and aggregate it yourself.

As I've said before.... you are more at risk logging into your actual accounts directly than you are monitoring them via an aggregator like PC. All it takes is your PC/ browser being infiltrated by spyware to scrape your login info. This doesn't even occur with PC, as they don't keep your login info, it's used once when established and then destroyed.
You are making the completely unwarranted assumption that the likeliest point of compromise is the user's pc. Actually, from the many reports of compromised institutions we know that most accounts that are compromised are attacked at the institution's servers, not your pc, sometimes with an insider accomplice. You may think you know how Yodlee handles your passwords, but, as I pointed out, unless you confirm that with a full security audit, you don't know.

The risk with Yodlee and other aggregators is both an unknown and an excess risk, since you can do your own aggregation on your pc with Quicken, which whatever risk your pc poses, is not increased by doing the downloads yourself.
It isn't an unwarranted assumption. You are much more likely to be a victim from your own PC than from Yodlee. Companies that hold financial credentials like Yodlee usually hold certifications which come with audits, so in a sense you do have a team of IT security experts on your side. In particular, Yodlee falls under this standard: https://ithandbook.ffiec.gov/media/1531 ... tement.pdf

Now, they easily pass the audit and then change all their practices. Just because they passed 6 months ago doesn't mean they are still compliant. And just because they are compliant doesn't mean they are hack-proof, but it is likely quite a bit safer than your PC.
You have failed to grasp the concept of excess risk. Let's call the unknown risk you accept by using your computer R, and the unknown risk you accept by signing up for Yodlee P. Your new risk, after surrendering your passwords to Yodlee, is not P, but R + P, since you are hardly likely to discontinue use of your pc after signing up for Yodlee. So the unknown (and unknowable) risk P from Yodlee is a risk that you do not need to take (excess risk) and which you are taking only for the dubious benefit of aggregation, which, as I have pointed out, you can achieve yourself without increasing your current risk R at all.

As a former IT director I have been through external security audits, which I can tell you did not inspire confidence in me. They were always just a bunch of box tickers, who never tried to understand the actual systems in question and their weaknesses.

3-20Characters
Posts: 683
Joined: Tue Jun 19, 2018 2:20 pm

Re: Vanguard/Yodlee for Aggregation

Post by 3-20Characters » Fri Sep 06, 2019 7:54 pm

KyleAAA wrote:
Fri Sep 06, 2019 3:04 pm
It isn't an unwarranted assumption. You are much more likely to be a victim from your own PC than from Yodlee. Companies that hold financial credentials like Yodlee usually hold certifications which come with audits, so in a sense you do have a team of IT security experts on your side. In particular, Yodlee falls under this standard: https://ithandbook.ffiec.gov/media/1531 ... tement.pdf

Now, they easily pass the audit and then change all their practices. Just because they passed 6 months ago doesn't mean they are still compliant. And just because they are compliant doesn't mean they are hack-proof, but it is likely quite a bit safer than your PC.
Did Equifax pass an audit and were their IT security experts on our side (IIRC, their head of IT had a degree in music)? I’ve never had my Mac or iDevice hacked but countless “secure” websites holding my data have been hacked. Sometimes it seems like one a week.

bluquark
Posts: 870
Joined: Mon Oct 22, 2018 2:30 pm

Re: Vanguard/Yodlee for Aggregation

Post by bluquark » Fri Sep 06, 2019 8:25 pm

nisiprius wrote:
Fri Sep 06, 2019 2:44 pm
4) Finally, we need to be cognizant that information, once shared, can't be unshared.
Fortunately, passwords can easily be revoked. Also, you can sign up to https://haveibeenpwned.com/ to be notified the moment one of your passwords is known to have become public due to a database dump. (I recommend everyone in this thread try it. Most people who have been signing up to services on the same email for some time have at least 3 or 4 database breaches to their name.)

3-20Characters
Posts: 683
Joined: Tue Jun 19, 2018 2:20 pm

Re: Vanguard/Yodlee for Aggregation

Post by 3-20Characters » Fri Sep 06, 2019 8:28 pm

bluquark wrote:
Fri Sep 06, 2019 8:25 pm
nisiprius wrote:
Fri Sep 06, 2019 2:44 pm
4) Finally, we need to be cognizant that information, once shared, can't be unshared.
Fortunately, passwords can easily be revoked. Also, you can sign up to https://haveibeenpwned.com/ to be notified the moment one of your passwords is known to have become public due to a database dump. (I recommend everyone in this thread try it. Most people who have been signing up to services on the same email for some time have at least 3 or 4 database breaches to their name.)
Some password managers do this automatically. I know 1Password does (Watchtower).
https://watchtower.1password.com/
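The breach notification that bluquark's post and the Watchtower mention above rely on can be done without ever sending the password itself: the client hashes the password with SHA-1, sends only the first five hex characters of the digest, and receives every known breached hash suffix in that range (the k-anonymity "range" query used by Have I Been Pwned's Pwned Passwords API). The following is an added example, not code from the forum posts or from 1Password or HIBP; the range response embedded here is a constructed sample, and the transport is abstracted behind a `fetch_range` callable so the logic runs offline.

```python
import hashlib

def password_hash_split(password: str) -> tuple[str, str]:
    """Split the upper-case SHA-1 hex digest of the password into the 5-char
    prefix that leaves the client and the 35-char suffix that never does."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body: str) -> dict[str, int]:
    """Parse a range response: one 'SUFFIX:COUNT' entry per line.
    Blank lines are skipped; padding entries carry a count of 0."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts

def breach_count(password: str, fetch_range) -> int:
    """Return how many times the password appears in the breach corpus
    (0 if absent). fetch_range(prefix) must return the response body for
    that 5-char prefix; only the prefix is ever sent over the network."""
    prefix, suffix = password_hash_split(password)
    counts = parse_range_response(fetch_range(prefix))
    # A padding entry (count 0) is indistinguishable from "not present".
    return counts.get(suffix, 0)

# Constructed sample: SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8,
# so the prefix is 5BAA6 and the suffix below is the rest of that digest.
# The other two suffixes and all counts are made up for the demo; a real
# response for this prefix contains hundreds of lines.
DEMO_RANGE_5BAA6 = """\
003D68EB55068C33ACE09247EE4C639306B:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
FFFF3A4B6E2C9B1D8F4A5C6E7D8B9A0C1E2:0
"""

def demo_fetch_range(prefix: str) -> str:
    """Offline stand-in for the HTTP range query; empty body for
    prefixes the constructed sample does not cover."""
    return {"5BAA6": DEMO_RANGE_5BAA6}.get(prefix, "")

if __name__ == "__main__":
    for candidate in ("password", "a-long-passphrase-nobody-has-leaked-7f3q"):
        n = breach_count(candidate, demo_fetch_range)
        print(f"{candidate!r}: seen {n} times" if n else f"{candidate!r}: not found")
```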

ThereAreNoGurus
Posts: 331
Joined: Fri Jan 24, 2014 11:41 pm

Re: Vanguard/Yodlee for Aggregation

Post by ThereAreNoGurus » Fri Sep 06, 2019 8:39 pm

Your new risk, after surrendering your passwords to Yodlee is not P, but R
I use 2FA. I don't care if Yodlee or anybody else has my password (slight hyperbole) with respect to an increased risk of an intrusion. Also, I will be immediately notified if somebody tries to log in with my password. And then I change my password. End of problem. "R" in this case is infinitesimal.
Trade the news and you will lose.

ARoseByAnyOtherName
Posts: 323
Joined: Wed Apr 26, 2017 12:03 am

Re: Vanguard/Yodlee for Aggregation

Post by ARoseByAnyOtherName » Fri Sep 06, 2019 10:09 pm

rascott wrote:
Thu Sep 05, 2019 8:08 pm
This is not accurate. PC doesn't even keep your password. They use it to create a token and then it's gone. Just like you don't need to use two factor every time you login from a PC that is recognized. And I have two factor auth on all my PC accounts with no issue.
For the record I don’t believe this is true. Or, perhaps more accurately, it may be true but misleading.

I do believe it’s true that *Personal Capital* doesn’t store your external account passwords. They just pass them through to their third party aggregation provider, which I think is either Yodlee or Plaid. (Or maybe they don’t even ever see your account passwords because they load their aggregation provider UI in something like an iframe, I don’t know. But the end results are similar.)

However my understanding is that Yodlee/Plaid actually *do* store your account credentials, for some accounts. I believe that these aggregators do authenticate to SOME institutions through a token-based/OAuth method (likely the bigger players like Chase/BoA/etc), BUT not all. They still connect to some (many?) using a stored username/password.

If anyone knows firsthand whether the above is right or wrong please let me know, I’d love to understand more about how this works.

ARoseByAnyOtherName
Posts: 323
Joined: Wed Apr 26, 2017 12:03 am

Re: Vanguard/Yodlee for Aggregation

Post by ARoseByAnyOtherName » Fri Sep 06, 2019 10:15 pm

bluquark wrote:
Fri Sep 06, 2019 8:25 pm
nisiprius wrote:
Fri Sep 06, 2019 2:44 pm
4) Finally, we need to be cognizant that information, once shared, can't be unshared.
Fortunately, passwords can easily be revoked.
This is a really important point that tends to get lost in these aggregator discussions.

If something happens, and I get scared that Personal Capital has my username and password for Merrill Lynch I can, like, just go change my Merrill Lynch password. And maybe my username too.

Now this definitely doesn’t eliminate the security risk. I’m not claiming that. But it’s an important means of mitigating risk in some situations that shouldn’t be overlooked.

ThereAreNoGurus
Posts: 331
Joined: Fri Jan 24, 2014 11:41 pm

Re: Vanguard/Yodlee for Aggregation

Post by ThereAreNoGurus » Fri Sep 06, 2019 10:39 pm

ARoseByAnyOtherName wrote:
Fri Sep 06, 2019 10:09 pm
rascott wrote:
Thu Sep 05, 2019 8:08 pm
This is not accurate. PC doesn't even keep your password. They use it to create a token and then it's gone. Just like you don't need to use two factor every time you login from a PC that is recognized. And I have two factor auth on all my PC accounts with no issue.
For the record I don’t believe this is true. Or, perhaps more accurately, it may be true but misleading.

I do believe it’s true that *Personal Capital* doesn’t store your external account passwords. They just pass them through to their third party aggregation provider, which I think is either Yodlee or Plaid. (Or maybe they don’t even ever see your account passwords because they load their aggregation provider UI in something like an iframe, I don’t know. But the end results are similar.)

However my understanding is that Yodlee/Plaid actually *do* store your account credentials, for some accounts. I believe that these aggregators do authenticate to SOME institutions through a token-based/OAuth method (likely the bigger players like Chase/BoA/etc), BUT not all. They still connect to some (many?) using a stored username/password.

If anyone knows firsthand whether the above is right or wrong please let me know, I’d love to understand more about how this works.
Why don't you try contacting PC and ask them? I once contacted them on a weekend and was very surprised to get a response and then another response to a follow-up question that same weekend. Here is their contact page (however, you will need to login): https://www.personalcapital.com/company/contact

Edited to add:

Never mind! I think this page answers the question?! https://support.personalcapital.com/hc/ ... edentials-

According to that page, user IDs and passwords are encrypted at the browser or mobile phone app level, so there is no way anybody else can use them unless they take the time and expense to decrypt the passwords... good luck with that.

It's actually very simple and very secure... I'm impressed. (It should be basic IT practice, however)

P.S. Technically that would also mean your password is not being shared (whether it means that legally, I can't say).
Trade the news and you will lose.

ARoseByAnyOtherName
Posts: 323
Joined: Wed Apr 26, 2017 12:03 am

Re: Vanguard/Yodlee for Aggregation

Post by ARoseByAnyOtherName » Fri Sep 06, 2019 10:56 pm

ThereAreNoGurus wrote:
Fri Sep 06, 2019 10:39 pm
Why don't you try contacting PC and ask them? I once contacted them on a weekend and was very surprised to get a response and then another response to a follow-up question that same weekend. Here is their contact page (however, you will need to login): https://www.personalcapital.com/company/contact

Edited to add:

Never mind! I think this page answers the question?! https://support.personalcapital.com/hc/ ... edentials-

According to that page, user IDs and passwords are encrypted at the browser or mobile phone app level, so there is no way anybody else can use them unless they take the time and expense to decrypt the passwords... good luck with that.
That page says "No individual at Personal Capital has access to any client credentials. Our system is designed such that not a single employee could pull them even if they tried."

But it doesn't say anything about their account aggregators. Also, to the original point, it does imply that they do store account credentials.

ThereAreNoGurus
Posts: 331
Joined: Fri Jan 24, 2014 11:41 pm

Re: Vanguard/Yodlee for Aggregation

Post by ThereAreNoGurus » Fri Sep 06, 2019 11:05 pm

ARoseByAnyOtherName wrote:
Fri Sep 06, 2019 10:56 pm
ThereAreNoGurus wrote:
Fri Sep 06, 2019 10:39 pm
Why don't you try contacting PC and ask them? I once contacted them on a weekend and was very surprised to get a response and then another response to a follow-up question that same weekend. Here is their contact page (however, you will need to log in): https://www.personalcapital.com/company/contact

Edited to add:

Never mind! I think this page answers the question?? https://support.personalcapital.com/hc/ ... edentials-

According to that page, user IDs and passwords are encrypted at the browser or mobile phone app level, so there is no way anybody else can use them unless they take the time and expense to decrypt the passwords... good luck with that.
That page says "No individual at Personal Capital has access to any client credentials. Our system is designed such that not a single employee could pull them even if they tried."

But it doesn't say anything about their account aggregators. Also, to the original point, it does imply that they do store account credentials.
According to this link: https://support.personalcapital.com/hc/ ... f-Security

"We encrypt your credentials and personal data with military-grade encryption algorithms -- 256-bit AES, to be specific. Even if someone could penetrate the data center, your data would remain secure."

Edited to add:

I think the credentials stored there are at least as safe as they are at most any other site one has an online account login (e.g., Vanguard, your bank, etc.)
Trade the news and you will lose.

rascott
Posts: 1074
Joined: Wed Apr 15, 2015 10:53 am

Re: Vanguard/Yodlee for Aggregation

Post by rascott » Fri Sep 06, 2019 11:12 pm

ThereAreNoGurus wrote:
Fri Sep 06, 2019 11:05 pm
ARoseByAnyOtherName wrote:
Fri Sep 06, 2019 10:56 pm
ThereAreNoGurus wrote:
Fri Sep 06, 2019 10:39 pm
Why don't you try contacting PC and ask them? I once contacted them on a weekend and was very surprised to get a response and then another response to a follow-up question that same weekend. Here is their contact page (however, you will need to log in): https://www.personalcapital.com/company/contact

Edited to add:

Never mind! I think this page answers the question?? https://support.personalcapital.com/hc/ ... edentials-

According to that page, user IDs and passwords are encrypted at the browser or mobile phone app level, so there is no way anybody else can use them unless they take the time and expense to decrypt the passwords... good luck with that.
That page says "No individual at Personal Capital has access to any client credentials. Our system is designed such that not a single employee could pull them even if they tried."

But it doesn't say anything about their account aggregators. Also, to the original point, it does imply that they do store account credentials.

According to this link: https://support.personalcapital.com/hc/ ... f-Security

"We encrypt your credentials and personal data with military-grade encryption algorithms -- 256-bit AES, to be specific. Even if someone could penetrate the data center, your data would remain secure."

Edited to add:

I think the credentials stored there are at least as safe as they are at most any other site one has an online account login (e.g., Vanguard, your bank, etc.)
I'm very comfortable with their setup. As I said before, I think there is a good argument to be made that using one of these actually makes you more secure, not less. You are basically getting a free constant monitoring service. And I'm not having to log in to 10 different accounts to check them, constantly.
Last edited by rascott on Fri Sep 06, 2019 11:15 pm, edited 1 time in total.

ThereAreNoGurus
Posts: 331
Joined: Fri Jan 24, 2014 11:41 pm

Re: Vanguard/Yodlee for Aggregation

Post by ThereAreNoGurus » Fri Sep 06, 2019 11:14 pm

Yes, that's an interesting observation and I'm inclined to agree with it.
Trade the news and you will lose.

furwut
Posts: 1536
Joined: Tue Jun 05, 2012 8:54 pm

Re: Vanguard/Yodlee for Aggregation

Post by furwut » Sat Sep 07, 2019 12:11 am

I used Mint for many years. Good tool for allowing one to see the big picture budget wise.

Never paid Mint anything. They say the costs of providing the service is met by advertising (never saw much) and commission on click thru to advertisers (never accepted any of those offers either). I came to believe the real business model is packaging and selling the reams of financial data you are letting them see.

KyleAAA
Posts: 7593
Joined: Wed Jul 01, 2009 5:35 pm

Re: Vanguard/Yodlee for Aggregation

Post by KyleAAA » Sat Sep 07, 2019 12:02 pm

3-20Characters wrote:
Fri Sep 06, 2019 7:54 pm
KyleAAA wrote:
Fri Sep 06, 2019 3:04 pm
It isn't an unwarranted assumption. You are much more likely to be a victim from your own PC than from Yodlee. Companies that hold financial credentials like Yodlee usually hold certifications which come with audits, so in a sense you do have a team of IT security experts on your side. In particular, Yodlee falls under this standard: https://ithandbook.ffiec.gov/media/1531 ... tement.pdf

Now, they easily pass the audit and then change all their practices. Just because they passed 6 months ago doesn't mean they are still compliant. And just because they are compliant doesn't mean they are hack-proof, but it is likely quite a bit safer than your PC.
Did Equifax pass an audit and were their IT security experts on our side (IIRC, their head of IT had a degree in music)? I've never had my Mac or iDevice hacked but countless "secure" websites holding my data have been hacked. Sometimes it seems like one a week.
They did not pass this sort of audit, no. I'm curious how you would even know if your Mac had been compromised. It's very likely you'd have no idea.

KyleAAA
Posts: 7593
Joined: Wed Jul 01, 2009 5:35 pm

Re: Vanguard/Yodlee for Aggregation

Post by KyleAAA » Sat Sep 07, 2019 12:06 pm

cbeck wrote:
Fri Sep 06, 2019 7:44 pm
KyleAAA wrote:
Fri Sep 06, 2019 3:04 pm
cbeck wrote:
Thu Sep 05, 2019 8:25 pm
rascott wrote:
Thu Sep 05, 2019 8:12 pm
cbeck wrote:
Thu Sep 05, 2019 7:48 pm


There is no way that anyone here can evaluate the security of yodlee unless he can go in with a team of IT security specialists to do a complete security audit. So, anyone who trusts it is making a faith-based decision. And there may well not be an adverse outcome, but that doesn't make the risk worth taking, because the worst-case outcome is so undesirable.

Much better to run Quicken on your computer and download data from all your banking and investment sites and aggregate it yourself.

As I've said before.... you are more at risk logging into your actual accounts directly than you are monitoring them via an aggregator like PC. All it takes is your PC/ browser being infiltrated by spyware to scrape your login info. This doesn't even occur with PC, as they don't keep your login info, it's used once when established and then destroyed.
You are making the completely unwarranted assumption that the likeliest point of compromise is the user's pc. Actually, from the many reports of compromised institutions we know that most accounts that are compromised are attacked at the institution's servers, not your pc, sometimes with an insider accomplice. You may think you know how Yodlee handles your passwords, but, as I pointed out, unless you confirm that with a full security audit, you don't know.

The risk with Yodlee and other aggregators is both an unknown and an excess risk, since you can do your own aggregation on your pc with Quicken, which whatever risk your pc poses, is not increased by doing the downloads yourself.
It isn't an unwarranted assumption. You are much more likely to be a victim from your own PC than from Yodlee. Companies that hold financial credentials like Yodlee usually hold certifications which come with audits, so in a sense you do have a team of IT security experts on your side. In particular, Yodlee falls under this standard: https://ithandbook.ffiec.gov/media/1531 ... tement.pdf

Now, they easily pass the audit and then change all their practices. Just because they passed 6 months ago doesn't mean they are still compliant. And just because they are compliant doesn't mean they are hack-proof, but it is likely quite a bit safer than your PC.
You have failed to grasp the concept of excess risk. Let's call the unknown risk you accept by using your computer R, while the unknown risk you accept by signing up for Yodlee is P. Your new risk, after surrendering your passwords to Yodlee, is not P, but R + P, since you are hardly likely to discontinue use of your PC after signing up for Yodlee. So the unknown (and unknowable) risk P from Yodlee is a risk that you do not need to take (excess risk) and which you are taking only for the dubious benefit of aggregation, which, as I have pointed out, you can achieve yourself without increasing your current risk R at all.

As a former IT director I have been through external security audits, which I can tell you did not inspire confidence in me. They were always just a bunch of box tickers, who never tried to understand the actual systems in question and their weaknesses.
LOL, no, I have not failed to grasp the concept. As somebody who has actually built systems that needed to pass certain hurdles, the audits were not box checking exercises. Every line of code was examined.

student
Posts: 4141
Joined: Fri Apr 03, 2015 6:58 am

Re: Vanguard/Yodlee for Aggregation

Post by student » Sat Sep 07, 2019 1:14 pm

I will never "share" a password on such a site. I manually entered my portfolio into a site such as Personal Capital, and I update it on a regular basis.

ThereAreNoGurus
Posts: 331
Joined: Fri Jan 24, 2014 11:41 pm

Re: Vanguard/Yodlee for Aggregation

Post by ThereAreNoGurus » Sat Sep 07, 2019 1:51 pm

student wrote:
Sat Sep 07, 2019 1:14 pm
I will never "share" a password on such a site. I manually entered my portfolio into a site such as Personal Capital, and I update it on a regular basis.
For portfolio tracking, why not use a site like morningstar.com? It's free. Once you've entered your portfolio you should not need to perform manual updates except for buy/sell transactions. Morningstar will post dividend and distribution updates without having to manually input them.
Last edited by ThereAreNoGurus on Sat Sep 07, 2019 2:25 pm, edited 3 times in total.
Trade the news and you will lose.

lws
Posts: 82
Joined: Tue Apr 25, 2017 6:12 pm

Re: Vanguard/Yodlee for Aggregation

Post by lws » Sat Sep 07, 2019 1:52 pm

Sometimes the benefit of a convenience is not worth the cost.
Sometimes it is.
Some of us will be our own aggregators.
Some of us will trust others.
We are all free to choose.

3-20Characters
Posts: 683
Joined: Tue Jun 19, 2018 2:20 pm

Re: Vanguard/Yodlee for Aggregation

Post by 3-20Characters » Sat Sep 07, 2019 2:44 pm

KyleAAA wrote:
Sat Sep 07, 2019 12:02 pm
3-20Characters wrote:
Fri Sep 06, 2019 7:54 pm
KyleAAA wrote:
Fri Sep 06, 2019 3:04 pm
It isn't an unwarranted assumption. You are much more likely to be a victim from your own PC than from Yodlee. Companies that hold financial credentials like Yodlee usually hold certifications which come with audits, so in a sense you do have a team of IT security experts on your side. In particular, Yodlee falls under this standard: https://ithandbook.ffiec.gov/media/1531 ... tement.pdf

Now, they easily pass the audit and then change all their practices. Just because they passed 6 months ago doesn't mean they are still compliant. And just because they are compliant doesn't mean they are hack-proof, but it is likely quite a bit safer than your PC.
Did Equifax pass an audit and were their IT security experts on our side (IIRC, their head of IT had a degree in music)? I've never had my Mac or iDevice hacked but countless "secure" websites holding my data have been hacked. Sometimes it seems like one a week.
They did not pass this sort of audit, no. I'm curious how you would even know if your Mac had been compromised. It's very likely you'd have no idea.
That's akin to saying I don't know that there's not a monster under my bed because I haven't looked (or I looked whilst he was hiding elsewhere). I've been a Mac user since the early 80s and have seen zero evidence of any of our Macs being compromised since OS X. If it walks like a duck and quacks like a duck...

student
Posts: 4141
Joined: Fri Apr 03, 2015 6:58 am

Re: Vanguard/Yodlee for Aggregation

Post by student » Sat Sep 07, 2019 2:46 pm

ThereAreNoGurus wrote:
Sat Sep 07, 2019 1:51 pm
student wrote:
Sat Sep 07, 2019 1:14 pm
I will never "share" a password on such a site. I manually entered my portfolio into a site such as Personal Capital, and I update it on a regular basis.
For portfolio tracking, why not use a site like morningstar.com? It's free. Once you've entered your portfolio you should not need to perform manual updates except for buy/sell transactions. Morningstar will post dividend and distribution updates without having to manually input them.
I like Personal Capital's asset allocation view and retirement forecast. Otherwise, Morningstar works too.

ThereAreNoGurus
Posts: 331
Joined: Fri Jan 24, 2014 11:41 pm

Re: Vanguard/Yodlee for Aggregation

Post by ThereAreNoGurus » Sat Sep 07, 2019 3:16 pm

student wrote:
Sat Sep 07, 2019 2:46 pm
ThereAreNoGurus wrote:
Sat Sep 07, 2019 1:51 pm
For portfolio tracking, why not use a site like morningstar.com? It's free. Once you've entered your portfolio you should not need to perform manual updates except for buy/sell transactions. Morningstar will post dividend and distribution updates without having to manually input them.
I like Personal Capital's asset allocation view and retirement forecast. Otherwise, Morningstar works too.
Sounds good. Thx for the response!
Trade the news and you will lose.

brianH
Posts: 321
Joined: Wed Aug 12, 2009 12:21 pm

Re: Vanguard/Yodlee for Aggregation

Post by brianH » Sat Sep 07, 2019 3:33 pm

bluquark wrote:
Thu Sep 05, 2019 6:18 pm
I am not confident in the least. It flies in the face of sound credential management, and I personally refuse to do it either for budgeting or for tax purposes. Aside from the risk of the aggregator getting hacked, it forces you to turn off second-factor auth on the scraped accounts. Unfortunately, there is no alternative to password-based scraping tools because the banks all want to hog data for themselves and won't provide a proper API designed for secure data access by third parties.
I can't speak for other banks, but I am a software engineer at a financial firm, and we did provide an OAuth2-based token flow to access an API. However, the aggregators (many of whom are listed in this thread) had zero interest in it. They have teams of people that are used to storing 2FA cookies (bad idea) and scraping HTML.

From this lack of concern over doing things the 'right way', and my extensive experience with security, no, I do not use any aggregation services. I'd be less concerned if I could, say, give a read-only password to my Vanguard account, but giving these data aggregation firms the master keys to my kingdom is beyond foolish, in my professional opinion.
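A worked sketch of the scoped, revocable grant brianH describes (an OAuth2-style token that can only read), which also covers the read-only, individually revocable app-specific passwords mentioned further down the thread. This is an added illustration, not code from brianH's firm, Yodlee or any bank; the scope names, the `TokenStore` class and the `ttl_seconds` parameter are assumptions. The institution stores only a keyed hash of each token, refuses to mint anything beyond read scopes, and can cut off one aggregator without touching the user's password:

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed example of an institution-side grant store for third parties.
# Scope names, the store and its API are assumptions, not any bank's product.

# The only scopes a third party may ever be granted: read only, no money movement.
READ_ONLY_SCOPES = frozenset({"accounts:read", "transactions:read"})


@dataclass
class Grant:
    user_id: str
    client_id: str          # the third party (e.g. an aggregator) holding the token
    scopes: frozenset
    expires_at: float
    revoked: bool = False


class TokenStore:
    """Issues opaque bearer tokens and stores only a keyed hash of each one."""

    def __init__(self, pepper: bytes, now=time.time):
        self._pepper = pepper          # server secret kept outside the database
        self._now = now                # injectable clock so expiry can be exercised
        self._grants = {}

    def _fingerprint(self, token: str) -> str:
        # A leaked table row holds only this hash, so it cannot be replayed as the token.
        return hmac.new(self._pepper, token.encode(), hashlib.sha256).hexdigest()

    def issue(self, user_id: str, client_id: str, scopes, ttl_seconds: int) -> str:
        requested = frozenset(scopes)
        if not requested <= READ_ONLY_SCOPES:
            raise ValueError("third-party grants are limited to read-only scopes")
        token = secrets.token_urlsafe(32)
        self._grants[self._fingerprint(token)] = Grant(
            user_id, client_id, requested, self._now() + ttl_seconds)
        return token

    def authorize(self, token: str, required_scope: str):
        """Return the Grant if the token is live and carries the scope, else None."""
        grant = self._grants.get(self._fingerprint(token))
        if grant is None or grant.revoked or self._now() >= grant.expires_at:
            return None
        if required_scope not in grant.scopes:
            return None
        return grant

    def revoke_client(self, user_id: str, client_id: str) -> int:
        """Cut off one third party for one user; the password and other grants are untouched."""
        count = 0
        for grant in self._grants.values():
            if grant.user_id == user_id and grant.client_id == client_id and not grant.revoked:
                grant.revoked = True
                count += 1
        return count


def demo() -> dict:
    store = TokenStore(pepper=secrets.token_bytes(32))
    token = store.issue("alice", "aggregator-x", ["accounts:read"], ttl_seconds=3600)
    return {
        "read_allowed": store.authorize(token, "accounts:read") is not None,
        "unscoped_read_denied": store.authorize(token, "transactions:read") is None,
        "write_denied": store.authorize(token, "transfers:write") is None,
        "revoked_count": store.revoke_client("alice", "aggregator-x"),
        "after_revoke_denied": store.authorize(token, "accounts:read") is None,
    }
```

The contrast with the password-plus-cookie model is that the aggregator never sees a credential that can move money, and pulling its access is one row flip rather than a password change across every site that shares it.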

frcabot
Posts: 211
Joined: Mon Mar 26, 2018 12:59 am

Re: Vanguard/Yodlee for Aggregation

Post by frcabot » Sat Sep 07, 2019 3:59 pm

Some sites (like Betterment) allow one to create app-specific passwords that are read only. More companies should support this. The app-specific passwords (for aggregators and the like) can also be individually revoked.

Another important thing to consider is that 2FA using SMS is actually very insecure. As the recent Twitter CEO hack proved, SMS can easily be intercepted (and it doesn’t even require much sophistication). Moreover, for websites that allow one to reset passwords just using SMS verification, that’s even more insecure. The only 2FA worth anything is the Authenticator hash-based tokens (separate token for each site).

Ultimately, I do use aggregators but I think the likelihood of my accounts specifically being hacked is extremely low, and even if they were, I feel confident that the financial institution would compensate me for any losses.

KyleAAA
Posts: 7593
Joined: Wed Jul 01, 2009 5:35 pm

Re: Vanguard/Yodlee for Aggregation

Post by KyleAAA » Sat Sep 07, 2019 5:07 pm

3-20Characters wrote:
Sat Sep 07, 2019 2:44 pm
KyleAAA wrote:
Sat Sep 07, 2019 12:02 pm
3-20Characters wrote:
Fri Sep 06, 2019 7:54 pm
KyleAAA wrote:
Fri Sep 06, 2019 3:04 pm
It isn't an unwarranted assumption. You are much more likely to be a victim from your own PC than from Yodlee. Companies that hold financial credentials like Yodlee usually hold certifications which come with audits, so in a sense you do have a team of IT security experts on your side. In particular, Yodlee falls under this standard: https://ithandbook.ffiec.gov/media/1531 ... tement.pdf

Now, they easily pass the audit and then change all their practices. Just because they passed 6 months ago doesn't mean they are still compliant. And just because they are compliant doesn't mean they are hack-proof, but it is likely quite a bit safer than your PC.
Did Equifax pass an audit and were their IT security experts on our side (IIRC, their head of IT had a degree in music)? I've never had my Mac or iDevice hacked but countless "secure" websites holding my data have been hacked. Sometimes it seems like one a week.
They did not pass this sort of audit, no. I'm curious how you would even know if your Mac had been compromised. It's very likely you'd have no idea.
That's akin to saying I don't know that there's not a monster under my bed because I haven't looked (or I looked whilst he was hiding elsewhere). I've been a Mac user since the early 80s and have seen zero evidence of any of our Macs being compromised since OS X. If it walks like a duck and quacks like a duck...
My point was that it’s extremely unlikely you would have any way to know, so even if you had been compromised you would see zero evidence of it.

3-20Characters
Posts: 683
Joined: Tue Jun 19, 2018 2:20 pm

Re: Vanguard/Yodlee for Aggregation

Post by 3-20Characters » Sat Sep 07, 2019 5:08 pm

KyleAAA wrote:
Sat Sep 07, 2019 5:07 pm
3-20Characters wrote:
Sat Sep 07, 2019 2:44 pm
KyleAAA wrote:
Sat Sep 07, 2019 12:02 pm
3-20Characters wrote:
Fri Sep 06, 2019 7:54 pm
KyleAAA wrote:
Fri Sep 06, 2019 3:04 pm
It isn't an unwarranted assumption. You are much more likely to be a victim from your own PC than from Yodlee. Companies that hold financial credentials like Yodlee usually hold certifications which come with audits, so in a sense you do have a team of IT security experts on your side. In particular, Yodlee falls under this standard: https://ithandbook.ffiec.gov/media/1531 ... tement.pdf

Now, they easily pass the audit and then change all their practices. Just because they passed 6 months ago doesn't mean they are still compliant. And just because they are compliant doesn't mean they are hack-proof, but it is likely quite a bit safer than your PC.
Did Equifax pass an audit and were their IT security experts on our side (IIRC, their head of IT had a degree in music)? I've never had my Mac or iDevice hacked but countless "secure" websites holding my data have been hacked. Sometimes it seems like one a week.
They did not pass this sort of audit, no. I'm curious how you would even know if your Mac had been compromised. It's very likely you'd have no idea.
That's akin to saying I don't know that there's not a monster under my bed because I haven't looked (or I looked whilst he was hiding elsewhere). I've been a Mac user since the early 80s and have seen zero evidence of any of our Macs being compromised since OS X. If it walks like a duck and quacks like a duck...
My point was that it’s extremely unlikely you would have any way to know, so even if you had been compromised you would see zero evidence of it.
If you say so.

KyleAAA
Posts: 7593
Joined: Wed Jul 01, 2009 5:35 pm

Re: Vanguard/Yodlee for Aggregation

Post by KyleAAA » Sat Sep 07, 2019 5:09 pm

3-20Characters wrote:
Sat Sep 07, 2019 5:08 pm
KyleAAA wrote:
Sat Sep 07, 2019 5:07 pm
3-20Characters wrote:
Sat Sep 07, 2019 2:44 pm
KyleAAA wrote:
Sat Sep 07, 2019 12:02 pm
3-20Characters wrote:
Fri Sep 06, 2019 7:54 pm


Did Equifax pass an audit and were their IT security experts on our side (IIRC, their head of IT had a degree in music)? I've never had my Mac or iDevice hacked but countless "secure" websites holding my data have been hacked. Sometimes it seems like one a week.
They did not pass this sort of audit, no. I'm curious how you would even know if your Mac had been compromised. It's very likely you'd have no idea.
That's akin to saying I don't know that there's not a monster under my bed because I haven't looked (or I looked whilst he was hiding elsewhere). I've been a Mac user since the early 80s and have seen zero evidence of any of our Macs being compromised since OS X. If it walks like a duck and quacks like a duck...
My point was that it’s extremely unlikely you would have any way to know, so even if you had been compromised you would see zero evidence of it.
If you say so.
I do.

ARoseByAnyOtherName
Posts: 323
Joined: Wed Apr 26, 2017 12:03 am

Re: Vanguard/Yodlee for Aggregation

Post by ARoseByAnyOtherName » Sat Sep 07, 2019 8:41 pm

rascott wrote:
Fri Sep 06, 2019 11:12 pm
ThereAreNoGurus wrote:
Fri Sep 06, 2019 11:05 pm
ARoseByAnyOtherName wrote:
Fri Sep 06, 2019 10:56 pm
ThereAreNoGurus wrote:
Fri Sep 06, 2019 10:39 pm
Why don't you try contacting PC and ask them? I once contacted them on a weekend and was very surprised to get a response and then another response to a follow-up question that same weekend. Here is their contact page (however, you will need to log in): https://www.personalcapital.com/company/contact

Edited to add:

Never mind! I think this page answers the question?? https://support.personalcapital.com/hc/ ... edentials-

According to that page, user IDs and passwords are encrypted at the browser or mobile phone app level, so there is no way anybody else can use them unless they take the time and expense to decrypt the passwords... good luck with that.
That page says "No individual at Personal Capital has access to any client credentials. Our system is designed such that not a single employee could pull them even if they tried."

But it doesn't say anything about their account aggregators. Also, to the original point, it does imply that they do store account credentials.

According to this link: https://support.personalcapital.com/hc/ ... f-Security

"We encrypt your credentials and personal data with military-grade encryption algorithms -- 256-bit AES, to be specific. Even if someone could penetrate the data center, your data would remain secure."

Edited to add:

I think the credentials stored there are at least as safe as they are at most any other site one has an online account login (e.g., Vanguard, your bank, etc.)
I'm very comfortable with their setup. As I said before, I think there is a good argument to be made that using one of these actually makes you more secure, not less. You are basically getting a free constant monitoring service. And I'm not having to log in to 10 different accounts to check them, constantly.
I was originally reacting to the statement "PC doesn't even keep your password. They use it to create a token and then it's gone." Based on the information from PC's website linked above it's safe to say that's not true, that they do indeed store your password.

They do state that usernames and passwords are encrypted at rest and in transit, which I certainly hope to be the case. But it's worth noting that credentials stored at PC are probably less secure than at other sites that have an online account login. Website or mobile passwords are almost always stored on backend databases as a one-way hash, while passwords stored at PC must be decryptable and transformed back into the actual password for use by Yodlee/Plaid.

All that said, I do use You Need A Budget which aggregates all my NON-investment accounts, and I’m perfectly comfortable using it. I wouldn’t use Mint as I suspect they would package and sell my financial data. For investment tracking I currently use a spreadsheet but will soon start fully using Fidelity Full View. I have most of my investments with Fidelity so using one of their products for investment aggregation is the right amount of risk/benefit for me personally. YMMV of course!
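To make the one-way-hash versus reversible-encryption distinction above concrete, here is an added example (not Personal Capital's, Yodlee's or Plaid's code) with the two storage models side by side. A login site keeps a salted one-way hash and can only answer yes or no to a candidate password; an aggregator has to keep something it can turn back into the password to replay it. Because the standard library has no AES, the vault below uses an HMAC-SHA256 counter-mode keystream as a stand-in for the 256-bit AES the support page mentions; that substitution and the sample password are my assumptions, and the point is the property, not the cipher:

```python
import hashlib
import hmac
import os
import secrets

# Constructed example. The "vault" stands in for AES-256 (the standard library
# has no AES): an HMAC-SHA256 counter-mode stream plus a separate integrity key,
# written to show the recoverability property, not for production use.

PBKDF2_ROUNDS = 200_000
SALT_LEN = 16


# Model 1: a login site stores a salted one-way hash. Given only the record,
# the best anyone can do is guess candidates and compare.
def hash_password(password: str) -> bytes:
    salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt + digest


def verify_password(password: str, record: bytes) -> bool:
    salt, digest = record[:SALT_LEN], record[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


# Model 2: an aggregator must be able to recover the password to replay it to
# the bank, so it holds ciphertext plus, somewhere, the key that opens it.
def _subkeys(master: bytes):
    enc = hmac.new(master, b"enc", hashlib.sha256).digest()
    mac = hmac.new(master, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def seal(master: bytes, plaintext: str) -> bytes:
    """Return nonce || ciphertext || tag; anyone with `master` can reverse it."""
    enc_key, mac_key = _subkeys(master)
    nonce = os.urandom(16)
    data = plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(enc_key, nonce, len(data))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(master: bytes, blob: bytes) -> str:
    enc_key, mac_key = _subkeys(master)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered record")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct)))).decode()


def demo() -> dict:
    password = "correct horse battery staple"   # constructed sample, not a real credential
    record = hash_password(password)
    vault_key = secrets.token_bytes(32)
    blob = seal(vault_key, password)
    return {
        "hash_accepts_right_password": verify_password(password, record),
        "hash_rejects_wrong_password": verify_password(password + "!", record),
        "vault_gives_password_back": open_sealed(vault_key, blob) == password,
    }
```

The practical consequence is where the risk concentrates: for the hashed record the attacker's cost is a guessing campaign per password, while for the vault it collapses to obtaining one key, so the key management around that vault (separate key store, access logging, rotation) is what the "256-bit AES" claim actually rests on.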

ThereAreNoGurus
Posts: 331
Joined: Fri Jan 24, 2014 11:41 pm

Re: Vanguard/Yodlee for Aggregation

Post by ThereAreNoGurus » Sat Sep 07, 2019 8:56 pm

ARoseByAnyOtherName wrote:
Sat Sep 07, 2019 8:41 pm

All that said, I do use You Need A Budget which aggregates all my NON-investment accounts...
I'll have to check it out and see how it compares to PC. I like PC, but I'm curious... Always good to have a Plan B, C, etc.

Prior to using PC, I was using one of my bank's expense tracking apps. It wasn't bad, but then the entire site was redone and it all sucks now... haha.
Trade the news and you will lose.

ARoseByAnyOtherName
Posts: 323
Joined: Wed Apr 26, 2017 12:03 am

Re: Vanguard/Yodlee for Aggregation

Post by ARoseByAnyOtherName » Sat Sep 07, 2019 9:22 pm

ThereAreNoGurus wrote:
Sat Sep 07, 2019 8:56 pm
ARoseByAnyOtherName wrote:
Sat Sep 07, 2019 8:41 pm

All that said, I do use You Need A Budget which aggregates all my NON-investment accounts...
I'll have to check it out and see how it compares to PC. I like PC, but I'm curious... Always good to have a Plan B, C, etc.
You Need A Budget is very focused on month-to-month budgeting and expenses rather than investment tracking. When I was using PC a few years ago it did both investment tracking and budgeting, though I found it to be stronger for investment tracking.

I'm happy with You Need A Budget (YNAB) for budgeting though I do think it's overly complicated in some ways. I would never think to use it for investment tracking. My experience with PC was the opposite: its month-to-month budgeting tools didn't seem all that great (but might work fine for people with more straightforward needs).

One advantage of YNAB to me is that it's a paid service, while PC is free. This may seem odd but with a paid service you're the customer, while with free services... well we know how that goes. Plus the fee is quite modest, ~$85 a year IIRC.

xavierr
Posts: 36
Joined: Sun May 05, 2019 11:24 am

Re: Vanguard/Yodlee for Aggregation

Post by xavierr » Sun Sep 08, 2019 8:00 am

brianH wrote:
Sat Sep 07, 2019 3:33 pm
I can't speak for other banks, but I am a software engineer at a financial firm, and we did provide an OAuth2-based token flow to access an API. However, the aggregators (many of whom are listed in this thread) had zero interest in it.
[...]
From this lack of concern over doing things the 'right way', and my extensive experience with security, no, I do not use any aggregation services.
[...]
I'm not trying to influence the debate one way or another, but to add some color, one of the reasons the aggregators don't always use banks' APIs is that the API's functionality is often limited, whereas screen scraping provides full access to all of the user's data.

Yodlee / Plaid need to have the most complete data set because:
1) Their paying customers (Personal Capital, Vanguard, Fidelity, etc.) need as much data granularity as possible in order for the end user (i.e. the retail investor) to derive value from their tools.
2) Their business model relies on monetizing anonymized data.

Xavier

xavierr
Posts: 36
Joined: Sun May 05, 2019 11:24 am

Re: Vanguard/Yodlee for Aggregation

Post by xavierr » Sun Sep 08, 2019 8:01 am

brianH wrote:
Sat Sep 07, 2019 3:33 pm
I can't speak for other banks, but I am a software engineer at a financial firm, and we did provide an OAuth2-based token flow to access an API. However, the aggregators (many of whom are listed in this thread) had zero interest in it.
[...]
From this lack of concern over doing things the 'right way', and my extensive experience with security, no, I do not use any aggregation services.
[...]
I'm not trying to influence the debate one way or another, but to add some color, one of the reasons the aggregators don't always use banks' APIs is that the API's functionality is often limited, whereas screen scraping provides full access to all of the user's data.

Yodlee / Plaid need to have the most complete data set because:
1) Their paying customers (Personal Capital, Vanguard, Fidelity, etc.) need as much data granularity as possible in order for the end user (i.e. the retail investor) to derive value from their tools.
2) Their business model relies on monetizing anonymized data.

Xavier

xavierr
Posts: 36
Joined: Sun May 05, 2019 11:24 am

Re: Vanguard/Yodlee for Aggregation

Post by xavierr » Sun Sep 08, 2019 8:15 am

ARoseByAnyOtherName wrote:
Sat Sep 07, 2019 8:41 pm
All that said, I do use You Need A Budget which aggregates all my NON-investment accounts, and I’m perfectly comfortable using it. I wouldn’t use Mint as I suspect they would package and sell my financial data.
Out of curiosity, what makes you think YNAB won't monetize their anonymized data set the way Mint does? Mint is older and better known so it's a known fact by now that they monetize their anonymized data set, but I'd be curious to get confirmation that YNAB does not.

In the posts I've read on YNAB's monetization, there didn't seem to be a consensus one way or another:
https://www.reddit.com/r/ynab/comments/ ... d_privacy/

brianH
Posts: 321
Joined: Wed Aug 12, 2009 12:21 pm

Re: Vanguard/Yodlee for Aggregation

Post by brianH » Sun Sep 08, 2019 9:34 am

xavierr wrote:
Sun Sep 08, 2019 8:00 am
brianH wrote:
Sat Sep 07, 2019 3:33 pm
I can't speak for other banks, but I am a software engineer at a financial firm, and we did provide an OAuth2-based token flow to access an API. However, the aggregators (many of whom are listed in this thread) had zero interest in it.
[...]
From this lack of concern over doing things the 'right way', and my extensive experience with security, no, I do not use any aggregation services.
[...]
I'm not trying to influence the debate one way or another, but to add some color, one of the reasons the aggregators don't always use banks' APIs is that the API's functionality is often limited, whereas screen scraping provides full access to all of the user's data.
Though not true in my organization's case, I understand that reasoning. However, from a security perspective, that means that they have to do some less-than-ideal things like asking the user for their 2FA code, and then storing the resulting cookie value along with the username/password. Back when security questions were popular, the aggregators would ask for every question and answer you gave to allow them to answer them for you.

In any case, you're giving these aggregation companies the ability to fully impersonate you on your financial sites. You have to trust that their undisclosed security techniques, practices, and controls are implemented well. If they were Google, with their multi-million dollar security budget and 100s of the best security experts in the world working for them, that would be one thing. However, let's just say that I'm not overly impressed with what I've seen in my interactions with these data aggregation firms.

ThereAreNoGurus
Posts: 331
Joined: Fri Jan 24, 2014 11:41 pm

Re: Vanguard/Yodlee for Aggregation

Post by ThereAreNoGurus » Sun Sep 08, 2019 10:06 am

brianH wrote:
Sun Sep 08, 2019 9:34 am

Though not true in my organization's case, I understand that reasoning. However, from a security perspective, that means that they have to do some less-than-ideal things like asking the user for their 2FA code, and then storing the resulting cookie value along with the username/password.
Under this situation, doesn't the token's authority expire in 10 minutes (the same as most 2FA auth codes)?
Trade the news and you will lose.

brianH
Posts: 321
Joined: Wed Aug 12, 2009 12:21 pm

Re: Vanguard/Yodlee for Aggregation

Post by brianH » Sun Sep 08, 2019 12:28 pm

ThereAreNoGurus wrote:
Sun Sep 08, 2019 10:06 am
brianH wrote:
Sun Sep 08, 2019 9:34 am

Though not true in my organization's case, I understand that reasoning. However, from a security perspective, that means that they have to do some less-than-ideal things like asking the user for their 2FA code, and then storing the resulting cookie value along with the username/password.
Under this situation, doesn't the token's authority expire in 10 minutes (the same as most 2FA auth codes)?
The way this typically works is that the 2nd-factor code you enter then sets a cookie on that device that is valid for 90 days (or whatever). This allows you to skip the 2nd-factor code step for subsequent logins. Most sites expose this via a checkbox which allows you to not set that cookie if you are on a shared device, for example.

Because the data aggregators want to be able to log in without your manual interaction, they save this cookie in their database. If they did not store it, and had to ask you for a code each time, many of the security concerns would be moot. However, that would pretty much defeat the purpose, because you would need to enter 2F codes for each of the accounts they were aggregating every time you wanted to refresh account data.
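To make the two mechanisms brianH contrasts concrete (the "remember this device" cookie that an aggregator stores next to the username and password, versus a scoped, revocable API token of the OAuth2 kind he says the aggregators declined), here is an added model in Python. It is illustrative code written for this thread, not code from any bank, from Yodlee, or from any aggregator; the bank backend, the cookie format, the toy TOTP, the 90-day lifetime and the `Aggregator` vault are all assumptions. The point it demonstrates: a replayed cookie plus password grants exactly what the user can do, for as long as the cookie lives, while the token can be limited to read-only scopes and revoked without touching the password.

```python
import hashlib
import hmac
import secrets
import struct

DAY = 24 * 3600
DEVICE_COOKIE_TTL = 90 * DAY   # assumed "skip 2FA on this device" window
TOTP_STEP = 30                 # seconds per TOTP window


class Bank:
    """Hypothetical bank backend (assumed for this example): password + TOTP
    login that can mint a signed device-trust cookie, plus a separate scoped
    API token of the kind the aggregators did not want to use."""

    def __init__(self):
        self._cookie_key = secrets.token_bytes(32)   # server-only HMAC key
        self._users = {}          # user -> (password, totp_secret); toy storage, real systems hash
        self._api_tokens = {}     # token -> (user, frozenset(scopes))

    def register(self, user, password, totp_secret):
        self._users[user] = (password, totp_secret)

    def totp(self, user, now):
        """Toy TOTP: six digits from HMAC(secret, 30-second counter)."""
        _, secret = self._users[user]
        counter = struct.pack(">Q", int(now) // TOTP_STEP)
        mac = hmac.new(secret, counter, hashlib.sha256).digest()
        return "%06d" % (int.from_bytes(mac[:4], "big") % 1_000_000)

    def _device_cookie(self, user, expiry):
        body = f"{user}|{expiry}"
        tag = hmac.new(self._cookie_key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}|{tag}"

    def _cookie_valid(self, cookie, user, now):
        """True only if the cookie is untampered, issued for this user, and unexpired."""
        try:
            c_user, expiry, _tag = cookie.split("|")
            expiry = int(expiry)
        except (AttributeError, ValueError):
            return False
        expected = self._device_cookie(c_user, expiry)
        return hmac.compare_digest(expected, cookie) and c_user == user and now < expiry

    def login(self, user, password, now, code=None, device_cookie=None, remember=False):
        """Full-access web login. Returns the device cookie the client should keep
        (or None); raises PermissionError on any failure."""
        stored_pw, _ = self._users.get(user, (None, None))
        if stored_pw is None or not hmac.compare_digest(stored_pw, password):
            raise PermissionError("bad credentials")
        if self._cookie_valid(device_cookie, user, now):
            return device_cookie                  # trusted device: second factor skipped
        if code is None or code != self.totp(user, now):
            raise PermissionError("second factor required")
        if remember:                              # the "don't ask again on this device" box
            return self._device_cookie(user, int(now) + DEVICE_COOKIE_TTL)
        return None

    # The token flow: scoped, revocable, independent of the password.
    def issue_api_token(self, user, scopes):
        token = secrets.token_urlsafe(32)
        self._api_tokens[token] = (user, frozenset(scopes))
        return token

    def revoke_api_token(self, token):
        self._api_tokens.pop(token, None)

    def api_allowed(self, token, scope):
        entry = self._api_tokens.get(token)
        return entry is not None and scope in entry[1]


class Aggregator:
    """What the post describes: username, password and device cookie all kept
    server-side so that refreshes need no interaction from the user."""

    def __init__(self, bank):
        self.bank = bank
        self.vault = {}   # user -> {"password": ..., "cookie": ...}

    def enroll(self, user, password, code, now):
        cookie = self.bank.login(user, password, now, code=code, remember=True)
        self.vault[user] = {"password": password, "cookie": cookie}

    def refresh(self, user, now):
        """Unattended login replaying the stored cookie. Works until the cookie
        expires or the password changes, with the user's full web-session rights."""
        creds = self.vault[user]
        try:
            self.bank.login(user, creds["password"], now, device_cookie=creds["cookie"])
            return True
        except PermissionError:
            return False
```

Running it shows the asymmetry: `Aggregator.refresh` keeps succeeding for the assumed 90 days with nothing but the vault contents, and a leak of that vault is a leak of full login capability; the API token, by contrast, can be handed out with only a `balances:read` scope and cut off by `revoke_api_token` while the password and 2FA stay untouched.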

User avatar
ThereAreNoGurus
Posts: 331
Joined: Fri Jan 24, 2014 11:41 pm

Re: Vanguard/Yodlee for Aggregation

Post by ThereAreNoGurus » Sun Sep 08, 2019 4:17 pm

brianH wrote:
Sun Sep 08, 2019 12:28 pm
ThereAreNoGurus wrote:
Sun Sep 08, 2019 10:06 am
brianH wrote:
Sun Sep 08, 2019 9:34 am

Though not true in my organization's case, I understand that reasoning. However, from a security perspective, that means that they have to do some less-than-ideal things like asking the user for their 2FA code, and then storing the resulting cookie value along with the username/password.
Under this situation, doesn't the token's authority expire in 10 minutes (the same as most 2FA auth codes)?
The way this typically works is that the 2nd-factor code you enter then sets a cookie on that device that is valid for 90 days (or whatever). This allows you to skip the 2nd-factor code step for subsequent logins. Most sites expose this via a checkbox which allows you to not set that cookie if you are on a shared device, for example.

Because the data aggregators want to be able to log in without your manual interaction, they save this cookie in their database. If they did not store it, and had to ask you for a code each time, many of the security concerns would be moot. However, that would pretty much defeat the purpose, because you would need to enter 2F codes for each of the accounts they were aggregating every time you wanted to refresh account data.
Interesting... thx for the explanation.

With my PC account, I'm a bit perplexed. Every brokerage/bank account I have listed there has 2F and requires me to log in with my user-id/credentials and 2F challenges to refresh the account, EXCEPT for Vanguard!

I prefer having to login, because it seems much more secure to me. Also, PC stores the individual holdings so as long as there were no significant changes in the accounts, I can see my portfolio's total balance (excluding up-to-date bank balances, which is fine with me).

I am going to drop a note to PC and find out if there is a way to require re-login each time with my Vanguard accounts. Very strange. Hopefully there is a simple answer involving a setting or some such. I searched, but could not find anything.
Trade the news and you will lose.
