The risks of using account aggregators (how they access your accounts).

corp_sharecropper
Posts: 239
Joined: Thu Nov 07, 2013 2:36 pm

The risks of using account aggregators (how they access your accounts).

Post by corp_sharecropper » Sat May 30, 2020 10:17 am

This article came to my attention today and I gotta say, I'm somewhat floored that this is how aggregators work with at least some banks/brokers.. by scraping the screen via the actual client portal. Literally, having a computer program for taking your login credentials, going to your bank/broker website, logging in with your info just as you would, and crawling through the website to capture your account info via the website code/element values and even optical character recognition of screen captures.

https://riabiz.com/a/2020/5/29/tired-of ... eaner-data

In contrast, API access would involve you not necessarily providing the aggregator your credentials, but basically your credentials being passed through to the bank/broker to show that you are authorizing API access to an aggregator (likely just during initial setup), and then the aggregator utilizing their authorization token to securely access read-only data offered via the API.

I guess I just always assumed it was always done via an encrypted, limited/read-only API. The risks of scraping screens by directly logging in to the client website using client credentials seem beyond what risk I would think a company would want to take on, with so many data breaches/hacking/carelessness/etc.; clearly I was wrong. Not to mention the whole thing being fraught with issues of dirty/bad data, the hassle of needing a custom solution for every institution that needs to be scraped, and needing to update the methods anytime there is a significant change to the website.

So if you're like me, and had assumed aggregators (e.g. Yodlee, ynab, personal capital, mint, emoney, and whatever your own bank may offer) were gathering account data through a secure API, you may want to reassess the risk and/or try to identify which accounts are being accessed via API vs scraping the client portal screen. This isn't to say that a trustworthy/careful/responsible company can't gather data in this way and not expose you, but it certainly makes this more dependent on a variety of humans not making mistakes, both accidental & negligent.

I suppose 2FA would be somewhat of a mitigating solution to the risks, but you're still left with the risks of how they interact with the website once logged in and the fact that your credentials are out there being used except for just a few numerical digits.

FishTaco
Posts: 107
Joined: Sat Jun 08, 2019 7:49 am

Re: The risks of using account aggregators (how they access your accounts).

Post by FishTaco » Sat May 30, 2020 10:31 am

Thanks for sharing this info.

I used to use mint and then personal capital for NW tracking but at some point became suspicious of turning over my passwords. This confirms my suspicion. I now only use mint for monthly budgeting only with access to only credit card accounts.

MindBogler
Posts: 989
Joined: Wed Apr 17, 2013 12:05 pm

Re: The risks of using account aggregators (how they access your accounts).

Post by MindBogler » Sat May 30, 2020 10:34 am

It is free so you are the product. Aggregators compromise your security in order to provide a service that practically anyone could recreate in a spreadsheet.

amindu
Posts: 155
Joined: Thu Aug 04, 2016 11:59 am

Re: The risks of using account aggregators (how they access your accounts).

Post by amindu » Sat May 30, 2020 11:22 am

Is the fidelity full view the same as an account aggregator or does it have some additional security layers?

fourwheelcycle
Posts: 867
Joined: Sun May 25, 2014 5:55 pm

Re: The risks of using account aggregators (how they access your accounts).

Post by fourwheelcycle » Sat May 30, 2020 11:33 am

I was not aware Yodlee might be logging in as me and scraping screen data to integrate my outside account info at Vanguard. The only outside accounts I have set up at Vanguard are at Fidelity and Bank of America. After looking around online it appears Fidelity and BoA both have established relationships with Yodlee, so I'm hoping my data is getting to Vanguard through formal data feed agreements, not scraping.

Does anyone know whether this is true? Is it possible Yodlee may have data feed agreements with Fidelity and BoA for some activities but might still be scraping my data for Vanguard's outside account integration?

Edit:

Fidelity says their Full View service is provided by Yodlee: https://scs.fidelity.com/products/check ... re3a.shtml

CanIDoIt
Posts: 1
Joined: Sat May 30, 2020 11:12 am

Re: The risks of using account aggregators (how they access your accounts).

Post by CanIDoIt » Sat May 30, 2020 11:39 am

API connection can be more secure when done correctly. But it is also about control. I would guess that they charge the aggregators for the use of APIs as the increased load from aggregators on the sites is likely significant.

The article is true but missing an important point. If your login to the site you connect to is encrypted (https) and the whole session, when you view your banking data, is encrypted, then when the aggregators view your data it is also encrypted and therefore is no less safe than your sessions when you log in to your financial institution.

The worry that the storage of all of your passwords is stolen from the aggregator's site is the important part. For me, that worry is mitigated by 3 important things:

1. It takes too long for me to log in to my numerous accounts to check for theft without using the aggregators and therefore is needed for me to be on top of what is happening with my accounts and my second point helps to mitigate this risk (albeit takes more time)

2. For every account that allows 2FA (2-factor authentication, which is when you provide a password and they either txt/sms you another short-term key or you have an app like Authy or Google Authenticator, which is preferred over txt/sms) I set them up so my aggregators can't scrape my accounts without ME providing the 2FA key. (This takes more time but is more secure)

3. The aggregators make money off of your data, how you buy things, invest etc. If they lose users because they get hacked then they may/will fail. They are incentivised to secure your passwords and protect you.

If you don't have the time to login to every account every few days to review transactions then you need an aggregator. For me it is worth the risk to me given the above points.

legionnaire
Posts: 4
Joined: Sun Aug 11, 2019 10:19 am

Re: The risks of using account aggregators (how they access your accounts).

Post by legionnaire » Sat May 30, 2020 12:02 pm

API-based data aggregation is a bit more secure than screen scraping for a few reasons:
  1. I can keep separate credentials I use myself with the bank site, from those the aggregator uses on the API.
  2. The API request/response can be encrypted in transit.
  3. As the owner of the account, if the bank/financial institution shows me which API clients (e.g. aggregator) have access to my data, by account, I can revoke access at my discretion.
But this approach has its downsides:
  1. We assume the aggregator keeps the aggregated data secure.
  2. We assume the aggregator has a robust privacy program with appropriate controls that give me discretion on how they use the aggregated data.

All of this requires both the source financial institution supplying the data and the aggregator be willing to make the necessary investments in building and operating systems that ensure security and privacy. That's debatable.

As to questions others have asked on how a given aggregator gets information from a bank, unless we all ask the aggregator these hard questions consistently, there is no incentive for them to implement such stricter controls and more secure systems.

legionnaire
Posts: 4
Joined: Sun Aug 11, 2019 10:19 am

Re: The risks of using account aggregators (how they access your accounts).

Post by legionnaire » Sat May 30, 2020 12:31 pm

From asking Mint explicitly, they use APIs with Chase; scrape from Fidelity and Amex.

crefwatch
Posts: 446
Joined: Sun Apr 15, 2007 1:07 pm
Location: New Jersey, USA

Re: The risks of using account aggregators (how they access your accounts).

Post by crefwatch » Sat May 30, 2020 12:32 pm

It's very nice to talk about how an IT nerd would properly set this up, but you're not acknowledging that the brokerages and banks don't CARE or even WANT you to be able to do this in a secure way. They have no desire or incentive to implement a secure API for clients, because they don't want you to be able to easily use an outside aggregator. All they care about is keeping your income to them, and making you dependent on their statements.

When I signed up for Vanguard's Consolidated View 25 years ago (now gone ... ), and when I subsequently joined Yodlee, I placed more value on the aggregation than on the loss of security. But I went into it with open eyes. Others may not wish to.

As we have aged, we have consolidated many of our accounts. ("Preparation for reduced capacity", among other things.) Eventually we'll have all our qualified plans at one company, and all our non-qualified plans at one (or two.) Maybe I'll stop using the aggregator then.

legionnaire
Posts: 4
Joined: Sun Aug 11, 2019 10:19 am

Re: The risks of using account aggregators (how they access your accounts).

Post by legionnaire » Sat May 30, 2020 12:35 pm

crefwatch wrote:
Sat May 30, 2020 12:32 pm
It's very nice to talk about how an IT nerd would properly set this up, but you're not acknowledging that the brokerages and banks don't CARE or even WANT you to be able to do this in a secure way. They have no desire or incentive to implement a secure API for clients, because they don't want you to be able to easily use an outside aggregator. All they care about is keeping your income to them, and making you dependent on their statements.
Fair point. It's always a trade-off. Being aware of what happens behind the facade of the aggregator is part of the decision if an aggregator is worth the security trade-off.

ram
Posts: 1589
Joined: Tue Jan 01, 2008 10:47 pm
Location: Midwest

Re: The risks of using account aggregators (how they access your accounts).

Post by ram » Sat May 30, 2020 12:39 pm

I do not use any of these aggregators.

But I do give TurboTax the authority to pull my dividend and capital gains data from Vanguard and Fidelity accounts. Is this equally risky as what the aggregators do or less risky?

If there is a significant risk I am open to doing this manually. It is only once a year.
Ram

cheese_breath
Posts: 9558
Joined: Wed Sep 14, 2011 7:08 pm

Re: The risks of using account aggregators (how they access your accounts).

Post by cheese_breath » Sat May 30, 2020 12:39 pm

I aggregate manually with Excel and don't reveal my passwords to anybody.
The surest way to know the future is when it becomes the past.

mrspock
Posts: 1073
Joined: Tue Feb 13, 2018 2:49 am
Location: Vulcan

Re: The risks of using account aggregators (how they access your accounts).

Post by mrspock » Sat May 30, 2020 12:43 pm

I use two factor and just enter the tokens when I login to mint to update the account values. Problem solved.

Passwords are antiquated, if you aren't using two factor + password vaults (storing random passwords for each account) you should get with the times. If you aren't super tech savvy buy yourself a Mac and just use Key Chain, it's fully integrated with the OS, your iPhone, iPad and works well (your passwords will auto sync to iCloud -- encrypted of course).

Luckywon
Posts: 947
Joined: Tue Mar 28, 2017 10:33 am

Re: The risks of using account aggregators (how they access your accounts).

Post by Luckywon » Sat May 30, 2020 12:52 pm

I use Mint and love the ability to search transactions and see everything at a glance. I have not heard of anyone materially harmed by a security issue from using mint.com. Until then (and maybe even after, depending on the details), I'm happy to take my chances.

02nz
Posts: 4751
Joined: Wed Feb 21, 2018 3:17 pm

Re: The risks of using account aggregators (how they access your accounts).

Post by 02nz » Sat May 30, 2020 12:57 pm

Nothing is entirely risk-free. For me, the risks associated with using a service like Mint are outweighed by the additional security that it gives me by allowing me to see transactions (even just authorizations on credit cards) at a glance and in near real time. A 15-second peek at Mint every morning allows me to make sure everything's ok. Also, Mint has been around for over a decade, and I'm not aware of any credible report in that time of a security compromise that was traced back to Mint.

rich126
Posts: 1541
Joined: Thu Mar 01, 2018 4:56 pm

Re: The risks of using account aggregators (how they access your accounts).

Post by rich126 » Sat May 30, 2020 1:07 pm

While I do a lot of computer work and hacking type of stuff in the past I try not to obsess over security since it is impossible to be totally safe. I have friends who avoid credit cards, online banking, etc. but at some point you have to weigh security vs. convenience.

I don't view things like online banking that dangerous and think the pros outweigh the cons.

Things that I avoid since I don't view the conveniences as very high to me are:

1. Avoid autobillings/autodebiting from bank accounts except for a few that are hard to avoid like streaming services and possibly a gym. If you are really worried about it, use a separate account with minimal funds in it. I once did that with someone I didn't trust fully.

2. Account aggregators I avoid. I don't see the convenience worth the risk and the fact that the financial institution could use the fact that you gave your information to another party against you. Just not a risk I'm willing to take.

3. I use credit cards, apple pay extensively but avoid debit cards.

4. I avoid things such as Venmo where you either have to pay a service charge or give access to a bank account. I told my lawn guy I'd pay by cash or check but would not use Venmo (after I read the rules) and he was ok with that.

I also never put all my eggs in any one basket so I have multiple bank accounts, brokerages, credit cards, etc. I don't go overboard but I've seen things in my life where people have lost access to money for a long period of time before eventually getting it (Maryland had a nasty savings and loan probably many decades ago and it took my uncle years to finally get money he had in a CD). I had an issue that thankfully was resolved within ~12 hours where Wells Fargo bill paying system went crazy and they kept paying the same bill over and over until your account was zeroed. I got several emails late at night saying my account was zero which made no sense to me. Fortunately by the time I woke up the next morning it was resolved but I saw stories of people being out and having their ATM/debit card declined. Things like that cause me to diversify despite any minor inconveniences.

Everyone has different risk tolerances, sometimes based on personal experiences and stories.

siamond
Posts: 5437
Joined: Mon May 28, 2012 5:50 am

Re: The risks of using account aggregators (how they access your accounts).

Post by siamond » Sat May 30, 2020 1:24 pm

Well, I guess that's (long overdue) good news, but fact is I would NEVER provide access to my investment/retirement accounts to a third-party aggregator. However secure their design might be, I just won't trust it... The tail-end risk is just too high, simple as that.

Plus I just don't feel the need. One can design a very simple Google Sheet tracking the price of mutual funds and ETFs you hold, so you just have to manually populate (and occasionally update) the number of shares you own, et voila, you have an investment tracker. A bit more spreadsheet logic and you can easily check if & when to rebalance. This would be a pain for an active trader, because the list of investments would change too often, but for a passive investor, this is just a breeze.

I do use Mint to aggregate transactions from credit card and banking accounts, because a) I wouldn't properly track my spending budget without such convenience b) the tail risk is much more limited (I can deal with losing $20k, I can't deal with losing $1M...). I would be glad to see proper read-only APIs used for such purpose though.
Last edited by siamond on Sat May 30, 2020 1:27 pm, edited 1 time in total.

student
Posts: 4881
Joined: Fri Apr 03, 2015 6:58 am

Re: The risks of using account aggregators (how they access your accounts).

Post by student » Sat May 30, 2020 1:25 pm

Personally I would never give an aggregator passwords to my accounts. I use Personal Capital and I manually enter the holdings.

illumination
Posts: 666
Joined: Tue Apr 02, 2019 6:13 pm

Re: The risks of using account aggregators (how they access your accounts).

Post by illumination » Sat May 30, 2020 2:02 pm

Can you imagine what a target for hackers this would attract? If this ever was compromised, you'd have to turn your life upside down.

I also don't know that smaller provider like the sort of company that has a service like this can adequately protect people like a major brokerage or bank can with security.

FIREchief
Posts: 4561
Joined: Fri Aug 19, 2016 6:40 pm

Re: The risks of using account aggregators (how they access your accounts).

Post by FIREchief » Sat May 30, 2020 2:42 pm

cheese_breath wrote:
Sat May 30, 2020 12:39 pm
I aggregate manually with Excel and don't reveal my passwords to anybody.
^^^this!! 8-)
I am not a lawyer, accountant or financial advisor. Any advice or suggestions that I may provide shall be considered for entertainment purposes only.

Luckywon
Posts: 947
Joined: Tue Mar 28, 2017 10:33 am

Re: The risks of using account aggregators (how they access your accounts).

Post by Luckywon » Sat May 30, 2020 3:48 pm

illumination wrote:
Sat May 30, 2020 2:02 pm

I also don't know that smaller provider like the sort of company that has a service like this can adequately protect people like a major brokerage or bank can with security.
Not sure what you're referring to here but Mint is owned by Intuit which has market cap of $76 billion and is part of SP500.

Luckywon
Posts: 947
Joined: Tue Mar 28, 2017 10:33 am

Re: The risks of using account aggregators (how they access your accounts).

Post by Luckywon » Sat May 30, 2020 3:53 pm

siamond wrote:
Sat May 30, 2020 1:24 pm

I do use Mint to aggregate transactions from credit card and banking accounts, because a) I wouldn't properly track my spending budget without such convenience b) the tail risk is much more limited (I can deal with losing $20k, I can't deal with losing $1M...). I would be glad to see proper read-only APIs used for such purpose though.
I use Mint for all my accounts. My largest accounts are investment accounts at E*trade where I have a "no funds out" lock that requires telephone verification to undo so that is an extra layer of security for me. Similar "lockdown" at Fidelity although that's slightly less robust but certainly enough to make me comfortable.

illumination
Posts: 666
Joined: Tue Apr 02, 2019 6:13 pm

Re: The risks of using account aggregators (how they access your accounts).

Post by illumination » Sat May 30, 2020 4:34 pm

Luckywon wrote:
Sat May 30, 2020 3:48 pm
illumination wrote:
Sat May 30, 2020 2:02 pm

I also don't know that smaller provider like the sort of company that has a service like this can adequately protect people like a major brokerage or bank can with security.
Not sure what you're referring to here but Mint is owned by Intuit which has market cap of $76 billion and is part of SP500.
But Mint is not the only one that does this service. There's smaller startups that would make me nervous. But even a large company would make me unsettled to have access to all my accounts in this way. I just don't see the payoff for the risk. Considering anything is hackable, putting it all on in one place is just too big a target.

siamond
Posts: 5437
Joined: Mon May 28, 2012 5:50 am

Re: The risks of using account aggregators (how they access your accounts).

Post by siamond » Sat May 30, 2020 6:39 pm

Luckywon wrote:
Sat May 30, 2020 3:53 pm
My largest accounts are investment accounts at E*trade where I have a "no funds out" lock that requires telephone verification to undo so that is an extra layer of security for me.
Hm. I was curious, but I couldn't find the account setting you're speaking of? Mind elaborating?

KyleAAA
Posts: 8326
Joined: Wed Jul 01, 2009 5:35 pm

Re: The risks of using account aggregators (how they access your accounts).

Post by KyleAAA » Sat May 30, 2020 7:11 pm

Yes, it would be extremely easy to do this sort of thing securely if financial institutions would cooperate. A 3-legged oauth2 flow was designed to do this.

Luckywon
Posts: 947
Joined: Tue Mar 28, 2017 10:33 am

Re: The risks of using account aggregators (how they access your accounts).

Post by Luckywon » Sat May 30, 2020 7:33 pm

siamond wrote:
Sat May 30, 2020 6:39 pm
Luckywon wrote:
Sat May 30, 2020 3:53 pm
My largest accounts are investment accounts at E*trade where I have a "no funds out" lock that requires telephone verification to undo so that is an extra layer of security for me.
Hm. I was curious, but I couldn't find the account setting you're speaking of? Mind elaborating?
At E*trade the status is called "no funds out" and can only be activated and deactivated by speaking with a telephone rep and going through verification process. No checks or transfers out of the account can occur while activated.

Similar option at Ameritrade.

Less robust option at Fidelity called "lockdown" I think. This can be activated and deactivated online, with two factor verification by phone/text or email I think. This status blocks transfers out but does not block checks from clearing.

No similar option I'm aware of at Schwab.

JBTX
Posts: 6323
Joined: Wed Jul 26, 2017 12:46 pm

Re: The risks of using account aggregators (how they access your accounts).

Post by JBTX » Sat May 30, 2020 7:53 pm

Has there ever been a case of loss due to aggregator hacking?

Has there ever even been a data breach due to aggregator hacking?

Even if the data was somehow "stolen" the fact that someone gets some of my downloaded transaction history isn't the end of the world and not something I'm going to worry about.

The temporarily stored id/pw is more of a theoretical concern, but I have no indication the data is not secure, and even if hacked they'd have to bypass 2FA.

Sure for some manually downloading trx into a spreadsheet isn't a big deal. But if you have a lot of different accounts due to different retirement account types for you and spouse logging into all of those would be a major pain.

Ultimately being able to download all of the data and review in a single application (quicken) weekly provides more security than doing everything manually less frequently.

MnD
Posts: 4607
Joined: Mon Jan 14, 2008 12:41 pm

Re: The risks of using account aggregators (how they access your accounts).

Post by MnD » Sun May 31, 2020 10:10 am

I've been using aggregators for many years and don't worry about this at all.
These conversations remind me of the "risk" of wash sales using different mutual funds.
Fraud risk is very prevalent with credit card and debit cards, even for cards that have never left a locked drawer.
Phishing is getting increasingly sophisticated.

The consumer and businesses with 2nd rate customer financial info security are the weak link in financial fraud, not professional aggregation services.
70/30 AA for life, Global market cap equity. Rebalance if fixed income <25% or >35%. Weighted ER< .10%. 5% of annual portfolio balance SWR, Proportional (to AA) withdrawals.

acegolfer
Posts: 1970
Joined: Tue Aug 25, 2009 9:40 am

Re: The risks of using account aggregators (how they access your accounts).

Post by acegolfer » Sun May 31, 2020 10:16 am

corp_sharecropper wrote:
Sat May 30, 2020 10:17 am
This article came to my attention today and I gotta say, I'm somewhat floored that this is how aggregators work with at least some banks/brokers.. by scraping the screen via the actual client portal. Literally, having a computer program for taking your login credentials, going to your bank/broker website, logging in with your info just as you would, and crawling through the website to capture your account info via the website code/element values and even optical character recognition of screen captures.

https://riabiz.com/a/2020/5/29/tired-of ... eaner-data

In contrast, API access would involve you not necessarily providing the aggregator your credentials, but basically your credentials being passed through to the bank/broker to show that you are authorizing API access to an aggregator (likely just during initial setup), and then the aggregator utilizing their authorization token to securely access read-only data offered via the API.

I guess I just always assumed it was always done via an encrypted, limited/read-only API. The risks of scraping screens by directly logging in to the client website using client credentials seem beyond what risk I would think a company would want to take on, with so many data breaches/hacking/carelessness/etc.; clearly I was wrong. Not to mention the whole thing being fraught with issues of dirty/bad data, the hassle of needing a custom solution for every institution that needs to be scraped, and needing to update the methods anytime there is a significant change to the website.

So if you're like me, and had assumed aggregators (e.g. Yodlee, ynab, personal capital, mint, emoney, and whatever your own bank may offer) were gathering account data through a secure API, you may want to reassess the risk and/or try to identify which accounts are being accessed via API vs scraping the client portal screen. This isn't to say that a trustworthy/careful/responsible company can't gather data in this way and not expose you, but it certainly makes this more dependent on a variety of humans not making mistakes, both accidental & negligent.

I suppose 2FA would be somewhat of a mitigating solution to the risks, but you're still left with the risks of how they interact with the website once logged in and the fact that your credentials are out there being used except for just a few numerical digits.
A simple way to test whether the aggregator is using an API/token versus logging in/scraping is after you link your bank account, change the bank password. If the aggregator continues to update data, then it's not using the password you gave to log in. For example, mint doesn't use password for major banks.
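
An added illustration, not part of any post in this thread and not any bank's or aggregator's actual code: the three-legged, token-based model that the opening post and KyleAAA describe, next to the password-change test from the post above. The `Bank` class, the scope names `accounts:read` and `payments:write`, and the user and client names are all hypothetical. A real OAuth2 deployment also checks redirect URIs and expires tokens, which this sketch leaves out.

```python
import hashlib
import hmac
import secrets


class Bank:
    """Constructed in-memory bank: a password portal plus an OAuth2-style token API."""

    def __init__(self):
        self.balances = {}   # user -> {account: balance}
        self._pw = {}        # user -> (salt, password hash)
        self._clients = {}   # client_id -> client secret
        self._codes = {}     # single-use authorization code -> (user, client_id, scope)
        self._tokens = {}    # access token -> (user, client_id, scope)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def set_password(self, user, password):
        salt = secrets.token_bytes(16)
        self._pw[user] = (salt, self._hash(password, salt))

    def _check_password(self, user, password):
        salt, digest = self._pw.get(user, (b"\0" * 16, b""))
        return hmac.compare_digest(digest, self._hash(password, salt))

    def register_client(self, client_id):
        self._clients[client_id] = secrets.token_urlsafe(32)
        return self._clients[client_id]

    def portal_login(self, user, password):
        """Scraping model: whoever holds the password gets the full portal."""
        if not self._check_password(user, password):
            raise PermissionError("bad credentials")
        return dict(self.balances[user])

    def authorize(self, user, password, client_id, scope):
        """Leg 1: the customer logs in at the bank itself and consents to one scope."""
        if client_id not in self._clients or not self._check_password(user, password):
            raise PermissionError("login or client rejected")
        code = secrets.token_urlsafe(16)
        self._codes[code] = (user, client_id, scope)
        return code

    def exchange_code(self, code, client_id, client_secret):
        """Leg 2: the aggregator redeems the code with its own client secret."""
        grant = self._codes.pop(code, None)  # pop makes the code single-use
        secret_ok = hmac.compare_digest(self._clients.get(client_id, ""), client_secret)
        if grant is None or grant[1] != client_id or not secret_ok:
            raise PermissionError("bad code or client secret")
        token = secrets.token_urlsafe(32)
        self._tokens[token] = grant
        return token

    def _user_for(self, token, scope):
        grant = self._tokens.get(token)
        if grant is None or grant[2] != scope:
            raise PermissionError("token unknown, revoked, or missing scope " + scope)
        return grant[0]

    def api_balances(self, token):
        """Leg 3: the aggregator calls the API with the token, never the password."""
        return dict(self.balances[self._user_for(token, "accounts:read")])

    def api_transfer(self, token, account, amount):
        self.balances[self._user_for(token, "payments:write")][account] -= amount

    def revoke(self, user, client_id):
        """The account owner cuts off one client; the password is untouched."""
        self._tokens = {t: g for t, g in self._tokens.items() if g[:2] != (user, client_id)}


def allowed(call):
    try:
        call()
        return True
    except PermissionError:
        return False


def demo():
    bank = Bank()
    bank.set_password("alice", "old-password")   # constructed sample data
    bank.balances["alice"] = {"checking": 1200}
    secret = bank.register_client("aggregator")
    scraper_copy = "old-password"  # scraping model: the aggregator keeps the password
    code = bank.authorize("alice", "old-password", "aggregator", "accounts:read")
    token = bank.exchange_code(code, "aggregator", secret)
    out = {"token_reads": bank.api_balances(token),
           "token_moves_money": allowed(lambda: bank.api_transfer(token, "checking", 100)),
           "code_reusable": allowed(lambda: bank.exchange_code(code, "aggregator", secret))}
    bank.set_password("alice", "new-password")   # the password-change test
    out["scraper_after_change"] = allowed(lambda: bank.portal_login("alice", scraper_copy))
    out["token_after_change"] = allowed(lambda: bank.api_balances(token))
    bank.revoke("alice", "aggregator")
    out["token_after_revoke"] = allowed(lambda: bank.api_balances(token))
    return out
```

Calling `demo()` returns a dictionary of outcomes: the token keeps reading balances after the password change while the stored password stops working, the read-only token cannot move money, and revocation ends the aggregator's access.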

acegolfer
Posts: 1970
Joined: Tue Aug 25, 2009 9:40 am

Re: The risks of using account aggregators (how they access your accounts).

Post by acegolfer » Sun May 31, 2020 10:19 am

FishTaco wrote:
Sat May 30, 2020 10:31 am
Thanks for sharing this info.

I used to use mint and then personal capital for NW tracking but at some point became suspicious of turning over my passwords. This confirms my suspicion. I now only use mint for monthly budgeting only with access to only credit card accounts.
Depends on bank. For example, mint.com continues to update data, even after you change BofA, Citi password.

acegolfer
Posts: 1970
Joined: Tue Aug 25, 2009 9:40 am

Re: The risks of using account aggregators (how they access your accounts).

Post by acegolfer » Sun May 31, 2020 10:28 am

siamond wrote:
Sat May 30, 2020 1:24 pm
Well, I guess that's (long overdue) good news, but fact is I would NEVER provide access to my investment/retirement accounts to a third-party aggregator. However secure their design might be, I just won't trust it... The tail-end risk is just too high, simple as that.

Plus I just don't feel the need. One can design a very simple Google Sheet tracking the price of mutual funds and ETFs you hold, so you just have to manually populate (and occasionally update) the number of shares you own, et voila, you have an investment tracker. A bit more spreadsheet logic and you can easily check if & when to rebalance. This would be a pain for an active trader, because the list of investments would change too often, but for a passive investor, this is just a breeze.

I do use Mint to aggregate transactions from credit card and banking accounts, because a) I wouldn't properly track my spending budget without such convenience b) the tail risk is much more limited (I can deal with losing $20k, I can't deal with losing $1M...). I would be glad to see proper read-only APIs used for such purpose though.
Wow, you do almost exactly what I do. I only link CC accounts to mint.com so that I can download all transactions from multiple accounts in 1 click. For bank/brokerage accounts, I export transactions as CSV from each FI website. Then my spreadsheet imports all these downloaded CSV and auto analyze every investments/income/spending to the penny.

siamond
Posts: 5437
Joined: Mon May 28, 2012 5:50 am

Re: The risks of using account aggregators (how they access your accounts).

Post by siamond » Sun May 31, 2020 11:31 am

acegolfer wrote:
Sun May 31, 2020 10:28 am
Wow, you do almost exactly what I do. I only link CC accounts to mint.com so that I can download all transactions from multiple accounts in 1 click. For bank/brokerage accounts, I export transactions as CSV from each FI website. Then my spreadsheet imports all these downloaded CSV and auto analyze every investments/income/spending to the penny.
Actually, I do exactly what you describe at the end of the year (and sometimes mid-year), to archive a detailed snapshot as well as a full history of transactions. And yes, I download the Mint transactions in a budget spreadsheet to further massage the data, as Mint reporting capabilities are rather weak. I really like Mint classification properties (not perfect, but pretty good) and it helps to make it work on banking transactions too.

I enjoy the convenience of being able to check the status of my combined portfolio in just one click though, hence my little Google spreadsheet (I do NOT subscribe to the "don't peek" philosophy!). Plus it automatically checks rebalancing bands and shoots me an e-mail if needs be, which satisfies my nerdy tendencies... :wink:

FishTaco
Posts: 107
Joined: Sat Jun 08, 2019 7:49 am

Re: The risks of using account aggregators (how they access your accounts).

Post by FishTaco » Thu Jun 04, 2020 7:52 am

acegolfer wrote:
Sun May 31, 2020 10:19 am

Depends on bank. For example, mint.com continues to update data, even after you change BofA, Citi password.
How are they able to continue to update your data without your password?

Edit: NVM, answer is in the previous post.
Last edited by FishTaco on Thu Jun 04, 2020 7:56 am, edited 1 time in total.

FishTaco
Posts: 107
Joined: Sat Jun 08, 2019 7:49 am

Re: The risks of using account aggregators (how they access your accounts).

Post by FishTaco » Thu Jun 04, 2020 7:56 am

acegolfer wrote:
Sun May 31, 2020 10:16 am

A simple way to test whether the aggregator is using an API/token versus logging in/scraping is after you link your bank account, change the bank password. If the aggregator continues to update data, then it's not using the password you gave to log in. For example, mint doesn't use password for major banks.
Lol, probably good then. I found it was a stretch for mint.com to update many of my accounts even with the proper password.

Eno Deb
Posts: 172
Joined: Sun Feb 03, 2019 4:08 pm

Re: The risks of using account aggregators (how they access your accounts).

Post by Eno Deb » Thu Jun 04, 2020 10:55 am

Brian Krebs recently reported that criminals are using account aggregators to circumvent 2-factor authentication (since some of the aggregators have privileged access without requiring the second factor):
https://krebsonsecurity.com/2019/08/the ... passwords/

Another aspect that should be considered is privacy. Even though many services can now link to your bank accounts, behind the scenes there are only a few providers that are used to access the banks (mainly Plaid and Yodlee). When you use any service that links to your bank account, one of these providers scrapes everything they can from the bank web page (rather than limiting the collection to information relevant to the particular service that the customer has requested). That includes years of financial transactions, unrelated accounts, personal profile information and everything else that can be accessed through a bank's web site. The providers' primary business is datamining and selling the customers' data for profit. Note that those fintech companies are not subject to the same privacy regulations as banks.
https://www.forbes.com/sites/nizangpack ... -hurt-you/
