Do not use Personal Capital

Non-investing personal finance issues including insurance, credit, real estate, taxes, employment and legal issues such as trusts and wills.
Topic Author
generallyspeaking
Posts: 48
Joined: Wed May 16, 2018 12:57 pm

Re: Do not use Personal Capital

Post by generallyspeaking »

megabad wrote: Tue Apr 16, 2019 1:00 pm
generallyspeaking wrote: Mon Apr 15, 2019 8:23 pm Am I being paranoid?
Maybe. Depends on why you are unhappy. If you are unhappy because the risk of fraud exists, then I would refer you to the articles regarding the Vanguard employee that stole money from client accounts and say that can happen anywhere. If you are unhappy due to lack of privacy, I would point out that you should stop using Google, Apple, browsers and basically all technology. However, if you are concerned due to the legal ambiguity around aggregators, then I am firmly in support of your stance. I don't think the liability has been legally tested and I have no idea if SIPC even applies in the circumstance of an aggregator employee criminal act. In fact, it is not entirely clear to me that the courts would not immediately throw out your case upon hearing you had freely given all your passwords to someone else.
It's partly the third point, but also the fact that a random employee was able to simply pull up my entire account with my explicit permission (yes I know it was in the T&C but that's it).

Even services like Mint have some risk, but it isn't standard business practice for a Mint employee to pull up individual accounts.
rhinopylon
Posts: 86
Joined: Mon Apr 02, 2018 10:51 am

Re: Do not use Personal Capital

Post by rhinopylon »

I guess I just don't understand OP's concern. What about your funds at Fidelity or Vanguard or your 401k plan administrator? I'm sure there are people that can look at your accounts within each company if they felt like it. What about when you go to your physical bank and deposit cash? That person pulls your account up and has full view of your relationship with them and has the ability to continue browsing it after you've left.
DonIce
Posts: 1453
Joined: Thu Feb 21, 2019 5:44 pm

Re: Do not use Personal Capital

Post by DonIce »

This thread made me check out personal capital.
grettman
Posts: 768
Joined: Mon Sep 29, 2014 1:47 pm

Re: Do not use Personal Capital

Post by grettman »

Reminds me of the saying that “If you aren’t paying for a product, it is likely because you are the product.”

I can’t imagine giving a company access to my accounts and trust that they won’t abuse the access. There are too many examples of how companies fail to take care of their customer’s data and too many examples of companies doing the wrong thing.
nguy44
Posts: 597
Joined: Sun Jul 09, 2017 1:52 pm

Re: Do not use Personal Capital

Post by nguy44 »

I decided to try Personal Capital, but thanks to this thread I am re-thinking continuing, or at least only using manual accounts (I have only linked a couple of my accounts to it).

In the 2 weeks since I started an account, I first received a text asking if I wanted to talk to them. I replied no thanks, I just wanted to use the tools to see their usefulness, and had no need to have anyone there evaluate my financial situation. Since then I have received 3 "follow up" phone calls and several "follow-up" emails "just to make sure" I am happy with the service and offering to talk with me.

Not complaining, every action is a learning process :D .
are_cynic
Posts: 99
Joined: Wed Jul 25, 2018 8:14 am

Re: Do not use Personal Capital

Post by are_cynic »

Personal capital also offers app password linking. Meaning that I went onto my brokerage and generated an application specific password that only works for personal capital to pull specific aggregate data in a read only fashion from my brokerage. It cannot be used to log into my brokerage account. If I handed you this password, it would be worthless to you, and it’s not a threat to my security.

Obviously, your bank/broker/card has to offer app passwords to use this feature, and not all do. But if they do, this is a very secure method of linkage.
"Invert, always invert" ~Carl Jacobi
dallasjava
Posts: 94
Joined: Mon Nov 12, 2018 3:50 pm

Re: Do not use Personal Capital

Post by dallasjava »

MittensMoney wrote: Tue Apr 16, 2019 12:32 pm Just to reiterate what's on their privacy page, no employee at Personal Capital has access to your account names or passwords. Everything is read only, your credentials are stored as a Hash, and therefore the risk of someone stealing or moving your money from any of the accounts you've linked is as low as it could be. I think their CTO said something along the lines of "it's safer to log into our software on a regular basis than typing your username/password into your banks web browser." The visibility concern is another issue but at least they aren't selling your data to other businesses.
How can they hash your password? Hashes are one-way. The passwords should be encrypted so they can use them to log on as you.
Last edited by dallasjava on Wed Apr 17, 2019 7:15 am, edited 1 time in total.
johnnyc321
Posts: 164
Joined: Wed Jan 04, 2017 8:24 pm

Re: Do not use Personal Capital

Post by johnnyc321 »

I opened an account at Personal Capital in January. My biggest problem with it so far is the unsolicited calls to get me to speak to their advisors. It is quite annoying and making me want to delete my account.
fatcharlie
Posts: 66
Joined: Wed Aug 06, 2014 11:25 am

Re: Do not use Personal Capital

Post by fatcharlie »

beyou wrote: Tue Apr 16, 2019 1:17 pm For day to day banking, bills look at https://countabout.com/
For investments I use the vanguard portfolio watch, it is an approximation of my AA and can look through to some details.
It tells me my domestic/international breakdown, bonds by duration/credit buckets etc.
No security issue for Vang PW. CountAbout allows you to download/recon from other bank sites or enter manually and recon manually.
No sales calls from either firm.
Same problem - countabout using some aggregator like Yodlee. Yodlee is storing your passwords.
mikeyzito22
Posts: 870
Joined: Sat Dec 02, 2017 4:42 pm

Re: Do not use Personal Capital

Post by mikeyzito22 »

johnnyc321 wrote: Wed Apr 17, 2019 5:48 am I opened an account at Personal Capital in January. My biggest problem with it so far is the unsolicited calls to get me to speak to their advisors. It is quite annoying and making me want to delete my account.
Why are people answering phone calls that they don't recognize?
zlandar
Posts: 597
Joined: Wed Apr 10, 2019 8:51 am

Re: Do not use Personal Capital

Post by zlandar »

PC is like Mint: a financial aggregator site. Their employees cannot just willy-nilly access your personal logins and passwords for your linked accounts. That would be a huge liability risk on their end if such access was allowed.

I use both though I have switched mostly to Mint to track accounts and transactions and Vanguard’s portfolio watch to manage investments. PC retirement tool is nice but I don’t find myself using it as much as I have in the past.

Having an app like Mint is useful IMO as you can monitor multiple accounts and transactions. I’ve caught 2 unauthorized transactions on my CCs over the years before the CC company did.
lotusflower
Posts: 323
Joined: Thu Oct 24, 2013 12:32 am

Re: Do not use Personal Capital

Post by lotusflower »

generallyspeaking wrote: Tue Apr 16, 2019 9:40 am My question would be this: would you trust a company like Facebook with all your financial information? They can't take action on it, but they can certainly view all your income, spending habits, budgeting, etc.
Aren't Visa/MC/Amex already selling your spending habits to the highest bidder?
beyou
Posts: 6915
Joined: Sat Feb 27, 2010 2:57 pm
Location: If you can make it there

Re: Do not use Personal Capital

Post by beyou »

fatcharlie wrote: Wed Apr 17, 2019 12:57 pm
beyou wrote: Tue Apr 16, 2019 1:17 pm For day to day banking, bills look at https://countabout.com/
For investments I use the vanguard portfolio watch, it is an approximation of my AA and can look through to some details.
It tells me my domestic/international breakdown, bonds by duration/credit buckets etc.
No security issue for Vang PW. CountAbout allows you to download/recon from other bank sites or enter manually and recon manually.
No sales calls from either firm.
Same problem - countabout using some aggregator like Yodlee. Yodlee is storing your passwords.
It is not the same problem. First PC has salespersons calling you to manage your money, aggregators do not do that.
As far as the security, I enter my own transactions here for manual recon. I don't want aggregation, I want to have an online checkbook register
that I can access from anywhere, to see what I think my balance is, include future dated transactions. I inspect/recon the balance for active accounts weekly, others monthly vs the bank website. Personally I would never give my pwd to anyone for any reason for security reasons, plus if you download data, then there is no reconciliation, you are just trusting the accuracy of your bank.

As far as sales persons calling, I have a broker (Etrade) and in the past a bank that would call every time they see a large deposit and try to sell you things. I told the bank I don't want my data shared with other areas of the bank, and to stop calling me, which they eventually did. These firms were accessing your own data on their servers where it must be (not 3rd party aggregator, but Etrade data on Etrade servers). Etrade calls to sell me managed accounts for every large deposit. I can't seem to stop them from calling but at least the bank stopped. If we can't stop your bank from sharing data good luck with 3rd party aggregators who have little to lose by treating your data poorly.
RamblinDoc
Posts: 276
Joined: Sun Jan 14, 2018 1:26 pm

Re: Do not use Personal Capital

Post by RamblinDoc »

ohai wrote: Mon Apr 15, 2019 11:14 pm You can turn off some setting in Personal Capital to disable the adviser guy who calls you every few months.
I just told him to stop calling and emailing me. I haven't heard from him in over a year...however, I probably just jinxed myself! :shock:

But there is a pop up when you log in tempting you to schedule a call with your advisor. I just close the box.
Godot
Posts: 1016
Joined: Fri Jun 08, 2018 3:44 pm
Location: That place.

Re: Do not use Personal Capital

Post by Godot »

generallyspeaking wrote: Mon Apr 15, 2019 8:23 pm I know many in this community use Personal Capital to manage their finances, particularly investment income.

I used the free tool for the past year and found it really beneficial to see things like my market allocation. However, I went on one of their complimentary wealth management calls and realized that without me giving explicit permission the Personal Capital Wealth Advisor had complete and unrestricted access to my account.

I immediately deleted my account and am not going to use them going forward.

Am I being paranoid?
I used PC for the past year to visualize my portfolio as a whole, and feel that tool is much better and has more functionality than Fidelity's "Full View," for example. For five weeks now I have not been able to get into my account. Customer service reps take more than a week to return emails and as of today have not been able to tell me why I cannot access my account. I've emailed them and told them to delete my account with the various logins, but who knows if they'll do it or not. Not sure what my next step is.
"The day you die is just like any other, only shorter." | ― Samuel Beckett
Topic Author
generallyspeaking
Posts: 48
Joined: Wed May 16, 2018 12:57 pm

Re: Do not use Personal Capital

Post by generallyspeaking »

A few folks on this thread have pointed out that other services (like banks and brokerages) have the same amount of data as PC. While this is true, we also have limited options. We all need banks and brokerages - there's no getting around it.

However, I would personally want to reduce the number of services which have my data and information. PC is just not useful enough for me to risk my funds in any capacity (it also looks like companies like Fidelity don't guarantee losses if you share your credentials: https://www.fidelity.com/security/custo ... -guarantee)
zlandar
Posts: 597
Joined: Wed Apr 10, 2019 8:51 am

Re: Do not use Personal Capital

Post by zlandar »

generallyspeaking wrote: Wed Apr 17, 2019 6:00 pm A few folks on this thread have pointed out that other services (like banks and brokerages) have the same amount of data as PC. While this is true, we also have limited options. We all need banks and brokerages - there's no getting around it.

However, I would personally want to reduce the number of services which have my data and information. PC is just not useful enough for me to risk my funds in any capacity (it also looks like companies like Fidelity don't guarantee losses if you share your credentials: https://www.fidelity.com/security/custo ... -guarantee)
"If you grant authority to, or share your Fidelity account access credentials or information with, any persons or entities, their activity will be considered authorized by you."

With that definition anyone using a password manager like Lastpass or Dashlane would also not be covered.

Read the fine print of the guarantee:

https://wps.retire.fidelity.com/Securit ... Login.html

"Fidelity will determine the type and amount of reimbursement, including whether to replace the securities in your account that were taken, and may seek restitution for reimbursements made under this guarantee from the person(s) or entity that committed the unauthorized activity. We may not provide reimbursement if you are reimbursed, or eligible for reimbursement or other coverage, by others for the unauthorized transactions; for example, by your insurance company.

Fidelity may ask that you assign to it certain rights you may have regarding your loss and to sign a release form as a condition of reimbursement. You may not assign your rights under the guarantee to any other individual or party."

You are relying on Fidelity to be the sole arbitrator of whether you are eligible for any reimbursement and how much. I think the "guarantee" is a slick piece of advertising and should not be confused with real protection like FDIC on a bank account.

If people want to crack into any of my financial accounts they have to either guess my lastpass login/password and defeat the two factor authentication or guess the lastpass generated password for that account like W0#4*^Gd#YT6. They also have to take over my main email account which is protected by 2FA (login/password unique and not in Lastpass) because the brokerage will send an email notifying me of any transaction/password changes. Lastly I have Mint which shows all my linked accounts and transactions and which I regularly check.

There are benefits to having linked accounts: it's much harder for a crook to steal money from one if it triggers multiple notifications that alert the owner.
BlueCable
Posts: 465
Joined: Fri Jun 17, 2016 9:20 am

Re: Do not use Personal Capital

Post by BlueCable »

If you no longer wish Personal Capital to have your login information for your accounts, change your password for those accounts.
birdog
Posts: 1509
Joined: Fri Apr 07, 2017 1:35 pm
Location: Anytown, USA

Re: Do not use Personal Capital

Post by birdog »

Godot wrote: Wed Apr 17, 2019 5:54 pm
generallyspeaking wrote: Mon Apr 15, 2019 8:23 pm I know many in this community use Personal Capital to manage their finances, particularly investment income.

I used the free tool for the past year and found it really beneficial to see things like my market allocation. However, I went on one of their complimentary wealth management calls and realized that without me giving explicit permission the Personal Capital Wealth Advisor had complete and unrestricted access to my account.

I immediately deleted my account and am not going to use them going forward.

Am I being paranoid?
I used PC for the past year to visualize my portfolio as a whole, and feel that tool is much better and has more functionality than Fidelity's "Full View," for example. For five weeks now I have not been able to get into my account. Customer service reps take more than a week to return emails and as of today have not been able to tell me why I cannot access my account. I've emailed them and told them to delete my account with the various logins, but who knows if they'll do it or not. Not sure what my next step is.
Are you saying you can't access your Personal Capital account? If so, I would do more than just request that they delete your account. If you wish to leave PC, I would change all the passwords for every account that was linked to PC. Perhaps you've done that already.
tampaite
Posts: 585
Joined: Wed Feb 18, 2015 8:29 pm

Re: Do not use Personal Capital

Post by tampaite »

Deleting my messages on this forum
Last edited by tampaite on Mon Jun 03, 2019 7:37 am, edited 1 time in total.
Godot
Posts: 1016
Joined: Fri Jun 08, 2018 3:44 pm
Location: That place.

Re: Do not use Personal Capital

Post by Godot »

birdog wrote: Thu Apr 18, 2019 8:20 am
Godot wrote: Wed Apr 17, 2019 5:54 pm
generallyspeaking wrote: Mon Apr 15, 2019 8:23 pm I know many in this community use Personal Capital to manage their finances, particularly investment income.

I used the free tool for the past year and found it really beneficial to see things like my market allocation. However, I went on one of their complimentary wealth management calls and realized that without me giving explicit permission the Personal Capital Wealth Advisor had complete and unrestricted access to my account.

I immediately deleted my account and am not going to use them going forward.

Am I being paranoid?
I used PC for the past year to visualize my portfolio as a whole, and feel that tool is much better and has more functionality than Fidelity's "Full View," for example. For five weeks now I have not been able to get into my account. Customer service reps take more than a week to return emails and as of today have not been able to tell me why I cannot access my account. I've emailed them and told them to delete my account with the various logins, but who knows if they'll do it or not. Not sure what my next step is.
Are you saying you can't access your Personal Capital account? If so, I would do more than just request that they delete your account. If you wish to leave PC, I would change all the passwords for every account that was linked to PC. Perhaps you've done that already.
Zero access. Yes, I've begun changing my passwords.
"The day you die is just like any other, only shorter." | ― Samuel Beckett
lukestuckenhymer
Posts: 274
Joined: Wed May 30, 2018 11:53 am

Re: Do not use Personal Capital

Post by lukestuckenhymer »

I don't use it any more, but I know this was a tacit assumption when I signed up. Once a month, a call came in from the Bay Area and I didn't answer it.

There are plenty of reasons not to use Personal Capital besides security. It's a lousy, buggy platform that sometimes refuses to update your balances for weeks. You're better served creating your own net worth tracker on a spreadsheet. I update mine twice a month.
chambers136
Posts: 274
Joined: Tue Feb 28, 2017 8:49 am

Re: Do not use Personal Capital

Post by chambers136 »

I recently manually loaded all of my accounts in PC. Due to having accounts transferred from a former adviser, we have way more funds than I'd like. PC does a really nice job of helping me figure out my asset allocation. I am not comfortable giving the account login info, but the nice thing is, I don't have to. They don't even know my last name. It's a bit less convenient this way, but to me it was obvious that they would be calling and have access to view the account so I limited the info I gave them.
IcedDog
Posts: 52
Joined: Wed Jul 18, 2018 8:55 pm
Location: Michigan

Re: Do not use Personal Capital

Post by IcedDog »

This gives a pretty good breakdown of their security...

https://wallethacks.com/personal-capital-security-safe/

Seems more than adequate. I like Personal Capital's interface, I find the info useful, and I don't get any solicitation calls (a couple initially, but that was it).
willthrill81
Posts: 32250
Joined: Thu Jan 26, 2017 2:17 pm
Location: USA

Re: Do not use Personal Capital

Post by willthrill81 »

rhinopylon wrote: Tue Apr 16, 2019 2:27 pm I guess I just don't understand OP's concern. What about your funds at Fidelity or Vanguard or your 401k plan administrator? I'm sure there are people that can look at your accounts within each company if they felt like it. What about when you go to your physical bank and deposit cash? That person pulls your account up and has full view of your relationship with them and has the ability to continue browsing it after you've left.
I believe the OP's concern is that he doesn't like PC's advisors having visible access to all of his linked accounts, which they do. Also, many have a bigger concern, which is that hackers will somehow get your IDs and passwords to potentially gain access to your investment accounts. Given the regular reports of data breaches, I think that there is merit to this concern, regardless of the security measures that PC has in place.
The Sensible Steward
jriding
Posts: 204
Joined: Tue Jan 15, 2013 1:06 pm
Location: CO

Re: Do not use Personal Capital

Post by jriding »

nguy44 wrote: Tue Apr 16, 2019 4:05 pm I decided to try Personal Capital, but thanks to this thread I am re-thinking continuing, or at least only using manual accounts ( have only linked a couple of my accounts to it).

In the 2 weeks since I started am account, I first received a text asking if I wanted to talk to them. I replied no thanks, I just wanted to use the tools to see their usefulness, and had no need to have anyone there evaluate my financial situation. Since then I have received 3 "follow up" phone calls and a several "follow-up" emails "just to make sure" I am happy with the service and offering to talk with me.

Not complaining, every action is a learning process :D .
You can remove your phone number from your account and stop receiving calls/texts.
dacalo
Posts: 156
Joined: Mon Mar 28, 2016 11:09 pm

Re: Do not use Personal Capital

Post by dacalo »

I've been using Personal Capital for last couple of years and I sleep well at night. I would imagine they have access to my financial info but I would imagine that is the whole point of their service.
LmG7119
Posts: 504
Joined: Sat Mar 05, 2016 4:12 pm

Re: Do not use Personal Capital

Post by LmG7119 »

You guys do understand that they are not storing your passwords in clear text. I bet they are not storing them at all. Your credentials are used to initiate a connection to other financial institutions, then a token gets generated between the 2 of them; that gets stored in their system and it is used to pull information out of other accounts. Tokens do expire, that is why you sometimes have to re-enter your credentials.

I'm in IT I have done quite a bit of e-commerce security including PCI and SOX compliance. All financial institutions are heavily audited and regulated. It is not enough to break into one, like PC, and do the damage to all accounts. Most APIs are read-only and you can't withdraw or move money around without additional permissions. Almost all companies have access logs and event logs triggers to prevent unauthorized access. That PC adviser would have requested an internal security token to access your information with a reason and with his/her supervisor approval. You agreed to a meeting and that would be a reason for the supervisor to give a token to an adviser. You have to agree that by them knowing your full picture they would be able to help you better and without it, they would be useless.

Nobody will tell you that security is 100% bulletproof but you can mitigate it very well by adopting standard things like password change frequency etc...

:sharebeer
cj2018
Posts: 205
Joined: Tue Jun 12, 2018 3:49 pm

Re: Do not use Personal Capital

Post by cj2018 »

lepa71 wrote: Sat Jun 15, 2019 12:39 pm You guys do understand that they are not storing your passwords in clear text. I bet they are not storing them at all. Your credentials are used to initiate a connection to other financial institutions, then a token gets generated between the 2 of them; that gets stored in their system and it is used to pull information out of other accounts. Tokens do expire, that is why you sometimes have to re-enter your credentials.

I'm in IT I have done quite a bit of e-commerce security including PCI and SOX compliance. All financial institutions are heavily audited and regulated. It is not enough to break into one, like PC, and do the damage to all accounts. Most APIs are read-only and you can't withdraw or move money around without additional permissions. Almost all companies have access logs and event logs triggers to prevent unauthorized access. That PC adviser would have requested an internal security token to access your information with a reason and with his/her supervisor approval. You agreed to a meeting and that would be a reason for the supervisor to give a token to an adviser. You have to agree that by them knowing your full picture they would be able to help you better and without it, they would be useless.

Nobody will tell you that security is 100% bulletproof but you can mitigate it very well by adopting standard things like password change frequency etc...

:sharebeer
Thanks for attempting to elaborate more on the technical aspect of how "internet" logins work these days :oops: .

When I read this entire thread, i can't help but think about the scene where one Old Senator Asks How Facebook Remains Free, Mark Zuckerberg Smirks: ‘We Run Ads’. Check it out here: https://www.youtube.com/watch?v=n2H8wx1aBiQ

Let me try to make this even easier for non tech-savvy retirees to understand:
  • No internet services companies actually store the raw text of your beloved passwords
  • What's being stored is the salted and hashed string/token which is mathematically impossible to reverse-engineer: google how one-way hashing works
  • Even if Google or PC's database got hacked, all the hackers can see is some gibberish strings that they can not use to actually login to your account

Yes, PC employees have access to the actual financial numbers being pulled from different sources, but that's to be expected. That's the same thing as employees at Google/Facebook who have access to all personal data you provided, or employees at WhatsApp or Apple or WeChat or Tinder who have access to all your personal texts/messages. Don't like it? Don't use it. End of story.
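The thread circles twice around the same technical point: dallasjava asks how an aggregator could "hash" a password it still needs in order to log in as you, and the bullet list above says stored credentials are salted hashes that a database thief cannot use. The two storage models are not interchangeable. A bank only has to verify a password, so a one-way salted hash is enough and a stolen hash record cannot be replayed as a login. A screen-scraping aggregator has to present the actual password to the bank, so whatever it stores must be reversible, which means encryption under a key the aggregator holds; that is also the grain of truth in the later "if it has been encrypted it can be decrypted" remark: it can, by whoever has the key. The example below is added here to make that difference concrete; it is not Personal Capital's, Yodlee's or any bank's code. The stream cipher is a toy built from HMAC so the block runs on the standard library alone (a real service would use AES-GCM with a key in an HSM or KMS), and the sample password is the one zlandar typed earlier in the thread, used in a constructed scenario.

```python
"""Verify-only (hash) storage at the bank vs. recoverable (encrypted) storage at an aggregator.

Added example, stdlib only. Not any real institution's design; the cipher below is a
demonstration construct, not production cryptography.
"""
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 100_000  # assumed work factor for the demo


# --- Bank side: the bank never needs the plaintext back, so it keeps a salted one-way hash ---
def bank_store_password(password: str) -> dict:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "digest": digest}


def bank_login(record: dict, attempt: str) -> bool:
    """Recompute the hash of the attempt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, record["digest"])


# --- Aggregator side: it must recover the plaintext to log in as you, so it can only encrypt ---
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Toy keystream: HMAC-SHA256 in counter mode (assumption for the demo, not AES-GCM)."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def aggregator_store_credential(master_key: bytes, password: str) -> dict:
    """Encrypt-then-MAC the password under the aggregator's master key."""
    nonce = os.urandom(16)
    pt = password.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(master_key, nonce, len(pt))))
    tag = hmac.new(master_key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}


def aggregator_recover_credential(master_key: bytes, blob: dict) -> str:
    """Check the tag, then decrypt. Only the holder of master_key can do this."""
    expected = hmac.new(master_key, blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("wrong key or tampered ciphertext")
    ks = _keystream(master_key, blob["nonce"], len(blob["ct"]))
    return bytes(a ^ b for a, b in zip(blob["ct"], ks)).decode()


def demo() -> dict:
    password = "W0#4*^Gd#YT6"  # sample value from the thread; constructed scenario
    record = bank_store_password(password)

    # A stolen hash record does not log in: the bank expects the password, not its digest.
    hash_replay_works = bank_login(record, record["digest"].hex())

    # The aggregator, holding an encrypted copy plus the key, recovers the password and logs in.
    master_key = secrets.token_bytes(32)
    blob = aggregator_store_credential(master_key, password)
    recovered = aggregator_recover_credential(master_key, blob)
    aggregator_login_works = bank_login(record, recovered)

    # A thief with the aggregator's database but not its master key recovers nothing.
    try:
        aggregator_recover_credential(secrets.token_bytes(32), blob)
        wrong_key_works = True
    except ValueError:
        wrong_key_works = False

    return {
        "hash_replay_works": hash_replay_works,        # False
        "aggregator_login_works": aggregator_login_works,  # True
        "wrong_key_works": wrong_key_works,            # False
        "recovered": recovered,
    }


if __name__ == "__main__":
    print(demo())
```

The takeaway for the thread's argument: whether a leaked aggregator database is "gibberish" depends entirely on where the decryption key lives and who can invoke it, not on the word "hash" in a privacy page. An insider or attacker who can run the same decryption path the scraper uses gets the same plaintext the scraper gets.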
LmG7119
Posts: 504
Joined: Sat Mar 05, 2016 4:12 pm

Re: Do not use Personal Capital

Post by LmG7119 »

I agree with one caveat. If it has been encrypted then it can be decrypted. It is just a matter of time and compute power. (cough NSA cough) :D
deltaneutral83
Posts: 2455
Joined: Tue Mar 07, 2017 3:25 pm

Re: Do not use Personal Capital

Post by deltaneutral83 »

lepa71 wrote: Sat Jun 15, 2019 1:44 pm I agree with one caveat. If it has been encrypted then it can be decrypted. It is just a matter of time and compute power. (cough NSA cough) :D
Good maybe the govt will see all our index positions and then suggest that for pensions instead of expensive mangers.
jacksonm
Posts: 234
Joined: Tue Oct 16, 2018 11:48 am

Re: Do not use Personal Capital

Post by jacksonm »

I use PC and don't mind that they have access to all of my data. That is the whole point. I have to put the salesman off every year or two but it isn't that hard.

In regards to the danger of giving them your login credentials, it may be true that they don't store passwords in clear text and that there are other safeguards in place but the fact is they DO have the ability to login to your accounts somehow. And having done that, what guarantee is there on the financial institution side of things that they have read-only access? That is the only thing that bothers me. I would much prefer it if the financial institutions would provide a separate set of credentials for read-only access. You could then give those credentials to aggregators like PC and not have to worry that somebody will be able to actually transact business in your account.
LmG7119
Posts: 504
Joined: Sat Mar 05, 2016 4:12 pm

Re: Do not use Personal Capital

Post by LmG7119 »

jacksonm wrote: Sat Jun 15, 2019 2:55 pm I use PC and don't mind that they have access to all of my data. That is the whole point. I have to put the salesman off every year or two but it isn't that hard.

In regards to the danger of giving them your login credentials, it may be true that they don't store passwords in clear text and that there are other safeguards in place but the fact is they DO have the ability to login to your accounts somehow. And having done that, what guarantee is there on the financial institution side of things that they have read-only access? That is the only thing that bothers me. I would much prefer it if the financial institutions would provide a separate set of credentials for read-only access. You could then give those credentials to aggregators like PC and not have to worry that somebody will be able to actually transact business in your account.
I could go more into P2P and IPSec and VPN and so on and on but it would make your head spin. There is no such thing as read-only credentials.
michaeljc70
Posts: 10843
Joined: Thu Oct 15, 2015 3:53 pm

Re: Do not use Personal Capital

Post by michaeljc70 »

generallyspeaking wrote: Mon Apr 15, 2019 9:08 pm
HEDGEFUNDIE wrote: Mon Apr 15, 2019 8:53 pm What exactly is the issue here?

Of course they have visibility into your accounts, how else would the advisor provide you with advice?
Although they can have access, I should have the ability to control that access.
So, you want some of their services for free and want to hinder their attempts to make any money? It is a business. I'm sure it is in their TOS. Try telling Facebook you don't want any ads or Google they cannot see your emails.
jacksonm
Posts: 234
Joined: Tue Oct 16, 2018 11:48 am

Re: Do not use Personal Capital

Post by jacksonm »

lepa71 wrote: Sat Jun 15, 2019 3:00 pm
jacksonm wrote: Sat Jun 15, 2019 2:55 pm I use PC and don't mind that they have access to all of my data. That is the whole point. I have to put the salesman off every year or two but it isn't that hard.

In regards to the danger of giving them your login credentials, it may be true that they don't store passwords in clear text and that there are other safeguards in place but the fact is they DO have the ability to login to your accounts somehow. And having done that, what guarantee is there on the financial institution side of things that they have read-only access? That is the only thing that bothers me. I would much prefer it if the financial institutions would provide a separate set of credentials for read-only access. You could then give those credentials to aggregators like PC and not have to worry that somebody will be able to actually transact business in your account.
I could go more into P2P and IPSec and VPN and so on and on but it would make your head spin. There is no such thing as read-only credentials.
I know. I'm saying I wish there was. It wouldn't be foolproof but at least it would make me feel better about giving out my credentials.

I'm not privy to what's going on behind the scenes, because obviously I am not supposed to be, but I would like to think that the financial institutions actually do have some way of distinguishing an online aggregator from a customer login and restricting access appropriately.

For the record I have had experience with two major data breaches in companies I used to work for before I retired. You have probably heard of one of them. The other wasn't as much publicized but ended up being even more costly. Both were inside jobs. The more famous one involved a database administrator stealing data and selling it. The other involved somebody removing all of the limits on ATM transactions, allowing people all over the world to drain ATMs dry.
thx1138
Posts: 1164
Joined: Fri Jul 12, 2013 2:14 pm

Re: Do not use Personal Capital

Post by thx1138 »

lepa71 wrote: Sat Jun 15, 2019 3:00 pm I could go more into P2P and IPSec and VPN and so on and on but it would make your head spin. There is no such a thing as read-only credentials.
Sure there are. Trip-It has viewer only access for some trips. Vanguard itself has account links in which spouses can view but not trade in the other account. Pretty much every database software in existence can be configured for accounts that can only read but not modify the database. Most VNC and other desktop sharing have separate passwords for view only access.

The issue is very few financial institutions have made this trivial implementation that would enable safer use of aggregators. And really why should we expect them to? It won’t earn them any money and as trivial as it would be to do even trivial things require a fair bit of testing and maintenance while being yet another avenue for a data breach even if you couldn’t move money through such “read only” accounts/credentials.
LmG7119
Posts: 504
Joined: Sat Mar 05, 2016 4:12 pm

Re: Do not use Personal Capital

Post by LmG7119 »

thx1138 wrote: Sat Jun 15, 2019 7:49 pm
lepa71 wrote: Sat Jun 15, 2019 3:00 pm I could go more into P2P and IPSec and VPN and so on and on but it would make your head spin. There is no such a thing as read-only credentials.
Sure there are. Trip-It has viewer only access for some trips. Vanguard itself has account links in which spouses can view but not trade in the other account. Pretty much every database software in existence can be configured for accounts that can only read but not modify the database. Most VNC and other desktop sharing have separate passwords for view only access.

The issue is very few financial institutions have made this trivial implementation that would enable safer use of aggregators. And really why should we expect them to? It won’t earn them any money and as trivial as it would be to do even trivial things require a fair bit of testing and maintenance while being yet another avenue for a data breach even if you couldn’t move money through such “read only” accounts/credentials.
If you would read my earlier post you would see that passwords are not used for systems integration. Those are only used for connection initialization and verification; after that it is all token based. Same is done for credit card authorizations. Nobody stores your real credit card info after initial authentication. The systems integrate in a complicated, different way from how front-end systems do.
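As an added illustration of the two models discussed in the last few posts (the "read-only credentials" thx1138 describes and the "token based" integration described just above), here is example code that is not from the thread, not from Personal Capital or Yodlee, and that models no real bank's API. The toy bank, the HMAC-signed token format, the scope names and the "alice" account are all constructed for the example; a real deployment would use a standard such as OAuth 2.0 and per-user random salts rather than this minimal sketch. The point it demonstrates is the difference in blast radius: an aggregator holding the customer's password can do anything the customer can, while one holding a scoped, expiring token cannot move money, cannot widen its own scope, and must send the user back to the bank when the token expires.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


class Bank:
    """Toy institution (constructed for this example). Two operations, two scopes."""
    READ = "accounts:read"
    WRITE = "transfers:write"

    def __init__(self, signing_key: bytes):
        self._key = signing_key          # server-side secret; never leaves the bank
        self._users = {}                 # user -> PBKDF2 hash of the password
        self._balances = {}              # user -> balance in cents

    def _hash(self, user, password):
        salt = hashlib.sha256(user.encode()).digest()   # demo salt; use os.urandom per user in real code
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def register(self, user, password, balance_cents):
        self._users[user] = self._hash(user, password)
        self._balances[user] = balance_cents

    def _password_ok(self, user, password):
        return user in self._users and hmac.compare_digest(self._hash(user, password), self._users[user])

    def issue_token(self, user, password, scopes, ttl_seconds, now=None):
        """User authenticates once at the bank; the aggregator receives only this token."""
        if not self._password_ok(user, password):
            raise PermissionError("bad credentials")
        now = time.time() if now is None else now
        body = _b64(json.dumps({"sub": user, "scopes": sorted(scopes), "exp": now + ttl_seconds}).encode())
        return body + "." + _b64(hmac.new(self._key, body.encode(), hashlib.sha256).digest())

    def _token_payload(self, token, now):
        body, _, sig = token.partition(".")
        expected = hmac.new(self._key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None                                   # forged or tampered
        payload = json.loads(_unb64(body))
        return None if payload["exp"] < now else payload  # expired: user must re-authenticate

    def _authorize(self, auth, scope, now):
        if "password" in auth:
            # Shared password: the caller is indistinguishable from the customer and gets every right.
            if self._password_ok(auth["user"], auth["password"]):
                return auth["user"]
            raise PermissionError("bad credentials")
        payload = self._token_payload(auth["token"], time.time() if now is None else now)
        if payload is None:
            raise PermissionError("invalid or expired token")
        if scope not in payload["scopes"]:
            raise PermissionError("token lacks scope " + scope)
        return payload["sub"]

    def get_balance(self, auth, now=None):
        return self._balances[self._authorize(auth, self.READ, now)]

    def transfer(self, auth, amount_cents, now=None):
        user = self._authorize(auth, self.WRITE, now)
        self._balances[user] -= amount_cents
        return self._balances[user]


def aggregator_probe(bank, auth, now=None):
    """What an aggregator (or whoever compromises it) can do with the credential it holds."""
    balance = bank.get_balance(auth, now)
    try:
        bank.transfer(auth, 1, now)
        return balance, True
    except PermissionError:
        return balance, False


def demo():
    bank = Bank(signing_key=b"bank-hmac-key-demo")               # constructed secret
    pw = "correct horse battery staple"
    bank.register("alice", pw, 100_000)                           # $1,000.00
    t0 = 1_700_000_000                                            # fixed clock for reproducibility
    results = {}

    # Model 2: read-only token, valid for one hour. Balance visible, transfer refused.
    token = bank.issue_token("alice", pw, {Bank.READ}, 3600, now=t0)
    results["read_only_token"] = aggregator_probe(bank, {"token": token}, now=t0 + 60)

    # Aggregator edits the payload to grant itself the write scope: signature no longer matches.
    body = json.loads(_unb64(token.split(".")[0]))
    body["scopes"].append(Bank.WRITE)
    forged = _b64(json.dumps(body).encode()) + "." + token.split(".")[1]
    try:
        bank.get_balance({"token": forged}, now=t0 + 60)
        results["forged_rejected"] = False
    except PermissionError:
        results["forged_rejected"] = True

    # Same token after expiry: rejected, which is the "please re-enter your credentials" users see.
    try:
        bank.get_balance({"token": token}, now=t0 + 3601)
        results["expired_rejected"] = False
    except PermissionError:
        results["expired_rejected"] = True

    # Model 1: aggregator stored the real password to drive the login page. Full rights follow.
    results["shared_password"] = aggregator_probe(bank, {"user": "alice", "password": pw})
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Running `demo()` shows the read-only token returning the balance but refusing the transfer, the forged and expired tokens both rejected, and the shared-password path returning the balance and then succeeding at the transfer. Note that in the password model the bank's own logs cannot tell the aggregator apart from the customer, which is exactly why a bank cannot offer "read-only" behaviour on top of a shared password without first introducing a second credential type like the token here.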
thx1138
Posts: 1164
Joined: Fri Jul 12, 2013 2:14 pm

Re: Do not use Personal Capital

Post by thx1138 »

lepa71 wrote: Sat Jun 15, 2019 9:48 pm
thx1138 wrote: Sat Jun 15, 2019 7:49 pm
lepa71 wrote: Sat Jun 15, 2019 3:00 pm I could go more into P2P and IPSec and VPN and so on and on but it would make your head spin. There is no such a thing as read-only credentials.
Sure there are. Trip-It has viewer only access for some trips. Vanguard itself has account links in which spouses can view but not trade in the other account. Pretty much every database software in existence can be configured for accounts that can only read but not modify the database. Most VNC and other desktop sharing have separate passwords for view only access.

The issue is very few financial institutions have made this trivial implementation that would enable safer use of aggregators. And really why should we expect them to? It won’t earn them any money and as trivial as it would be to do even trivial things require a fair bit of testing and maintenance while being yet another avenue for a data breach even if you couldn’t move money through such “read only” accounts/credentials.
If you would read my earlier post you would see that passwords are not used for systems integration. Those are only used for connection initialization and verification; after that it is all token based. Same is done for credit card authorizations. Nobody stores your real credit card info after initial authentication. The systems integrate in a complicated, different way from how front-end systems do.
Ah, sorry didn’t see the earlier post so I misunderstood the context in which you were replying. Good explanation, thanks!
HawkeyePierce
Posts: 2351
Joined: Tue Mar 05, 2019 9:29 pm
Location: Colorado

Re: Do not use Personal Capital

Post by HawkeyePierce »

lepa71 wrote: Sat Jun 15, 2019 9:48 pm
thx1138 wrote: Sat Jun 15, 2019 7:49 pm
lepa71 wrote: Sat Jun 15, 2019 3:00 pm I could go more into P2P and IPSec and VPN and so on and on but it would make your head spin. There is no such a thing as read-only credentials.
Sure there are. Trip-It has viewer only access for some trips. Vanguard itself has account links in which spouses can view but not trade in the other account. Pretty much every database software in existence can be configured for accounts that can only read but not modify the database. Most VNC and other desktop sharing have separate passwords for view only access.

The issue is very few financial institutions have made this trivial implementation that would enable safer use of aggregators. And really why should we expect them to? It won’t earn them any money and as trivial as it would be to do even trivial things require a fair bit of testing and maintenance while being yet another avenue for a data breach even if you couldn’t move money through such “read only” accounts/credentials.
If you would read my earlier post you would see that passwords are not used for systems integration. Those are only used for connection initialization and verification; after that it is all token based. Same is done for credit card authorizations. Nobody stores your real credit card info after initial authentication. The systems integrate in a complicated, different way from how front-end systems do.
This is not the case for credit cards. Yes, merchants usually don’t store full card information but their service providers certainly do. Whether that’s a payment gateway or recurring billing provider, someone in the chain is keeping the full card info on hand.
sschoe2
Posts: 792
Joined: Fri Feb 24, 2017 3:42 pm

Re: Do not use Personal Capital

Post by sschoe2 »

When I just created the account a few years ago I got a few sales calls pitching advisory services. I let them know I wasn't interested and haven't received any since. I just get some nags from their website that they can lower taxes or reduce risk while maintaining returns if I go with their PAS. I find it a good tool.
Pete3
Posts: 266
Joined: Thu Jul 01, 2010 12:10 pm

Re: Do not use Personal Capital

Post by Pete3 »

lepa71 wrote: Sat Jun 15, 2019 12:39 pm You guys do understand that they are not storing your passwords in clear text. I bet they are not storing them at all. Your credentials are used to initiate the connection to other financial institutions, then a token gets generated between the two of them; that gets stored in their system and it is used to pull information out of other accounts. Tokens do expire; that is why you sometimes have to re-enter your credentials.
Unless you have direct knowledge that they are not storing the passwords you should not guess that they are not.

I understand what you are saying about tokens but given the wide variety of institutions they support, it is highly unlikely that that is universally the case, it is more likely that they are actually entering your passwords into the various web sites and scraping the results. AFAIK PC is using the same technology as Yodlee and Yodlee definitely stored your password and did a lot of web site scraping.
LmG7119
Posts: 504
Joined: Sat Mar 05, 2016 4:12 pm

Re: Do not use Personal Capital

Post by LmG7119 »

If you think each bank has developed its own systems then you know nothing about modern IT and systems integrations. Most of the banks lease systems. It is either SaaS or PaaS and IaaS. This is done for liability, security, and connectivity. Nobody will develop their own Fair Isaac system because of the cost and ongoing support requirements. Banks get integrated into those systems. I believe I have read somewhere that PC actually uses Yodlee as backend.

But what do I know with only 30ish years in IT.
Pete3
Posts: 266
Joined: Thu Jul 01, 2010 12:10 pm

Re: Do not use Personal Capital

Post by Pete3 »

lepa71 wrote: Mon Jun 17, 2019 9:11 am If you think each bank has developed its own systems then you know nothing about modern IT and systems integrations. Most of the banks lease systems. It is either SaaS or PaaS and IaaS. This is done for liability, security, and connectivity. Nobody will develop their own Fair Isaac system because of the cost and ongoing support requirements. Banks get integrated into those systems. I believe I have read somewhere that PC actually uses Yodlee as backend.

But what do I know with only 30ish years in IT.
I was a long-time Yodlee user and participated in their forums so I know for a fact that they were screen scraping because when a web site stopped working the Yodlee staff explained that was the problem (changes in the web site). You could also view your password in the clear in Yodlee so that proves they were storing your password, not just a token.
LmG7119
Posts: 504
Joined: Sat Mar 05, 2016 4:12 pm

Re: Do not use Personal Capital

Post by LmG7119 »

I'm not talking about Yodlee front end UI. I'm talking about Yodlee back end integration that they sell as a service integration layer. There is no "screen scraping" for a web site under SSL. Your call center person who makes $12.50/h has no idea what is going on on the backend.
KarenC
Posts: 264
Joined: Mon Apr 27, 2015 7:25 am

Re: Do not use Personal Capital

Post by KarenC »

Pete3 wrote: Mon Jun 17, 2019 10:15 am
lepa71 wrote: Mon Jun 17, 2019 9:11 am If you think each bank has developed its own systems then you know nothing about modern IT and systems integrations. Most of the banks lease systems. It is either SaaS or PaaS and IaaS. This is done for liability, security, and connectivity. Nobody will develop their own Fair Isaac system because of the cost and ongoing support requirements. Banks get integrated into those systems. I believe I have read somewhere that PC actually uses Yodlee as backend.

But what do I know with only 30ish years in IT.
I was a long-time Yodlee user and participated in their forums so I know for a fact that they were screen scraping because when a web site stopped working the Yodlee staff explained that was the problem (changes in the web site). You could also view your password in the clear in Yodlee so that proves they were storing your password, not just a token.
The info is a bit vague (and possibly out of date) but here are some bits from a 2013 article in an Australian publication with the then chief strategy and development officer, Joe Polverari:
Digital First: Where do you stand on direct bank feeds versus screen scraping?

Yodlee: The conversation is about data feeds or data acquisition, which is screen scraping or html data gathering. We take 85 percent of our data on a volume basis from most of the biggest financial institutions in the world and give it to 50 million end users on a data fed basis, not screen scraping.

Digital First: Is that 85 percent in Australia as well?

Yodlee: No, that’s outside in Australia. That 15 percent is what we call the long tail. The ANZ Bank is one data source, but it has multiple account types and we cover all those as well. We have over 10,000 data sources in over 100,000 account types, all represented in our data utility, 85 percent of which on a volume basis get delivered through feeds.
I would gather from this that Yodlee will use screen scraping when there isn't a "data feed" available, and it appears that only happens in ~15% of the time (outside of Australia).

Later on they talk about how Yodlee handles credentials:
Yodlee: Let’s talk about our technology. Users input their credentials and we never actually see it. And people like Xero never actually see it. They enter it into an interface and when they hit send it gets encrypted and separated from that point. It’s hashed all the way back through the hardware. It’s not just software encryption, it’s all the way down into the boxes themselves.

We store you as a user with a Yodlee ID. You have a password and a credential that is hashed and exists somewhere else and is matched to your user ID, and then your transaction and financial data they sit somewhere else encrypted all the way through to the hardware.

We don’t know where you are in those four instances, but when someone like Xero delivers a service that is specific to a user it all comes right back together only at the point it is presented to that user.

So then you have a philosophical question. Have I or have I not disclosed my credentials? Or have I disclosed only something that is an encrypted hash of someone’s credential as it exists in the Yodlee network? We have done everything possible from a user and a bank perspective.
"The first principle is that you must not fool yourself—and you are the easiest person to fool." — Richard P. Feynman
afan
Posts: 8191
Joined: Sun Jul 25, 2010 4:01 pm

Re: Do not use Personal Capital

Post by afan »

I do not use any such service, precisely because I do not want there to exist a list of all my accounts anywhere out side of my immediate control. I would never contemplate giving login ability to some third party. I would not tell them account numbers. I would not even tell them at which institutions I have accounts.

I don't see the point in checking my balances every month, let alone every day. I check investment balances once or twice a year. No use for a daily tally.

What am I going to do with this information? Not trade based on what the markets did yesterday. Not borrow or move money around on a daily basis.

I have investments set on auto pilot. I know my regular income and expenses. Unusual receipts get invested manually. Unusual expenses are covered by cash reserves.

I assume that all online systems will be hacked. It has happened too often to too many sites to think otherwise. By keeping a variety of accounts at a variety of institutions it will be harder for one hack to expose too much of my information.

I neither keep passwords online nor allow my browser to remember them.

It is a hassle for me and it will be a hassle for hackers.

PC and the like hold no appeal.
We don't know how to beat the market on a risk-adjusted basis, and we don't know anyone that does know either | --Swedroe | We assume that markets are efficient, that prices are right | --Fama
rascott
Posts: 2957
Joined: Wed Apr 15, 2015 10:53 am

Re: Do not use Personal Capital

Post by rascott »

This thread cracks me up....here's a good primer on security at PC....and why you are less safe logging into your own accounts from your browser than you are using PC to monitor them:

https://wallethacks.com/personal-capital-security-safe/

So if one is really concerned with hacking they shouldn't be using ANY online access to any financial institution.
Pete3
Posts: 266
Joined: Thu Jul 01, 2010 12:10 pm

Re: Do not use Personal Capital

Post by Pete3 »

rascott wrote: Mon Jun 17, 2019 8:59 pm This thread cracks me up....here's a good primer on security at PC....and why you are less safe logging into your own accounts from your browser than you are using PC to monitor them:

https://wallethacks.com/personal-capital-security-safe/

So if one is really concerned with hacking they shouldn't be using ANY online access to any financial institution.
I use PC so my reply is somewhat of devil's advocate but that article is weak. They basically are saying PC doesn't have your credentials so it's safe! Well they also say that PC is powered by Yodlee and Yodlee does have your credentials, so in other words instead of focusing on the safety of PC (which is nothing more than a re-branded front-end for the Yodlee service offering) the article should be looking at the safety/security of Yodlee, which admittedly does have your credentials.

The same is true for their point about read-only access to your accounts, sure PC only has read-only access but Yodlee does not. They have the same login credentials that you use, so obviously they can initiate any transaction with your account that you can, subject to whatever additional verification steps your financial institution may or may not require.

And sure, it's much easier for a hacker to get a hold of credentials from an end-user's computer than hacking Yodlee, but Yodlee has to be a very tempting target since it would have the credentials for so many users at so many different financial institutions; it's like comparing robbing a 7-Eleven versus a Federal Reserve bank.

Also consider the terms of service of many financial institutions which plainly state that if you share your account credentials with anyone else (e.g. Yodlee) then you are not protected if someone fraudulently accesses your account - whether that would hold up in court I don't know.

All that being said, if you have many accounts and want to monitor them frequently, which is a wise decision (we're not only talking about investment accounts here - checking/savings/credit card accounts too), then using an aggregation site like PC is probably worth the very slight risk of Yodlee being hacked.
rascott
Posts: 2957
Joined: Wed Apr 15, 2015 10:53 am

Re: Do not use Personal Capital

Post by rascott »

Pete3 wrote: Tue Jun 18, 2019 6:37 am
rascott wrote: Mon Jun 17, 2019 8:59 pm This thread cracks me up....here's a good primer on security at PC....and why you are less safe logging into your own accounts from your browser than you are using PC to monitor them:

https://wallethacks.com/personal-capital-security-safe/

So if one is really concerned with hacking they shouldn't be using ANY online access to any financial institution.
I use PC so my reply is somewhat of devil's advocate but that article is weak. They basically are saying PC doesn't have your credentials so it's safe! Well they also say that PC is powered by Yodlee and Yodlee does have your credentials, so in other words instead of focusing on the safety of PC (which is nothing more than a re-branded front-end for the Yodlee service offering) the article should be looking at the safety/security of Yodlee, which admittedly does have your credentials.

The same is true for their point about read-only access to your accounts, sure PC only has read-only access but Yodlee does not. They have the same login credentials that you use, so obviously they can initiate any transaction with your account that you can, subject to whatever additional verification steps your financial institution may or may not require.

And sure, it's much easier for a hacker to get a hold of credentials from an end-user's computer than hacking Yodlee, but Yodlee has to be a very tempting target since it would have the credentials for so many users at so many different financial institutions; it's like comparing robbing a 7-Eleven versus a Federal Reserve bank.

Also consider the terms of service of many financial institutions which plainly state that if you share your account credentials with anyone else (e.g. Yodlee) then you are not protected if someone fraudulently accesses your account - whether that would hold up in court I don't know.

All that being said, if you have many accounts and want to monitor them frequently, which is a wise decision (we're not only talking about investment accounts here - checking/savings/credit card accounts too), then using an aggregation site like PC is probably worth the very slight risk of Yodlee being hacked.


Yeah, that's kind of the broader point...no?

What's more likely....an end user getting some type of phishing based malware on their computer.... which then tracks actual logins to accounts? Or a place like Yodlee being hacked without any notice? To your point....when has the Federal Reserve Bank been robbed...vs a house down the street?

I firmly believe using a site like PC and then reviewing it frequently is the safest way to monitor accounts online. If one is too concerned with that....they shouldn't use ANY online accounts.

I've gotten to the point I do not access my accounts from my home computer at all. I use my work computer only as we have very high level IT security.... my chances of a malware issue are exceptionally higher at home.
Topic Author
generallyspeaking
Posts: 48
Joined: Wed May 16, 2018 12:57 pm

Re: Do not use Personal Capital

Post by generallyspeaking »

My (personal) issue was never with the underlying security of PC or any online vendor. It was the fact that humans at PC not only have access to all my data, but that they are actively using that to solicit business. That's the issue (whether or not they call me once a year is also not particularly relevant). And I understand this is how they make money, but I wanted to flag it for other users so that they are aware that someone is actively going through their account to figure out how to sell them something. Now this doesn't bother most of the posters on this thread and that's totally fine, but if I'd known this before I had signed up I wouldn't have done it.