Do not use Personal Capital

bjs2025
Posts: 17
Joined: Tue May 28, 2019 8:17 am

Re: Do not use Personal Capital

Post by bjs2025 » Tue Jun 18, 2019 10:38 am

I will say, as a 32 year old that is getting finances on track, using PC almost subconsciously assists me in my net worth going up. That might sound stupid but I am always focused on what is going in and out. I think it is a motivating tool and check it frequently. The minute that even the basic service is chargeable I'd be out but as of now I love it.

KyleAAA
Posts: 8423
Joined: Wed Jul 01, 2009 5:35 pm

Re: Do not use Personal Capital

Post by KyleAAA » Thu Dec 05, 2019 4:56 pm

Paranoia is a very good thing in the security world. There is no reason for their agents to have read access for your accounts, so the principle of least access would suggest they shouldn't. Their system certainly needs access to perform the service you signed up for, but their advisers do NOT.

Shorty
Posts: 14
Joined: Sat Feb 23, 2019 4:54 pm

Re: Do not use Personal Capital

Post by Shorty » Sat Jul 18, 2020 8:52 pm

I’ve gotten to the point I do not access my accounts from my home computer at all. I use my work computer only as we have very high level IT security.... my chances of a malware issue are exceptionally higher at home.
This rationale makes me cringe! You’re transferring risk in the wrong direction - a douche IT person with admin creds on your box or the network could be bad news in any number of ways...or anyone with physical access and a USB keylogger. You should be able to keep a home computer free of malware. There are lots of mitigating steps to keep you safe - use multifactor auth with your accounts, set up alerts, go through a VPN, keep a separate device than your kids game on. If you’re paranoid, boot to a clean image (eg, LINUX live CD). I’d be wary of treating a computer owned & maintained by someone else, open to physical access as “more secure” for your personal sensitive information and access, with few exceptions.

Shorty
Posts: 14
Joined: Sat Feb 23, 2019 4:54 pm

Re: Do not use Personal Capital

Post by Shorty » Sat Jul 18, 2020 9:05 pm

thx1138 wrote:
Sat Jun 15, 2019 7:49 pm
lepa71 wrote:
Sat Jun 15, 2019 3:00 pm
I could go more into P2P and IPSec and VPN and so on and on but it would make your head spin. There is no such a thing as read-only credentials.
Sure there are. Trip-It has viewer only access for some trips. Vanguard itself has account links in which spouses can view but not trade in the other account. Pretty much every database software in existence can be configured for accounts that can only read but not modify the database. Most VNC and other desktop sharing have separate passwords for view only access.

The issue is very few financial institutions have made this trivial implementation that would enable safer use of aggregators. And really why should we expect them to? It won’t earn them any money and as trivial as it would be to do even trivial things require a fair bit of testing and maintenance while being yet another avenue for a data breach even if you couldn’t move money through such “read only” accounts/credentials.
+1
See options like this from Merrill. Much better. Doesn’t help with privacy on the PC side.

Modern Federated Identity Providers would be better yet. In time...

CycloRista
Posts: 132
Joined: Sun Feb 16, 2020 11:53 am

Re: Do not use Personal Capital

Post by CycloRista » Sun Jul 19, 2020 4:59 am

Shorty wrote:
Sat Jul 18, 2020 8:52 pm
I’ve gotten to the point I do not access my accounts from my home computer at all. I use my work computer only as we have very high level IT security.... my chances of a malware issue are exceptionally higher at home.
This rationale makes me cringe! You’re transferring risk in the wrong direction - a douche IT person with admin creds on your box or the network could be bad news in any number of ways...or anyone with physical access and a USB keylogger. You should be able to keep a home computer free of malware. There are lots of mitigating steps to keep you safe - use multifactor auth with your accounts, set up alerts, go through a VPN, keep a separate device than your kids game on. If you’re paranoid, boot to a clean image (eg, LINUX live CD). I’d be wary of treating a computer owned & maintained by someone else, open to physical access as “more secure” for your personal sensitive information and access, with few exceptions.
Agreed- it shocks me how many employees access highly confidential personal information from work computers (and often times store that data too!). As a 30+ year IT professional, I've always kept work and personal information, applications, online activities, etc. 100% separate.

Any decent size workplace is decrypting SSL and inspecting traffic (AKA seeing way more than you would want them to under any circumstances). It has become quite popular to use 3rd party providers of all sorts for this purpose including cloud access security brokers (CASB's), threat intelligence platforms, etc.

I've used Personal Capital for a few years and while the reps may have visibility into whatever one tracks on their site, they do not have "full access" in terms of being able to transfer funds, etc. I was hounded incessantly for a few months and then they finally stopped. I find it to be a useful tool for obtaining reasonably current snapshots of the big picture and looking at long term trends.

seawolf21
Posts: 699
Joined: Tue Aug 05, 2014 7:33 am

Re: Do not use Personal Capital

Post by seawolf21 » Sun Jul 19, 2020 9:42 am

I see a lot of responses on technical security but haven’t seen one mentioned on security of being able to monitor all accounts easily on a weekly/daily basis. The ability to easily detect signs of unauthorized transactions earlier is better than an individual who ends up checking their balances once a month which could have been weeks after the fraudulent transaction already took place.

pianos101
Posts: 48
Joined: Thu Oct 26, 2017 1:39 pm

Re: Do not use Personal Capital

Post by pianos101 » Sun Jul 19, 2020 10:09 am

seawolf21 wrote:
Sun Jul 19, 2020 9:42 am
I see a lot of responses on technical security but haven’t seen one mentioned on security of being able to monitor all accounts easily on a weekly/daily basis. The ability to easily detect signs of unauthorized transactions earlier is better than an individual who ends up checking their balances once a month which could have been weeks after the fraudulent transaction already took place.
This.

My understanding is that my account passwords are not stored on their servers or something like that? Meaning their employees can’t dig for them. Sure they can see my amounts but they can’t do nada about it.

bpkasl
Posts: 5
Joined: Fri Jul 31, 2020 6:55 am

Re: Do not use Personal Capital

Post by bpkasl » Fri Jul 31, 2020 11:20 am

I checked Personal Capital out today, based on this ongoing discussion, what is a preferred online retirement calculator that can be trusted? We also have access to Financial Engines through Vanguard and the Fidelity Retirement Plan Calculator, maybe those two are enough?
Thanks

yog
Posts: 50
Joined: Wed Jan 15, 2020 12:57 pm

Re: Do not use Personal Capital

Post by yog » Fri Jul 31, 2020 12:25 pm

I have no experience with Vanguard's, but I've used every one I could access. Today the on-line planners I use are MaxFi Planner (fee based), I-ORP Extended, Fidelity Retirement Planner, & Personal Capital, in that order.

MaxFi Planner for really detailed planning, plus optimization with multiple scenarios. I-ORP Extended is good for general Roth Conversion strategies and seeing the impact of different planning inputs quickly. Fidelity for quick checks based on our actual account values across multiple market condition outcomes. PC for eye-candy to visualize major events and asset drawdown by asset tax location (traditional, taxable, Roth). All of them have differing limitations, but they all do come out within an acceptable margin of error for us.

MaxFi Planner is the most detailed, but not everyone may benefit from it vs. the others. We did, primarily to verify our SS claiming strategy and validate the outcomes of different Roth conversion strategies given our Federal and State income tax scenarios.

bpkasl
Posts: 5
Joined: Fri Jul 31, 2020 6:55 am

Re: Do not use Personal Capital

Post by bpkasl » Fri Jul 31, 2020 1:07 pm

thanks

MittensMoney
Posts: 215
Joined: Mon Dec 07, 2015 10:59 pm

Re: Do not use Personal Capital

Post by MittensMoney » Fri Jul 31, 2020 1:08 pm

bpkasl wrote:
Fri Jul 31, 2020 11:20 am
I checked Personal Capital out today, based on this ongoing discussion, what is a preferred online retirement calculator that can be trusted? We also have access to Financial Engines through Vanguard and the Fidelity Retirement Plan Calculator, maybe those two are enough?
Thanks
I think you're missing the point of this conversation -- if you can't trust Personal Capital to aggregate your accounts then you simply can't trust aggregating your accounts. Financial Engines, Vanguard, Fidelity, literally every one of these ask you to link your accounts so either none of them are trust-worthy, or all of them are. Vanguard's private client group uses the exact same back-end API service (Yodlee) that Personal Capital does.

RudyS
Posts: 1902
Joined: Tue Oct 27, 2015 10:11 am

Re: Do not use Personal Capital

Post by RudyS » Fri Jul 31, 2020 1:52 pm

Just a sidelight, but how worried are you folks about giving TurboTax access to your brokerage or bank accounts in order to download 1099's? I suppose one could (and should) change passwords right after preparing the return.

yog
Posts: 50
Joined: Wed Jan 15, 2020 12:57 pm

Re: Do not use Personal Capital

Post by yog » Fri Jul 31, 2020 3:11 pm

MittensMoney wrote:
Fri Jul 31, 2020 1:08 pm
bpkasl wrote:
Fri Jul 31, 2020 11:20 am
I checked Personal Capital out today, based on this ongoing discussion, what is a preferred online retirement calculator that can be trusted? We also have access to Financial Engines through Vanguard and the Fidelity Retirement Plan Calculator, maybe those two are enough?
Thanks
I think you're missing the point of this conversation -- if you can't trust Personal Capital to aggregate your accounts then you simply can't trust aggregating your accounts. Financial Engines, Vanguard, Fidelity, literally every one of these ask you to link your accounts so either none of them are trust-worthy, or all of them are. Vanguard's private client group uses the exact same back-end API service (Yodlee) that Personal Capital does.
The points you make are certainly valid - if you do not trust or understand aggregator services, avoid them completely.

Fidelity's retirement planner works with or without aggregated accounts, or any combination you desire. If you add accounts manually, you can add your holdings either by asset class or by ticker symbol if desired. The other two online planners I mentioned above (MaxFi & I-ORP) do not collect aggregated data, nor do they support planning around detailed investment positions. I-ORP uses general balances by tax location and the highest level of asset class, just stocks & bonds and you will need to project your blended returns by class. MaxFi lets you get a bit more granular by adding individual accounts, but you are still limited to setting projected returns by asset classes. They do support identity of MM accounts, stock accounts, bond accounts, etc., and flagging accounts for reserved spending status. That's certainly useful, but not necessarily required for everyone.

If you use Fidelity's Full View to aggregate accounts, it's using the eMoney Advisor platform, which Fidelity now owns. The full version of eMoney Advisor is used heavily within the professional registered investment advisor community, not just at Fidelity, so their security for data and tokenized encrypted API's is held to a different standard than screen scraping. RIAs are interfacing customer account data into other backend office systems such as customer relationship management, billing, etc. The version of eMoney available to Fidelity's retail clients is the same platform, but stripped down quite a bit and branded as Full View.

H-Town
Posts: 2819
Joined: Sun Feb 26, 2017 2:08 pm

Re: Do not use Personal Capital

Post by H-Town » Fri Jul 31, 2020 3:18 pm

seawolf21 wrote:
Sun Jul 19, 2020 9:42 am
I see a lot of responses on technical security but haven’t seen one mentioned on security of being able to monitor all accounts easily on a weekly/daily basis. The ability to easily detect signs of unauthorized transactions earlier is better than an individual who ends up checking their balances once a month which could have been weeks after the fraudulent transaction already took place.
^ this is one of the reasons I monitor all accounts on a regular basis.

But you should not rely on monitoring all accounts manually. You should set up alerts to your email/phone whenever a transaction is initiated. Then, be sure the alert will pop out to your phone in real time.

SlowMovingInvestor
Posts: 1783
Joined: Sun Sep 11, 2016 11:27 am

Re: Do not use Personal Capital

Post by SlowMovingInvestor » Fri Jul 31, 2020 7:28 pm

RudyS wrote:
Fri Jul 31, 2020 1:52 pm
Just a sidelight, but how worried are you folks about giving TurboTax access to your brokerage or bank accounts in order to download 1099's? I suppose one could (and should) change passwords right after preparing the return.
A number of brokerages these days provide document ID numbers that can be used to do downloads. So it's possible to bypass the use of username/passwords.

I use TT desktop. I would not give TT online access to a brokerage site, even if only for download. I don't give access to bank accounts -- 1099 INTs are trivial to type in.

student
Posts: 4956
Joined: Fri Apr 03, 2015 6:58 am

Re: Do not use Personal Capital

Post by student » Fri Jul 31, 2020 8:04 pm

bpkasl wrote:
Fri Jul 31, 2020 11:20 am
I checked Personal Capital out today, based on this ongoing discussion, what is a preferred online retirement calculator that can be trusted? We also have access to Financial Engines through Vanguard and the Fidelity Retirement Plan Calculator, maybe those two are enough?
Thanks
My experience is that Fidelity Retirement Plan and Personal Capital give very similar results.

DesertMan
Posts: 245
Joined: Tue Dec 07, 2010 12:54 pm

Re: Do not use Personal Capital

Post by DesertMan » Sat Aug 01, 2020 8:17 am

Since they were acquired, Personal Capital has been stalking me constantly with cold calls from "advisors", who want to sell me on their portfolio management. Now knowing that these guys have access to my account without my permission has left a bad taste in my mouth.

Does anyone have a recommendation for an aggregator service that is on par with PC (and isn't Mint or Fidelity Full View?) Thanks.

MBB_Boy
Posts: 118
Joined: Sat May 12, 2018 4:09 pm

Re: Do not use Personal Capital

Post by MBB_Boy » Sat Aug 01, 2020 12:16 pm

DesertMan wrote:
Sat Aug 01, 2020 8:17 am
Since they were acquired, Personal Capital has been stalking me constantly with cold calls from "advisors", who want to sell me on their portfolio management. Now knowing that these guys have access to my account without my permission has left a bad taste in my mouth.

Does anyone have a recommendation for an aggregator service that is on par with PC (and isn't Mint or Fidelity Full View?) Thanks.
Really? I haven't had a single call or email from the advisors post acquisition. I've been using them for 4 years now and never had a problem with the advisors. Once, maybe twice a year

birdog
Posts: 758
Joined: Fri Apr 07, 2017 1:35 pm

Re: Do not use Personal Capital

Post by birdog » Sun Aug 02, 2020 10:09 am

DesertMan wrote:
Sat Aug 01, 2020 8:17 am
Since they were acquired, Personal Capital has been stalking me constantly with cold calls from "advisors", who want to sell me on their portfolio management. Now knowing that these guys have access to my account without my permission has left a bad taste in my mouth.

Does anyone have a recommendation for an aggregator service that is on par with PC (and isn't Mint or Fidelity Full View?) Thanks.
You could go to settings at PC and change the phone number on your profile to a number other than yours. That's what I did. No more phone calls.

FIby45
Posts: 38
Joined: Wed Oct 30, 2019 4:41 pm

Re: Do not use Personal Capital

Post by FIby45 » Sun Aug 02, 2020 4:01 pm

Technology entrepreneur here.

No- you likely need not worry w caveats:
1. You should have 2fa set up anyways on all financial accounts. If someone had username and pw does not matter w/o 2fa
2. You should use strong passwords

99% chance PC does not store passwords in a non-hashed manner (i.e., they store it in a way that even the designer of the system could not see it in database.) That's security 101.

On very slim chance it's not done this way- then your 2fa should ensure no breach.

Never use passwords twice

000
Posts: 571
Joined: Thu Jul 23, 2020 12:04 am

Re: Do not use Personal Capital

Post by 000 » Mon Aug 03, 2020 12:52 am

FIby45 wrote:
Sun Aug 02, 2020 4:01 pm
Technology entrepreneur here.

No- you likely need not worry w caveats:
1. You should have 2fa set up anyways on all financial accounts. If someone had username and pw does not matter w/o 2fa
2. You should use strong passwords

99% chance PC does not store passwords in a non-hashed manner (i.e., they store it in a way that even the designer of the system could not see it in database.) That's security 101.

On very slim chance it's not done this way- then your 2fa should ensure no breach.

Never use passwords twice
Nah. No need for the additional exposure, no matter how small.

000
Posts: 571
Joined: Thu Jul 23, 2020 12:04 am

Re: Do not use Personal Capital

Post by 000 » Mon Aug 03, 2020 12:52 am

DesertMan wrote:
Sat Aug 01, 2020 8:17 am
Since they were acquired, Personal Capital has been stalking me constantly with cold calls from "advisors", who want to sell me on their portfolio management. Now knowing that these guys have access to my account without my permission has left a bad taste in my mouth.

Does anyone have a recommendation for an aggregator service that is on par with PC (and isn't Mint or Fidelity Full View?) Thanks.
I suggest a spreadsheet program on your local computer. You're welcome!

CyclingDuo
Posts: 3361
Joined: Fri Jan 06, 2017 9:07 am

Re: Do not use Personal Capital

Post by CyclingDuo » Mon Aug 03, 2020 9:05 am

I don't think it has been mentioned in this specific Personal Capital thread, but the company was recently acquired by Empower Retirement in June. Empower is one of the largest 401k retirement plan providers, so it will be interesting to see how they leverage the PC dashboard and services for their 401k customers. I happen to have a 401k at Empower, so will know firsthand if and when there is some sort of - or if any - crossover.

CyclingDuo
"Everywhere is within walking distance if you have the time." ~ Steven Wright

sschoe2
Posts: 502
Joined: Fri Feb 24, 2017 4:42 pm

Re: Do not use Personal Capital

Post by sschoe2 » Mon Aug 03, 2020 9:19 am

I've been using PC for about 2-3 years. I too was annoyed by sales calls in the beginning but haven't received any in years. I find the tool very useful. I am under no delusion that they are collecting data. Everyone is collecting data, Google, Facebook, Twitter, the credit reporting agencies, the grocery store with "loyalty" cards. I think PC is reasonably secure at least as much as anything else especially with 2FA and read only access. Considering even Garmin got taken for a ransomware attack last week I am not sure anything is totally secure anymore.

KyleAAA
Posts: 8423
Joined: Wed Jul 01, 2009 5:35 pm

Re: Do not use Personal Capital

Post by KyleAAA » Mon Aug 03, 2020 12:59 pm

sschoe2 wrote:
Mon Aug 03, 2020 9:19 am
I've been using PC for about 2-3 years. I too was annoyed by sales calls in the beginning but haven't received any in years. I find the tool very useful. I am under no delusion that they are collecting data. Everyone is collecting data, Google, Facebook, Twitter, the credit reporting agencies, the grocery store with "loyalty" cards. I think PC is reasonably secure at least as much as anything else especially with 2FA and read only access. Considering even Garmin got taken for a ransomware attack last week I am not sure anything is totally secure anymore.
I solved this problem by simply not answering numbers I'm not familiar with. Do people still answer calls from unknown numbers in 2020? I'm not so sure PC only has read-only access. For Vanguard, for example, they have your login credentials. Why couldn't they use those creds to make transactions? What's stopping them other than the fact that they promise not to?

rascott
Posts: 2151
Joined: Wed Apr 15, 2015 10:53 am

Re: Do not use Personal Capital

Post by rascott » Mon Aug 03, 2020 2:41 pm

KyleAAA wrote:
Mon Aug 03, 2020 12:59 pm
sschoe2 wrote:
Mon Aug 03, 2020 9:19 am
I've been using PC for about 2-3 years. I too was annoyed by sales calls in the beginning but haven't received any in years. I find the tool very useful. I am under no delusion that they are collecting data. Everyone is collecting data, Google, Facebook, Twitter, the credit reporting agencies, the grocery store with "loyalty" cards. I think PC is reasonably secure at least as much as anything else especially with 2FA and read only access. Considering even Garmin got taken for a ransomware attack last week I am not sure anything is totally secure anymore.
I solved this problem by simply not answering numbers I'm not familiar with. Do people still answer calls from unknown numbers in 2020? I'm not so sure PC only has read-only access. For Vanguard, for example, they have your login credentials. Why couldn't they use those creds to make transactions? What's stopping them other than the fact that they promise not to?

You're kidding right?

Why on earth would they even attempt to do such a thing? Defies common sense.

And no, they don't actually have your login info.... so couldn't if they wanted to, this has been discussed many times.

The probability is greater that Vanguard would sell all your securities and pocket your money. Literally.

bloom2708
Posts: 7992
Joined: Wed Apr 02, 2014 2:08 pm
Location: Fargo, ND

Re: Do not use Personal Capital

Post by bloom2708 » Mon Aug 03, 2020 2:46 pm

rascott wrote:
Mon Aug 03, 2020 2:41 pm
You're kidding right?

Why on earth would they even attempt to do such a thing? Defies common sense.

And no, they don't actually have your login info.... so couldn't if they wanted to, this has been discussed many times.

The probability is greater that Vanguard would sell all your securities and pocket your money. Literally.
Of course Vanguard has your login credentials. How would you log in if they didn't check them against what you enter?

It is likely encrypted and stored where not just any employee can get it, but they have it. It is on their servers.

I could give you my username/password to Personal Capital. Unless you can steal my cell phone, you can't get in to my account.
"We are here to provoke thoughtfulness, not agree with you." Unknown Boglehead

rascott
Posts: 2151
Joined: Wed Apr 15, 2015 10:53 am

Re: Do not use Personal Capital

Post by rascott » Mon Aug 03, 2020 2:53 pm

bloom2708 wrote:
Mon Aug 03, 2020 2:46 pm
rascott wrote:
Mon Aug 03, 2020 2:41 pm
You're kidding right?

Why on earth would they even attempt to do such a thing? Defies common sense.

And no, they don't actually have your login info.... so couldn't if they wanted to, this has been discussed many times.

The probability is greater that Vanguard would sell all your securities and pocket your money. Literally.
Of course Vanguard has your login credentials. How would you log in if they didn't check them against what you enter?

It is likely encrypted and stored where not just any employee can get it, but they have it. It is on their servers.

I could give you my username/password to Personal Capital. Unless you can steal my cell phone, you can't get in to my account.
No it actually is not stored anywhere on their servers whatsoever. It's encrypted at Yodlee.... something that's likely already happening in your life... considering how many financial firms use Yodlee:

"When you enter your bank credentials into Personal Capital, they encrypt it with AES-256 with multi-layer key management, which includes rotating user-specific keys and salts. AES-256 is the Advanced Encryption Standard (AES) and is the gold standard as determined by NIST, the United States National Institute of Standards and Technology. 256 refers to the length of the key used and 256-bits is the longest. It is also the same encryption used by the US Government.
They never store your financial login credentials. That data is encrypted and stored at Envestnet Yodlee, a platform that powers a laundry list of financial services and wealth management tools and companies. Yodlee is periodically audited by the Office of the Comptroller of the Currency and their security processes are available here.

As for internal access controls, no one at Personal Capital has access to your credentials. Zero."

https://wallethacks.com/personal-capital-security-safe/

But forget the login stuff. Kyle implied that PC could possibly go in and make transactions in your account. Which makes no sense. Why would they do such a thing even if they could? (They can't). You can't actually get money out.

PC is owned by Empower.... one of the biggest 401k bookkeepers in the country. Using them for aggregation is no more (probably less) risky than logging into one's Vanguard account from their home PC

CycloRista
Posts: 132
Joined: Sun Feb 16, 2020 11:53 am

Re: Do not use Personal Capital

Post by CycloRista » Mon Aug 03, 2020 3:04 pm

MittensMoney wrote:
Fri Jul 31, 2020 1:08 pm
bpkasl wrote:
Fri Jul 31, 2020 11:20 am
I checked Personal Capital out today, based on this ongoing discussion, what is a preferred online retirement calculator that can be trusted? We also have access to Financial Engines through Vanguard and the Fidelity Retirement Plan Calculator, maybe those two are enough?
Thanks
I think you're missing the point of this conversation -- if you can't trust Personal Capital to aggregate your accounts then you simply can't trust aggregating your accounts. Financial Engines, Vanguard, Fidelity, literally every one of these ask you to link your accounts so either none of them are trust-worthy, or all of them are. Vanguard's private client group uses the exact same back-end API service (Yodlee) that Personal Capital does.
+1 Also consider that other financial institutions you deal with aggregate data so I'm not losing sleep over that aspect with Personal Capital (or elsewhere). You can request to audit account accesses on a periodic basis to determine who has attempted accessing your data I imagine.

You can also enable multi-factor authentication on many platforms and get prompted for a challenge response sent to your mobile device each time you login if you prefer. Here is how to go about that on PC:

https://support.personalcapital.com/hc/ ... ation-MFA-

I've been aggregating data on their site since 2017 and other than getting cold called and spammed for ~6 months, no other signs of shifty behavior (and I am not at all concerned about them somehow trading on my behalf or nefariously).

bloom2708
Posts: 7992
Joined: Wed Apr 02, 2014 2:08 pm
Location: Fargo, ND

Re: Do not use Personal Capital

Post by bloom2708 » Mon Aug 03, 2020 3:10 pm

rascott wrote:
Mon Aug 03, 2020 2:53 pm

No it actually is not stored anywhere on their servers whatsoever. It's encrypted at Yodlee.... something that's likely already happening in your life... considering how many financial firms use Yodlee:
You are saying Vanguard uses Yodlee? I know consolidators do, but you think Vanguard uses Yodlee?
"We are here to provoke thoughtfulness, not agree with you." Unknown Boglehead

yog
Posts: 50
Joined: Wed Jan 15, 2020 12:57 pm

Re: Do not use Personal Capital

Post by yog » Mon Aug 03, 2020 3:14 pm

bloom2708 wrote:
Mon Aug 03, 2020 3:10 pm
rascott wrote:
Mon Aug 03, 2020 2:53 pm

No it actually is not stored anywhere on their servers whatsoever. It's encrypted at Yodlee.... something that's likely already happening in your life... considering how many financial firms use Yodlee:
You are saying Vanguard uses Yodlee? I know consolidators do, but you think Vanguard uses Yodlee?
Check the FAQs

rascott
Posts: 2151
Joined: Wed Apr 15, 2015 10:53 am

Re: Do not use Personal Capital

Post by rascott » Mon Aug 03, 2020 3:18 pm

bloom2708 wrote:
Mon Aug 03, 2020 3:10 pm
rascott wrote:
Mon Aug 03, 2020 2:53 pm

No it actually is not stored anywhere on their servers whatsoever. It's encrypted at Yodlee.... something that's likely already happening in your life... considering how many financial firms use Yodlee:
You are saying Vanguard uses Yodlee? I know consolidators do, but you think Vanguard uses Yodlee?
No idea about Vanguard (guessing they do)... but many of the largest banks in the country use them to offer services to clients.

bloom2708
Posts: 7992
Joined: Wed Apr 02, 2014 2:08 pm
Location: Fargo, ND

Re: Do not use Personal Capital

Post by bloom2708 » Mon Aug 03, 2020 3:31 pm

Well. I trust/use Vanguard. I trust/use Personal Capital. Everyone does their own thing.
"We are here to provoke thoughtfulness, not agree with you." Unknown Boglehead

KyleAAA
Posts: 8423
Joined: Wed Jul 01, 2009 5:35 pm

Re: Do not use Personal Capital

Post by KyleAAA » Mon Aug 03, 2020 4:17 pm

rascott wrote:
Mon Aug 03, 2020 2:53 pm
bloom2708 wrote:
Mon Aug 03, 2020 2:46 pm
rascott wrote:
Mon Aug 03, 2020 2:41 pm
You're kidding right?

Why on earth would they even attempt to do such a thing? Defies common sense.

And no, they don't actually have your login info.... so couldn't if they wanted to, this has been discussed many times.

The probability is greater that Vanguard would sell all your securities and pocket your money. Literally.
Of course Vanguard has your login credentials. How would you log in if they didn't check them against what you enter?

It is likely encrypted and stored where not just any employee can get it, but they have it. It is on their servers.

I could give you my username/password to Personal Capital. Unless you can steal my cell phone, you can't get in to my account.
No it actually is not stored anywhere on their servers whatsoever. It's encrypted at Yodlee.... something that's likely already happening in your life... considering how many financial firms use Yodlee:

"When you enter your bank credentials into Personal Capital, they encrypt it with AES-256 with multi-layer key management, which includes rotating user-specific keys and salts. AES-256 is the Advanced Encryption Standard (AES) and is the gold standard as determined by NIST, the United States National Institute of Standards and Technology. 256 refers to the length of the key used and 256-bits is the longest. It is also the same encryption used by the US Government.
They never store your financial login credentials. That data is encrypted and stored at Envestnet Yodlee, a platform that powers a laundry list of financial services and wealth management tools and companies. Yodlee is periodically audited by the Office of the Comptroller of the Currency and their security processes are available here.

As for internal access controls, no one at Personal Capital has access to your credentials. Zero."

https://wallethacks.com/personal-capital-security-safe/

But forget the login stuff. Kyle implied that PC could possibly go in and make transactions in your account. Which makes no sense. Why would they do such a thing even if they could? (They can't). You can't actually get money out.

PC is owned by Empower.... one of the biggest 401k bookkeepers in the country. Using them for aggregation is no more (probably less) risky than logging into one's Vanguard account from their home PC.
I'm sure PC itself wouldn't do such a thing. Maybe somebody that works there might. It isn't necessary to guess why somebody might want to do such a thing to understand what might be possible, especially since criminals tend to be a creative lot. It isn't nearly as fool-proof as you are implying. I work in the industry and have seen first-hand how quickly the best-laid plans can go awry. It isn't reasonable to say nobody at Personal Capital has access to your credentials. You can say that nobody is SUPPOSED to have access. But sensitive pieces of data are logged errantly all the time, even in HIGHLY REGULATED environments. Safeguards fail for a variety of reasons. Nothing is absolute. Security isn't a policy or even a process, it's a culture. And no culture is perfect. You're making a lot of claims you can't substantiate. I would be willing to bet there have been multiple mistakes made at both PC and Yodlee throughout their history that just weren't exploited, so you haven't heard about them. Every single organization on the planet makes those mistakes occasionally. Even hyper-transparent companies don't report all or even most such instances.

The spiel about 256-bit encryption is a bit of a red herring. Sure, they are encrypted at rest but since they need the plain text credentials to actually authenticate to various platforms, a simple key management issue would expose them all. It isn't like most places where passwords are stored as a one-way hash that can't be decrypted.

Never mind the fact that by "they" I wasn't necessarily JUST referring to PC, but every entity in the dependency chain.
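
The distinction drawn in the post above between credentials encrypted at rest and passwords stored as a one-way hash, as an added example that is not part of the original thread and is not Personal Capital's or Yodlee's code. The class names and sample credentials are constructed, and an HMAC-SHA256 keystream stands in for AES-256 because the Python standard library ships no AES.

```python
import hashlib
import hmac
import os

# Constructed sample data, not real credentials.
SAMPLE_CREDS = {"alice": "correct horse battery", "bob": "hunter2-constructed"}

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Reversible cipher used as a stand-in for AES-256 (illustration only)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hmac.new(key, nonce + offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)

class AggregatorVault:
    """Hypothetical aggregator: it must replay the password, so storage is reversible."""
    def __init__(self):
        self.rows = {}
    def store(self, user, password, key):
        nonce = os.urandom(16)
        self.rows[user] = (nonce, keystream_xor(key, nonce, password.encode()))
    def recover(self, user, key):
        nonce, ciphertext = self.rows[user]
        return keystream_xor(key, nonce, ciphertext).decode(errors="replace")

class VerifierStore:
    """Hypothetical login verifier: it only checks guesses, so a salted hash suffices."""
    def __init__(self):
        self.rows = {}
    def _hash(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    def store(self, user, password):
        salt = os.urandom(16)
        self.rows[user] = (salt, self._hash(password, salt))
    def verify(self, user, password):
        salt, digest = self.rows[user]
        return hmac.compare_digest(self._hash(password, salt), digest)

def demo():
    key = os.urandom(32)  # the single secret that key management has to protect
    vault, verifier = AggregatorVault(), VerifierStore()
    for user, password in SAMPLE_CREDS.items():
        vault.store(user, password, key)
        verifier.store(user, password)
    # Whoever holds the key and the rows gets every plaintext password back.
    recovered = {user: vault.recover(user, key) for user in SAMPLE_CREDS}
    return recovered, verifier
```

The verifier's rows hold only a salt and a digest, so there is no key whose exposure returns the passwords; the vault's protection is exactly as strong as the handling of its key.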

sschoe2
Posts: 502
Joined: Fri Feb 24, 2017 4:42 pm

Re: Do not use Personal Capital

Post by sschoe2 » Tue Aug 04, 2020 9:58 am

KyleAAA wrote:
Mon Aug 03, 2020 12:59 pm
sschoe2 wrote:
Mon Aug 03, 2020 9:19 am
I've been using PC for about 2-3 years. I too was annoyed by sales calls in the beginning but haven't received any in years. I find the tool very useful. I am under no delusion that they are collecting data. Everyone is collecting data, Google, Facebook, Twitter, the credit reporting agencies, the grocery store with "loyalty" cards. I think PC is reasonably secure at least as much as anything else especially with 2FA and read only access. Considering even Garmin got taken for a ransomware attack last week I am not sure anything is totally secure anymore.
I solved this problem by simply not answering numbers I'm not familiar with. Do people still answer calls from unknown numbers in 2020? I'm not so sure PC only has read-only access. For Vanguard, for example, they have your login credentials. Why couldn't they use those creds to make transactions? What's stopping them other than the fact that they promise not to?
If you don't answer PC will keep calling. If you tell them to bugger off a few times they will stop.

KyleAAA
Posts: 8423
Joined: Wed Jul 01, 2009 5:35 pm
Contact:

Re: Do not use Personal Capital

Post by KyleAAA » Tue Aug 04, 2020 10:31 am

sschoe2 wrote:
Tue Aug 04, 2020 9:58 am
KyleAAA wrote:
Mon Aug 03, 2020 12:59 pm
sschoe2 wrote:
Mon Aug 03, 2020 9:19 am
I've been using PC for about 2-3 years. I too was annoyed by sales calls in the beginning but haven't received any in years. I find the tool very useful. I am under no delusion that they are collecting data. Everyone is collecting data, Google, Facebook, Twitter, the credit reporting agencies, the grocery store with "loyalty" cards. I think PC is reasonably secure at least as much as anything else especially with 2FA and read only access. Considering even Garmin got taken for a ransomware attack last week I am not sure anything is totally secure anymore.
I solved this problem by simply not answering numbers I'm not familiar with. Do people still answer calls from unknown numbers in 2020? I'm not so sure PC only has read-only access. For Vanguard, for example, they have your login credentials. Why couldn't they use those creds to make transactions? What's stopping them other than the fact that they promise not to?
If you don't answer PC will keep calling. If you tell them to bugger off a few times they will stop.
I don't answer the next time they call, either. It isn't even a slight annoyance.

Mr.BB
Posts: 1279
Joined: Sun May 08, 2016 10:10 am

Re: Do not use Personal Capital

Post by Mr.BB » Tue Aug 04, 2020 11:22 am

I used PC for a couple of years and just recently deleted my account. I realized that it was pretty much just a duplicate of what Morningstar X-ray gave me, just a little more graphically enhanced, just looking at the same info.
"We are what we repeatedly do. Excellence, then, is not an act, but a habit."
