Do not use Personal Capital

JBTX
Posts: 7099
Joined: Wed Jul 26, 2017 12:46 pm

Re: Do not use Personal Capital

Post by JBTX »

seawolf21 wrote: Sun Jul 19, 2020 9:42 am I see a lot of responses on technical security but haven’t seen one mentioned on security of being able to monitor all accounts easily on a weekly/daily basis. The ability to easily detect signs of unauthorized transactions earlier is better than an individual who ends up checking their balances once a month which could have been weeks after the fraudulent transaction already took place.
We have multiple credit cards because we pursue bonuses and try to optimize cash back. Just 2 days ago when updating Quicken I saw 3 transactions for $100 each on DW's credit card account in unusual places. Happened about a week ago. This has happened in the past. Usually catch them before that. Otherwise I'd be having to log in to multiple web sites to check. Usually alerts will help but I get so many sometimes stuff falls through the cracks.
abuss368
Posts: 22062
Joined: Mon Aug 03, 2009 2:33 pm
Location: Where the water is warm, the drinks are cold, and I don't know the names of the players!

Re: Do not use Personal Capital

Post by abuss368 »

generallyspeaking wrote: Mon Apr 15, 2019 8:23 pm I know many in this community use Personal Capital to manage their finances, particularly investment income.

I used the free tool for the past year and found it really beneficial to see things like my market allocation. However, I went on one of their complimentary wealth management calls and realized that without me giving explicit permission the Personal Capital Wealth Advisor had complete and unrestricted access to my account.

I immediately deleted my account and am not going to use them going forward.

Am I being paranoid?
That is interesting and thank you for sharing. I have considered them over the years and glad you shared this. Honestly we used to use Quicken for over a decade. Over 12 years ago we stopped using Quicken cold and never had a need again. Did not miss the time commitment.
John C. Bogle: “Simplicity is the master key to financial success."
hnd
Posts: 231
Joined: Mon Jun 22, 2020 11:43 am

Re: Do not use Personal Capital

Post by hnd »

i have to believe it's been mentioned but every bank and investment company you give money to has access to all of your accounts on their platform. even the lowly fresh out of college teller kid.

i guess i'm not sure what the OP was expecting when you aggregate all that info into a single platform. of course they'll have access to it.
Coltrane75
Posts: 209
Joined: Wed Feb 06, 2019 2:32 pm

Re: Do not use Personal Capital

Post by Coltrane75 »

You're not being paranoid. Companies like them, Mint and other "free" software aren't free. The product is your financial information and the consumer is 3rd parties that use that information for their own ends.

I just download transaction information manually into a spreadsheet on my desktop; I avoid online services. I don't put much value in the features they may offer; graphics, detailed breakdowns, etc. I consider those bait and not useful to me.
cheerfulcharlie
Posts: 18
Joined: Sat Jul 27, 2019 3:22 pm

Re: Do not use Personal Capital

Post by cheerfulcharlie »

birdog wrote: Sun Aug 02, 2020 10:09 am You could go to settings at PC and change the phone number on your profile to a number other than yours. That's what I did. No more phone calls.
I would not recommend this for anyone who travels. If you travel out of the country, then Personal Capital requires a phone validation (can't remember if it was text code or a phone call that spoke a code to me but I remember running into this problem). If you have the wrong phone number in your profile, then you won't be able to validate your account for login when out of the country.

I only know this because I tried this once, but had to relent and restore my correct phone number in my profile.

I am usually successful at avoiding their calls. For those times I accidentally get them on the line, I just yell into the phone, "NO ENGRISH!!! NO ENGRISH!!! NO ENGRISH!!!"
econprof
Posts: 35
Joined: Mon Jul 13, 2020 12:26 pm

Re: Do not use Personal Capital

Post by econprof »

In this thread: boomers who don’t know how oauth works.

Short explanation:
- Personal capital does not store your passwords.

- When you log in, it generates a read-only authentication token that allows it to pull data from the bank API.

- Personal Capital cannot log into or change your bank balances or make trades on your behalf.

- Personal Capital CAN see your account data. Of course they can, they show it to you.

- Personal Capital makes money by selling people investment services. Guess what? So do Vanguard, Fidelity, etc. If you don’t want those services, politely say no.

- Your CURRENT way of logging into your bank— which for most people is typing their password into a browser — is less secure. Doubly so if (1) you do so over an unsecured network or on your phone, (2) you reuse that password on other sites, or (3) you write that password on a sticky note/in a notebook at your desk.

These gripes are ridiculous and betray a serious lack of understanding of computer security by the posters.
Lastrun
Posts: 331
Joined: Wed May 03, 2017 6:46 pm

Re: Do not use Personal Capital

Post by Lastrun »

econprof wrote: Wed Sep 09, 2020 6:58 am

Short explanation:
- Personal capital does not store your passwords.
I appreciate your post, and yes some of the paranoia here is unfounded.

Sorry if this is a stupid question to your statement above.

If they don't store my login credentials "somewhere" how do they pull the data?

Stated differently, my login credentials must now be "somewhere else", in addition to say Vanguard, Fidelity or my bank.
hnd
Posts: 231
Joined: Mon Jun 22, 2020 11:43 am

Re: Do not use Personal Capital

Post by hnd »

if you've ever created an account with something using a gmail account. This is the same type of technology. Basically you log into your account, and vanguard, your bank, etc, and tell that system it can send info (not password info) to some application. The bank/VG site then sends that application a token. Then that application sends that token to vanguard or the bank saying i'm authorized. and gets information that you've allowed it to access.

Image
corp_sharecropper
Posts: 333
Joined: Thu Nov 07, 2013 2:36 pm

Re: Do not use Personal Capital

Post by corp_sharecropper »

econprof wrote: Wed Sep 09, 2020 6:58 am In this thread: boomers who don’t know how oauth works.

Short explanation:
- Personal capital does not store your passwords.

- When you log in, it generates a read-only authentication token that allows it to pull data from the bank API.

- Personal Capital cannot log into or change your bank balances or make trades on your behalf.

- Personal Capital CAN see your account data. Of course they can, they show it to you.

- Personal Capital makes money by selling people investment services. Guess what? So do Vanguard, Fidelity, etc. If you don’t want those services, politely say no.

- Your CURRENT way of logging into your bank— which for most people is typing their password into a browser — is less secure. Doubly so if (1) you do so over an unsecured network or on your phone, (2) you reuse that password on other sites, or (3) you write that password on a sticky note/in a notebook at your desk.

These gripes are ridiculous and betray a serious lack of understanding of computer security by the posters.
Well, you're not actually 100% right. Many aggregators, Personal Capital included, will use screen scraping for financial institutions that don't have an API or where the terms/cost of API access is prohibitive. In which case they absolutely do log in to the client portal using the credentials you provide them (why do you think some accounts require your security questions, the same as when you log in from a new computer? that wouldn't be necessary if it were a dedicated 3rd party read-only solution) and then their program literally navigates and reads the account information, whether through the page HTML or even the equivalent of interpreting a screen grab image. This is a known practice by many of the name-brand aggregators. I have an article about exactly this that was published less than a year ago, I will try to find it (might be difficult, we'll see).

That said, I do use PerCap, I find it incredibly useful and informative, and I feel comfortable with the risks involved. I believe it is in their business' best interest to vigilantly protect their customers and safeguard their accounts/credentials. That said, the problem with the status quo (need to scrape client portal screens, client credentials, and thus the same read/write access as a client) is that among institutions/banks/aggregators, they have little incentive to make it easy to safely share read only data with their competitors vs locking the data up for themselves. A proper implementation would be an aggregator/3rd party/read-only portal and allow the customer to grant/revoke access from the client portal at each bank/broker/etc.


ETA: Here, An article about screen scraping brokerages from May 2020: Tired of having their screens scraped, Schwab and Fidelity launch API initiatives to curtail the practice -- rewarding some, but not all scrapers with cleaner data
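
Added example, not part of any post and not Personal Capital's or any bank's code: a constructed toy bank contrasting the two access models argued over in this thread, a scoped, revocable token versus stored credentials replayed against the customer portal. All class, scope, client and account names are assumptions made for illustration.

```python
import secrets

class Bank:
    """Constructed toy bank with a customer portal and a token API (names hypothetical)."""

    def __init__(self):
        self._passwords = {"alice": "correct horse"}   # constructed sample data
        self._balances = {"alice": 1200}
        self._codes = {}    # single-use authorization code -> (user, client, scopes)
        self._tokens = {}   # access token -> (user, client, scopes)

    def _login(self, user, password):
        expected = self._passwords.get(user)
        if expected is None or not secrets.compare_digest(expected.encode(), password.encode()):
            raise PermissionError("bad credentials")

    def _do(self, user, action, amount):
        if action == "transfer":
            self._balances[user] -= amount
        return self._balances[user]

    # Customer portal: whoever holds the password has the customer's full rights.
    def portal(self, user, password, action, amount=0):
        self._login(user, password)
        return self._do(user, action, amount)

    # Step 1: the customer logs in at the bank itself and approves a client and scopes.
    def authorize(self, user, password, client, scopes):
        self._login(user, password)
        code = secrets.token_urlsafe(16)
        self._codes[code] = (user, client, frozenset(scopes))
        return code

    # Step 2: the client trades the single-use code for an access token.
    def exchange_code(self, code, client):
        grant = self._codes.pop(code, None)
        if grant is None or grant[1] != client:
            raise PermissionError("unknown code or wrong client")
        token = secrets.token_urlsafe(32)
        self._tokens[token] = grant
        return token

    # Step 3: every API call is checked against the scopes bound to the token.
    def api(self, token, action, amount=0):
        grant = self._tokens.get(token)
        if grant is None:
            raise PermissionError("invalid or revoked token")
        user, _client, scopes = grant
        needed = {"balance": "accounts:read", "transfer": "payments:write"}[action]
        if needed not in scopes:
            raise PermissionError("token lacks scope " + needed)
        return self._do(user, action, amount)

    # The customer withdraws one client's access without changing the password.
    def revoke(self, user, client):
        self._tokens = {t: g for t, g in self._tokens.items() if g[:2] != (user, client)}

def attempt(call, *args):
    try:
        return call(*args)
    except PermissionError:
        return "denied"

def token_flow():
    bank = Bank()
    code = bank.authorize("alice", "correct horse", "aggregator", {"accounts:read"})
    token = bank.exchange_code(code, "aggregator")   # the aggregator never sees the password
    result = {"balance": attempt(bank.api, token, "balance"),
              "transfer": attempt(bank.api, token, "transfer", 100)}
    bank.revoke("alice", "aggregator")
    result["after_revoke"] = attempt(bank.api, token, "balance")
    return result

def scraping_flow():
    bank = Bank()
    stored = ("alice", "correct horse")   # the aggregator must keep this to log in again
    return {"balance": attempt(bank.portal, *stored, "balance"),
            "transfer": attempt(bank.portal, *stored, "transfer", 100)}
```

In the token flow the read succeeds, the transfer is refused, and access ends at revocation; in the scraping flow the same stored credentials that read the balance can also move money, and the only way to cut access is to change the password.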
Lastrun
Posts: 331
Joined: Wed May 03, 2017 6:46 pm

Re: Do not use Personal Capital

Post by Lastrun »

hnd wrote: Wed Sep 09, 2020 11:42 am if you've ever created an account with something using a gmail account. This is the same type of technology. Basically you log into your account, and vanguard, your bank, etc, and tell that system it can send info (not password info) to some application. The bank/VG site then sends that application a token. Then that application sends that token to vanguard or the bank saying i'm authorized. and gets information that you've allowed it to access.
OK, this is helpful but still confusing to me. Two points:

First, my recollection is--it has been several years--that I did indeed give Personal Capital my log in credentials to my bank, credit cards, etc.

Second, I did not tell Chase, for example, to send a token to Personal Capital for a request for my credit card information.

The way the flow chart looks to me is that in this system I instruct the "client" (Personal Capital) to send a request to Chase (Resource Owner), and then I tell Chase it is OK to share information with Personal Capital, then the token system takes over.

But I do not recall it working in this way, and this also assumes that I understand the chart.
hnd
Posts: 231
Joined: Mon Jun 22, 2020 11:43 am

Re: Do not use Personal Capital

Post by hnd »

Lastrun wrote: Wed Sep 09, 2020 12:40 pm
hnd wrote: Wed Sep 09, 2020 11:42 am if you've ever created an account with something using a gmail account. This is the same type of technology. Basically you log into your account, and vanguard, your bank, etc, and tell that system it can send info (not password info) to some application. The bank/VG site then sends that application a token. Then that application sends that token to vanguard or the bank saying i'm authorized. and gets information that you've allowed it to access.
OK, this is helpful but still confusing to me. Two points:

First, my recollection is--it has been several years--that I did indeed give Personal Capital my log in credentials to my bank, credit cards, etc.

Second, I did not tell Chase, for example, to send a token to Personal Capital for a request for my credit card information.

The way the flow chart looks to me is that in this system I instruct the "client" (Personal Capital) to send a request to Chase (Resource Owner), and then I tell Chase it is OK to share information with Personal Capital, then the token system takes over.

But I do not recall it working in this way, and this also assumes that I understand the chart.
when i log onto personal capital, when i add a bank, i'm logging into that bank and only that bank at that logon screen. But the link i'm using to login has an oauth script that can't see the password but is basically asking for a token. by logging in with this method you are telling Chase or whatever other bank that it's ok to send this application certain information. That establishes that token. the token that will fetch your data.

in the google example. many sites will have sign in using google/facebook. when you click that button instead of filling out all the other info, Google is basically interceding as the registrar and as long as you have a Google account that is valid, that's good enough for that application or website. in turn you agree to allow that site/application to utilize some of the info in your google account (asks things like can use your contacts list, photos, etc etc). In google settings you can review what you've allowed an application access to.
000
Posts: 3261
Joined: Thu Jul 23, 2020 12:04 am

Re: Do not use Personal Capital

Post by 000 »

econprof wrote: Wed Sep 09, 2020 6:58 am - Personal capital does not store your passwords.
- When you log in, it generates a read-only authentication token that allows it to pull data from the bank API.
Wrong, wrong, wrong.

Either Personal Capital or a subcontractor has your password as not all financial institutions have such an API.

Your password is used to login and then the web page is scraped.

This has been discussed upthread.

And no, I am not a boomer.
Godot
Posts: 450
Joined: Fri Jun 08, 2018 3:44 pm
Location: Little Beirut

Re: Do not use Personal Capital

Post by Godot »

econprof wrote: Wed Sep 09, 2020 6:58 am In this thread: boomers who don’t know how oauth works.

Short explanation:
- Personal capital does not store your passwords.

- When you log in, it generates a read-only authentication token that allows it to pull data from the bank API.

- Personal Capital cannot log into or change your bank balances or make trades on your behalf.

- Personal Capital CAN see your account data. Of course they can, they show it to you.

- Personal Capital makes money by selling people investment services. Guess what? So do Vanguard, Fidelity, etc. If you don’t want those services, politely say no.

- Your CURRENT way of logging into your bank— which for most people is typing their password into a browser — is less secure. Doubly so if (1) you do so over an unsecured network or on your phone, (2) you reuse that password on other sites, or (3) you write that password on a sticky note/in a notebook at your desk.

These gripes are ridiculous and betray a serious lack of understanding of computer security by the posters.
Why single out Boomers? Stereotype much?
Estragon: I can't go on like this. | Vladimir: That's what you think. | ― Samuel Beckett, Waiting for Godot
willthrill81
Posts: 21369
Joined: Thu Jan 26, 2017 3:17 pm
Location: USA

Re: Do not use Personal Capital

Post by willthrill81 »

econprof wrote: Wed Sep 09, 2020 6:58 am In this thread: boomers who don’t know how oauth works.
Millennial here, and I no longer trust any data aggregators.
“It's a dangerous business, Frodo, going out your door. You step onto the road, and if you don't keep your feet, there's no knowing where you might be swept off to.” J.R.R. Tolkien, The Lord of the Rings
bling
Posts: 634
Joined: Sat Jan 21, 2012 12:49 pm

Re: Do not use Personal Capital

Post by bling »

ever wonder why from time to time it will ask you to log onto a website? right, because there's some new disclaimer you need to accept or some security questions you need to fill out and the scraper is confused.

it's obvious that PC stores your actual username/password. they also likely employ all of the best practices for security, like encryption in flight and at rest, restricted/zero access to servers, firewalls, and all that jazz to protect your data. whether that's safer or not than you logging into your bank account on a free starbucks wifi is for you to decide. convenience is always at odds with security.

i personally use both connected and manual accounts:
  • connected for my credit cards because that's where aggregators are actually useful, breaking down your spending into categories.
  • manual for investments because i will make at most 2 trades a month, because that's how often i get paid. it takes me all of 10 seconds to update my holdings.
Vihoo
Posts: 64
Joined: Wed Jun 05, 2019 11:48 pm

Re: Do not use Personal Capital

Post by Vihoo »

I'll probably stop using it eventually.

Want to see my net worth hit 7 figures on there before I do... 8-)
checkyourmath
Posts: 74
Joined: Wed Nov 18, 2020 12:46 pm

Re: Do not use Personal Capital

Post by checkyourmath »

I stopped using Personal Capital about a year ago when I went all cash. I think for the average bogleheader on here you would be absolutely crazy not to use it. Knowledge is power! In two seconds you should be able to tell me your fees paid annually and your asset allocation. ETFs crosslist so many different categories that make tracking AA ever more complicated. I also like some of the modeling tools. Facebook can go pound sand with my data but I will give PC all the data they want for the tools they provide. If you don't feel comfortable with PC you probably should take a pass on using Uncle Google too.
sleepysurf
Posts: 419
Joined: Sat Nov 23, 2013 6:59 am
Location: Florida

Re: Do not use Personal Capital

Post by sleepysurf »

I've previously been a satisfied user of their free tools, but the platform has had many more glitches since Empower acquired them. For example, they haven't been able to update one of our banks or Vanguard holdings the past few days, and their asset allocation tool has been a bit wonky. I can't tell if the problem lies at Yodlee/Envestnet, or Empower. In the meantime, I'm updating my Quicken data, and starting to play around again with a custom spreadsheet.
Retired 2018 | ~50/45/5 (partially sliced and diced)
cheerfulcharlie
Posts: 18
Joined: Sat Jul 27, 2019 3:22 pm

Re: Do not use Personal Capital

Post by cheerfulcharlie »

sleepysurf wrote: Sat Nov 21, 2020 6:55 pm I've previously been a satisfied user of their free tools, but the platform has had many more glitches since Empower acquired them.
In the last 2 months, Personal Capital has "lost" a ton of my charges on two of my primary spending accounts (a credit card and a checking account). So, now, all my valuable spending history is lost. My accounts are all refreshing and downloading current data, but there are months with huge holes where dozens and dozens of charges all mysteriously disappeared. Very disappointing.

So, now, I no longer use Personal Capital for tracking spending expenses. I just use it for net worth tracking and quick investment allocation estimates.

For spending tracking, I reluctantly pay Quicken now. With Quicken, all the data gets backed up on my computer and in the cloud, so I don't risk losing any of my spending history. I hate to pay for this, but Personal Capital absolutely can't be trusted to reliably store historical data. And, if I ever want to switch from Quicken to someone else, most of the other service providers will accept the Quicken QIF files and import all of the data, so I suppose if I ever find a better service, I can always easily switch.
Hebell
Posts: 19
Joined: Wed Aug 12, 2020 1:56 am
Location: Boca Raton, FL

Re: Do not use Personal Capital

Post by Hebell »

While I don't use Personal Capital and can not speak of their computer security, it is certainly possible to compare if two passwords match without seeing the password.

You can take a one-way hash of a password (on the browser side) and pass that gobbledygook of characters to Personal Capital.
You cannot recover the real password from the hash.
Likewise the bank can pass the one-way hash of your password back to Personal Capital.

If the gobbledygook matches, then you've authenticated your password, and Personal Capital never saw the password, and never received it - or gave it to - the bank.
You can build upon this simple illustration, as banks do, to give read-only access.

Encryption is a lovely thing.
KyleAAA
Posts: 8633
Joined: Wed Jul 01, 2009 5:35 pm

Re: Do not use Personal Capital

Post by KyleAAA »

econprof wrote: Wed Sep 09, 2020 6:58 am In this thread: boomers who don’t know how oauth works.

Short explanation:
- Personal capital does not store your passwords.

- When you log in, it generates a read-only authentication token that allows it to pull data from the bank API.

- Personal Capital cannot log into or change your bank balances or make trades on your behalf.

- Personal Capital CAN see your account data. Of course they can, they show it to you.

- Personal Capital makes money by selling people investment services. Guess what? So do Vanguard, Fidelity, etc. If you don’t want those services, politely say no.

- Your CURRENT way of logging into your bank— which for most people is typing their password into a browser — is less secure. Doubly so if (1) you do so over an unsecured network or on your phone, (2) you reuse that password on other sites, or (3) you write that password on a sticky note/in a notebook at your desk.

These gripes are ridiculous and betray a serious lack of understanding of computer security by the posters.
I doubt all of the banks PC integrates with use oauth2. Certainly they don't use 3 legged oauth, so they are handling passwords. Whether or not they store it shouldn't give you much additional confidence. In some cases, they probably do store your password to integrate with particularly IT-challenged banks. I don't know what percentage of financial institutions are scraped but I bet it's double digits.
Explorer
Posts: 519
Joined: Thu Oct 13, 2016 7:54 pm

Re: Do not use Personal Capital

Post by Explorer »

KyleAAA wrote: Sat Nov 21, 2020 9:09 pm
econprof wrote: Wed Sep 09, 2020 6:58 am In this thread: boomers who don’t know how oauth works.

Short explanation:
- Personal capital does not store your passwords.

- When you log in, it generates a read-only authentication token that allows it to pull data from the bank API.

- Personal Capital cannot log into or change your bank balances or make trades on your behalf.

- Personal Capital CAN see your account data. Of course they can, they show it to you.

- Personal Capital makes money by selling people investment services. Guess what? So do Vanguard, Fidelity, etc. If you don’t want those services, politely say no.

- Your CURRENT way of logging into your bank— which for most people is typing their password into a browser — is less secure. Doubly so if (1) you do so over an unsecured network or on your phone, (2) you reuse that password on other sites, or (3) you write that password on a sticky note/in a notebook at your desk.

These gripes are ridiculous and betray a serious lack of understanding of computer security by the posters.
I doubt all of the banks PC integrates with use oauth2. Certainly they don't use 3 legged oauth, so they are handling passwords. Whether or not they store it shouldn't give you much additional confidence. In some cases, they probably do store your password to integrate with particularly IT-challenged banks. I don't know what percentage of financial institutions are scraped but I bet it's double digits.
I purposely do not include bank logins in PC. I manually enter the balances. With brokerages, I feel a bit better since it is harder to move money out to a *new* destination.
JS-Elcano
Posts: 136
Joined: Wed Jun 10, 2020 7:29 pm

Re: Do not use Personal Capital

Post by JS-Elcano »

Coltrane75 wrote: Tue Sep 08, 2020 9:06 am You're not being paranoid. Companies like them, Mint and other "free" software aren't free. The product is your financial information and the consumer is 3rd parties that use that information for their own ends.

I just download transaction information manually into a spreadsheet on my desktop; I avoid online services. I don't put much value in the features they may offer; graphics, detailed breakdowns, etc. I consider those bait and not useful to me.
+1

I have tried a few of these services, including PC and Mint. Any benefit completely escapes me. After a few weeks of using them I stopped. I see no benefit whatsoever.

I, too, have a spreadsheet that I use regularly to collect snapshots of my financial picture. Setting it up took me a while but manually entering the information monthly, yearly (depending on what it is) is no big deal. In fact, I enjoy it. My Excel workbook has many sheets and I complete them as they were designed: biweekly, monthly, year-end. Then I just copy the workbook to start the new year. I have one of these for every year for the past 20 years, almost.

I love numbers :D