The Infinite Kind Blog

The Infinite Kind Blog

Online Banking Privacy and Security

Here at The Infinite Kind we respect your privacy. Most financial software these days “phones home” to report information about yourself or your environment. Many apps even upload your online banking log-in information to their, or a third party’s, servers.

I’d like to clarify something straight away: Moneydance never sends any financial information, statistics, or online banking credentials to any service other than your own financial institution. Your financial data and online banking passwords are only stored encrypted on your computer. If you have enabled syncing, your financial data, but not your online banking passwords, are encrypted before being uploaded, only to the syncing system that you use. Your information is never accessible to anyone unless you copy it and explicitly share it yourself.

This may sound like common sense, but it’s actually unusual. The current trend is personal finance tools that require the sharing of your private financial information with advertisers, unrelated financial services, or simply third party aggregation services. We can assure you that Moneydance will never require such sharing to work. We fiercely believe that your financial information should be secure and only accessible to yourself, your financial institution, and anyone with whom you explicitly choose to share it.

Backstory

Back in the old days (well, the late 90s and 2000s) the predominant method of downloading transactions from a bank via OFX Direct Connect. I’m proud to say that Moneydance was the first indie app to support online banking and bill payment via OFX, and is still one of only a handful that support it.

Open Financial Exchange (OFX) is a standard protocol supported by many banks in the USA. It allows installed apps, such as Moneydance or Quicken, to talk directly to the bank’s servers, download transactions, and manage bill payments. OFX also provides a mechanism for online bill payment: managing payees and creating, modifying or canceling payments.

Some banks provided a more lightweight system in which a desktop app opened an embedded web browser through which you logged into your bank’s web site and downloaded an OFX-formatted file with transaction data. That downloaded data was then intercepted and processed by the app.

The key point is that your passwords were stored locally on your computer and sent only to the bank when a download was requested. There was no middle man and your login credentials stayed private to you and your bank.

Modern Online Banking

Not all banks support direct OFX connections, and some are dropping support for it. In fact, many banks intentionally make it harder for customers to access their data in any way that is readable by software. As a result, companies such as Yodlee have appeared. They thrive on accessing and aggregating financial data and translating it into a software-readable form. They upload and store the user’s online banking credentials and connect to banks by pretending to be the customer, often using a simulated browser. Mint.com was one of their most famous early customers. Mint was subsequently purchased by Intuit, the makers of Quicken. Soon after, both Mint and Quicken were converted to use Express Web Connect, which was Intuit’s version of Yodlee’s service.

These services frequently pretend to be a human sitting at a web browser, logging in to each bank’s web site. They extract the transaction data from the web site or download it directly to their servers where it is aggregated and available to download the next time you connect.

The Problem

These third party services admittedly are convenient; however, there is a huge weakness: you must give them your online banking password, to be stored on their servers. That last statement will set off alarm bells for anyone experienced with online security. Web sites – even the ones to which you login directly – should not be storing your passwords. This is why services with reputable user account systems (Google, Facebook, Twitter, most banks, etc) can never send you your password if you forget: they simply don’t have it. Properly secured services will only store a hash of your password on the server side, not the password itself. I’m confident that third party financial aggregation services such as Intuit’s Express Web Connect and Yodlee encrypt users’ passwords and take security seriously; however, the fact remains that they must possess those passwords in order for their system to work.

I believe there are three main problems here:
Lack of privacy with too many people having access to your financial information
Potential security problem with third party services holding on to your online banking credentials
The fact that customers are often completely unaware of the existence of these third party services and the information they have

Conclusion

Wouldn’t you feel better knowing that the only people who have your bank login details and knowledge of your financial transactions are you and your bank?

Moneydance does not upload your online banking passwords to any service aside from your financial institution. All of your financial information is stored encrypted on your own computer and never shared with any other party services. We mind our own business so you can mind yours.