Moneydance+ security question


phil23

07 Dec, 2021 03:42 PM

I'm considering subscribing to Moneydance+. I completely understand why IK has been somewhat reluctantly forced to offer the service - that's just the way the financial world is moving at the moment. However, I'm still trying to understand the communication path between Plaid's servers and bank "X" (non-specific example name).

The way I understand the architecture is that no matter how secure the MD servers are and the user-to-MD-server communications are, ultimately the Plaid server must log in to bank "X" using clear-text credentials and perform a screen-scrape? The Plaid website is not descriptive on this small but important point.

If I'm correct, it implies that Plaid is storing my bank "X" password - hopefully encrypted - but nonetheless storing it! Not just *one* bank password, but *every* password for any MD account signed up with Moneydance+. Seems a lot like the old deal with Quicken to me. If any hacker infiltrates Plaid, they'll have the "keys to the kingdom" of every user's financial account.

I'm in the US, BTW.

Am I missing anything here??

Thanks in advance.

  1. Posted by dwg on 07 Dec, 2021 07:51 PM

    It depends on the bank and the bank's system, is the simple answer.

    If a bank only offers OFX or downloads, or screen scraping must be used, then indeed Plaid would have to log on to retrieve your data.

    It then is your call whether to use Moneydance+, use direct OFX if available, or download and import transactions yourself. It is a question of whether you want convenience or security. It seems many just want convenience.

    If the bank is, however, using something like FDX, then they do not have your username/password. How this works is that you log on to your bank via Plaid and an access token is specifically granted to Plaid by you using this process - a token that can be revoked at any time. Thus Plaid uses this security token to retrieve the transaction information.

  2. Support Staff: Posted by Maddy on 08 Dec, 2021 02:55 PM

    Hi Phil,
    Thank you for contacting Moneydance support.

    According to Sean - the lead developer, "using an aggregator does have privacy implications in that customer transaction data (descriptions, amounts, and sometimes additional metadata) goes through the aggregators' servers. On the other hand, the security is often much better than with OFX in that for many banks you will authenticate directly with the bank, including using 2-factor authentication. The aggregators and Moneydance are granted a token that provides access for a certain period of time. In those cases neither Moneydance nor the aggregator will have your password and often not even your username. For connections through Plaid, even Moneydance has no idea of your name, password, or other login credentials.

    We chose Plaid specifically for their better privacy policy regarding end-user data. They do not share or distribute your data in any way according to the people we've talked to there as well as their privacy policy which you can find here: https://plaid.com/legal/#end-user-privacy-policy

    I will reiterate that we will never force anyone to use the aggregation. We will never require a subscription to use Moneydance and the current direct OFX connections. We will continue to look for and implement more direct ways to connect to banks while preserving your privacy."

    I hope this information is helpful. Please let us know if you have further questions or need more assistance.

    --
    Maddy, Infinite Kind Support
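The two replies above describe two different aggregator architectures: one where the aggregator must hold the user's bank password and log in as the user (required for screen scraping), and one where the user authenticates with the bank directly and the bank hands the aggregator a scoped, time-limited token that the user can revoke. The following toy simulation is an added example written for this page; it is not Moneydance's, Plaid's or any bank's code, it does not implement FDX or OAuth wire formats, and every class name, scope string and sample transaction in it is constructed for illustration. It shows what the aggregator ends up storing in each model and how scope, expiry and revocation limit the damage if that store is compromised.

```python
"""Toy comparison of credential-storage vs. token-grant aggregation.
Added example, not code from Moneydance, Plaid or any bank; all names are
hypothetical and the bank is an in-memory stand-in."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed sample data: one user at "bank X" with two transactions.
USERNAME, PASSWORD = "phil", "correct horse battery staple"
TRANSACTIONS = [("2021-12-01", -42.17, "GROCERY"), ("2021-12-03", 1500.00, "PAYROLL")]


@dataclass
class Grant:
    aggregator: str
    scopes: frozenset
    expires_at: int        # seconds on a caller-supplied clock (keeps the demo deterministic)
    revoked: bool = False


class Bank:
    """Hypothetical bank: salted password hash plus a register of issued grants."""

    def __init__(self):
        self._salt = secrets.token_bytes(16)
        self._pw_hash = self._hash(PASSWORD)
        self._grants: dict[str, Grant] = {}

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def _authenticate(self, username: str, password: str) -> None:
        if username != USERNAME or not hmac.compare_digest(self._hash(password), self._pw_hash):
            raise PermissionError("bad credentials")

    # Model 1: whoever presents the password is indistinguishable from the user.
    def login_as_user(self, username, password):
        self._authenticate(username, password)
        return {"transactions": list(TRANSACTIONS), "can_transfer": True}

    # Model 2: the user logs in here, at the bank, and approves a limited grant.
    def authorize(self, username, password, aggregator, scopes, now, ttl):
        self._authenticate(username, password)
        token = secrets.token_urlsafe(32)               # opaque; not derived from the password
        self._grants[token] = Grant(aggregator, frozenset(scopes), now + ttl)
        return token

    def read(self, token, scope, now):
        g = self._grants.get(token)
        if g is None or g.revoked or now >= g.expires_at:
            raise PermissionError("token unknown, revoked or expired")
        if scope not in g.scopes:
            raise PermissionError(f"scope {scope!r} not granted")
        return list(TRANSACTIONS)                       # only transactions:read exists here

    def revoke(self, token):
        self._grants[token].revoked = True


def credential_model():
    """Aggregator keeps the password and logs in as the user (screen-scrape style)."""
    bank, agg_vault = Bank(), {"bankX": (USERNAME, PASSWORD)}   # the 'keys to the kingdom'
    data = bank.login_as_user(*agg_vault["bankX"])
    return {"aggregator_has_password": PASSWORD in agg_vault["bankX"],
            "aggregator_can_transfer": data["can_transfer"],
            "rows": len(data["transactions"])}


def token_model():
    """Password goes only to the bank; aggregator stores a scoped, expiring, revocable token."""
    bank, now = Bank(), 1_000_000
    token = bank.authorize(USERNAME, PASSWORD, "aggregator", {"transactions:read"}, now, ttl=3600)
    agg_vault = {"bankX": token}                        # the aggregator never saw PASSWORD
    result = {"aggregator_has_password": PASSWORD in agg_vault.values(),
              "rows": len(bank.read(token, "transactions:read", now))}

    def blocked(scope, at):                             # True if the bank refuses the read
        try:
            bank.read(token, scope, at)
            return False
        except PermissionError:
            return True

    result["transfer_blocked"] = blocked("transfers:write", now)        # outside granted scope
    result["expired_blocked"] = blocked("transactions:read", now + 3601)  # past the TTL
    bank.revoke(token)                                                   # user pulls the grant
    result["revoked_blocked"] = blocked("transactions:read", now + 10)
    return result


if __name__ == "__main__":
    print("credential model:", credential_model())
    print("token model:     ", token_model())
```

The contrast is the point of dwg's and Sean's remarks: in the first model a breach of the aggregator's vault yields a reusable password with the user's full authority, while in the second it yields a token the bank can refuse on scope, on expiry, or the moment the user revokes it, and no password at all. Real FDX/OAuth deployments add refresh tokens, client authentication and consent screens, none of which this toy models.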

  3. Posted by phil23 on 08 Dec, 2021 05:22 PM

    Thanks to both dwg and Maddy for your responses.

    Again, I believe that IK has had to make some excruciating tradeoffs to continue to offer automated connections to financial institutions. I also accept - at face value - that Plaid honors its privacy policies to the best of their ability.

    I'm just looking for "eyes wide open" info before I jump in, since bad things can happen despite everyone's best effort and intent. So I'm not looking forward to my financial institutions shutting down their OFX servers!

    /phil23

  4. Support Staff: Posted by Maddy on 09 Dec, 2021 08:49 AM

    You are welcome, Phil!

    I'll close this discussion for now, but do not hesitate to contact us again, if you need further assistance.
    We would like to take the opportunity to wish you a lovely festive period!

    --
    Maddy, Infinite Kind Support

  5. Maddy closed this discussion on 09 Dec, 2021 08:49 AM.
