tag:infinitekind.tenderapp.com,2009-01-14:/discussions/online-banking/19804-moneydance-bank-userpassword-save-locationInfinite Kind: Discussion 2022-01-13T06:50:19Ztag:infinitekind.tenderapp.com,2009-01-14:Comment/494336892021-10-13T16:10:34Z2021-10-13T16:10:35ZMoneydance+ Bank User/Password Save Location<div><p>Hi, I'm supportive of moneydance+ as the banks really gave you/us no choice and I'm ok with $2/month to avoid the manual downloads.</p>
<p>However, I'm unclear on where Moneydance+ bank credentials are saved. I've never password protected my MD file as it's not necessary in my environment. When I click Forget Online Passwords, my moneydance+ connections still work without prompting me for a password. So, where is this data stored? In my MD file?</p></div>wamzhskqmhwxphoptag:infinitekind.tenderapp.com,2009-01-14:Comment/494336892021-10-13T16:40:26Z2021-10-14T06:42:48ZMoneydance+ Bank User/Password Save Location<div><p>.</p></div>Stuart Beesley (Mr Toolbox)tag:infinitekind.tenderapp.com,2009-01-14:Comment/494336892021-10-13T17:14:25Z2021-10-13T17:14:25ZMoneydance+ Bank User/Password Save Location<div><p>Read this:<br>
<a href="https://my.plaid.com/help/360043065354-does-plaid-have-access-to-my-credentials">https://my.plaid.com/help/360043065354-does-plaid-have-access-to-my...</a></p>
<p>In addition it’s unclear whether Plaid can initiate payments from your accounts. Some links say it’s read only, others that it can make payments.</p></div>Stuart Beesley (Mr Toolbox)tag:infinitekind.tenderapp.com,2009-01-14:Comment/494336892021-10-13T20:16:30Z2021-10-13T20:16:30ZMoneydance+ Bank User/Password Save Location<div><p>Stuart.</p>
<p>I believe your last sections describe how Plaid works with Open Banking. In the U.S. they could be using a variety of systems, with some I think Plaid would need to hold the username/password, with others it could be tokenised.</p></div>dwgtag:infinitekind.tenderapp.com,2009-01-14:Comment/494336892021-10-13T20:24:37Z2021-10-13T20:24:37ZMoneydance+ Bank User/Password Save Location<div><p>Dwg. I think you are correct. So it depends on your region.</p></div>Stuart Beesley (Mr Toolbox)tag:infinitekind.tenderapp.com,2009-01-14:Comment/494336892021-10-13T20:27:48Z2021-10-13T20:27:48ZMoneydance+ Bank User/Password Save Location<div><p>Post updated accordingly. So for clarity, Plaid may store your userid/password depending on region. But MD never stores it (for md+).</p></div>Stuart Beesley (Mr Toolbox)tag:infinitekind.tenderapp.com,2009-01-14:Comment/494336892021-10-13T20:30:55Z2021-10-13T20:30:56ZMoneydance+ Bank User/Password Save Location<div><p>Thank you for all the replies! My MD file is quite a few security layers deep in my environment but appreciate the recommendation.</p>
<p>I had read that Plaid link but it's quite vague. Agreed that it is region dependent.</p>
<p>So assuming Plaid does have your credentials, the only other layers are the read only and bank-side MFA. Moneydance+ puts a lot of trust in those layers and I'm not sure I agree.</p></div>wamzhskqmhwxphoptag:infinitekind.tenderapp.com,2009-01-14:Comment/494336892021-10-13T20:44:01Z2021-10-13T20:44:01ZMoneydance+ Bank User/Password Save Location<div><p>With the way some banks are moving if people want to have automatic downloads then Moneydance has little choice, the only thing they can do is identify an Aggregator that has the best policy and practices.</p>
<p>In countries initiating Open Banking there is a framework and legislated requirements so that is a more secure environment but you still need to ensure the aggregator has appropriate privacy policies and practices. I do not see that it would be viable for Moneydance itself to become a registered data recipient in the various countries under Open Banking.</p>
<p>The choice people can make is to understand and accept the service or to not use the service and use manual downloads and import, or indeed manual data entry. It thus becomes the user's choice at the end of the day; for some, convenience and ease is the dominant consideration.</p></div>dwgtag:infinitekind.tenderapp.com,2009-01-14:Comment/494336892021-10-13T20:55:57Z2021-10-13T20:55:59ZMoneydance+ Bank User/Password Save Location<div><p>Totally agreed. Very unfortunate that we're being forced into collective data situations.</p></div>wamzhskqmhwxphoptag:infinitekind.tenderapp.com,2009-01-14:Comment/494336892021-10-13T21:46:39Z2021-10-13T21:46:39ZMoneydance+ Bank User/Password Save Location<div><p>Agree with the very unfortunate. Also, unfortunately, some institutions won't even provide a manual OFX download solution.</p></div>dtdtag:infinitekind.tenderapp.com,2009-01-14:Comment/494336892021-10-13T21:56:31Z2021-10-13T21:56:31ZMoneydance+ Bank User/Password Save Location<div><p>It shows that customer service is not necessarily one of their most important objectives.</p>
<p>Where there is open banking they have been dragged kicking and screaming, of course when the government has the power to ultimately cancel your banking license the choice they have is very stark.</p></div>dwgtag:infinitekind.tenderapp.com,2009-01-14:Comment/494336892021-10-14T06:44:41Z2021-10-14T06:44:41ZMoneydance+ Bank User/Password Save Location<div><p>UPDATED: Several points. Your moneydance dataset is already encrypted with a default passphrase if you don’t set it manually. However, this is useless protection if someone has Moneydance as they can open your data. I strongly suggest you set a MD password (and remember it of course).</p>
<p>The old OFX functions can store your user Id and password within your dataset. But as you are forgetting passwords, then these get wiped. You can, for example, use the Toolbox extension to see all your stored OFX data.</p>
<p>MD+ is different. With MD+, MD never has your bank passwords and never saves them… When you register a connection, you are directed by Plaid to a login web page. Here you log in to your bank. I think it depends by country whether you are entering your password into Plaid, or your bank. In the U.K. (with Open Banking) for example, it’s the bank’s own webpage and not even Plaid gets your password. (I would personally be concerned about entering codes into a non-bank webpage!). At this point, where you used the bank’s own login page, the bank then issues Plaid a token - e.g. ahdhdgdgdgdgdv524gsf28mdDGDc524 which is the key (token) to get access to your account. Where you entered your userid/password into a Plaid webpage, I suspect Plaid is storing your details and then generating/issuing MD with a token. The key is anonymous and doesn’t really say who you are. Thus MD needs this key to connect via Plaid to your bank. This key (token) is stored (raw) in your moneydance dataset. MD also stores an encrypted copy of this token on its servers. MD encrypts this token with your dataset’s pub/private keys before saving. Only your keys can decrypt. Each MD dataset will generate a unique private/public key and this is saved in your dataset. Thus within your dataset you are storing your keys and your (anonymous) token. Hence I suggest you set a dataset password. Without your keys, your token cannot be decrypted by MD and you cannot access your accounts. Toolbox will show you some of this information if required, but it will hide confidential key/token data. FYI - your account numbers in MD+/Plaid are also anonymous. So you might have 123456 but the MD+ Reference is shsgsgGHG524GGfsgsg726ZZ for example. Hence the need for the match window.</p>
<p>What I don't know (yet) is whether Plaid passes through the bank token to MD, or whether Plaid always generates its own token for MD....</p>
<p>So in all practical terms, you hold a token which directs MD+ to Plaid to your bank to your account. But MD and Plaid don’t actually know who you are. Where your bank is issuing tokens, Plaid does not hold your user/password; but in some countries Plaid may store your UserID / password. MD does store your email address on its server, but really uses it to know you are registered. Your dataset needs to be protected as it contains important stuff.</p>
<p>Hope this helps, or was it gobbledygook?</p>
<p>Note: this is all my understanding, and not the official IK response.</p>
<p>(Not support, just a fellow user)</p></div>Stuart Beesley (Mr Toolbox)