Plaid security?
Yesterday I set up Moneydance+. This morning I had 2 emails from my CU warning of logins on my account.
Log says 1:03 AM & 6:58 AM using Firefox 59.0
Definitely was not me at those times and I don't use Firefox regularly. My version of Firefox is 100.0.2
This does not give me a good feeling about using Moneydance+
1 Posted by Stuart Beesley ... on 06 Jun, 2022 06:26 PM
Well Plaid has to login to your account. So perhaps it was that?
2 Posted by jes on 06 Jun, 2022 06:29 PM
For reference, the log entry, assumably during setup by Plaid:
Yesterday 6:13 PM Firefox 59.0
3 Posted by jes on 06 Jun, 2022 06:29 PM
Stuart Beesley: at 1 AM?
4 Posted by Stuart Beesley ... on 06 Jun, 2022 06:51 PM
I think that Plaid logs into accounts and downloads and caches the data at certain times of the day. Anyway, I’ll bow out and let the experts comment.
5 Posted by jes on 08 Jun, 2022 01:49 AM
I've decided to cancel Moneydance+
I'm seeing way too much access to my CU account since starting Moneydance+. The activity is not related to whether or not I have opened Moneydance.
No way I would feel comfortable adding my investment account...
Support Staff 6 Posted by Maddy on 08 Jun, 2022 11:59 AM
Hi Jes,
Sorry to hear you have decided against using Moneydance+.
I thought I would mention this anyway, for future reference:
Usually Plaid will redirect your browser to the bank's site which authenticates you directly. Neither Plaid nor Moneydance ever sees your password or even username for that matter. The bank redirects your browser back to Plaid with a token that is used to access your accounts at that bank for some period of time.
As soon as the access token is acquired by the Moneydance+ server, it is encrypted using the public key from your linked data file. That means that only your data file can ever decrypt that access key, and even our server cannot access it.
We made every effort possible to not require the Moneydance+ server at all and have all communication go between Moneydance and your bank or Moneydance and Plaid. Unfortunately, that is simply impossible. So we went with the route where the MD+ server is the smallest, most basic piece that sees as little information as possible.
In conclusion, when MD downloads transactions, it has to go through the MD+ server, which authenticates your data file's public key and then basically pipes the connection through itself to Plaid, which returns your transactions (logging nothing).
This specific blog page might be of interest to you as well.
I hope this information is helpful. Please let us know if you have further questions or need more assistance.
--
Maddy, Infinite Kind Support
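The token handling described in the reply above, as an added example (not Infinite Kind's or Plaid's code): a server seals an access token under the data file's public key, and the client proves it holds the matching private key by signing a server nonce. RSA-2048, OAEP, SHA256withRSA, the nonce challenge and all names are assumptions, since the thread names no algorithms.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import javax.crypto.Cipher;

// Added illustration; algorithms and names are assumptions, not Moneydance+ internals.
// One key pair both decrypts and signs here for brevity; separate keys are the safer design.
public class SealedTokenDemo {
    static final String OAEP = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";

    // Server side: seal the token under the data file's public key and keep only the result.
    static byte[] seal(PublicKey dataFileKey, byte[] token) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance(OAEP);
        c.init(Cipher.ENCRYPT_MODE, dataFileKey);
        return c.doFinal(token);
    }

    // Client side: only the data file's private key opens the sealed token.
    static byte[] open(PrivateKey dataFileKey, byte[] sealed) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance(OAEP);
        c.init(Cipher.DECRYPT_MODE, dataFileKey);
        return c.doFinal(sealed);
    }

    // Client proves possession of the private key by signing a fresh server nonce.
    static byte[] sign(PrivateKey key, byte[] nonce) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update(nonce);
        return s.sign();
    }
    static boolean verify(PublicKey key, byte[] nonce, byte[] sig) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(key);
        s.update(nonce);
        return s.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair dataFile = gen.generateKeyPair(), other = gen.generateKeyPair();
        byte[] token = "access-token-CONSTRUCTED".getBytes(StandardCharsets.UTF_8); // constructed sample
        byte[] sealed = seal(dataFile.getPublic(), token);
        System.out.println("data file opens: " + new String(open(dataFile.getPrivate(), sealed), StandardCharsets.UTF_8));
        try { open(other.getPrivate(), sealed); System.out.println("unexpected: other key opened token"); }
        catch (GeneralSecurityException e) { System.out.println("other key rejected: " + e.getClass().getSimpleName()); }
        byte[] nonce = new byte[32];
        new SecureRandom().nextBytes(nonce);
        System.out.println("data file authenticated: " + verify(dataFile.getPublic(), nonce, sign(dataFile.getPrivate(), nonce)));
        System.out.println("other key authenticated: " + verify(dataFile.getPublic(), nonce, sign(other.getPrivate(), nonce)));
    }
}
```

The sealed bytes are all a server would need to store in this sketch; a copy of its storage yields no usable token without the private key held in the data file.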
System closed this discussion on 07 Sep, 2022 12:00 PM.