Are the risks of Financial Account Aggregation really worth it?

edited December 2022 in Other Investing
In another current MFO thread the issue of safety with respect to financial account aggregation was raised. It seemed to me that this whole topic might deserve a thread of its own. I'd sure be interested in hearing a range of opinion on this question. For starters, I did find some information regarding this topic, but nothing that specifically went into much detail on the potential security risks.

Here are a couple of excerpts:

From Investopedia

What is Account Aggregation?

How Account Aggregation Works

Account aggregation usually occurs only within a single financial institution. However, certain assets held outside a financial institution may be included if the account holder has agreed to that.

Many personal finance services offer customers the ability to aggregate data from all of their savings, checking, and brokerage accounts, as well as other financial assets across all the institutions with which they do business. These services usually require that users provide account-access information, such as a username and password, for each of the accounts that they wish to include in the aggregation. Using this information, the service "scrapes" or downloads account balances and other data from each account to include in the aggregation.

However, account aggregation software is often allowed only to access balance information and transaction records. And for security reasons, many aggregation services do not permit users to make transactions from within the service.

In addition to aggregating data from savings, checking, brokerage, and other financial accounts, some aggregation services and software—particularly those used by professional financial advisers on behalf of their clients—aggregate additional net-worth data, such as recent home-value estimates. Account aggregation platforms may also categorize cash inflows and outflows.

From "The Balance"

Account aggregation services only give the software permission to view your account balances and transactions, not make transactions. If you actually want to access your money or move it, you would need to sign in to each account's website.

Additionally, the software draws on many advanced security features. For example, if you are logging on from an unknown computer or device, additional authentication will likely be necessary.

I've used account aggregation at Schwab and First Republic Bank for several years now. I did wonder about the potential security risks, but rationalized that if the risks were significant then large banks and brokerages probably wouldn't involve themselves with the service, especially as it's likely there isn't much profit in it. Maybe I'm being too complacent about all of this.




Comments

  • I'd like to be carefree about the matter but I've always felt that any of these financial entities could be hacked at any point in time exposing me to complications with an account at a connected entity. No thanks.
  • I use Personal Capital. Definitely some risk
  • I didn't see any problems with the materials cited in the OP. But don't consider those as 2 independent sources. Dotdash Meredith owns both Investopedia and The Balance. People may have opinions about them, but at Dotdash Meredith, the former is considered more encyclopedic/authoritative and the latter with popular/consumer orientation.

    Most brokerages provide account aggregation as convenience. Look at the fine print whether the brokers' SIPC or excess insurance will cover if account problems arose from 3rd party aggregator and who would have the primary responsibility, broker or aggregator?
  • edited December 2022
    There's risk in anything, anywhere. You either decide what level of risk is reasonably acceptable (and where) or you unplug from the world and go hide in a cave. :)

    I would trust Schwab or PersCap for account aggregation far more than some fintech startup run by a bunch of idealistic and incompetent tech-bros. (*cough* youknowlikeFTX)
  • "There's risk in anything, anywhere. You either decide what level of risk is reasonably acceptable (and where) or you unplug from the world and go hide in a cave."

    @rforno- Yes sir, that nicely summarizes my perspective also. However, since a heavy hitter like Yogi suggested caution in this area I thought that it would be a good idea to see what the general consensus might be. Thanks for your input.
  • Old_Joe said:

    "There's risk in anything, anywhere. You either decide what level of risk is reasonably acceptable (and where) or you unplug from the world and go hide in a cave."

    @rforno- Yes sir, that nicely summarizes my perspective also. However, since a heavy hitter like Yogi suggested caution in this area I thought that it would be a good idea to see what the general consensus might be. Thanks for your input.

    Oh I don't dispute YBB's advice! Just offering my 2 cents in general support of the discussion! :)

  • I don't understand the need for XYZ to know what I have at ABC, or vice-versa. And then I have holdings at LMN and QRS. Can't imagine why I would need to bring in a third party.

    I know Vanguard offers to track outside investments. But you have to manually enter the data.

    I'm sure M* is doing something with the portfolio information I have entered over there. I know I am no longer being threatened with the end of that feature.
  • @WABAC- It's not really the need for XYZ to know anything about ABC. It's more about the great convenience of going to XYZ and quickly getting a comprehensive overview of your financials by visiting just one site. This can be quite a convenience, because some sites (JP Morgan Chase, for example) are not particularly user-friendly, and it's nice to be able to see your balances at Chase without jumping through all of their hoops.
  • @Old_Joe I think I'm too lazy, or don't have enough to track.:)
  • edited December 2022
    @WABAC- You raise an interesting perspective- maybe it's me who's being lazy. It's only necessary to set up the XYZ/ABC account reporting linkage once, not each time you visit XYZ. Once set up, XYZ will automatically check with ABC every so often to provide a (more or less) continuous update. It's really very convenient, and quite a time-saver.

    (Of course I could spend less time here on MFO and check each account individually, but what a drag, man.) :)
  • @Old_Joe

    I have been tempted for years to use Yodlee or the aggregator (most also use Yodlee) at one of my four brokerages (don't ask!) but always shied away, as I could not be convinced that giving them my password was safe.

    I have never been able to get them to demonstrate how they limit their ability to access anything other than balances and positions. Your passwords are still stored in their computers and how safe is that?

    Every so often I would google "Yodlee hack" to see if any had occurred. Haven't done it recently.

    When I asked my broker at Morgan Stanley how safe it is, he said he knew nothing about it and MS had no responsibility. I assume Schwab would say the same thing.

    Quicken will download transactions from all brokerages, but the passwords are on your computer and not Quicken's. I copy and paste them into the software temporarily just as an added safeguard.

    I think this is safer than going through two third party websites.

    Only recently has Schwab required users specifically certify that this Quicken downloading is acceptable. No one else requires this.

    I have been unable to find out if this is due to a security breach, but it is a bit concerning.
  • Thanks for the info, @sma3- appreciate it.
  • It isn't about how safe Schwab or PersCap are. Yodlee can be hacked in which case safeguards from Schwab are meaningless.
  • Yeah, that's kinda what I'm thinking too.
  • Curious as to with how many institutions folks have their investments with? Quick count, I'm with six maybe eight.. my sister who has substantial assets has narrowed down to two or three.

    Is this really a risk question, simplify as you get older to better and easier track your monies?

    Best

    Baseball fan
  • OK, so I've been poking around on the net, and it seems as if there are two related but different ways that we can interface with a financial aggregator. The first is by downloading and using a financial app, of which there are evidently a fair number of different types. In this setup we (the user) interact directly with the aggregator.

    The second does not involve any direct contact with an aggregator. This situation occurs when we utilize a bank or brokerage which we deal with, and authorize them to initiate and maintain an information exchange with another financial entity- could be a mutual fund, a bank, or another brokerage, for example.

    The bank or brokerage which we deal with then utilizes a financial aggregator to perform the data transfers between them and the other institutions that we authorize.

    From what I'm seeing, none of this is guaranteed to be impervious to hacking, but the second method- institution-to-institution- is theoretically less susceptible to a hack than interacting with a financial aggregator directly via a user app. This is because a hacker would have to first breach the financial institution, and then follow that by also breaching the aggregator. It's presumed that this would not go unnoticed, and that intercepting security measures would prevent such a deep penetration of two separate financial institutions.

    Well, maybe. Anyway, that seems to be the general story so far.


  • stayCalm said:

    It isn't about how safe Schwab or PersCap are. Yodlee can be hacked in which case safeguards from Schwab are meaningless.

    What does that mean ?
  • @davidrmoran- Well, Yodlee is just one of the "aggregators", and stayCalm was referring, in a way, to the explanation that I made above. If you are using a downloaded financial app that involves an aggregator, a hacker could presumably go directly to your account information at Yodlee.

    Again, I'm just trying to sort through all of this along with everyone else. The lack of transparency on the part of all players in this setup isn't helpful. The suggestion seems to be that if you have asked Schwab (for example) to aggregate your accounts, then that account information is somehow safer than if you regularly interact directly with the aggregator. Again, this is why I started this thread- maybe between all of us we can learn a bit more about the risk/benefit ratio involving aggregators.
  • edited December 2022
    Using Yodlee via Schwab vs. using Yodlee or equivalent directly does not offer any additional security. Yodlee is a cloud based service, it can be hacked directly without needing to hack Schwab.

    Note that the account credentials you are providing (either to Schwab or Yodlee directly) are traversing the internet from your machine to Schwab and from Schwab to the aggregator. Yes it is encrypted and all that good stuff but it can be hacked including from bad apple insiders (this is how Capital One was hacked).

    In a cloud based world, hacking is a lot easier than the pre-cloud world because of the distributed nature of all services. In the age of the internet, security and privacy are not realistically possible. Over the last 5-7 years at least 5+ of my accounts with large corporations have been hacked -- Target, Capital One, Home Depot, Experian, etc.

    Hell LastPass recently got hacked, in effect LastPass is the equivalent of an account aggregator but much worse since it has a lot more confidential stuff than just financial accounts.
  • edited December 2022
    If an account aggregator is breached and your account incurs losses as a result,
    the broker may not reimburse you for these losses.

    Fidelity Customer Protection Guarantee

    "Also not covered is any activity by an employer/plan administrator, financial intermediary, or third-party who is authorized by you to access your data (or who received your data as a result of that access), or with whom you've shared or provided access to your username, password, or account number, or from malware or a breach of security that affects the systems of any of those parties."
  • edited December 2022
    stayCalm said:

    [snip]

    Hell LastPass recently got hacked, in effect LastPass is the equivalent of an account aggregator but much worse since it has a lot more confidential stuff than just financial accounts.

    That's why I'm wary of cloud-based password managers.
    I use KeePass (free, open-source) which stores credentials locally on my PC.
  • Info that @Observant1 provided from Fido is similar to what I have seen at other places too. Please read it carefully. Banks/brokers say that if you share your login with ANYONE, they are no longer responsible. I assume ANYONE to mean relatives, friends, 3rd party a/c aggregators, etc. Question to ask is who is responsible if something goes wrong?

    I think that my discomfort level about 3rd party aggregators rose significantly years ago when in addition to account# and password, they started asking for info on other forms of authentications - images (this system is getting old), authentication codes, etc.

    As others have noted, there are risks in anything we do. But I decided that this risk from aggregators isn't worth it for me. I do use Portfolio services (old M* Portfolio - offline, new M* Investor, Stock Rover) but there too, I don't link my brokerage accounts and rely on manual update of transactions.
  • @yogibearbull

    Do you manually enter each transaction? M* Portfolio still lets you download a file with positions and average price, although M* Investor still refuses to allow this.

    Has anyone heard of any brokerage account hacks?

    I always assumed that if you used Schwab's offer to use an aggregator, the credentials were at the aggregator, not at Schwab, so therefore protected only to extent aggregator protects them. Any hint of a data breach and their business would collapse, but still who knows how good their security is?

    Nor have I been able to document how they claim that they only get transactions and balances without being able to trade, move money etc. Once a hacker got your PW etc, they could do anything they wanted, obviously.

    While I have not tracked it down yet, it would be interesting to compare Schwab policies with a full service broker like Morgan Stanley, where it is impossible to trade without a human being.

    You would think your money is safer at Morgan Stanley, but getting access to an account illegally would still allow transfers out without a human involved. However, adding a new account requires two factor authorization, and trial deposits just as it does at Schwab.

    I doubt your broker monitors accounts so carefully that they would alert you to something unusual.

    But neither Schwab nor Morgan Stanley will allow you to set alerts to notify you of all account activity; Schwab will send trade alerts, but not deposit, withdrawal alerts and MS only sends balance alerts. You get an email if there is a trade, but not what it is.

    I assume (but I do not know) that since Schwab requires a manual sell order to raise cash, they would not transfer money out of the account without the sell order being placed (and maybe settled too?), if your cash balance is low. I don't think you would be notified of the trade until it occurred.

    My bank and credit card text me every time there is any activity of $0.01 or more. If brokerages had this function, it would be added security that nothing could happen without your knowledge.

    Of course, you might hear about the fake trial deposits and intervene in time, but you might not. And once the money leaves, being told about it a few seconds later would not stop it leaving. With the ease of money transfer today, your money would probably be in Nigeria before you opened the email or logged on to see what was happening.

    In the past, when I asked about risks, Personal Capital rep claims aggregating everything would increase security because you could see any new transactions immediately.

    Does anyone have any experience with this?
  • edited December 2022
    @sma3, it does take some time to initially enter portfolios; .csv files can also be used. But then, updating transactions manually is simpler.

    I imported all M* Portfolios into Stock Rover (SR). It is a bit tricky, but I have described details/steps elsewhere.

    Old M* Portfolios are still active & may remain so in 2023. I don't plan to use the new M* Investor UNLESS M* adds some portfolio analytics - there is almost none now.

    A good thing is that M* Portfolios automatically update for dividends (reinvestment or in cash). Unfortunately, this needs to be done manually at SR - somewhat tedious to do & keep up.

    Both M* Investor & SR have linking option to brokerages to update positions, but I will not be using that.

  • edited December 2022
    >> Yodlee can be hacked directly

    What I am asking (as of all imagined harms) is how would this work? what would happen? what are the steps and the mechanism? and if a bad actor "gets into" yodlee systems, then what? what are the consequences? our login information gets revealed and ... we get robbed? accounts depleted? what have the losses been? has this kind of worst-case thing ever happened?

    Note the mechanisms here and human involvements, for example:

    https://carnegieendowment.org/specialprojects/protectingfinancialstability/timeline
  • edited December 2022
    A hack of Yodlee is no different than a hack of LastPass.

    Using stolen credentials the attacker can liquidate your portfolio and move money out of the brokerage account.

    For example if your Robinhood account got hacked, an attacker can buy crypto and transfer it to their wallet within a matter of minutes.
  • OK, we seem to be saying that an aggregator such as Yodlee just adds another window of opportunity for a hacker. But couldn't a hacker do pretty much the same thing at any on-line bank, mutual fund or broker? After all, all of those places have our credentials stored also.
  • edited December 2022
    Correct, Yodlee is another attack surface.

    From a social engineering hack angle, Yodlee is a very attractive target.
  • Many on-line banking and brokerages require two-factor authentication. How does hacking get around this mechanism?
  • edited December 2022
    Old_Joe said:

    OK, we seem to be saying that an aggregator such as Yodlee just adds another window of opportunity for a hacker. But couldn't a hacker do pretty much the same thing at any on-line bank, mutual fund or broker? After all, all of those places have our credentials stored also.


    Yes, a hacker can compromise your credentials at a bank, broker, or Yodlee.
    But Yodlee and other account aggregators are not required to view accounts or execute transactions.
    Using account aggregators provides another opportunity for the "bad guys" to infiltrate your accounts.
    If an investor incurs losses due to an account aggregator breach, these losses may not be reimbursed.
    Not worth the additional risk in my opinion...

