A lot of us like to use software to manage our financial accounts, budgets and/or investments. It helps keep track of bills, loans, the current value of assets, spending vs. income, your current net worth and so forth. This software comes in two basic forms. You either have a local software application or you use some manner of web-based service.
Long before the advent of the web, there were just standalone applications. Intuit's Quicken and Microsoft's Money were the big two with some other less capable things on the fringe. When common, public internet access came around in the early-to-mid 90s, these applications started adding "online access". In order to access your bank or other financial account, there had to be some kind of standardized protocol. So along comes the Open Financial Exchange (OFX) which was precisely that. These programs adopted it and now you could have them download your checking account transactions directly from the bank instead of you having to enter them all manually. Nice and convenient.
In order for this to work, your financial institution had to have already granted you online web access to your account which meant establishing a username and password. And in order for your application to do its thing, you had to enter them there so it could use them. That was no less secure than you typing them in your web browser. In this respect, you can think of the financial application as a very specialized "browser". In both cases, you are running the application on your local, (hopefully) personal computer. Assuming the program and the site use appropriate encryption protocols, you have not leaked your authentication credentials to anyone else.
Moving forward to more recent years, Microsoft finally gave up on Money and retired it. Intuit has put Quicken up for sale, but it still exists and is the only reasonably functional program left for managing investment accounts. All the other applications are just budget managers watching your checking account and credit cards. During the more recent web era, a variety of web sites have come about offering aggregation of your accounts for that big picture view just like the older applications did. Quicken spun off the Mint site, for example. For investors with enough accounts to need help but not enough wealth to have a personal CPA on staff, there are some options like Personal Capital.
All these sites work just like the older applications with one major difference. They store your information in the cloud instead of on your local hard drive. So now you have an order of magnitude larger security risk. In order for these aggregator sites to do their thing, you have to give them your usernames and passwords to all your financial accounts. Yikes! Rather than you entering this information, you give it to them and they use it for you. It's sold as "convenient". But now you have to trust that they don't get hacked, either internally from an insider threat or externally by some other bad actor. And a compromise would give the malefactor direct access to your finances. They could transfer money or sell your assets. And unlike simple credit card purchase fraud, no one is going to cover you for this oops. I'll bet if you find and read the EULA, they are not responsible if anything goes wrong.
Even if you assume this risk, there are some technical limitations. I once ran into a problem with Quicken and the OFX interface. You used the same username and password for both the web site login and the OFX, but they had different password policies and the OFX was significantly less robust, so you had to go with the lesser of the two and weaken your overall security. The problem seemed to me like some lazy programmer who didn't want to figure out how to escape all the possible special characters on the keyboard. You could only use a very small subset via OFX, but all of them on the web site.
Another limitation is two-factor authentication. First, a lot of the financial institution sites do not support it. At least not yet. For the ones that do, the applications and aggregation sites do not. If they did, that would still work out for a local application that could query your token or biometric somehow, but not the aggregator sites. And even if you could somehow give them a copy of your second factor, now they have that too which largely defeats the purpose, security-wise.
So while everyone is in a mad rush to webify and cloudify things, this is one area where a local application with local storage and local use of authentication still makes a lot of sense to me. Unfortunately, that's not where we're headed. I personally still limp along with Quicken as best I can, but it's far from perfect anymore. The last good version was in 1995. Maybe one day I'll get frustrated enough to add a huge module to GnuCash and build what I need.