You no longer need to enter your financial institution credentials...

Using Quicken Premier (Windows). I received an unpleasant surprise this evening. While doing my daily one step update, I noticed that the lines for three of my financial institutions did not feature a box for me to enter a password. Instead, I saw a yellow key icon. Clicking the key icon brought forth this message:

You no longer need to enter your financial institution credentials for Express Web Connect accounts.

I hasten to add that I have never volunteered to store any of my passwords on Quicken's servers. I care about the security and privacy of my financial details.

Quicken provided a web page link by way of explanation:

formatting link
A few words from that page:

When you set up your Express Web Connect accounts, you entered your username and password for your bank. Quicken then passed these credentials to our aggregation provider, who encrypted and stored your credentials on their servers in order to enable you to quickly download your banking transactions. ...

Is my data safe?

Yes. The safety of your data is our number-one concern, and nothing is changing about where your data is stored. While our aggregation provider has always encrypted and stored your Express Web Connect bank account credentials, with this newer, more modern platform, we're actually increasing the security of Express Web Connect.

I strongly disagree with that last paragraph. Allowing my credentials to be stored with an unknown "aggregation provider" is not something I will ever consider to be safe.

I will attempt to switch from Express Web Connect to Direct Connect. If that is not possible, I am left with the choice of either doing manual downloads for these three accounts, or abandoning Quicken.

David Arnstein

Nothing really has changed. They never needed to show that information before since it was and has always been stored on the aggregation server for the overnight download from the financial institution to the aggregation server so that it can be downloaded by Quicken the next time you did a One Step Update. It may be that you don't understand how Express Web Connect downloads work, if not, see this article:

formatting link

splasher

I don't believe there has been any change in where your EWC passwords are stored. I believe Express Web Connect account passwords have always been stored on the aggregator's servers. The change is that they are no longer available in the Quicken Password Vault.

You didn't provide the names of the financial institutions for EWC accounts; but for most users in your position there would be a third option: switch the three accounts to a financial institution that does offer Direct Connect.

If those accounts are checking, savings, or credit card accounts, you could give USAA a try. They are an excellent Fortune 500 company with free Direct Connect for their customers. The only drawback is USAA doesn't accept Online Billpay instructions from Quicken - but Express Web Connect does not work with online billpay from Quicken anyway, so no loss there.

[I do not share your fear of the storage of passwords; I dislike Express Web Connect because it is the most unreliable Connection Method (though I think Quicken has been taking action to try to make it more reliable). The recent rush by financial institutions to use 2-factor authentication can make EWC much more of a pain than it already has been - but that problem doesn't exist with Direct Connect.]

John Pollard

I agree. I haven't looked at my one and only EWC account in depth, but I suspect that rather than the old screen scrape method, Quicken has provided financial services companies data tags or other invisible structures to be used for data Quicken needs, along with the equivalent of certain navigation commands.

Thus when things break, it's likely that the financial institution made a change to their web portal and didn't follow through with the standards Quicken specified.

Arthur Conan Doyle

Yes.

It is trivially easy for screen scraping to be screwed up when the financial institution modifies the format of their web site. Sadly, many financial institutions seem not to know or care about that, and a LOT of Quicken users are not aware of it.

One of the early options to improve the Express Web Connect experience was sometimes referred to as "backdoor Web Connect"; where the financial institution (that already offered Web Connect downloads) provided a special "button" that the Intuit Express Web Connect servers could "click" to create Web Connect data (so all the selection and formatting of transactions was accomplished by the existing Web Connect software, rather than screen scraping).

I get the impression that there may be even better approaches available now (or soon). One can only hope; since financial institutions seem increasingly unwilling to spend much, if any, money for their Quicken users.

John Pollard

Thank you splasher and Mr. Pollard. I had no idea that Express Web Connect has had this security/privacy failure all along. I am pleased that Quicken made this evident to me last night.

Two questions.

Does using "Direct Connect" have similar security/privacy issues?

What is "Web Connect?" I have one Bank of America account, last night I disabled online services for that account. I don't think that BofA offers "Direct Connect," as I could not get that to work in Quicken. Then I tried to enable "Web Connect." Quicken complained that "an account with this name already exists." Well of course it exists, I am trying to enable a service for an account that exists.

David Arnstein

With Direct Connect, it is between Quicken on your computer and the Financial Institution, no information (IDs, passwords or data) is stored on an aggregation server. There is a new wrinkle in the process though that your Quicken contacts a Quicken server to be redirected to the appropriate FI server, essentially acting as a proxy server, but that doesn't change the fact that the data goes directly from the FI to your computer. As far as implementing Web Connect, when it asks about the account, you have to change the "add" to "link" and select the correct account.

splasher

BofA used to offer Direct Connect to all customers; customers with certain account types (that required some minimum balances) got Direct Connect for free; other customers had to pay a monthly fee.

Some years ago, BofA stopped allowing any customer to use Direct Connect who was not already using Direct Connect at the time BofA changed their policy.

John Pollard

I missed the "What is web connect?" question in my response. Web Connect is you logging into the FI's website and downloading a Web Connect .QFX file from their website and importing it yourself. It is obvious that using this process, Quicken NEVER sees your FI's password.

splasher
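
An added example, not part of the thread and not Quicken's or any bank's code: a check that a downloaded Web Connect file holds no login secrets, contrasted with the OFX sign-on request a Direct Connect client sends. Both samples are constructed, and `audit_ofx` and `mask` are hypothetical names.

```python
import re

# OFX 1.x SGML leaf elements carry the value right after the tag: <TAG>value
LEAF = re.compile(r"<([A-Za-z0-9.]+)>([^<\r\n]+)")

CREDENTIAL_TAGS = {"USERID", "USERPASS", "USERKEY"}  # OFX sign-on request secrets
ACCOUNT_TAGS = {"BANKID", "ACCTID"}                   # routing and account numbers

def mask(value):
    """Keep only the last four characters visible."""
    return "*" * max(len(value) - 4, 0) + value[-4:]

def audit_ofx(text):
    """Return (sorted credential tags present, masked account identifiers)."""
    creds, accounts = set(), {}
    for tag, value in LEAF.findall(text):
        tag, value = tag.upper(), value.strip()
        if tag in CREDENTIAL_TAGS:
            creds.add(tag)
        elif tag in ACCOUNT_TAGS:
            accounts[tag] = mask(value)
    return sorted(creds), accounts

# Constructed sample: a Web Connect (.QFX) statement download (a server response).
WEB_CONNECT_FILE = """OFXHEADER:100
DATA:OFXSGML
VERSION:102

<OFX><SIGNONMSGSRSV1><SONRS>
<STATUS><CODE>0<SEVERITY>INFO</STATUS>
<DTSERVER>20200101120000
<LANGUAGE>ENG
</SONRS></SIGNONMSGSRSV1>
<BANKMSGSRSV1><STMTTRNRS><STMTRS>
<BANKACCTFROM><BANKID>000000000<ACCTID>1234567890<ACCTTYPE>CHECKING</BANKACCTFROM>
</STMTRS></STMTTRNRS></BANKMSGSRSV1></OFX>
"""

# Constructed sample: the sign-on part of a Direct Connect request (client to bank).
DIRECT_CONNECT_REQUEST = """<OFX><SIGNONMSGSRQV1><SONRQ>
<DTCLIENT>20200101120000
<USERID>constructed-user
<USERPASS>constructed-pass
<LANGUAGE>ENG
</SONRQ></SIGNONMSGSRQV1></OFX>
"""

if __name__ == "__main__":
    print("Web Connect file:", audit_ofx(WEB_CONNECT_FILE))
    print("Direct Connect request:", audit_ofx(DIRECT_CONNECT_REQUEST))
```

The download carries no password, but it does carry routing and account numbers, so the saved .QFX file is still worth deleting after import.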

Thank you for posting this. This issue cropped up for me after the prior update (before the most recent update R28.28). I went to run One-Step Update (OSU), looked at the OSU window and said to myself, how am I supposed to run OSU when there is no password field opposite many of the accounts? I thought the most recent update, that I installed today, would have addressed the issue but it did not. Reading this thread has been very illuminating for me since I always typed in my passwords in the OSU window before running OSU and never knew that my passwords had been stored on an aggregation provider's servers. I had always thought that the passwords were sent directly to the financial institution's website and nowhere else since why else would I have to type the passwords into the OSU window?

One odd thing is that my wife and I each have a Chase credit card account. In the OSU window, my wife's account shows the gold key icon and no password field while my account has no gold key icon and does show a password field to fill in. Why that is, I have no idea.

Kobac

Pure speculation here. Perhaps your wife's account is configured to use Express Web Connect, and your account is configured to use Direct Connect. If I am right, you do have the option of configuring Quicken to use Direct Connect on your wife's account.

I have several Chase accounts and I think they are all configured to use Direct Connect: I still have to enter a password.

David Arnstein

You're correct, David!

When I first ran into the "problem", I tried deactivating my wife's Chase account and then re-activated it. Her account must have been set up with Express Web Connect since the procedure did not bring back the password field opposite her account in the OSU window.

Now I have to decide which method I want to use for our accounts. ;) Like you, I'm leery of having all my financial passwords together on an aggregator's server.

For years I've been doing the following (perhaps unnecessarily complicated):

To pay bills, I usually log onto the payee website and pay it there with a saved checking account. I then record the bill as paid in Quicken from the Scheduled Transaction List.

For payees that either do not have a website, have a poor website or charge a fee for paying online on their website, I log onto our bank's website and use their bill-pay system.

To download transactions from our bank, I log onto the bank website and download the transactions into a QFX file (Web Connect method). Clicking on the downloaded file imports the transactions into Quicken. Our bank uses two-factor authentication.

Over twenty years ago, I used CheckFree by Intuit to pay bills electronically. I had several bad experiences with some payees receiving my payments late and charging me late fees. Some credit card companies at the time did not handle electronic payments correctly. I did get most of the late fees reversed, but it turned into such a hassle that in 1999 I stopped the service and went back to mailing checks. I came away from that mess vowing never again to pay bills from Quicken.

Perhaps it's time to re-look at how I'm doing things!

Kobac

Paying bills by mailing checks????? WTF!!!!! ALL the utility companies that I know of gladly accept preauthorized debiting of bank account AND/OR automated repeated credit card billing. Set it up ONCE and it is automatically done month by month WITHOUT you having to do dick all. Aside from examining the monthly statement for accuracy.

Sharx335

I was talking about 20 years ago after our disaster with CheckFree, when electronic bill payments were not quite perfected. Back then, for an example, Capital One was not set up for electronic payments. CheckFree had to mail them a check. Sounds crazy, but that's how it was - and they were not the only one.

We rarely write checks today and haven't for years. There are still some companies, mostly local but also including some insurance companies (!), that do not take credit cards and/or electronic payments. I write checks only if I must.

Kobac

With only two exceptions (maid and gardener who I pay in person by check), I never write checks and pay all bills electronically through Quicken. I never mail checks, and hardly ever mail anything else (in fact I hardly ever use stamps for anything other than Christmas cards to a few people).

I've been doing this for many years--I don't remember exactly how long, but I think it's well over twenty years. I've never had a problem with payees receiving my payments late.

Ken Blake

Yes, that's what I do, not just for utility companies, but also for credit card companies, etc.--for anybody I can do that with. Not only is it easier, but it has two other advantages:

  1. it takes care of my having to worry about paying bills on time if they arrive while I'm away on vacation.
  2. the bills automatically get paid exactly on their due date. I don't have to either remember to pay them on time or pay them early.

Ken Blake

Likewise. And if they did go through the bank or credit-card account late, it'd be THEIR problem as it is THEIR staff who maintain the billing system, not the bank, not the credit-card company, and certainly not me. My role, aside from maintaining sufficient funds in the bank account and paying the credit card balances, ended once I turned over payments to their pre-authorized methods.

Sharx335

And what is REALLY great, at least up here, Ken, is that there are NO FEES for them doing that. One credit company, though, insists on giving me E statements rather than paper statements...so I have to remember to go online to check the accuracy of the E-statement.

Sharx335

That is PRECISELY the argument I made to Capital One back in 1997, Sharx335, and it was the only company that refused to waive the late fee. CheckFree maintained that they sent the payments out timely and Capital One basically didn't care. After several more mishaps involving more back-and-forth with several companies, I finally canceled the CheckFree service since it just wasn't worth the hassle. Things have come a long way since then; I'm now a bit irritated whenever I actually do have to write a check. ;)

Kobac

I would have canceled Capital One.

Speaking of writing checks, despite what I said, quoted above, I wrote a check yesterday. It was for real estate tax on my house. I could have paid it electronically, but there was a charge for doing that, so I didn't. The stamp was cheaper.

So I was wrong; there are three exceptions, not two. Maybe there are even a few others I've forgotten, but not many.

Ken Blake
