Quicken revelation shocks CIO

I was sitting at a table with a half dozen CIOs last month when the topic of Quicken came up. Several of the people at the table used Quicken personal finance software and its Express Web Connect and One Step Update features, which automatically download statement activity from every financial institution you use into the appropriate account registers in Quicken. But only two of us knew that when you use Express Web Connect, your bank transaction updates are routed through intermediate servers in Intuit's data center.

On hearing that, one CIO's jaw dropped. "You mean my bank statements are being stored on Intuit's servers?"

Another CIO at the table, who worked for a large regional bank, jumped in. "That is correct," he said.

"And we pay Intuit for the service."

I could see the wheels spinning. One Step Update was sequentially downloading transaction activity for every bank, brokerage and mutual fund account this CIO had, routing the streams of sensitive financial data through Intuit's servers like a long, electronic freight train. It gave him the creeps.

It's not quite as bad as that. I had checked into this before when I was forced to upgrade to Quicken 2009, so I explained ...

How it works

Your local copy of Quicken transmits your bank login ID and encrypted password. The bank authenticates the session and then transmits transaction updates to intermediate servers in Intuit's data center, which then transmit the data back to your personal computer. That data, which is temporarily stored on Intuit's servers, is encrypted and those servers are kept in a separate, locked room, according to a spokesperson. "We maintain the financial institution IDs, route the request to the right financial institution, maintain the financial institution profile, support information, and support contact data for the financial institution." That leads us to the next question...

Why do they do it?

As a service to customers. You can download and import updates packaged in Quicken's QFX file format from your bank one statement at a time. In that case Intuit is not the middleman. But that's time consuming and takes multiple steps. Quicken's One Step Update orchestrates the authentication and download process across multiple accounts and multiple financial institutions. You go away for a coffee, come back and everything is updated. (This service, included with your Quicken purchase, is discontinued after three years unless you upgrade to the latest version. It's a major reason why people feel that they must upgrade. If you're on Quicken 2007 you've probably gotten the notice already.)

If you don't like the idea of your encrypted statement data going through Intuit's servers you can still download all of your updates manually. But if you want the convenience you need to trust Intuit.

The CIO seemed somewhat relieved upon hearing the details but he was still upset that Intuit had not clearly disclosed this to him as a customer before he began using the Express Web Connect feature. I can't say as I blame him, but...

Just take the whole thing, please.

I too have concerns about security, but personally I've had so many problems with Quicken since I upgraded last year that I'd prefer to move the whole shebang into the cloud.

I've had several issues. First I was forced to upgrade from Quicken 2006 to 2009 if I wanted to continue with the Express Web Connect service. Then, shortly after I did so I ran across a bug in Quicken 2009 that prevented some of my accounts from activating properly for the Express Web Connect process. (Eventually, Quicken provided a free upgrade to Quicken 2010, which fixed the problem.)

Then another issue came up: Quicken has difficulty setting up online access for any bank account you create with a zero balance. The workaround: Transfer $1 in prior to setting it up for online access and then reverse the transaction after the fact.

These are just a few of the jarring things that can happen when you upgrade a three-year-old copy of a program to the latest version. In a software-as-a-service model, things evolve more gradually and Quicken support has direct access to the application and data, which would save me from being the intermediary.

There are just two problems holding me back from putting my financial life in the cloud. The first is that a full-featured version of Quicken isn't available online yet. The bigger issue, however, is security.

Get real with security

What would it take for me to trust Intuit with my personal finances? It will need to create a separate business unit that's chartered as a financial institution. If Intuit is going to host my entire financial life I want them to be bound by the same privacy and security regulations as my bank. While Intuit offers a privacy policy, it is under no legal obligation once you move sensitive financial information off your bank's servers and onto theirs. That is unacceptable.

Secondly, I want much stronger security than what is offered today with Intuit's entry-level Quicken Online and Mint products. I don't just mean encrypted sessions with a user name, password and challenge question authentication, as banks do today. Even some banks are starting to move beyond these basic and inadequate security mechanisms. Users need more sophisticated protections, including an option for two-factor authentication.

Give me that and I'll gladly give up running Quicken on my local PC, and all of the issues that come along with it, from configuration problems to bugs, backup headaches and upgrade glitches.

Intuit, I'm ready.

Are you?


Copyright © 2010 IDG Communications, Inc.
