Not a security expert. Just my 2 cents, having recently started using an aggregator.

Hello,
I have been tracking my portfolio in Excel: 80% in four funds (more or less Ferri) and 20% in individual stocks. I reinvest all dividends where possible. Updating the individual stocks is tedious, so my idea is to:
Link my account once per quarter.
Download the updates.
Immediately revoke access and change my password.
Repeat.
Am I missing a gotcha (I do not want on-going access to the accounts)?
Thanks for your thoughts.
1. Whatever aggregator you use, do the linking on a regular browser. Don't use the mobile app. This eliminates the possibility of malicious app code scraping things. The latest systems in iOS / Android to prevent webview scraping are good, and most apps don't even use those scary webviews anymore, opting to bump you into a session owned by the native browser (the app has no access to your cookies, keyboard inputs, etc). But there can always be a security hole.
2. Don't allow linking based on scraping. If there isn't an official read-only API, it's truly dangerous. There should be some kind of consent screen within your financial institution's website.
3. I prefer to use an aggregator that I pay for. I want to purchase a product, and not be the product.
4. Even with read-only access, being able to verify those little ACH test deposits is a scary vulnerability. It may not be as big a deal to you since you plan to de-link immediately. But it's a scary thing I've just decided to live with for now. I hope they exclude those from the read-only API one day.
Statistics: Posted by vfinx — Wed Jul 03, 2024 1:42 am — Replies 15 — Views 2474
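Added illustration of point 2 above (insist on an official consent screen rather than credential scraping); this is editor-supplied example code, not from the poster or any aggregator. When an aggregator hands you off to your institution's OAuth 2.0 consent page, the authorization URL carries a space-delimited `scope` parameter (RFC 6749) listing exactly what the aggregator is asking for. The script below parses that URL and flags anything beyond read-only before you click Allow. The scope names, the bank and aggregator hostnames, and the two sample URLs are all constructed assumptions; real institutions publish their own scope vocabulary, so adjust the two sets accordingly.

```python
"""Audit an OAuth 2.0 consent URL before approving an aggregator's access request."""
from urllib.parse import parse_qs, urlsplit

# Hypothetical scope names (assumption): each institution defines its own.
READ_ONLY_SCOPES = {"accounts:read", "balances:read", "transactions:read", "holdings:read"}
# Scopes that would let the token holder move money or change account settings.
HIGH_RISK_SCOPES = {"transfers:write", "payments:write", "accounts:write", "profile:write"}


def requested_scopes(consent_url: str) -> set[str]:
    """Return the set of scopes named in the URL's 'scope' parameter.

    RFC 6749 makes 'scope' a single space-delimited string; we also tolerate
    the parameter being repeated, since some servers accept that form.
    """
    query = parse_qs(urlsplit(consent_url).query)
    return {scope for chunk in query.get("scope", []) for scope in chunk.split()}


def audit_consent_url(consent_url: str) -> dict:
    """Classify the requested scopes.

    'ok' is True only when every scope is in READ_ONLY_SCOPES. A missing scope
    parameter is not ok either: you cannot tell what you would be granting.
    Anything unrecognised goes in 'unexpected' for manual review.
    """
    scopes = requested_scopes(consent_url)
    high_risk = sorted(scopes & HIGH_RISK_SCOPES)
    unexpected = sorted(scopes - READ_ONLY_SCOPES - HIGH_RISK_SCOPES)
    return {
        "requested": sorted(scopes),
        "high_risk": high_risk,
        "unexpected": unexpected,
        "missing_scope": not scopes,
        "ok": bool(scopes) and not high_risk and not unexpected,
    }


# Constructed sample URLs (not real institutions); the aggregator's redirect_uri
# and client_id are placeholders.
GOOD_CONSENT_URL = (
    "https://auth.example-bank.test/oauth2/authorize"
    "?response_type=code&client_id=agg123"
    "&redirect_uri=https%3A%2F%2Fapp.aggregator.test%2Fcallback"
    "&scope=accounts%3Aread+balances%3Aread+transactions%3Aread&state=7f3c"
)
RISKY_CONSENT_URL = (
    "https://auth.example-bank.test/oauth2/authorize"
    "?response_type=code&client_id=agg123"
    "&redirect_uri=https%3A%2F%2Fapp.aggregator.test%2Fcallback"
    "&scope=accounts%3Aread+transfers%3Awrite&state=7f3c"
)

if __name__ == "__main__":
    for url in (GOOD_CONSENT_URL, RISKY_CONSENT_URL):
        print(audit_consent_url(url))
```

Copy the consent URL from the browser address bar (point 1 above is why a regular browser helps here: the address bar is visible) and run the script on it. A scraping-based link has no such URL at all, which is itself the warning sign point 2 describes; and a request that includes a transfers or payments scope is exactly the exposure point 4 worries about, even when the aggregator calls itself read-only.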