Choosing an Online Account Aggregator

mrviner

Hi, I've been using Egg Money Manager to see all my online bank accounts in one place for a few years now. I find it a bit clunky and am sick of needing Internet Explorer to use it so I'd like to move on to something better.

I've found 6 services in the UK which apparently do the same job:

• www. lovemoney.com/onlinebanking/
• money.strands.com
• www. moneydashboard.com/
• www2.firstdirect.com/1/2/ourservices/internet-banking-plus
• yodlee.com/ymc_home.shtml
• www. ewise.com.au/accunity/aa/home.asp
  

my questions are:

• which do people recommend?
• which is most established/popular/reliable?
• what different features do they provide?
• do some of them share backend technology?

Thanks!

premierfella

There have been a number of threads on account aggregators, which usually end up in a discussion about security issues and breaching bank terms and conditions.

The only one on your list I haven't really looked at in the past is moneystrands, the reason being that it uses Yodlee as the backend and Yodlee itself is perfectly servicable (although there are a fair number of smaller UK banks and building societies not on Yodlee's list).

LeeSouthEast

There was a good one, but it went under a while back. Can't even remember what it was called now! But I agree, I don't trust anyone with my login details except me. I aggregate myself in Excel

KingElvis

If you know systems infrastructure and how it works, the security implications of giving your details to a third party are immense.

I have worked in these systems for over twenty years and would never, ever give my details ESPECIALLY over the Internet...https 443 be damned.

I wouldn't be able to sleep at night.

LeeSouthEast

SSL/TLS is all very well, but that only covers data in transit (ignoring MITM for the minute). You'll find I suspect all of them would store your details unencrypted on the other end. No thanks!

KingElvis

LeeSouthEast wrote: »

SSL/TLS is all very well, but that only covers data in transit (ignoring MITM for the minute). You'll find I suspect all of them would store your details unencrypted on the other end. No thanks!

Agreed, I shudder to think about the back end systems and its security and integrity, no to mention the people who work on them :eek:

heloid

Ok guys, paranoia overtaking rational thought.

None of them store your details unencrypted on the other end, internet security 101, reputable sites (like even this site!) have got that down, they store a hash version of your password etc.
Almost all store your details in an encrypted container on your PC so if someone gets your login details they still can't use the account fraudulently unless they're in your house (do you trust your family members? ) or robbed you of it.
HTTPS is very secure (why do all banks use it otherwise??), browser implementations of the protocol are where it is let down however. If you're using a browser released in the last year you are perfectly safe. Given the time and effort it takes to break in to to https/SSL it's very unlikely you'll be the target of a random attack, someone would have to pick on your specifically.

No standard phishing attack will hurt you unless you use the same password for everything.

I'm not saying these things are safe but they aren't as bad as people make them out to be.

KingElvis

^^ would you use one?

heloid

I use First Direct's and I have no issues doing so. I know the risks of it's use and I think they're acceptable (working in the IT risk and security department of a financial institution helps I guess). Mainly because I look after my laptop and I know I can do it properly. Also I am the only person who uses it. Also I trust First Direct, probably not the other ones (although Egg use the same software I think).
If I used a family computer or a public computer (no way in hell) I'd have more misgivings certainly.

Olipro

arguably the biggest player in this market is Yodlee - http://moneycenter.yodlee.com (supports US and UK accounts)

They basically provide their system to most other aggregation services, including Lovemoney, although it is worth noting that these "middle-men" tend to customise it a bit so it is also entirely possible that you would find you prefer lovemoney.com's offering to the original Yodlee. there's also moneydashboard.com which again, uses Yodlee.

Given that it's free to sign up to them all, I'd say to just register and see how you like the overall layout then decide which one you'll add your accounts to.

mrviner

heloid wrote: »

I use First Direct's and I have no issues doing so. I know the risks of it's use and I think they're acceptable (working in the IT risk and security department of a financial institution helps I guess). Mainly because I look after my laptop and I know I can do it properly. Also I am the only person who uses it. Also I trust First Direct, probably not the other ones (although Egg use the same software I think).
If I used a family computer or a public computer (no way in hell) I'd have more misgivings certainly.

So does First Direct (like Egg) use ActiveX, i.e. require IE then? Are there any services that don't use ActiveX/Internet Explorer? If so what do they use on the client side?

heloid wrote: »

Ok guys, paranoia overtaking rational thought.

None of them store your details unencrypted on the other end, internet security 101, reputable sites (like even this site!) have got that down, they store a hash version of your password etc.
Almost all store your details in an encrypted container on your PC so if someone gets your login details they still can't use the account fraudulently unless they're in your house (do you trust your family members? ) or robbed you of it.
HTTPS is very secure (why do all banks use it otherwise??), browser implementations of the protocol are where it is let down however. If you're using a browser released in the last year you are perfectly safe. Given the time and effort it takes to break in to to https/SSL it's very unlikely you'll be the target of a random attack, someone would have to pick on your specifically.

No standard phishing attack will hurt you unless you use the same password for everything.

I'm not saying these things are safe but they aren't as bad as people make them out to be.

Thanks for your viewpoint heloid, as a developer I think I agree with you.

In my understanding there are two types of encryption: reversible and non-reversible.

Passwords will be stored on a server (like for this forum) in a non-reversible way called a hash.

A toy example of a hashing process that is non-reversible: "convert each letter to a number (A=1, B=2, ...) then add all the numbers up. It's impossible to go back from a hash of say 27 to a password, because it could have come from 'AZ' (1+26) or 'ABX' (1+2+24) etc etc. Then when you type in your password to login the same process is done on that and it checks if it's equal to the the stored hash. This is why you should never trust a website that will email you your password, it means they still have it stored in recoverable plaintext form. Whereas a best practice site will not know your password.

A service that logs in to your online bank accounts (whether from a server or software on your PC) cannot use this style of encryption, because they need the plaintext password to login for you. They encrypt your bank password using another password you give them. For this reason, use a strong, unique password for your aggregation software.

Anyway, thanks for the advice so far, thought I'd return the favour with that little explanation :-)