Someone May be Getting Your Online Bank Statements

Someone has been logging into my online banking account.

Yesterday, after working with my bank to get to the bottom of this I finally found out who was doing it -- and I was dumbfounded.

I first noticed the clandestine activity on Tuesday morning after I had received an e-mail message from my bank. The note confirmed receipt of a request, sent from my online account, to change how my banking statements are delivered. As I had made no such request, I found this somewhat disconcerting.

I immediately logged into my account to see what was going on.

That's when I saw it: In the upper right hand corner of the account summary screen was a status update I'd never noticed before. It read:

Last logged in: 05/03/11 at 2:34 AM.

Everyone in my household had been in bed at that hour, and all of our computers were turned off.

Uh-oh.

As I trolled through my bank accounts, I braced for the worst. But a review of my accounts showed nothing out of the ordinary. There were no suspicious account transfers. No withdrawals. No attempts to change my password or mailing address. But someone had requested a change in my bank statement delivery option and logged into my computer at 2:34 AM that very day. If not a hacker, then who? And if not to steal, then why?

I immediately changed my password and challenge questions and called the bank's online group.

Identifying the Perpetrators

The answer to the banking-statements-request mystery came first. The bank, interested in getting more people to abandon paper statements, had put a one-time message on the login screen asking customers to indiate a preference. It wasn't a pop-up or splashed message, however. Because it wasn't flagged in any way, I probably didn't notice it. And when I entered my account ID and password and hit the RETURN key, the online banking system selected the default option - paper statements - and processed it as a request.

OK, but what about the unauthorized login to my account at 2:34 AM? The online support representive had a question at the ready. "Do you use Mint or Quickbooks?" No, I said, but I do use Quicken for personal finance. Then she explained: If you use the automatic update feature, Quicken downloads your statements from the bank every night, generally between the hours of 2:00 and 3:00 AM.

But my computer was turned off, and, when I do download statements, there's nothing automated about it: Quicken forces me to go through several steps, including entering a master password to open its password vault, which contains my banking user name and password. Only then does it attempt to download my statements.

So the bank's IT group researched the IP address from which the login came. But when she called back later that day the answer left me speechless: The login request was initiated from a server in the intuit.com domain. Intuit, of course, is the maker of Quicken.

Then I remembered: When you ask Quicken to download your statements from your online banking account using Express Web Connect, Intuit downloads your statements from the bank and onto computers its own data center. When I later run Quicken on my PC and authenticate, apparently with my bank, to download my statements, I am actually downloading the data from Intuit's servers.

Intuit is the middleman. Not only does Intuit pull my statements from the bank, based on my decision to enable the one-step update feature in Quicken, but my bank even pays Intuit for the service.

I described how Intuit acts as the middleman with your banking data in a prevous blog. But I thought Intuit pulled down my bank data only when I requested it. Apparently not. According to the bank this process takes place every night between 2 and 3 AM.

Now that I know who comes knocking every night I feel a little bit better. But it would be nice if all of his were disclosed more clearly to the customer when they enable the automated download feature.

Dear Quicken User: Would you like to use our cool automated updates feature, which authorizes Intuit to download all of your financial statements to its secure servers so that we automatically update all of your accounts from all of your financial institutions at once? Or would you prefer to download individual statement update files directly from your financial institutions and import them one at a time?

So who's been logging into your accounts? Now you know.

I appreciate the convenience of Intuit's service. I just wish I had fully understood the service delivery model before I signed up for it. And I'm going to keep using it. But it's still a bit creepy to think about automated servers in a third party's data center downloading all of my banking data in the middle of the night.

Subscribe to the Security Watch Newsletter

Comments