Is YNAB looking at my bank account while I sleep?
Hi everyone--
I've been using YNAB since November and I love it. I predominately use the mobile app on my phone and through a browser on my desktop.
I have a question, and I'm wondering if some of you can chime in, because my financial institution was no help at all.
I logged in to my bank account app via my phone last week and saw that there was a login to my account at 1AM. I was asleep at this time, so it definitely wasn't me. I look at my accounts--all the money is there and accounted for, and all recent transactions make sense. I call my bank's fraud line--they confirm that the login did occur, and that whoever logged in had my user name. I change everything: password, username, set up two step verification; run a scan on my phone for malware, there's nothing there. Okay, I think I've done a good job. Now of course, I have to re-link YNAB to my bank accounts. So I do that. Now every time I want the app to sync, I have to get a second verification. That's okay: anything for added security.
This morning, I log into my bank account through my app, and again someone has accessed my account at 3AM. I call the bank--again, all the money is there, nothing unusual, etc. But they can't confirm for me where the log in came from. I ask if maybe it's the app I'm using that is linked to my account, but they cannot confirm this because apparently they have never heard of such apps (because they are living under rocks?) and also don't track "known devices" in their login records. Both of these logins would have been from a known device.
Unfortunately I hadn't noticed these login times before last Friday and today, so I cannot tell you if this has consistently been happening since I started using YNAB or not. :-(
SO: Is YNAB using my username that I gave it for the convenience of linking, logging into my account in the wee hours of the morning? Thoughts? Guidance? Suggestions for financial institutions that don't keep me on a sub-par customer service call for 40 minutes so I can figure out a potential answer myself? I don't think I'm sleep-walk-checking my bank account in the middle of the night, but who knows...
Please help.
-
We're closing out Bank Importing threads in the forum to make sure these issues are better resolved.
Replies in this thread have been turned off, but if you’re having trouble with your bank, please fill out this form and our Direct Import team will help you get things back up and running! -
I would say, yes, most likely it is ynab(well really their direct connect partner) connecting to your account to check for transactions to download.
-
If you'd like to confirm, disconnect your account for a day or 2 and see if the log ins stop.
-
Herman Good suggestion, thank you!
-
-
I don't know if I can say definitively, but yes, I imagine that was YNAB checking for new transactions. That's how the direct import system works -- you provide the username/password to YNAB (well, technically to YNAB's import partner) and that partner uses that login to programmatically log into the banking site and look for new transactions.
Hopefully this won't always be the case -- some banks are rolling out APIs so (long term) you could provide YNAB with an API key instead of the username/password, but it greatly depends on the bank, and my impression is most US-based banks are pretty backwards/behind.
The current login to the bank's website / parsing the page for new transaction system is just the state of the industry at the moment as far as I understand it.
-
Ben Thanks for chiming in. APIs are something to look forward to!
-
-
Yes, absolutely. I have one of my bank accounts set up to email me whenever the account is accessed, and all the live-long day I get emails about it. I know that's just YNAB happily updating in the background.
-
bevocat Awesome--nice to know I'm not somehow logging in during sleep.
-
Aquamarine Grizzly Now, now, I didn't make any claims about what you were or were not doing in your sleep. That assumes facts not in evidence. 😄 I was merely confirming that YNAB does access your accounts in such a way. For all I know, you could also be engaging in somnambulistic budgeting!
-
-
Hi Aquamarine Grizzly !
Our Direct Import partner is a third party we use for data aggregation. In other words, they communicate with financial institutions to gather transactions—then pass 'em along to us, so you can import them.
The Direct Import partner does need to store your credentials in order to use them to connect to your financial institution to import transactions—but they are encrypted for your protection. They have significant experience handling sensitive information like this as an aggregation provider, but if you are uncomfortable for any reason, the Direct Import feature is completely optional.
The system checks for newly cleared transactions every night during a nightly refresh, and it sounds like that's what's going on here. If you have the IP address, we can confirm whether or not that connection attempt was one made by our Direct Import partner.
Did the security alert or your bank have that information? We’ll also need to know the name of the financial institution this is for.
-
Hey Nicole --thanks for reaching out.
The institution is Wells Fargo, and they were totally baffled. Even though they could see that the login had occurred and that the information had been correct (right Username), they could not confirm that the access had been made by a party not myself (hence my suspicion that I am sleep-walk-checking my budget, though I *really* feel like that's not the case). I'm not getting any emails from WF confirming that I am trying to login, so it must appear to their server that it's business as usual.
However, since I set up two step verification last Friday, my YNAB often tells me it's lost the connection with my bank. I have to try to log in to my WF account, and then go back to YNAB and have an access code sent to me from the app to I can verify and re-link. But the connection seems to be lost the next day. So I'm guessing that second step is interrupting YNAB from auto-populating...but I'm also not getting a notice from my financial institution telling me this third party is checking my account...so it's very confusing. And the WF rep I spoke to had no idea what I was talking about when I tried to describe the YNAB app, so they were clueless when I suggested maybe it was that.
I have taken @herman 's suggestion and unlinked my account to YNAB. Will check over the next few days and see if the activity is still there.
I'm mostly baffled that I've been using the app for several months and didn't notice these log ins earlier. How unobservant!
-
Aquamarine Grizzly It's odd that Wells Fargo doesn't have anymore details. Their system has to recognize who's making an access attempt, but maybe that's information only certain people on their end can see (like the tech department)?
Two factor authentication does tend to break the direct import connection. It requires a passcode or other re-authentication method before new transactions can import.
I second those above, it was most likely our Direct Import partner, but I hope your experiment gives you a more definitive answer! :)
-
Faness I thought it was weird, too! It basically felt like they didn't believe me when I told them it wasn't me logging on. They also weren't being explicit about what they could see--probably because the people I was speaking to couldn't see a lot of details due to security. Ah--the whole thing was frustrating.
Anyway, I'll be checking through out the week to see if those early AM logins occur.
-
Aquamarine Grizzly Definitely let us know! We do check for transactions each night in the overnight hours, and then each time you login if it's been more than 8 hours.
We can always send a list of timestamps over to our Direct Import partner for review, and they can see if it matches on their end, but the only way to officially confirm their activity is via IP address. I'd agree, it does sound like our Direct Import partner though!
-
Chrissy this is kind of a random question, since I don't use direct import, but based off what you said about checking for transactions when the user logs in if it's been more than 8 hrs, what happens if the user never really logs out? Between having the mobile app as the primary way I interact with YNAB, and something about how I have settings on my computer browser, I can't remember the last time I had to enter my password for YNAB to access it.
If I did use direct import, would it only check once a day early in the morning?
-
adriana01 That's a good question. I do use DI extensively for my on budget accounts and I usually just leave the web version open in my browser. I just checked my links and they said last updated 15 hours ago. I then refreshed the page and then a little later, new imports showed up and then when I check my links, they say they were last updated at about the time I refreshed my browser. That's a good thing for me to remember to refresh my page to see updated info.
-
Hi adriana01 !
That's a great question! Like Superbone mentioned, a refresh can trigger the import as well as switching to or opening a different budget. If you're always logged in and the page doesn't refresh, or time-out, or update (anything that essentially causes the page to re-load) the 8-hour check may not occur but the nightly refresh would still take place.
-
Faness Good to know! Thanks!
-
adriana01 Sure thing! :)
-
