Is YNAB looking at my bank account while I sleep?
I've been using YNAB since November and I love it. I predominately use the mobile app on my phone and through a browser on my desktop.
I have a question, and I'm wondering if some of you can chime in, because my financial institution was no help at all.
I logged in to my bank account app via my phone last week and saw that there was a login to my account at 1AM. I was asleep at this time, so it definitely wasn't me. I look at my accounts--all the money is there and accounted for, and all recent transactions make sense. I call my bank's fraud line--they confirm that the login did occur, and that whoever logged in had my username. I change everything: password, username, set up two-step verification; run a scan on my phone for malware, there's nothing there. Okay, I think I've done a good job. Now of course, I have to re-link YNAB to my bank accounts. So I do that. Now every time I want the app to sync, I have to get a second verification. That's okay: anything for added security.
This morning, I log into my bank account through my app, and again someone has accessed my account at 3AM. I call the bank--again, all the money is there, nothing unusual, etc. But they can't confirm for me where the login came from. I ask if maybe it's the app I'm using that is linked to my account, but they cannot confirm this because apparently they have never heard of such apps (because they are living under rocks?) and also don't track "known devices" in their login records. Both of these logins would have been from a known device.
Unfortunately I hadn't noticed these login times before last Friday and today, so I cannot tell you if this has consistently been happening since I started using YNAB or not. :-(
SO: Is YNAB using my username that I gave it for the convenience of linking, logging into my account in the wee hours of the morning? Thoughts? Guidance? Suggestions for financial institutions that don't keep me on a sub-par customer service call for 40 minutes so I can figure out a potential answer myself? I don't think I'm sleep-walk-checking my bank account in the middle of the night, but who knows...
I don't know if I can say definitively, but yes, I imagine that was YNAB checking for new transactions. That's how the direct import system works -- you provide the username/password to YNAB (well, technically to YNAB's import partner) and that partner uses that login to programmatically log into the banking site and look for new transactions.
Hopefully this won't always be the case -- some banks are rolling out APIs so (long term) you could provide YNAB with an API key instead of the username/password, but it greatly depends on the bank, and my impression is most US-based banks are pretty backwards/behind.
The current login to the bank's website / parsing the page for new transaction system is just the state of the industry at the moment as far as I understand it.
Hi Aquamarine Grizzly!
Our Direct Import partner is a third party we use for data aggregation. In other words, they communicate with financial institutions to gather transactions—then pass 'em along to us, so you can import them.
The Direct Import partner does need to store your credentials in order to use them to connect to your financial institution to import transactions—but they are encrypted for your protection. They have significant experience handling sensitive information like this as an aggregation provider, but if you are uncomfortable for any reason, the Direct Import feature is completely optional.
The system checks for newly cleared transactions every night during a nightly refresh, and it sounds like that's what's going on here. If you have the IP address, we can confirm whether or not that connection attempt was one made by our Direct Import partner.
Did the security alert or your bank have that information? We’ll also need to know the name of the financial institution this is for.