I want to know more about what financial login information HelloWallet retains about me after I add an account. Does HelloWallet either:
A) Retain my financial institution login information in a manner allowing my password to be retrieved (even if the data storage is encrypted)
B) Retain my financial institution login information in a manner that doesn’t allow my password to be retrieved (such as storing a salted and hashed version of the password such as salt + SHA256(password) or some variant)
C) Not retain my financial login institution information at all but instead retain a unique token issued by the financial institution that is used to retrieve my information that expires when I change my password at the financial institution.
D) Some other type of data retention / authentication.
Great question! The answer is C, but the token comes from Yodlee not directly from the financial institution.
We partner with Yodlee to provide aggregation services for an individual’s financial accounts. We are extremely confident in Yodlee’s security. They are not just a typical technology provider. Your bank probably uses Yodlee services. In other words, people have probably used Yodlee without even knowing it. A few hundred financial institutions use Yodlee. Citibank uses Yodlee, as does JPMorganChase and Bank of America. Yodlee is examined by a multi-agency group led by the Office of the Comptroller of the Currency (part of the US Treasury). The work is guided by the FFIEC (Federal Financial Institutions Examination Council) IT Examination Handbook. Yodlee provides support for accessing account information at thousands of financial institutions.
This is currently how an account is linked using Yodlee. A HelloWallet user selects a financial institution from a list within the HelloWallet application. HelloWallet provides this financial institution name to Yodlee, which in return provides the form input requirements specific to that institution. The form is then generated dynamically by our app and presented to the user. The user enters the credentials on this form and the form values are sent via HTTPS from the client browser to HelloWallet and then on to Yodlee in real time. All data are encrypted in transit. Besides encryption, we also have controls in place between our servers and Yodlee’s, including co-brand authentication and source IP-based access control. While the input form is generated by us, we do not store the provided form values in our environment. Also, the Yodlee API we use does not permit the movement of money; it only allows read-only access to information. Not even the individual user can move or initiate the movement of money using HelloWallet.