Here’s a summary of the user’s concerns and potential solutions discussed:
- Main Problem: The user is concerned that during a view-only OAuth setup with Fidelity, full account and routing numbers are being shared, which could imply a risk of granting write access instead of just view access.
- Solution Discussion: The user questions why this sensitive information is not masked or hashed and wonders if the developers can change this feature to enhance security.
Achaar0000
01/14/2024 at 08:33:10 PST
I started the process of connecting my Fidelity accounts to Simplifi/Quicken. Fidelity allows this via OAuth, and I can grant view-only access. While reading legalese in the release, I found some alarming language: “Full account number and routing number for your eligible Fidelity accounts in a form that can be used for ACH transactions (electronic debits and credits) to and from your eligible Fidelity account(s).”
Question: Why is this information passed on, in view-only OAuth setup? Why can’t the developers mask or hash this information? If all the routing codes are passed on, then they are in effect granting a form of write access during view-only setup. This makes no sense. Can it be changed by the user?