Last week, in the middle of the first wave of snow that hit Seattle, I tried to download banking transactions from my credit union, BECU (once dedicated to Boeing employees), using Quicken 2006 for Mac and received an odd error. I assumed something had broken, staff was away, and gave up. But the problem persisted, and I sent email to the bank to find out why.
The answer was surprising, and it apparently took BECU some research, too. Quicken 2007 for Mac (the current release) and earlier versions lack support for a newer, ostensibly more rigorous method of ensuring that a secured Web site is really the site it claims to be. There’s a thread at the Quicken Community site about this BECU issue (scroll to the bottom for current messages).
Digital Certificates — Here’s the deal. BECU, like all financial institutions, uses SSL/TLS to protect connections between a Web browser or Quicken and its Web site. SSL/TLS connections use digital certificates designed to enable the exchange of a unique session encryption key that can’t be snooped upon.
A Web site obtains a certificate from a certificate authority (CA), such as VeriSign, and that authority uses a cryptographic process to sign the certificate. The CA’s signature can be checked against the CA’s own root certificates, which are preloaded into operating systems and browsers, to help users confirm they are really connected to the proper site.
Thus, when your browser requests the first page from a secure Web site, it first receives the site’s certificate and validates it by checking that the signature of the CA is valid. If so, the encrypted connection proceeds; if it fails, you’re warned. (For more intimate details, read Chris Pepper’s “Securing Communications with SSL/TLS: A High-Level Overview,” 2007-06-25.)
BECU started using an Extended Validation (EV) certificate from VeriSign right when I started having problems. EV certificates are intended to solve a problem of identity and trust. When a CA issues a normal certificate, they perform very little validation that the person asking for the certificate is the correct entity.
That can allow criminals to obtain certificates that fraudulently associate a company name with another domain. If users check that certificate, they see the expected company name even if the domain is unfamiliar. (Click or double-click the lock icon in most Web browsers to display the certificate data, which shows the registrant’s name and a few other pieces of non-technical data.)
EV certificates require that the issuing CA perform much more extensive confirmation of the requesting person and organization, checking the ownership of the domain name for which the certificate is requested, and other factors. (Even with EV validation, SSL/TLS isn’t a perfect way to ensure security. Dan Kaminsky’s discovery of a flaw in DNS that made it possible for an attacker to provide an alternate IP address for a given domain name lookup – like www.tidbits.com – also showed how vulnerable SSL/TLS certificates were when DNS was vulnerable. See “Apple Fails to Patch Critical Exploited DNS Flaw,” 2008-07-24.)
A regular SSL/TLS certificate can cost $30 to $500; an EV certificate adds a few hundred dollars on top of that. It makes perfect sense that banks would opt for EV certificates to avoid any potential of misdirection or fraud.
In a Web browser, a site that uses an EV certificate typically shows extra information in the location bar, often the name of the company in white on a green background. Firefox 3, Safari 3.2, Opera 9.5, Internet Explorer 7, and Google Chrome are among the browsers that support EV. (For more information on EV certificates and Web browsers, see Rich Mogull’s “Are Safari’s New Anti-Phishing Features Useful?,” 2008-11-18.)
Quicken’s Problem — Quicken 2007 for Mac and earlier versions apparently lack the necessary smarts to handle an EV certificate correctly. This is confusing, because EV doesn’t change the SSL/TLS protocol itself – it adds an extra field to the certificate, which otherwise works like any regular certificate. Older browsers work just fine with EV certificates, even when they can’t interpret the extra information.
This likely means that Intuit has a bug in Quicken’s SSL/TLS processing system that’s triggered by an EV certificate’s extra data.
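To make the two points above concrete (a client checks the certificate, and EV is only an extra field in it), here is an added Go example that is not from the article, from BECU or from Intuit: it issues a self-signed test certificate carrying the certificatePolicies extension that marks EV, then contrasts a client that rejects any extension it doesn’t recognise with one that, as X.509 requires, rejects only unknown critical extensions. The EV policy OID, the host name and the set of “known” extensions are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Constructed EV policy OID (real CAs each have their own), carried in the standard certificatePolicies extension 2.5.29.32.
var evPolicy, oidCertPolicies = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1, 1}, asn1.ObjectIdentifier{2, 5, 29, 32}
// Extensions a pre-EV client understands (constructed subset); certificatePolicies is deliberately absent.
var knownExts = map[string]bool{"2.5.29.19": true, "2.5.29.15": true, "2.5.29.17": true}

// issueCert makes a self-signed test cert for host; withEV adds certificatePolicies as an EV-issuing CA would.
func issueCert(host string, withEV bool) (*x509.Certificate, error) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if withEV {
		val, _ := asn1.Marshal([]struct{ Policy asn1.ObjectIdentifier }{{evPolicy}})
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidCertPolicies, Value: val}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// accept models a client's extension handling after the signature check: X.509 makes an unknown extension
// fatal only when it is critical, but a strict client that also rejects unknown non-critical ones fails on the EV field.
func accept(c *x509.Certificate, strict bool) bool {
	for _, e := range c.Extensions {
		if !knownExts[e.Id.String()] && (strict || e.Critical) {
			return false
		}
	}
	return true
}

func main() {
	c, _ := issueCert("online.example.test", true)
	fmt.Println("strict:", accept(c, true), "correct:", accept(c, false)) // strict: false correct: true
}
```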
BECU’s statement (sent in email as part of their customer service response to me) reads, “We have contacted Intuit and are actively working on a solution to accommodate our Quicken for Mac users. I apologize, but at this time we do not have an ETA on when this function will be available for you again.”
A Quicken spokesperson that I contacted explained that they are aware of the problem, and have a fix in the works. They’re already working with BECU – as the credit union said – to test the patched version. But, the spokesperson noted, few banks are using EV certificates yet for this purpose, and other banks’ plans are far enough off that a patched version will be available before they switch.
Intuit said that the fix is in testing, and will be released “as soon as possible, within the next couple of months.” I can see how the company doesn’t want to over-promise, but I hope it’s sooner rather than later. A “couple of months” is a long time to be without online banking.
While the problem affects all recent versions of Quicken for Mac, Intuit is committing only to a fix for Quicken 2007, although the spokesperson said the company would like to cover multiple previous releases, too.
In a follow-up email from BECU customer support, I was told, however, that Intuit had told BECU that they would not be updating Quicken for Mac, and that a new package called Quicken Financial Life for Mac would be its replacement, and include EV support. This new package is due in mid-2009; it’s in beta testing now. I expect that the response I got from Intuit is more accurate, but that BECU was also told that newer software would be on the way.
BECU also said that they’re moving from the OFX (Open Financial Exchange) format, which is over a decade old, to the QFX (Quicken Financial Exchange) format, which is derived from OFX but adds Quicken-specific extensions. QFX can be imported directly by older versions of Quicken for Mac.