Well, if they have my login and pw, they still need an auth token from my phone.  So, after they spoof my phone##, they can finally login into my Vanguard account.  Now, they put the order to liquidate.  OK, that doesn't happen immediately, so they also need to get the login/pw from my gmail account and again spoof my phone number for two step auth.  Then they can intercept the emails and I wouldn't know my funds got liquidated.

 

So, yes it is concerning that one user had continued login attempts to update his account, however, in the grand scheme of things, I'm not too worried.  Use a program like Lastpass and two step auth and you should be fine.

 

Speaking of 2FA, I've found that many if not most aggregators (including PC, Mint, TIAA 360, Filethis, Quicken, et al) don't play well with 2FA.  Or more accurately, 2FA doesn't play well with them.  It's a constant battle getting messages about "your bank is asking for a confirmation code" etc.

As far as giving these aggregators the keys to the kingdom (i.e., your login credentials) the only bank I know that does this right is CapitalOne 360.  They allow you to generate a token that can be used by aggregators to gain READ-ONLY access to your account.  This is, or at least could be, critical.  You don't need to give the aggregator your real signon password, so no hacker or rogue employee could ever mess with your accounts.

 

 

I used Quicken for many, many years and really liked it.  When I moved to Mac and they started the subscription model I dumped them.

I use iBank now.  It's ok.  Not as good as the old Quicken versions, but very usable.

I have used Mint and Personal Capital, but they kept having troubles downloading all of my accounts; especially Vanguard.  So I don't use/like them.

For my annual summary, I just use Excel.