Mint.com in 2010 – Is it Safe?

UPDATE: When you’re done reading this article, please check out the How I Would Try to Hack your Mint.com account article and the follow-up posting for additional comments.

To date there have been security concerns and questions identified around mint.com. This article is an attempt to objectively research some of those concerns, separate fact from fiction, and make recommendations where appropriate. My initial answer to “is Mint.com safe” is both no and yes, depending on what you’re concerned about and what safe means to you.

Mint.com has been around since 2005 according to their website. I’d been hearing more about it over the last year or two. I started researching concerns with their offering starting 3/3/2010. For the purpose of this posting I’ll assume you’re already familiar with what Mint.com is (or you can learn more and then come back.)

Most of the initial articles I found were older, and discussed security issues that either seemed to have been addressed or were no longer relevant. As Intuit bought Mint.com in the fall of 2009, there seemed to be a lot more information about the acquisition than anything else. A word of caution – don’t confuse any frustration you might feel over the acquisition with the viability and security of the solution itself.

Mint.com User Account Management

Registration Process and Password Length

The current registration page asks for email, zip code, and password. There is no information or recommendations on the registration page for best practices for the user account or password, although the user does receive feedback on the strength of the password. A zip code entry was required, and the page performed format validation on the zip code field as well. When using a Firefox plug-in to view details about the form, additional hidden fields found included time zone, browser type, OS, and a reference to “isYahoo.”

According to an employee forum post, Mint.com requires your Zip code in order to provide accurate categorization of spending and to determine the time zone in order to send timely alerts[1]. Presumably this means Mint.com is unable to accurately categorize transactions if it doesn’t know what Zip code you live in, and will not be able to effectively send you email and text alerts.

Validation for a valid-looking email address was performed, although confirmation of a valid email address was not performed. Further, a registration email was not sent to the account to complete the registration. The new account registration was taken directly to the new account for financial accounts setup. As a result, there was nothing preventing registering another person’s email address.
Passwords were determined to require a minimum of 6 characters and no more than 16 characters. Mixed case and special characters were allowed. Basic password strength checking appeared to be performed. The password “password” was not allowed and flagged red as “bad,” while the password of “password1” was flagged as green and “ok.”
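
The strength meter described above rated “password1” as ok, which is the weakness a dictionary-aware check catches. The following is an added example, not code from this article or from Mint.com, of a scoring function that returns a five-step scale rather than a binary bad/ok and treats a common word with digits or symbols bolted on (including “P@ssw0rd1”-style substitutions) as bad regardless of length or character mix. The word list, thresholds, and labels are constructed for illustration; a real deployment would check against a large breached-password list.

```python
import re

# Constructed sample of common base words; a real deployment would check
# against a large list of breached passwords instead.
COMMON_WORDS = {"password", "letmein", "qwerty", "welcome", "mint", "123456", "abc123"}

MIN_LENGTH = 6                      # the minimum the article observed on Mint.com
LABELS = ["bad", "weak", "ok", "good", "strong"]

# Undo common substitutions (@ for a, 0 for o, ...) so "P@ssw0rd" is still "password".
LEET = str.maketrans("@$0134", "asoiea")


def _base_words(pw: str) -> set:
    """Candidate dictionary words hidden in a password: the password itself, the
    password with leading/trailing digits and symbols stripped, and each of those
    with common letter substitutions undone."""
    stripped = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", pw)
    return {
        pw.lower(),
        stripped.lower(),
        stripped.translate(LEET).lower(),
        pw.translate(LEET).lower(),
    }


def score_password(pw: str) -> int:
    """Return 0..4 (an index into LABELS). Too short, near-constant, or built on a
    common word -> 0; otherwise points for length and character-class variety."""
    if len(pw) < MIN_LENGTH or len(set(pw)) <= 2:
        return 0
    if _base_words(pw) & COMMON_WORDS:
        return 0
    classes = sum(
        bool(re.search(pattern, pw))
        for pattern in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    )
    points = 0
    points += int(len(pw) >= 8)
    points += int(len(pw) >= 12)
    points += int(len(pw) >= 20)      # long passphrases earn credit without symbols
    points += int(classes >= 3)
    points += int(classes == 4)
    return min(points, 4)


def strength_label(pw: str) -> str:
    """Human-readable label for the registration form's meter."""
    return LABELS[score_password(pw)]


if __name__ == "__main__":
    for sample in ("password", "password1", "P@ssw0rd1", "sunshine", "Tr0ub4dor&3",
                   "correct horse battery staple"):
        print(f"{sample!r:34} -> {strength_label(sample)}")
```

Note that the function imposes no upper length limit; the 16-character cap the article observed only discourages the long passphrases that score best here.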

Forgot Password Process

The forgot password mechanism asks for an email address, appears to check if the email is associated with a valid Mint.com account, and provides indication if it is not. This provides an opportunity to determine what email accounts have been registered with Mint.com. An email is sent to the submitted email account, containing a reset link. Clicking on the link provides a form to enter a new password. No challenge questions are provided or asked during the process. The reset email states that it is valid for 24 hours. Failed attempts to use the reset link after the 24 hour period seem to confirm that statement.

No Account Lockout

There does not appear to be an account lockout mechanism for multiple failed login attempts. Twenty successive login attempts against a valid account returned an error page but did not prohibit or prevent additional login attempts, nor did it send email notification to the account in question notifying of the multiple failed attempts. The registration process will indicate if you are trying to sign-up with an email that already exists. This means there is a mechanism to determine if specific accounts exist. Combined with the lack of account lockout, there is the opportunity to brute-force a Mint.com account.
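
Taken together, the behaviours described in this section (registration with no email confirmation, a forgot-password form that reveals whether an address is registered, and no lockout or notification after repeated failures) are what a defender would address first. The following is an added example, not Mint.com’s code or anything from this article, showing one way an account service can give the same answer to registration and reset requests whether or not the address exists, require an emailed confirmation token before an account is usable, keep reset tokens hashed and expire them after 24 hours, and temporarily lock an account after repeated failed logins while notifying its owner. The class names, thresholds, and the in-memory `outbox` that stands in for email delivery are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed thresholds for the illustration; tune to the site's risk appetite.
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60
RESET_TOKEN_TTL = 24 * 60 * 60        # the 24-hour validity the article observed
GENERIC_LOGIN_ERROR = "Invalid email or password."


@dataclass
class Account:
    email: str
    pw_hash: bytes
    salt: bytes
    confirmed: bool = False           # unusable until the emailed token is presented
    failed_attempts: int = 0
    locked_until: float = 0.0


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AccountService:
    """Hypothetical in-memory account store; `outbox` stands in for email delivery."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.accounts = {}            # email -> Account
        self.pending_confirm = {}     # confirmation token -> email
        self.reset_tokens = {}        # sha256(reset token) -> (email, expiry)
        self.outbox = []              # (recipient, message) pairs

    def register(self, email: str, password: str) -> str:
        """Same reply whether or not the address is already registered, so the
        form cannot be used to enumerate accounts; only the mailbox owner gets
        the token that activates the account."""
        email = email.lower()
        if email not in self.accounts:
            salt = secrets.token_bytes(16)
            self.accounts[email] = Account(email, _hash(password, salt), salt)
            token = secrets.token_urlsafe(32)
            self.pending_confirm[token] = email
            self.outbox.append((email, f"confirm:{token}"))
        else:
            self.outbox.append((email, "notice: a registration was attempted with your address"))
        return "Check your email to finish registration."

    def confirm(self, token: str) -> bool:
        email = self.pending_confirm.pop(token, None)   # single use
        if email is None:
            return False
        self.accounts[email].confirmed = True
        return True

    def login(self, email: str, password: str) -> str:
        acct = self.accounts.get(email.lower())
        now = self.clock()
        # Hash even for unknown accounts so response time does not reveal existence.
        candidate = _hash(password, acct.salt if acct else bytes(16))
        if acct is None or not acct.confirmed or now < acct.locked_until:
            return GENERIC_LOGIN_ERROR
        if hmac.compare_digest(candidate, acct.pw_hash):
            acct.failed_attempts = 0
            return "OK"
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            # Temporary lock plus a notice to the owner; the article found neither.
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failed_attempts = 0
            self.outbox.append((acct.email, "notice: repeated failed logins; account temporarily locked"))
        return GENERIC_LOGIN_ERROR

    def is_locked(self, email: str) -> bool:
        acct = self.accounts.get(email.lower())
        return acct is not None and self.clock() < acct.locked_until

    def forgot_password(self, email: str) -> str:
        """Uniform reply; the reset token is stored only as a hash and expires."""
        acct = self.accounts.get(email.lower())
        if acct is not None:
            token = secrets.token_urlsafe(32)
            digest = hashlib.sha256(token.encode()).hexdigest()
            self.reset_tokens[digest] = (acct.email, self.clock() + RESET_TOKEN_TTL)
            self.outbox.append((acct.email, f"reset:{token}"))
        return "If that address is registered, a reset link has been sent."

    def reset_password(self, token: str, new_password: str) -> bool:
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.reset_tokens.pop(digest, None)     # single use
        if entry is None:
            return False
        email, expires = entry
        if self.clock() > expires:
            return False
        acct = self.accounts[email]
        acct.salt = secrets.token_bytes(16)
        acct.pw_hash = _hash(new_password, acct.salt)
        acct.failed_attempts, acct.locked_until = 0, 0.0
        return True
```

The lockout is deliberately temporary and the login reply stays generic even while locked: a permanent lock on failed attempts would let anyone deny a user access to their own account, and a distinct “locked” message would reintroduce the account-existence leak the uniform replies remove. The `clock` parameter exists so expiry and lockout can be exercised without waiting.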

Mint.com EULA and Privacy Statements

Mint.com Terms of Service (TOS)

The Mint.com TOS includes statements addressing liability, responsibility, and what they can do with your information. Mint.com makes money via referrals from advertising and 3rd parties. The identified statements however mean:

  • Intuit is not responsible for the validity, accuracy, truthfulness, consistency, or practices of 3rd parties they present to their users, including ones Intuit sponsors[2].
  • If you post something to the mint.com forums, Intuit can do whatever they want with it, including license it to someone else and/or make money with it[3].
  • If you incur some type of financial loss, identity theft, etc. as a direct result of Intuit’s site or practices, it’s not their fault, you agree to never hold them accountable, and Intuit will never owe you more than $500 as a result[4].

Power Of Attorney

The terms of use page includes a statement about appointing Intuit as your attorney-in-fact[5]. According to an explanation from mymoneyblog.com this means:

“…without this clause, Mint could not perform their intended service of being a one-stop shop for all of your online financial accounts. They would essentially have to walk up to every single site and ask for permission to be an official portal for them, yet at the same time be released from liability…you are basically giving up some of your rights in exchange for the convenience of having all your accounts checked for you at once. If you are worried about something going wrong with either Mint, a rogue employee, or a malicious hacker getting access to your personal information, then you might consider limiting what accounts you link.”

Privacy Statements

Use and disclosure of your personal information includes:

  • Use for market research.
  • Providing it to third-party contractors that provide services to Intuit and are bound by these same privacy restrictions.
  • Your email address may be provided to a co-brand partner as needed.

Mint.com claims the following as its capabilities to protect your account security and why you’re “safe and secure with mint.com”:

  • Mint.com uses 128-bit SSL encryption and 24/7 physical security.
  • You cannot move money.
  • You register anonymously.
  • Our alerts increase your financial security.

The first and second claims appear to be legitimate, assuming physical security can be verified. The current Mint.com interface does not provide a mechanism to directly manage account transfers.

The third claim could be false, as this is not a strict control. You can register anonymously, but if you use an email account that contains your name, that is not anonymous. There is also the possibility later on to provide personal and demographic data. So while it is possible to have an anonymous email account, there is no enforced anonymity, and if you do provide additional information, anonymity is no longer absolute.

The fourth claim is false from an account security perspective. While it is true that their alerts can help address fraud and identity theft, it does not affect the protection of your Mint.com account or data.

Account and Data Deletion

With regards to account deletions I interpret the Mint.com security policy to mean that when requested, your account and credentials are deleted, the notion of a connection between you and the data they have about you is severed, and data from their primary servers is removed.  However[6],

  • Intuit will keep your data on any other systems, development servers, backups, etc.
  • They can also use the data however they see fit, indefinitely.

Bank and Financial Accounts

Financial Lockout

For testing I set up several financial accounts; most experienced no technical issues. The last account set up was a bank checking account. Like the other accounts previously configured, this account required the user to provide answers to challenge questions. I correctly entered three answers, and Mint.com began pulling data from the account. Sometime within the next hour, online access to the banking account was locked out, and I had no access to my bank account information. After spending approximately twenty minutes on the phone with the bank’s technical support, my account was found to have been disabled due not to authentication failures but to problems answering the challenge questions. Given that no other authorized users were accessing the account, and that it was highly unlikely that a hacker would have authenticated successfully but failed the challenge questions within the last hour, the assumption was that Mint.com’s data requests had somehow placed the account in a state such that it was forced to lock as a precaution.

Website Non-grata

Research identified various positions that financial institutions had regarding Mint. While I did not research every possible institution and their attitude and policies towards Mint.com, I did find direct reference to customer problems on bank’s forums and official statements including the following:

  • Access to customer’s accounts via 3rd parties such as Mint.com was not allowed, but export of data may be allowed.
  • Access to accounts such as checking was allowed, but other types of accounts were not (savings, credit, etc.)
  • Access was allowed but unsupported.
  • Several financial institutions had services similar to Mint.com’s and recommended using the bank’s services instead.

It’s likely that Mint.com generates additional technical support requests and issues for banks and the like, regardless if they support its use or not. In one instance I made an effort to elicit specific instructions and policies from a bank before attempting to connect an account to Mint.com. I asked what I needed to do to allow access to the account, what was allowed, and what I should avoid or do to prevent causing problems with my online access.

The response I received from the bank’s technical support was that the use of Mint.com was unsupported, that the bank was rolling out their own similar functionality, and that I should use the bank’s site instead. After several failed attempts to connect the account in question to Mint.com, I found a preference in the online account settings for said bank account. The settings had to be enabled to allow 3rd-party access to applications such as Quicken. Once enabled, Mint.com was able to pull data from the account.

General Security Concerns with Mint.com

Mint.com’s Security FAQs

The following is a summary distilled from Mint.com’s security FAQs page. Regardless of Intuit’s compensating controls, some simple answers are:

  • Mint.com does store your bank login information on their servers.
  • Some Mint.com employees can view your bank account numbers or credit card numbers.
  • Mint.com thinks you are not at greater risk of someone stealing your identity by using their service, based on the reasons they state.

Mint.com Security Compared to Online Banking

Mint.com indicates that they are as secure as other online banking, citing examples of the physical and encryption security they have implemented to “protect your identity and your financial information.” The controls are not uncommon, and for people familiar with data center facilities or hosting services, the physical controls mentioned would be considered the rule rather than the exception. I have also found posts from people stating they were Mint.com employees, and explaining that Mint.com uses Yodlee to facilitate data communications, as do other online banking services, and as a result users incur risk no greater than they already do when using online banking. From what I can tell, this is still a true and accurate statement.

Compromise of Mint.com

One concern cited is that Mint.com itself could be breached or compromised, resulting in exposure of users’ authentication information to their configured accounts. Thinking critically, a breach is not impossible. It is a matter of how probable this would be to occur, and what would have to happen. For example:

  • A physical breach of Mint.com’s servers or network.
  • A compromise via a website vulnerability.
  • A breach from within Mint.com itself via an employee, consultant, etc.

After the initial round of research, I could find no reference to where the Mint.com website(s) were hosted, who manages their physical security, specific security controls they use, or third-party reports such as PCI, NIST, or SAS 70 compliance. The statement of 24/7 security could mean that the doors and racks are always locked, or that there are armed guards and escorts at all times. As a result, as an average user of their services, the only evidence that I can find attesting to the quality of Mint.com’s physical security is their statement that it is safe.

There is specific information cited regarding website testing that is performed routinely against Mint.com:

“Mint.com has received the VeriSign security seal.”

This is a slightly disingenuous statement. The seal is not an award. When customers purchase an SSL certificate from Verisign, they can place the graphic of the seal on their website as a means to confirm that the certificate for the site is valid. Verisign’s FAQ on the topic states, “Site visitors click on the seal to verify your site information in real time…The VeriSign Secured Seal is included with your VeriSign SSL Certificate purchase. After you purchase your certificate, simply download and install the seal.” Mint.com continues:

“We also employ Hackersafe to test our site daily.”

The Hackersafe link redirects to a McAfee SECURE site report page. According to McAfee, the daily scan checks the Mint.com website for “possible personal information access, links to dangerous sites, phishing, and other online dangers.” This appears to apply to the website only, not to the technology, data, or functionality behind the site. The scan result is validation that Mint.com does not contain bogus or harmful links or scripts. It is not clear if the scanning applies to pages and content that are available after authentication, or if deeper testing and vulnerability is performed.

With regards to an internal breach, consider the following statistics:

  • According to the Ponemon Institute, 69 percent of organizations reported serious data leaks caused by either malicious employee activities or non-malicious employee error[7].
  • Specifically, according to the Computer Security Institute (CSI) in San Francisco, California, approximately 60 to 80 percent of network misuse incidents originate from the inside network[8].
  • When internal hacks occur, they tend to be nastier, with 50 percent blamed on IT staff themselves…honest network admins are obsessed with outdated ideas of perimeter security. Had data security been looked at within the network, almost nine out of ten data breaches could have been avoided[9].

The actual percentages are up for debate, but the concern is valid. Sources of serious breaches are more often insider attacks. These attacks are typically more damaging given the type of access typically afforded, and that they may go undetected for longer periods of time. If there were ever to be a breach of Mint.com itself it’s likely to be the result of an insider attack. This is another reason that third-party security validation can be beneficial.

However in several postings on Mint’s previous official forum, Mint.com employees explained why they are not required to be PCI compliant. Statements included,

  • We do not need to be PCI compliant because we don’t store credit card numbers.
  • “As has been discussed before, we don’t store credit card or bank account numbers. Usernames and passwords are also not stored on Mint.”
  • “Mint is GLB compliant.”

Other Mint.com statements however contradict the rejection of compliance, referencing how users’ bank credentials and credit card numbers are stored safely, and how they control employee access to that information[10].

The FTC states: the Gramm-Leach-Bliley(GLB) Act seeks to protect consumer financial privacy. Its provisions limit when a “financial institution” may disclose a consumer’s “nonpublic personal information” to non-affiliated third parties. The law covers a broad range of financial institutions, including many companies not traditionally considered to be financial institutions because they engage in certain “financial activities.”[11]

Compromise of Your Financial Information

A more likely issue to be concerned with is the compromise of your Mint.com account, not Mint.com itself.

The following are true statements about Mint.com:

  • Users are not forced to use strong passwords.
  • Users are responsible for maintaining the confidentiality of their Login ID and Password.
  • Depending on the information you have provided Mint.com or the purchases you make, access to your account can reveal
    • a list of your bank account names, their balances, and APR
    • a list of your credit cards, their balances, and APR
    • a list of your loans, their balances, and APR
    • investment account names, balances, and performance
    • your cell phone number
    • an additional email account you use
    • where you live
    • where you frequently buy gas
    • where you get your groceries
    • if your kids are in daycare
    • if you are having health issues
    • the type of car you own/drive
    • valuable property you may own
    • how much in debt you are
    • how old you are
    • marital status
    • education level
    • how many people live with you
    • your credit score

Mint.com’s policies state, “At no time do we ask you for information that would be required for a hacker to steal your identity, such as your full name, bank account numbers, credit card numbers, billing address.” While it is true that this type of personally identifiable information is not required, depending on the type of information you provide, some of that data is collected directly and indirectly. When managing your Mint.com profile, the site states, “Tell us about yourself so we can improve the financial advice we provide.” The information requested includes general demographic information. Other profile settings provide a place to enter additional email addresses and a cell phone number.

It is possible for Mint.com to incorrectly present to a user a link to false or potentially harmful site. Early in 2009, Mint.com incorrectly presented the wrong URLs for two financial institutions, Horizon Credit Union Credit Cards and Deutsche Bank, the latter of which supposedly went to an unknown entity in Russia, resulting in users incorrectly sending authentication information. A Mint.com employee stated this was an issue with the information provided by their data partner, and that there was no risk as the connection attempt failed at the data partner.

It’s also possible for a user to incorrectly enter their email address, as there is currently no email verification process. In February of 2008, someone supposedly received an email from mint.com regarding a forgotten password reset. The person in question stated they were not a mint.com user, but completed the password reset process out of curiosity. As there are no challenge questions, they were then able to set a new password for the account, login, and see the other person’s financial information. In February 2009 Mint.com acknowledged the potential flaw stating they were looking to add an email confirmation process.

Conclusion

This article started out asking, “is mint.com safe?” The answer is both no and yes, depending on how risk-averse you are, how savvy you are about protecting your browser traffic and authentication information, and about what safe means to you. A better way to pose the question might be, “what bad things could happen if I use Mint.com?” The end of this section includes follow-up recommendations.

Weigh Benefits Against Risks

To take the position that Mint.com is safe because the technology behind it is as secure as other online banking would be short-sighted, as it doesn’t consider additional factors. Technology is only one part of the equation. Use cases and execution are a different matter.

There is one glaring risk that I have not seen addressed: potentially all your financial information is in one place, your Mint.com account. This is not the case with other online banking. Protection of your information is only as good as the username and password you use, and how disciplined you are at protecting your browser data. Valid Mint.com accounts can be determined via trial and error, and apparently can be brute-forced without restriction. Although miscreants would not have write access to your accounts, they would have a significant amount of financial, debt, and commerce information about you that could be used for social engineering, blackmail, or tools to aid in future financial attacks.

Consider Mint.com’s stated limitation of liability and the impact on your accounts and liabilities. Confirm that accounts you may add do not result in any type of transaction fee to establish connectivity or provide data to a third party such as Mint.com. As you are technically granting a third party access to your accounts, confirm that your financial institutions will not invalidate your limitation of liability should a breach occur.

Also consider that if you use Mint.com’s email and text notifications, the reports, alerts, and financial data sent are capable of leaking plain-text (unencrypted) financial information should those messages be read or intercepted by others. The same is true for mobile devices such as iPhones or Android phones that may have a Mint.com app running on them.

Trust and Credibility

Ultimately trust and credibility is more a subjective matter. For a person to state they refuse to use Mint.com because they just don’t trust “them” is not invalid, but it’s also not objective. A good example I found of why someone did not trust Mint.com was because at the time they could find no contact information for the company anywhere on the site. Another example cited Mint.com’s liability policies as concerning. Another saw inaccuracies with transaction categorization and assumed security was poor as well. People may confuse quality of service or how well the tool does what they want with good security, and vice versa. The site could be extremely secure, but if people feel they are treated poorly or perceive other actions the company takes as less than credible, that may transfer to concerns about security as well.

I found several of the Mint.com statements and examples listed above dubious, lacking in credibility, or contradictory, such as some of their Terms of Service, PCI non-compliance, and why a Zip code is required. Does this mean that when you travel outside your “home” Zip code, Mint.com won’t work? Someone could test it by setting up 2 different accounts with identical financial setups but radically different Zip codes, and see how they fare.

Also concerning is the fact that Mint.com has had several years to address some fairly basic but critical web security process issues, but they do not appear to be implemented.

Recommendations to Improve Mint.com’s Security Posture

The following are recommendations identified as a result of research. The hope is that Mint.com either already has some of this work underway or will release it in the near future.

  • User Registration and Account Management
    • Require email confirmation to complete registration to help prevent identity theft.
    • Provide the option to enable enhanced security features.
    • Provide the option for challenge questions.
    • When registering, provide recommendations for what to use for a username.
    • Provide a scale for password strength, not just OK or Good.
    • Allow for longer passwords.
    • Provide the option to force user password resets.
    • Provide the option to use something other than email address for a username.
  • Account Security and Notification
    • Provide the option for feedback to a user indicating attempted brute force attacks or multiple failed login attempts.
    • Provide the option for account lockout mechanism/process.
    • Add challenge questions to the password reset process.
  • Terms of Service and Privacy
    • Clarify the information that is collected during registration. Previous claims stated “only email address” although the current registration process appears to indicate that additional information is being collected.
    • Vet, validate, and assume responsibility for 3rd parties to provide a level of trust and assurance to users.
    • Review policies for consistency.
  • Controls and Validation
    • Become PCI compliant to provide a level of trust and assurance to users.
    • Complete a 3rd-party penetration test and publish the results.

Follow Jason on Twitter @jason_owens and subscribe to the RSS feed.

FOOTNOTES
1. Employee forum post: “We only use your Zip Code to improve your experience. There are two main reasons why Mint requires your zip code as part of the Registration process for the Service. First, this allows the Service to provide you with accurate automated categorization of your spending by improving our ability to identify merchants both nationally and locally. Second, Mint needs to determine the appropriate time zone in order to send you timely personal finance alerts as part of the Service.”
2. In connection with Intuit Offers, the Service will provide links to other web sites belonging to Intuit advertisers and other third parties. Intuit does not endorse, warrant or guarantee the products or services available through the Intuit Offers (or any other third-party products or services advertised on or linked from our site), whether or not sponsored, and Intuit is not an agent or broker or otherwise responsible for the activities or policies of those web sites. Intuit does not guarantee that the loan, investment, plan or other service terms, rates or rewards offered by any particular advertiser or other third party on Mint.com are actually the terms that may be offered to you if you pursue the offer or that they are the best terms or lowest rates available in the market. http://www.mint.com/privacy/terms/
3. By submitting content to us, you represent that you have all necessary rights and hereby grant us a perpetual, worldwide, non-exclusive, royalty-free, sublicenseable and transferable license to use, reproduce, distribute, prepare derivative works of, modify, display, and perform all or any portion of the content in connection with Mint.com and our business, including without limitation for promoting and redistributing part or all of the site (and derivative works thereof) in any media formats and through any media channels. You also hereby grant each User a non-exclusive license to access your posted content through Mint.com, and to use, reproduce, distribute, prepare derivative works of, display and perform such content as permitted through the functionality of Mint.com and under this Agreement…You agree that we may use any feedback, suggestions, or ideas you post in any way, including in future modifications of the Service, other products or services, advertising or marketing materials. You grant us a perpetual, worldwide, fully transferable, sublicensable, non-revocable, fully paid-up, royalty free license to use the feedback you provide to us in any way. http://www.mint.com/privacy/terms/
4. INTUIT SHALL IN NO EVENT BE RESPONSIBLE OR LIABLE TO YOU OR TO ANY THIRD PARTY…INTUIT’S LIABILITY TO YOU FOR ANY CAUSE WHATEVER AND REGARDLESS OF THE FORM OF THE ACTION, WILL AT ALL TIMES BE LIMITED TO $500.00 (FIVE HUNDRED UNITED STATES DOLLARS)…You shall defend, indemnify and hold harmless Intuit and its officers, directors, shareholders, and employees, from and against all claims and expenses… http://www.mint.com/privacy/terms/
5. “…you grant Intuit a limited power of attorney, and appoint Intuit as your attorney-in-fact and agent, to access third party sites, retrieve and use your information with the full power and authority to do and perform each thing necessary in connection with such activities, as you could do in person. YOU ACKNOWLEDGE AND AGREE THAT WHEN INTUIT IS ACCESSING AND RETRIEVING ACCOUNT INFORMATION FROM THIRD PARTY SITES, INTUIT IS ACTING AS YOUR AGENT, AND NOT AS THE AGENT OF OR ON BEHALF OF THE THIRD PARTY.”
6. “When you request us to delete your account for the Service, your data will be permanently expunged from our primary production servers and further access to your account will not be possible. We will also promptly disconnect any connection we had established to your Account Information and delete all account credentials. However, portions of your data, consisting of aggregate data derived from your Account Information, may remain on our production servers indefinitely. Your data may also remain on a backup server or media. Intuit keeps these backups to ensure our continued ability to provide the Service to you in the event of malfunction or damage to our primary production servers. We also reserve the right to use any aggregated or anonymous data derived from or incorporating your personal information.”
7. http://www.itsecurity.com/features/the-top-5-internal-security-threats-041207/
8. http://www.networkworld.com/subnets/cisco/050109-ch1-ccna-security.html
9. http://www.pcworld.com/businesscenter/article/147098/insider_threat_exaggerated_study_says.html
10. “Your bank account and credit card numbers are stored securely. Your information may be seen by technical personnel in accordance with specified procedures and safeguards governing access in order to operate, develop and improve the Service.” http://www.mint.com/privacy/faq/
11. For more information on GLB compliance, see the FTC’s website for details.


Comments

  1. Wow. Well thought out and well researched article. I use Mint and liked learning a little bit more.

  2. Sir, I am amazed and grateful for the in-depth analysis that you’ve performed. I have wondered about their security (since I saw them launch at TC40) and have been hesitant to take the plunge. I cannot describe how awesome and enlightening this post is. You are the man, thank you.

  3. Awesome article: well done and complete! Thanks for sharing this!

  4. Thank you very much for your efforts, an outstanding analysis rarely found on the net.

  5. Very informative post! Thanks for the research, the recommendation, and the footnotes. Don’t think I’ll sign up for Mint any time soon but good to have a clearer knowledge of its pros and cons.

  6. One interesting thing to note is that Mint.com is built upon Yodlee’s platform. Yodlee offers MoneyCenter (moneycenter.yodlee.com) which is similar to Mint. I haven’t checked the TOS to see if they are similar but it would be interesting to do so.

    I use MoneyCenter and have found it valuable enough to continue to do so. Your analysis is interesting — the lack of email account confirmation is a disappointment.

  7. Great post…

  8. Great analysis. Would like to see you do the same for Quicken.

  9. Great Post! Well researched, thorough!

  10. To be clear that using Yodlee Money Center is not any safer, this is an excerpt from their user agreement (part VI point A, see also B and C).

    “YOU EXPRESSLY UNDERSTAND AND AGREE THAT: YOUR USE OF THE YODLEE MONEYCENTER AND ALL INFORMATION, PRODUCTS, SERVICES AND OTHER CONTENT (INCLUDING THAT OF THE PROCESSOR BANK AND THIRD PARTIES) INCLUDED IN OR ACCESSIBLE FROM THE Yodlee MoneyCenter IS AT YOUR SOLE RISK.”

    Why would you want to put your life savings on the line in exchange for a service, no matter how good? If they could control the risk, they would offer to limit your liability, like credit card companies do. I believe they make efforts to reduce risk, but it’s either too high or uncertain for them to offer any form of indemnification. I used mint for some time before coming to my senses. It’s an incredibly valuable service, but you are giving access to your life savings and retirement prospects to someone who, despite the tough talk, won’t take any responsibility. Don’t listen to their talk, look where their money is.

  11. Here is an interesting CNET video of an interview with Mint.com founder Aaron Patzer:

    http://cnettv.cnet.com/mint-ceo-aaron-patzer/9742-1_53-50076867.html

    The video provides a few more details about Mint.com security that aren’t mentioned on their web site or above.

    For example, Aaron briefly discusses the hardware encryption system they use inside their data center. I would be interested to know more about that hardware product.

  12. Great analysis. I use mint.com and am going to stop soon. I was suspicious of their security and find it to be criminal that they found a way around being PCI compliant. Your comments about them having had time to resolve these issues are very true. They’ll probably wait until there is a massive breach and it’s too late to make the correct adjustments to properly secure their site.

  13. Who in their right mind would give up all their financial info to some website in cyberspace? People will never learn, lol. Why don’t you just hand them your wallet and the keys to your house?

    • LOL! I kinda second this. I am one of those people who have very little to no trust in stuff like this.
      From the article it all looks and sounds like the safest thing on earth but still …. nahhhhhh.

      I have used it before and now instead of updating my accounts I think I am deleting them. I’ll manage my bank accounts and assets myself. That’s why I am an accounting major I guess, lol.

    • Could not agree more. I would love to use the service as I am sure it is an excellent tool and hugely time saving…but come on folks! Give a company full access to all your money with no protection if something did happen??? Not for me.

  14. Thank you for this well-researched article.
    It sounds like a good website. I got freaked out when it asked for my account number and password. I just don’t think I feel comfortable giving this much power to anybody. Even though each of our accounts might get hacked at some point, that is much easier to deal with than if mint.com gets hacked into; then you have to deal with all your banking being hacked. So no thanks, I’ll pass for now. I would do this if it was offered by my bank.

  15. This was a great analysis, the most thorough I have seen on Mint security overall. I do feel it glosses over the relationship with Yodlee, and I believe that to be the weak link. I don’t doubt that Yodlee prides itself on its security, however I am with AP on this and would never put my life savings at risk to use Mint or Yodlee.

    That said, some simple measures could solve this problem. For instance, having read only credentials or a read only token at financial institutions that sites like Yodlee or Mint could use would be a better approach.

    Financial institutions generally state on their sites that you should never give your credentials to anyone, and in general I agree. With banking there are a few more protections, I have less money in those accounts, and I watch them every day so it is a bit less of a concern to me. With brokerage / 401k, my life savings is there and someone could potentially clean it out before I noticed. So given that I am not sending my credentials to Mint.

  16. Good article. You’ve brought up some good points that I haven’t thought of before.

    I think if we watch any movies like mission impossible, we’ll know that there is no absolute secure way for anything.

    There are always ways to hack a software/service whether it’s web based like mint, yodlee, or desktop based like quickbooks, sage etc.

    I do think that it’s more risky to use software that contains your actual bank account information. Simply because if my service account was hacked, then it would mean people would be able to know my bank account numbers and possibly encrypted passwords. And with the account numbers and a forged identity, it’s easy to gain access to money in the accounts.

    But then again, softwares/services like that free us from recording transactions manually, and for most people it’s worth the risk.

    To avoid privacy issues we can use desktop software like iBank or the QuickBooks desktop version. I personally use accpal.com simply because it only asks for an email, and it allows users to record transactions in whatever way they like. Which means it will not be possible for the data to be sold to 3rd parties, because user data is useless unless it’s in a uniform standard.

    Perhaps the best way of all to avoid privacy and security issues is to use Excel. Excel can accomplish a lot and we can encrypt the Excel file to keep it secure.

    I think we can safely say that the more features we want, the less security and privacy we are going to get.

  17. First, I commend you on a very thorough review.

    You point out some glaring holes in this site, but some of them are basic: privacy statements are BS, but so can terms of use statements be. But I agree, words are words; they don’t enforce.

    With regards to recommendations:
    1) Registration confirmation e-mail: These are really pointless. All they do is ensure that the person who created the account has access to the account. If you recommend creating a dummy account solely for mint.com (and this is what an attacker would do), then you’ve gained nothing from this registration confirmation e-mail from a security perspective (confirming it is a reachable address is another issue).

    2) Challenge Questions: These are no different than passwords. What I’d love to see is a site like this that used OTP like an RSA Soft Token app. This would be the perfect gateway for it.

    3) Get PCI Compliant: Overrated. Get secure, and you’ll be compliant. Being compliant doesn’t mean you are secure. Sure, it means the consumer MAY have someone to go after (even if it is a class action, the time frame and amount might not be worth it if there are no real damages which could be proven).

    Nice job, though.

    • ApSec,
      I think you missed the point of the recommendations:
      1) The registration email guarantees that I don’t mistype the email address, like in the case described. I have a popular_name@popular_domain.com address and I’ve lost track of how many registrations are done in that name. I probably could enter it into most websites’ ‘lost password’ field and receive someone else’s account.

      2) Challenge questions are an interesting thing – they are good when they are used as second passwords. Some of my financial companies require them whenever the browser/cookie from the last login is missing. That increases security. (Though I’m very impressed with my bank that uses an RSA token generator.)

      3) PCI compliance helps to know that someone is auditing their security – since you can’t do it yourself. As has been shown, trusting their word isn’t sufficient, so compliance would be a good alternative.
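The disagreement in the exchange above is about what a registration confirmation e-mail actually proves. It cannot tell a dummy address from a real one, but it does stop a mistyped address from being silently attached to an account before any financial data is linked. The following is an added example, not code from the original article or from Mint.com, of how such a flow is usually built: the server issues an HMAC-signed token bound to the address and an expiry, sends it only to that address, and leaves the account unable to link anything until the token comes back. `SERVER_KEY`, `Registry` and the 24-hour lifetime are assumptions for the illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Hypothetical server-side secret; in a real deployment it lives in a secret store.
SERVER_KEY = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 24 * 3600   # assumed lifetime of a confirmation link
_SIG_LEN = 32                   # SHA-256 output size


def make_confirmation_token(email, expires_at, key=SERVER_KEY):
    """Bind the address and an expiry under an HMAC so neither can be altered."""
    payload = json.dumps([email, int(expires_at)]).encode("utf-8")
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + sig).decode("ascii")


def parse_confirmation_token(token, now, key=SERVER_KEY):
    """Return the confirmed email, or None if the token is forged, tampered or expired."""
    try:
        raw = base64.urlsafe_b64decode(token.encode("ascii"))
    except (ValueError, UnicodeEncodeError):
        return None
    if len(raw) <= _SIG_LEN:
        return None
    payload, sig = raw[:-_SIG_LEN], raw[-_SIG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):      # constant-time comparison
        return None
    try:
        email, expires_at = json.loads(payload.decode("utf-8"))
    except (ValueError, TypeError):
        return None
    if not isinstance(expires_at, int) or now > expires_at:
        return None
    return email


class Registry:
    """Accounts start unconfirmed; nothing sensitive can be linked until the address is proven."""

    def __init__(self):
        self.confirmed = {}   # email -> bool

    def register(self, email, now=None):
        now = int(time.time() if now is None else now)
        self.confirmed[email] = False
        # The token is only ever delivered to `email`. A mistyped address
        # therefore receives a link the real registrant never sees, and the
        # account stays unusable instead of collecting someone else's data.
        return make_confirmation_token(email, now + TOKEN_TTL_SECONDS)

    def confirm(self, token, now=None):
        now = int(time.time() if now is None else now)
        email = parse_confirmation_token(token, now)
        if email is None or email not in self.confirmed:
            return False
        self.confirmed[email] = True
        return True

    def may_link_financial_account(self, email):
        """Gate every credential-linking step on a confirmed address."""
        return self.confirmed.get(email, False)
```

The token carries no database state, so a tampered, expired or never-issued link fails closed without a lookup; the registry still checks that the address was actually registered before flipping it to confirmed.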

  18. Wow, I’m so glad that I flipped out when they asked for my account info and searched for an article like this and the subsequent “How I would try to hack your mint.com account” post that you wrote. I think I will stick to doing financials the old-fashioned way–through Excel :D

  19. Amazing post. I was about to sign up for Mint, but got scared about giving them my bank login information! I’m going to send this to my Mint-crazy friends and family!

  20. Thanks for your analysis. I was considering whether to use Mint, since I really do need to analyze my financial situation better. Now that I know what the risks are (which is less than where my imagination took me initially), I will go ahead and try the software. If I don’t find it useful, I’ll go and change my bank passwords and delete the account. Thanks for this well written piece!

  21. The extremely low limitation of liability is reason #1 for me not to use this for my private financial information. In the event that a rogue employee or electronic attacker were to obtain and misuse or cause to be misused that information, I get $500. Say a disgruntled employee sells my bank password to a drug cartel and they help themselves to thousands of dollars in my bank account, leaving me broke (and possibly in debt thanks to minimum balance fees, NSFs, etc.). My restitution from Mint.Com is $500. That is, only if I can convince them to accept even that paltry amount of liability.

    No thanks. I like to keep my money, and anyone who seriously feels the same way should not be using any third-party web site to access their bank accounts. Local app? Sure, maybe, if you can make sure it’s not “phoning home”, which you might not be able to. But definitely not a website whose activity you can’t possibly monitor, unless that website accepts FULL liability.

    If you hire a real-life CPA to take care of your accounts, that person is bonded and fully liable for anything they do that causes unauthorized damage to your accounts. Until SaaS takes on that same level of liability, they are not a suitable tool.

  22. Excellent review, addressed all the issues I would have had to look up manually. Thanks!

  23. This was very helpful and so in depth. Thank you so much, I’m going to follow your blog from now on!

    - Willow

  24. Thanks for the review, it was very detailed and offered a lot of good points.

    For the people who want Mint.com to be insured and bonded and all that good stuff…. the reason why a CPA can do that is because you pay them. You’re not paying anything for Mint.com, if you want that type of insurance, then why not pay for a service that does. You get what you pay for.

    Everyone in this day and age does their banking online, if a hacker gets your password off your computer (which is more likely to happen than a hacker getting it off Mint.com, in my opinion) and wipes your accounts clean, do you think your bank will refund you all that money? Why would they?

    If this ever happened, Mint would be out of a job, and I am under no illusions that hackers don’t exist but a lot of this theory is just to create fear. Like another poster suggested, if you don’t want to open yourself up to vulnerabilities, use Excel. If you don’t want to use Excel and want more features, you will have to trust a site like this (unless you want to pay money for a professional). Also, if a hacker gets your account information, any transfers done out of your account and in to another will take days. Any good bank will call you to confirm a transfer that includes your whole life savings. Brokerage firms will require you usually to do several extra steps to add a bank account and take several days to do your first transfer. Mint would know they were breached and notify you via email or phone and you can change your passwords. It’s not like the movies where the hacker instantly connects, gets your bank account info and transfers money in .01 seconds. It takes days!! To test it, add a bank account number to one of your checking or savings and transfer money between banks. It will take you at least 2 days.

    My advice is to relax. If you are looking for a good alternative to Excel that doesn’t cost any money, sign up. If you feel uncomfortable putting your 401k/stocks accounts on, leave them off and add your CC’s and bank account. Technology these days makes it hard for these types of hacks to go through and by the time a hacker gets through to your account, Mint will know they have been breached and will notify you.

  25. Great read! I’ll just keep downloading my bank transactions myself. :)

  26. Mint.com is seriously flawed. For months now, they have been sending me warnings that I haven’t logged on in 6 months, even though I do every week. I notified mint.com 4 months ago and they still say they’re working on it.

    They posted a payment to my PayPal account as a negative instead of a positive. When I asked them about it, their response was that I could edit it if I wanted to. (!!?)

    If their software is this flawed, I am worried about trusting them with my financial data.

  27. What an outstanding review. After I signed up at Mint.com via best money management apps I realized I should probably look up how secure it is. I’m glad I was smart enough to at least take a look around at reviews and to read further into detail. Has Mint.com, from what you have seen, taken any further steps to further secure their services? From what I could tell the account set up was still as simple as email, email confirmation, Zip, password, password confirmation and agreeing to terms.

  28. I’m puzzled why Mint doesn’t promote the use of read-only credentials as another poster mentioned. ING provides these (http://helpcenter.ingdirect.com/ingd/Topic.aspx?category=FINANCE1) for financial tools like Mint. I’d be comfortable in using Mint in this way, allowing it to see my transactions as I do with Quicken.

  29. Good stuff….thanks for helping me to make an informed decision.

  30. Wow, great post. Thank you. I set up my mint account yesterday and then I did the backward thing….and researched their ‘security-ness’ and found your article and immediately deleted my bank accounts and closed my account for good…thank you!!!

    I should never have opened my account in the first place…now I am wondering if they still have my account info ie account numbers, passwords and security answers…I seriously hope not!

  31. Great analysis! I use TurboTax from Intuit and trust them. I infer that Mint is as safe as TurboTax. However your warnings have awakened my paranoid gene.

    I continue to ponder…

  32. Thanks a lot for this analysis. I was thinking about signing up for Mint.com, but came to my senses about the stupidity of giving some free web service basically admin access to my financial accounts. Until the day my financial institutions provide read-only logins for Mint.com-type services to use, ain’t gonna happen!

  33. …Wow…reading this woke me up and made me realize that the huge amount of knowledge I don’t have with regards to how to be secure online is enough to fill a book…! The sheer entanglement involved with learning what to know left me with a huge feeling of hopeless, never-ending confusion…! To note, when I did my 5 minute registration, my radar somehow snapped on when it asked me for the first bank password and ID…so I stopped right then and there. I did some googling and found this article, and now I’m even sorry I gave Mint my email address..! Indeed, my next stop is to see what Excel templates I can download and once and for all be shut of this nonsense. Bruce Schneier is correct…until we start holding those responsible for our security accountable in ways that make them liable, we are vulnerable no matter what. Thank you so much for providing as clear of a review as you did…how rare these days it is to find resources such as yours…you are to be commended, sir.

  34. sorry. too lazy/time-concerned to read every word, but mint.com is a “read-only” service, so does that make it safe? thank you.

  35. Awesome article man…. very insightful.. thx!

  36. Poor analysis, leaves the most fundamental question unanswered.

    You enter your login credentials via Mint. If they are hacked and used to drain your brokerage account, who covers your losses? All my brokerage accounts say that they will not cover losses if I give my login credentials to a third party who allows the breach. So does Mint cover the losses?

  37. Thank you Sir!! I am glad I read this before joining Mint. Excellent article!

  38. I would NOT use Mint again. If you ever have a problem forget about getting it resolved. MINT SUPPORT IS ABSOLUTELY TERRIBLE!!!!!! There is no support phone number, only email. My Mint has not been working for a month now and they are doing nothing to fix it.

    • Sorry to hear that Nate. To be fair, the focus of this article is their security. However, if you did have a user security-related issue, it begs the question, what would the response be.

  39. How secure is Mint when a mistyped email gives a stranger access to your bank transaction history?

    http://satisfaction.mint.com/mint/topics/security_hole-bq00a

  40. Mint.com sucks because the Everything Else Category is messed up. When you click on it, it lists the budget accounts instead of the individual transactions. I don’t have time to scroll through each budget account to see the individual transactions. Also on the phone app, you can’t click on the Everything Else Category to show your recent transactions like your other budgets. This would help a lot to put the transactions into the right category since it automatically puts things into the Everything Else Category that don’t have a budget. This is unbelievably horrible. Typical Intuit product. Man, this is a great idea but their software engineers just suck as seen in this example and in Quickbooks.

    • John, I can understand some of the frustration with how the tool works at times. In what ways do you feel the usability issues might affect security or the protection of your information?

  41. Would you consider writing more of these articles? Like the new Sony Playstation Network agreement this 2012.
    Great reading!

  42. Great analysis. To avoid the risk, I use a simple Windows app called spending viewer ( http://spendingviewer.apphb.com ) that is local to my computer and feel safe. I download the transactions from my banks manually and upload them to this tool. It automatically assigns categories..I only needed to set up the category the first time for a store.

  43. Wow, that is one hell of a detailed article. Much appreciated. Funny enough, a lot of your points I was thinking about just before getting to you making them. In terms of relative levels of security and protection. I wish more people put this much thought and effort into their articles on the web.

  44. WOW! What a well-researched article to alert us to the dangers of online (cloud) services, especially when they are financial services. You’ve provided us all with a perspective not found elsewhere (such as mint.com responses or short reviews of the service).

    >>Recommendations?<<
    What would you recommend to individuals seeking to keep track of their budget?

    Many thanks for sharing your expertise!

  45. “I have also found posts from people stating they were Mint.com employees, and explaining that Mint.com uses Yodlee to facilitate data communications, as do other online banking services, and as a result users incur risk no greater than they already do when using online banking. From what I can tell, this is still a true and accurate statement.”

    This part does not sound right. When you do online banking, banks or any other companies do not need to store your original password. The authentication is done through comparing password hash. The password to hash value is a one way conversion, that means no one is able to convert it back to original password (if the password is strong).

    With Mint.com, the original password is stored somewhere, and anyone or software with access to it is able to poke into your account.
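The commenter above draws the distinction between a bank, which only has to check a password and so can keep a one-way hash of it, and an aggregator, which must present the password to the bank on the user’s behalf and so must keep it in a form it can get back. The following added example (not code from the article, from Mint.com or from Yodlee) puts both designs side by side: a PBKDF2 verifier that can confirm a password but not recover it, and a credential vault whose stored entries are encrypted but which the running service, or anyone holding its key, can always decrypt. The vault uses an HMAC-based keystream with an encrypt-then-MAC tag purely to stay inside the Python standard library; it is a stand-in for a real AEAD such as AES-GCM, and `CredentialVault`, the key names and the sample credentials are assumptions for the illustration.

```python
import hashlib
import hmac
import os
import struct


# ---- Bank side: one-way password record ---------------------------------
def hash_password(password, salt=None, iterations=200_000):
    """Return (salt, iterations, derived_key). This is all the bank keeps."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, iterations, dk


def verify_password(password, record):
    """Recompute the derivation and compare in constant time; the record never yields the password."""
    salt, iterations, dk = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, dk)


# ---- Aggregator side: reversible credential vault -----------------------
def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode; a stand-in for a real cipher (assumed for the example)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class CredentialVault:
    """Stores bank logins so the service can replay them; anyone with the master key can too."""

    def __init__(self, master_key):
        # Separate encryption and MAC keys derived from one master key.
        self.enc_key = hmac.new(master_key, b"enc", hashlib.sha256).digest()
        self.mac_key = hmac.new(master_key, b"mac", hashlib.sha256).digest()
        self.entries = {}   # (user, site) -> (nonce, ciphertext, tag)

    def store(self, user, site, bank_password):
        nonce = os.urandom(16)
        pt = bank_password.encode("utf-8")
        ct = _xor(pt, _keystream(self.enc_key, nonce, len(pt)))
        tag = hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()
        self.entries[(user, site)] = (nonce, ct, tag)

    def fetch(self, user, site):
        """Decrypt for replay to the bank. Raises if the entry was altered or the key is wrong."""
        nonce, ct, tag = self.entries[(user, site)]
        expected = hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("vault entry tampered with or wrong master key")
        return _xor(ct, _keystream(self.enc_key, nonce, len(ct))).decode("utf-8")


def fetch_with_key_fails(entries, wrong_master_key, user, site):
    """True if a vault built with a different master key cannot open the stored entry."""
    other = CredentialVault(wrong_master_key)
    other.entries = entries
    try:
        other.fetch(user, site)
    except ValueError:
        return True
    return False


def demo():
    """Constructed walk-through: the bank verifies, the aggregator replays."""
    bank_record = hash_password("correct horse battery", iterations=50_000)
    vault = CredentialVault(master_key=os.urandom(32))      # assumed aggregator key
    vault.store("alice", "examplebank", "correct horse battery")
    replayed = vault.fetch("alice", "examplebank")          # service recovers the plaintext
    return {
        "bank_accepts_real_password": verify_password("correct horse battery", bank_record),
        "bank_rejects_wrong_password": verify_password("correct horse batterx", bank_record),
        "aggregator_can_log_in_as_user": verify_password(replayed, bank_record),
    }
```

The point the commenter makes falls out of the two data structures: compromise of the bank’s record buys an attacker a guessing job against PBKDF2, while compromise of the vault together with its key buys working logins. The vault’s MAC stops silent tampering and wrong-key decryption, but it cannot change the fact that the service itself must be able to read every entry.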

  46. Very well said, awesome research, but don’t you think that many other applications are more insecure than this? All you said here is possible. Positive and negative comments… But you have to think that no application nowadays is secure. Except for private applications/software owned by rich or popular ones. (Even those are not really that secure and can get more attention from hackers.)

    Nice article though.. Good job.

  47. I opened an account and before adding any bank info, I deleted the account. I went back to login using the same credentials and the system said “That account has been deleted.”.

    So even if you delete your account, they still have your info.

  48. Great article. Clear, objective assessments and compelling – 3 years later! I like the features in Mint, but really have to consider the all-eggs-one-basket risk…

