UPDATE: When you’re done reading this article, please check out the How I Would Try to Hack your Mint.com account article and the follow-up posting for additional comments.

To date there have been security concerns and questions identified around mint.com. This article  is an attempt to objectively research some of those concerns,  separate fact from fiction, and make recommendations where appropriate. My initial answer to “is Mint.com safe”  is both no and yes, depending on what you’re concerned about and what safe means to you.

Mint.com has been around since 2005 according to their website. I’d been hearing more about it over the last year or two. I started researching concerns with their offering starting 3/3/2010. For the purpose of this posting I’ll assume you’re already familiar with what Mint.com is (or you can learn more and then come back.)

Most of the initial articles I found were older, and discussed security  issues that either seemed to have been addressed or we no longer relevant. As Intuit bought Mint.com in the fall of 2009, there seemed to be a lot more information about the acquisition than anything else. A word of caution – don’t confuse any frustration you might feel over the acquisition with the viability and security of the solution itself.

Mint.com User Account Management

Registration Process and Password Length

The current registration page asks for email, zip code, and password. There is no information or recommendations on the registration page for best practices for the user account or password, although the user does receive feedback on the strength of the password. A zip code entry was required, and the page performed format validation on the zip code field as well. When using a Firefox plug-in to view details about the form, additional hidden fields found included time zone, browser type, OS, and reference  to “isYahoo.”

According to an employee forum post, Mint.com requires your Zip code in order to provide accurate categorization of spending and to determine the time zone in order to send timely alerts[1]. Presumably this means Mint.com is unable to accurately categorize transactions if it doesn’t know what Zip code you live in, and will not be able to effectively send you email and text alerts.

Validation for a valid-looking email address was performed, although confirmation of a valid email address was not performed. Further, a registration email was not sent to the account to complete the registration. The new account registration was taken directly to the new account for financial accounts setup. As a result, there was nothing preventing registering another person’s email address.

Passwords were determined to require a minimum of 6 characters and no more than 16 characters. Mixed case and special characters were allowed. Basic  password strength checking appeared to be performed. The password “password” was not allowed and flagged red as “bad,” while the password of “password1” was flagged as green and “ok.”

Forgot Password Process

The forgot password mechanism asks for an email address, appears to check if the email is associated with a valid Mint.com account, and provides  indication if it is not. This provides an opportunity to determine what email accounts have been registered with Mint.com. An email is sent to the submitted email account, containing a reset link. Clicking on the link provides a form to enter a new password. No challenge questions are provided or asked during the process. The reset email states that it is valid for 24 hours. Failed attempts to use the reset link after the 24 hour period seem to confirm that statement.

No Account Lockout

There does not appear to be an account lockout mechanism for multiple failed login attempts. Twenty successive login attempts against a valid account returned an error page but did not prohibit or prevent additional login attempts, nor did it send email notification to the account in question notifying of the multiple failed attempts. The registration process will indicate if you are trying to sign-up with an email that already exists. This means there is a mechanism to determine if specific accounts exist. Combined with the lack of account lockout, there is the opportunity to brute-force a Mint.com account.

Mint.com EULA and Privacy Statements

Mint.com Terms of Service (TOS)

The Mint.com TOS includes statements addressing liability, responsibility, and what they can do with your information.  Mint.com makes money via referrals from advertising and 3rd parties. The identified statements however mean:

• Intuit is not responsible for the validity, accuracy, truthfulness, consistency, or practices of 3rd parties they present to their users, including ones Intuit sponsors[2].
• If you post something to the mint.com forums, Intuit can do whatever they want with it, including license it to someone else and/or make money with it[3].
• If you incur some type of financial loss, identify theft, etc. as a direct result of Inuit’s site or practices, it’s not their fault, you agree to never hold them accountable, and Intuit will never owe you more than $500 as a result[4].

Power Of Attorney

The terms of use page includes a statement about appointing Intuit as your attorney-in-fact[5]. According to an explanation from mymoneyblog.com this means:

“”…without this clause, Mint could not perform their intended service of being a one-stop shop for all of your online financial accounts. They would essentially have to walk up to every single site and ask for permission to be an official portal for them, yet at the same time be released from liability…you are basically giving up some of your rights in exchange for the convenience of having all your accounts checked for you at once. If you are worried about something going wrong with either Mint, a rogue employee, or a malicious hacker getting access to your personal information, then you might consider limiting what accounts you link.”

Privacy Statements

Use and disclosure of your personal information includes:

• Use for market research.
• Providing it to third-party contractors that provide services to Intuit and are bound by these same privacy restrictions.
• Your email address maybe be provided to a co-brand partner as needed.

Mint.com claims the following as its capabilities to protect your account security and why you’re “safe and secure with mint.com”

• Mint.com uses 128-bit SSL encryption and 24/7 physical security.
• You cannot move money.
• You register anonymously.
• Our alerts increase your financial security.

The first and second claims appear to be legitimate, assuming physical security can be verified. The current Mint.com interface does not provide a mechanism to directly manage account transfers.

The third claim could be false, as this is not a strict control. You can register anonymously, but if you use an email account that contains you name, that is not anonymous. There is also the possibility later on to provide personal and demographic data. So while it is possible to have an anonymous email account, there is no enforced anonymity, and if you do provide additional information, anonymity is no longer absolute.

The fourth claim is false from an account security perspective. While it is true that their alerts can help address fraud and identity theft, it does not affect the protection of your Mint.com account or data.

Account and Data Deletion

With regards to account deletions I interpret the Mint.com security policy to mean that when requested, your account and credentials are deleted, the notion of a connection between you and the data they have about you is severed, and data from their primary servers is removed.  However[6],

• Intuit will keep your data on any other systems, development servers, backups, etc.
• They can also use the data however they see fit, indefinitely.

Bank and Financial Accounts

Financial Lockout

For testing I setup several financial accounts, most experience no technical issues. The last account setup was a bank checking account. Like the other accounts previously configured, this account required the user to provide answers to challenge questions. I correctly entered three answers, and Mint.com began pulling data from the account. Sometime within the next hour, online access to the banking account was locked out, and I had no access to my bank account information. After spending approximately twenty minutes on the phone with the bank’s technical support, my account was found to have been disabled due not to authentication failures but to problems answering the challenge questions. Given that no other authorized users were accessing the account, and that it was highly unlikely that a hacker would have authenticated successfully but failed the challenge questions within the last hour, the assumption was that Mint.com’s data requests had somehow placed the account in a state such that it was forced to lock as a precaution.

Website Non-grata

Research identified various positions that financial institutions had regarding Mint. While I did not research every possible institution and their attitude and policies towards Mint.com, I did find direct reference to customer problems on bank’s forums and official statements including the following:

• Access to customer’s accounts via 3rd parties such as Mint.com was not allowed, but export of data may be allowed.
• Access to accounts such as checking was allowed, but other types of accounts were not (savings, credit, etc.)
• Access was allowed but unsupported.
• Several financial institutions had services similar to Mint.com’s and recommending using the bank’s services instead.

It’s likely that Mint.com generates additional technical support requests and issues for banks and the like, regardless if they support its use or not. In one instance I made an effort to elicit specific instructions and policies from a bank before attempting to connect an account to Mint.com. I asked what I needed to do to allow access to the account, what was allowed, and what I should avoid or do to prevent causing problems with my online access.

The response I received from the bank’s technical support was that the use of Mint.com was unsupported, that the bank was rolling out their own similar functionality, and that I should use the bank’s site instead. After several failed attempts to connect the account in question to Mint.com, I found a preference in the online account settings for said bank account. The settings had to be enabled to allow 3rd-party access to applications such as Quicken. Once enabled, Mint.com was able to pull data from the account.

General Security Concerns with Mint.com

Mint.com’s Security FAQs

The following is a summary distilled from Mint.com’s security FAQs page.  Regardless of Intuit’s compensating controls, some simple answers are:

• Mint.com does store your bank login information on their servers.
• Some Mint.com employees can view your bank account numbers or credit card numbers.
• Mint.com thinks you are not at greater risk of someone stealing your identity by using their service, based on the reasons they state.

Mint.com Security Compared to Online Banking

Mint.com indicates that they are as secure as other online banking, citing examples of their physical and encryption security they have implemented to “protect your identity and your financial information.”  The controls are not uncommon, and for people familiar with data center facilities or hosting services, the physical controls mentioned would be considered the rule rather than the exception. I have also found posts from people stating they were Mint.com employees, and explaining that Mint.com uses Yodlee to facilitate data communications, as do other online banking services, and as a result users incur risk no greater than they already do when using online banking. From what I can tell, this is still a true and accurate statement.

Compromise of Mint.com

One concern cited is that Mint.com itself could be breached or compromised, resulting in exposure of user’s authentication information to their configured accounts. Thinking critically, a breach is not impossible. It is a matter of how probable this would be to occur, and what would have to happen. For example:

• A physical breach of Mint.com’s servers or network.
• A compromise via a website vulnerability.
• A breach from within Mint.com itself via an employee, consultant, etc.

After the initial round of research, I could find no reference to where the Mint.com website(s) were hosted, who manages their physical security, specific security controls they use, or third-party reports such as PCI, NIST, or SAS 70 compliance. The statement of 24/7 security could mean that the doors and racks are always locked, or that there are armed guards and escorts at all times. As a result, as an average user of their services, the only evidence that I can find attesting to the quality of Mint.com’s physical security is their statement that it is safe.

There is specific information cited regarding website testing that is performed routinely against Mint.com:

“Mint.com has received the VeriSign security seal.”

This is a slightly disingenuous statement. The seal is not an award. When customers purchase an SSL certificate from Verisign, they can place the graphic of the seal on their website as a means to confirm that the certificate for the site is valid. Verisign’s FAQ on the topic states, “Site visitors click on the seal to verify your site information in real time…The VeriSign Secured Seal is included with your VeriSign SSL Certificate purchase. After you purchase your certificate, simply download and install the seal.” Mint.com continues:

“We also employ Hackersafe to test our site daily.”

The Hackersafe link redirects to a McAfee SECURE site report page. According to McAfee, the daily scan checks the Mint.com website for “possible personal information access, links to dangerous sites, phishing, and other online dangers.” This appears to apply to the website only, not to the technology, data, or functionality behind the site. The scan result is validation that Mint.com does not contain bogus or harmful links or scripts. It is not clear if the scanning applies to pages and content that are available after authentication, or if deeper testing and vulnerability is performed.

With regards to an internal breach, consider the following statistics:

• According to the Ponemon Institute, 69 percent of organizations reported serious data leaks caused by either malicious employee activities or non-malicious employee error[7].
• Specifically, according to the Computer Security Institute (CSI) in San Francisco, California, approximately 60 to 80 percent of network misuse incidents originate from the inside network[8].
• When internal hacks occur, they tend to be nastier, with 50 percent blamed on IT staff themselves…honest network admins are obsessed with outdated ideas of perimeter security. Had data security been looked at within the network, almost nine out of ten data breaches could have been avoided[9].

The actual percentages are up for debate, but the concern is valid. Sources of serious breaches are more often insider attacks. These attacks are typically more damaging given the type of access typically afforded, and that they may go undetected for longer periods of time. If there were ever to be a breach of Mint.com itself it’s likely to be the result of an insider attack. This is another reason that third-party security validation can be beneficial.

However in several postings on Mint’s previous official forum, Mint.com employees explained why they are not required to be PCI compliant. Statements included,

• “We do not need to be PCI compliant because we don’t store credit card numbers.“
• “As has been discussed before, we don’t store credit card or bank account numbers. Usernames and passwords are also not stored on Mint.”
• “Mint is GLB compliant.”

Other Mint.com statements however contradict the rejection of compliance, referencing how user’s bank credentials and credit card numbers are stored safely, and how they control employee access to that information[10].

The FTC states: the Gramm-Leach-Bliley(GLB) Act seeks to protect consumer financial privacy. Its provisions limit when a “financial institution” may disclose a consumer’s “nonpublic personal information” to non-affiliated third parties. The law covers a broad range of financial institutions, including many companies not traditionally considered to be financial institutions because they engage in certain “financial activities.”[11]

Compromise of Your Financial Information

A more likely issue to be concerned with is the compromise of your Mint.com account, not Mint.com itself.

The following are true statements about Mint.com:

• Users are not forced to use strong passwords.
• Users are responsible for maintaining the confidentiality of their Login ID and Password.
• Depending on the information you have provided Mint.com or the purchases you make, access to your account can reveal
  • a list of your bank account names, their balances, and APR
  • a list of your credit cards, their balances, and APR
  • a list of your loans, their balances, and APR
  • investment account names, balances, and performance
  • your cell phone number
  • an additional email account you use
  • where you live
  • where you frequently buy gas
  • where you get your groceries
  • if your kids are in daycare
  • if you are having health issues
  • the type of car you own/drive
  • valuable property you may own
  • how much in debt you are
  • how old you are
  • marital status
  • education level
  • how many people live with you
  • your credit score

Mint.com’s policies state, “At no time do we ask you for information that would be required for a hacker to steal your identity, such as your full name, bank account numbers, credit card numbers, billing address.” While it is true that this type of personally identifiable information is not required, depending on the type of information you provide, some of that data is collected directly and indirectly. When managing your Mint.com profile, the site states, “Tell us about yourself so we can improve the financial advice we provide.” The information requested includes general demographic information. Other profile settings provide a place to enter additional email addresses and a cell phone number.

It is possible for Mint.com to incorrectly present to a user a link to false or potentially harmful site. Early in 2009, Mint.com incorrectly presented the wrong URLs for two financial institutions, Horizon Credit Union Credit Cards and Deutsche Bank, the latter of which supposedly went to an unknown entity in Russia, resulting in users incorrectly sending authentication information. A Mint.com employee stated this was an issue with the information provided by their data partner, and that there was no risk as the connection attempt failed at the data partner.

It’s also possible for a user to incorrectly enter their email address, as there is currently no email verification process. In February of 2008, someone supposedly received an email from mint.com regarding a forgotten password reset. The person in question stated they were not a mint.com user, but completed the password reset process out of curiosity. As there are no challenge questions, they were then able to set a new password for the account, login, and see the other person’s financial information. In February 2009 Mint.com acknowledged the potential flaw stating they were looking to add an email confirmation process.

Conclusion

This article started out asking, “is mint.com safe?” The answer is both no and yes, depending on how risk-averse you are, how savvy you are about protecting your browser traffic and authentication information, about and what safe means to you. A better way to pose the question might be, “what bad things could happen if I use Mint.com?” The end of this section includes follow-up recommendations.

Weigh Benefits Against Risks

To take the position that Mint.com is safe because the technology behind it as secure as other online banking would be short-sighted, as it doesn’t consider additional factors. Technology is only one part of the equation. Use cases and execution is a different matter.

There is one glaring risk that I have not seen addressed: potentially all your financial information is in one place, your Mint.com account.  This is not the case with other online banking. Protection of your information is only as good as the username and password you use, and how disciplined you are at protecting your browser data. Valid Mint.com accounts can be determined via trial and error, and apparently can be brute-forced without restriction. Although miscreants would not have write access to your accounts, they would have a significant amount of financial, debt, and commerce information about you that could be used for social engineering, blackmail, or tools to aid in future financial attacks.

Consider Mint.com’s stated limitation of liability and the impact on your accounts and liabilities. Confirm that accounts you may add do not result in any type of transaction fee to establish connectivity or provide data to a third party such as Mint.com. As you are technically granting a third party access to your accounts, confirm that your financial institutions will not invalidate your limitation of liability should a breach occur.

Also consider that if you use Mint.com’s email and text notifications, reports, alerts, and financial data sent and are capable of leaking plaint-text (unencrypted) financial information should those messages be read or intercepted by others. The same is true for mobile devices such as iPhones or Android phones that may have a Mint.com app running on them.

Trust and Credibility

Ultimately trust and credibility is more a subjective matter. For a person to state they refuse to use Mint.com because they just don’t trust “them” is not invalid, but it’s also not objective. A good example I found of why someone did not trust Mint.com was because at the time they could find no contact information for the company anywhere on the site. Another example cited Mint.com’s liability policies as concerning. Another saw inaccuracies with transaction categorization and assumed security was poor as well. People may confuse quality of service or how well the tool does what they want with good security, and vice versa. The site could be extremely secure, but if people feel they are treated poorly or perceive other actions the company takes as less than credible, that may transfer to concerns about security as well.

I found several of the Mint.com statements and examples listed above dubious, lacking in credibility, or contradictory, such as some of their Terms of Service, PCI non-compliance, and why a Zip code is required. Does this mean that when you travel outside your “home” Zip code, Mint.com won’t work? Someone could test it by setting up 2 different accounts with identical financial setups but radically different Zip codes, and see how they fare.

Also concerning is the fact that Mint.com has had several years to address some fairly basic but critical web security process issues, but they do not appear to be implemented.

Recommendations to Improve Mint.com’s Security Posture

The following are recommendations identified as a result of research. The hope is that Mint.com either already has some of this work underway or will release it in the near future.

• User Registration and Account Management
  • Require email confirmation to complete registration to help prevent identity theft.
  • Provide the option to enable enhanced security features.
  • Provide the option for challenge questions.
  • When registering, provide recommendations for what to use for a username.
  • Provide a scale for password strength, not just OK or Good.
  • Allow for longer passwords.
  • Provide the option to force user password resets.
  • Provide the option to use something other than email address for a username.
• Account Security and Notification
  • Provide the option for feedback to a user indicating attempted brute force attacks or multiple failed login attempts.
  • Provide the option for account lockout mechanism/process.
  • Add challenge questions to the password reset process.
• Terms of Service and Privacy
  • Clarify the information that is collected during registration. Previous claims stated “only email address” although the current registration process appears to indicate that additional information is being collected.
  • Vet, validate, and assume responsibility for 3rd parties to provide a level of trust and assurance to users.
  • Review policies for consistency.
• Controls and Validation
  • Become PCI compliant to provide a level of trust and assurance to users.
  • Complete a 3rd-party penetration test and publish the results.

Follow Jason on Twitter @jason_owens and subscribe to the RSS feed.

FOOTNOTES
1. Employee forum post: “We only use your Zip Code to improve your experience. There are two main reasons why Mint requires your zip code as part of the Registration process for the Service. First, this allows the Service to provide you with accurate automated categorization of your spending by improving our ability to identify merchants both nationally and locally. Second, Mint needs to determine the appropriate time zone in order to send you timely personal finance alerts as part of the Service.”↑
2. In connection with Intuit Offers, the Service will provide links to other web sites belonging to Intuit advertisers and other third parties. Intuit does not endorse, warrant or guarantee the products or services available through the Intuit Offers (or any other third-party products or services advertised on or linked from our site), whether or not sponsored, and Intuit is not an agent or broker or otherwise responsible for the activities or policies of those web sites. Intuit does not guarantee that the loan, investment, plan or other service terms, rates or rewards offered by any particular advertiser or other third party on Mint.com are actually the terms that may be offered to you if you pursue the offer or that they are the best terms or lowest rates available in the market. http://www.mint.com/privacy/terms/↑
3. By submitting content to us, you represent that you have all necessary rights and hereby grant us a perpetual, worldwide, non-exclusive, royalty-free, sublicenseable and transferable license to use, reproduce, distribute, prepare derivative works of, modify, display, and perform all or any portion of the content in connection with Mint.com and our business, including without limitation for promoting and redistributing part or all of the site (and derivative works thereof) in any media formats and through any media channels. You also hereby grant each User a non-exclusive license to access your posted content through Mint.com, and to use, reproduce, distribute, prepare derivative works of, display and perform such content as permitted through the functionality of Mint.com and under this Agreement…You agree that we may use any feedback, suggestions, or ideas you post in any way, including in future modifications of the Service, other products or services, advertising or marketing materials. You grant us a perpetual, worldwide, fully transferable, sublicensable, non-revocable, fully paid-up, royalty free license to use the feedback you provide to us in any way. http://www.mint.com/privacy/terms/↑
4. INTUIT SHALL IN NO EVENT BE RESPONSIBLE OR LIABLE TO YOU OR TO ANY THIRD PARTY…INTUIT’S LIABILITY TO YOU FOR ANY CAUSE WHATEVER AND REGARDLESS OF THE FORM OF THE ACTION, WILL AT ALL TIMES BE LIMITED TO $500.00 (FIVE HUNDRED UNITED STATES DOLLARS)…You shall defend, indemnify and hold harmless Intuit and its officers, directors, shareholders, and employees, from and against all claims and expenses… http://www.mint.com/privacy/terms/↑
5. “…you grant Intuit a limited power of attorney, and appoint Intuit as your attorney-in-fact and agent, to access third party sites, retrieve and use your information with the full power and authority to do and perform each thing necessary in connection with such activities, as you could do in person. YOU ACKNOWLEDGE AND AGREE THAT WHEN INTUIT IS ACCESSING AND RETRIEVING ACCOUNT INFORMATION FROM THIRD PARTY SITES, INTUIT IS ACTING AS YOUR AGENT, AND NOT AS THE AGENT OF OR ON BEHALF OF THE THIRD PARTY.”↑
6. “When you request us to delete your account for the Service, your data will be permanently expunged from our primary production servers and further access to your account will not be possible. We will also promptly disconnect any connection we had established to your Account Information and delete all account credentials. However, portions of your data, consisting of aggregate data derived from your Account Information, may remain on our production servers indefinitely. Your data may also remain on a backup server or media. Intuit keeps these backups to ensure our continued ability to provide the Service to you in the event of malfunction or damage to our primary production servers. We also reserve the right to use any aggregated or anonymous data derived from or incorporating your personal information.”↑
7. http://www.itsecurity.com/features/the-top-5-internal-security-threats-041207/↑
8. http://www.networkworld.com/subnets/cisco/050109-ch1-ccna-security.html↑
9. http://www.pcworld.com/businesscenter/article/147098/insider_threat_exaggerated_study_says.html↑
10. “Your bank account and credit card numbers are stored securely. Your information may be seen by technical personnel in accordance with specified procedures and safeguards governing access in order to operate, develop and improve the Service.” http://www.mint.com/privacy/faq/↑
11. For more information on GLB  compliance, see the FTC’s website for details.↑

Related Posts:

• Is DeleteMe an Internet Undo Button?
• Interview With Abine
• Abine To Protect Online Privacy
• How I Would Try to Hack Your Mint.com Account
• RSA’s SecurID Breach and What You Can Do Right Now