So far the article Mint.com in 2010 – Is it Safe has received both positive and negative comments. I think that’s good. The goal is to provide an accurate, objective analysis of your security when using Mint.com. Below are some follow-up thoughts to comments I’ve seen so far. Please correct or comment where you see fit.
The Fox News trope in the opening line sets the tone that this is not journalism, but an opinion piece.
> “To date there have been security concerns and questions identified around mint.com.”
Journalism should avoid using “there have been” or “some say”; such phrases signal that what comes next will be an unattributed pot shot.
Not sure if I should be flattered or horrified to be associated with “the media.” This is an objective conversational piece. To state that people have had security concerns around Mint.com to date is an accurate and true statement. Whether or not those concerns are valid is the issue, which is what the second sentence of the article indicates. Perform a Google search for “is mint.com safe” and you will get 900,000+ search results.
The first attack is on the zip code requirement. “Presumably this means Mint.com … will not be able to effectively send you email and text alerts.” On the contrary, this FUD statement was preceded by an attributed statement from Mint: “Mint.com requires your Zip code … to determine the time zone in order to send timely alerts.” If you don’t give them the right time zone, your alerts will be no less effective, you just might find them more inconveniently timed.
It’s an observation on why Mint.com says they need your Zip code. The link to the footnote contains the entire Mint.com statement, no attempt to hide anything there. “Effective” might not have been the best word to use, but the point was the rationale for the requirement sounds dubious. What would an inconveniently timed alert be? And is the assumption then that if you leave your “home” Zip code, Mint.com will not be able to categorize your purchases? What if you purchase a lot online?
…lots of parts of it point out significantly better practices than my banks currently employ.
Recommendations included were:
- Help users have stronger passwords.
- Give users the option to use challenge questions.
- Use an email verification process.
- Lock out accounts after a certain number of failed attempts.
- Provide some insight into what would be bad/good usernames to use.
- Be PCI compliant.
If a bank didn’t have these features or abilities, I don’t know that I’d consider them credible.
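Lockout after repeated failed attempts, one of the recommendations listed above, is simple to state but has a few details worth getting right: the failure count should be a sliding window rather than a lifetime counter, the lock should expire on its own, a locked account should refuse even the correct password, and a successful login should clear the history. The following is an added illustration of such a policy, not code from the original post and not Mint.com’s implementation. The user store, the PBKDF2 parameters and the injected fake clock are constructed for the demo.

```python
import hashlib
import hmac
import os
import time
from collections import deque


class LoginThrottle:
    """Counts failed logins per username and locks the account once
    max_failures happen within window_seconds. A lock expires after
    lockout_seconds. A clock is injected so the policy can be exercised
    without sleeping."""

    def __init__(self, max_failures=5, window_seconds=900,
                 lockout_seconds=900, clock=time.time):
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self._failures = {}      # username -> deque of failure timestamps
        self._locked_until = {}  # username -> time the lock expires

    def is_locked(self, username):
        until = self._locked_until.get(username)
        if until is None:
            return False
        if self.clock() >= until:
            # Lock has expired: clear it and the stale failure history.
            del self._locked_until[username]
            self._failures.pop(username, None)
            return False
        return True

    def record_failure(self, username):
        """Register a failed attempt; return True if it triggered a lock."""
        now = self.clock()
        window = self._failures.setdefault(username, deque())
        window.append(now)
        # Drop failures that fell out of the sliding window.
        while window and now - window[0] > self.window_seconds:
            window.popleft()
        if len(window) >= self.max_failures:
            self._locked_until[username] = now + self.lockout_seconds
            return True
        return False

    def record_success(self, username):
        """A successful login clears the failure history and any lock."""
        self._failures.pop(username, None)
        self._locked_until.pop(username, None)


def hash_password(password, salt):
    # PBKDF2-HMAC-SHA256; the iteration count is a constructed demo value.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def authenticate(throttle, users, username, password):
    """Return 'locked', 'ok' or 'denied'. The lock is checked before the
    password, so a locked account rejects even the correct password, and
    failures against unknown usernames are counted as well."""
    if throttle.is_locked(username):
        return "locked"
    record = users.get(username)
    if record is not None:
        salt, expected = record
        if hmac.compare_digest(hash_password(password, salt), expected):
            throttle.record_success(username)
            return "ok"
    throttle.record_failure(username)
    return "locked" if throttle.is_locked(username) else "denied"


# Constructed sample user store: username -> (salt, pbkdf2 hash).
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, hash_password("correct horse battery", _SALT))}


def demo():
    """Drive the policy with a fake clock; returns the list of outcomes."""
    fake_now = [1_000.0]
    throttle = LoginThrottle(max_failures=3, window_seconds=60,
                             lockout_seconds=120, clock=lambda: fake_now[0])
    results = []
    for _ in range(3):
        results.append(authenticate(throttle, USERS, "alice", "wrong"))
    # The correct password is refused while the account is locked.
    results.append(authenticate(throttle, USERS, "alice", "correct horse battery"))
    fake_now[0] += 121  # advance the clock past the lockout
    results.append(authenticate(throttle, USERS, "alice", "correct horse battery"))
    return results


if __name__ == "__main__":
    print(demo())
```

Running `demo()` yields two denials, a lock on the third failure, a refusal of the correct password while locked, and a successful login once the lock expires. In a real deployment the counters would live in shared storage rather than in-process memory, and a per-source-address limit would usually sit alongside the per-username one.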
I’m sorry, but this entire article sounds like FUD. I could point out various parts I had issues with, but the bit that bothered me the most was the title of the section “Recommendations to Improve Mint.com’s Security Posture”.
If you have time, please do point out the parts you had issues with, the goal is to make this as objective and informative as possible.
I agree that most of the article is FUD, though the author does have some valid points in the “Security Posture” section (e.g. Mint ought to validate your email address before they depend on it for recovering an account). The author suggests the use of challenge questions; I think on the surface that sounds like a great idea, but most challenge questions can be guessed based on what friends/family know or what a person writes online, and the testing I did with user-provided questions showed that users will write obvious questions or even write a question with an answer that is the question itself. I’m surprised that the author didn’t write more about who has access to the information. I think that’s a very valid question regarding their security and privacy. Additionally, while their data-retention policies seem reasonable (backups and aggregate data), some guidance as to how long those backups are kept and what aggregate data is collected would be informative. In short: the article is a good attempt to review Mint’s security policies, but I think the author should have done a little bit more investigation.
Answers to challenge questions can only be guessed when you use real answers that can be derived from public or known information. Use answers that you make up or know. Having them is better than not, and can at least help the people that are smart about it. I think it’s a valid point that the article didn’t discuss more about who has access to data. Frankly, I was working from the perspective of concerns I had seen expressed to date and information that the average user would be able to gather from Mint.com’s site and use. That was the point however of submitting to a third-party compliance audit such as PCI. That type of audit would help illuminate that type of information and process.
What additional research would be recommended? Again, this was written from the perspective of what an average user would be able to gather from Mint.com’s site and usage.
It boggles the mind that someone would call you out on providing free analysis of a service in which security is essential. The account information and aggregation of transactions is enough to provide quite a bit of financial and potentially credit-record damage to the account holder if misused.
On a slightly different topic, have you taken a look at PayPal’s use of the VeriSign “credit card” RSA tokens? I was curious enough to pay the $5 to receive the card. It is an interesting device but PayPal does allow bypassing the use of it even when it is tied to an account. So I wonder if the security offered by the device is mostly circumvented in order to maintain convenient access to the account.
I found your discussion of Mint.com to be very illuminating. I had started an account but was concerned about having all of my financial data in one place. After reading your analysis, I agree that Mint.com falls short of the mark, since fairly simple measures like an automatic lock-out after a certain number of failed attempts, and challenge questions before allowing a new password, are missing from their site.
However, I am still looking for some sort of budgeting software to help me keep things on track, as Excel spreadsheets just don’t quite cut it. I was wondering if you’d ever considered looking at Thrive (https://www.justthrive.com), a site that is a lot like Mint.com but does have a challenge question for password reset and automatic lock-out after too many failed attempts. I would love to know your take on it (especially before I give them my financial info!). Thank you for making internet security comprehensible!