
How Secure is Mint.com?

October 9th, 2007 Posted in tips and tricks


Leo Laporte brought up a really good point on this week’s TWiT. Should we (the users) surrender our bank account numbers and passwords to Mint? Mint, for those who don’t know, is an online money management tool that will supposedly save you money and allow you to keep a really close eye on the money you spend. The only question is security. Banks and credit card firms spend millions, if not hundreds of millions, on keeping people’s information safe, but they still end up misplacing a “laptop” with account numbers of a few thousand people. A relative works for a company that creates applications for credit card processors. They get 10,000 attempted breaches a DAY and they don’t even use or have any legit credit card information. If the big companies are having trouble keeping information safe, then why should we trust Mint?


Like me, most think of Mint as another web service, but it’s a web service that uses (and could someday lose) your account numbers. Personally, I had put my PayPal account into Mint to try it out because my bank account didn’t work in Mint. Now I’m glad it didn’t work. We need to remember that for every good website there are a hundred more that are trying to access your information maliciously. I’m not saying Mint is going to ever lose your money, but a close eye should be kept on them.

I don’t want to surrender my information for better deals or a cool interface, no matter how good the deal or how slick the interface is. Want a much safer alternative? Try an application like Quicken or just use your bank’s online banking site.


46 Responses to “How Secure is Mint.com?”

  1. www.topcreditcardsadvice.info » How Secure is Mint.com? Says:

    [...] LOR3N wrote a fantastic post today on “How Secure is Mint.com?” Here’s ONLY a quick extract: Banks and credit card firms spend millions, if not hundreds of millions on keeping people’s information safe, but they still end up misplacing a “laptop” with account numbers of a few thousand people. A relative works for a company that … [...]


  2. ob81 Says:

    I brought this point up when it was still in beta. I don’t trust it. I don’t even give all my info to my wife.


  3. Justin Goldberg Says:

    It gets its data from your bank’s interface, correct?

    In any case, banks need to open up their data with a secure, non-proprietary api for things like this. The developer of moneydance personal finance manager has been trying to get banks to allow his program to do the same function for years without the extreme cost.


  4. Justin Goldberg Says:

    I should have said banks web interface


  5. lazysupper Says:

    I signed up for Mint. I thought I’d be able to use nicknames for my accounts, credit cards, and loans. I was stunned when they asked for my bank account numbers, passwords, etc.

    They are using Yodlee as their back-end, saying Mint does not store your info. However, they “access” your info and accounts “from time to time” to update your Mint account.

    They require a lot of faith in their encryption and security.

    For now… not a chance.


  6. Rose Says:

    The developer of monkeydance personal finance manager has been trying to get banks to allow his program access for years. I bet that someday banks will be forced to have some kind of universal api that works with every bank (securely of course)


  7. Rose Says:

    Whoops, I meant to say moneydance. Steve Ballmerian slip.


  8. Jeremy Says:

    I gave it a try. It doesn’t do enough to warrant my trust. Plus they say they do not store your info but, as a web app builder, I have to point out that it is impossible for them NOT to store your info. It is stored in some format, possibly in an encrypted format, but that encrypted format is obviously a format that can be used to access your account info… otherwise, how do they do it? Think about it. Also, here is the thing that scared me away. I used the Forgot Password feature. It sent me an email and the link in the email takes you right to a place where you can change your password. No extra security features. So if somebody hijacks your email (which is soo much easier than you might think) they will be able to quickly get all your mint info just by clicking a couple links. WATCH OUT.

    BTW, another security tip. If you use your email address as a login at ANY site, never use the same password as you need for your login. Your password is often stored in a raw format in a db where admins can just see it, and log directly into your email account. I have seen this with my own eyes, databases with thousands of email address / password combos, where probably 50% are using the same password as their email yahoo or gmail account.


  9. Loren Says:

    Thanks for your input Jeremy. It’s only a matter of time before Mint is hacked into. I had a card that I used with Mint, but I got it changed very soon after.


  10. Justin Goldberg Says:

    Is it possible to store the info in a hashed form, where it is only one-way encrypted? I guess that depends on how Yodlee works exactly. Shouldn’t the mint.com sock puppets and astroturfers be somewhere close by?

    Use a different password for paypal, the bank, ebay, etc….


  11. Financial Software Alternatives? - Kia Forum Says:

    [...] Eh, found this thread and decided not to use it. How Secure is Mint.com? at r3fresh.com [...]


  12. Amy Says:

    Agreed! I was skeptical of the safety of Mint.com, and this confirmed it for me. Thx!


  13. Maria Says:

    Can’t trust this new site just yet especially when it requires banking passwords.

    Nooopppp!!


  14. andy Says:

    I think I’d rather stick with the old notebook and calc on my computer.


  15. Tom Kurtz Says:

    Anyone who is going to use mint should set up a read only account with their bank if that is possible and use that just to be safe. Mint should clarify what it means when it says they do not store your bank account username and password. There are only 2 technically feasible ways to do this. Either it is stored, but is encrypted, or some kind of federated banking security is in place where the password is sent directly to the bank to verify the account and then the bank gives them back some kind of key that lets mint into the account.
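
The question in comment 10 (can the aggregator keep only a one-way hash?) and the two options in comment 15, modelled as an added example; it is not part of any comment and is not Mint's or Yodlee's code. The `Bank` class, its "read"/"full" scopes and the sample password are constructed assumptions, not a real banking API.

```python
import hashlib
import hmac
import secrets


class Bank:
    """Constructed stand-in for a bank's login and token endpoints."""

    def __init__(self, password, balance=1000):
        self._salt = secrets.token_bytes(16)
        self._pw_hash = self._kdf(password)   # the bank itself can store a hash
        self._tokens = {}                     # token -> scope
        self.balance = balance

    def _kdf(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def login(self, password):
        return hmac.compare_digest(self._kdf(password), self._pw_hash)

    def issue_token(self, password, scope):
        # The owner authenticates to the bank directly and delegates a scope.
        if not self.login(password):
            raise PermissionError("bad password")
        token = secrets.token_urlsafe(32)
        self._tokens[token] = scope
        return token

    def revoke(self, token):
        self._tokens.pop(token, None)

    def authorize(self, credential):
        """Return the scope a presented credential grants, or None."""
        if credential in self._tokens:
            return self._tokens[credential]
        return "full" if self.login(credential) else None

    def read_balance(self, credential):
        if self.authorize(credential) is None:
            raise PermissionError("not authenticated")
        return self.balance

    def transfer(self, credential, amount):
        if self.authorize(credential) != "full":
            raise PermissionError("credential may not move money")
        self.balance -= amount


def compare_storage_options():
    password = "correct horse battery staple"   # constructed sample value
    bank = Bank(password)
    out = {}

    # Comment 10: aggregator keeps only a one-way hash. The bank's login form
    # wants the password itself, so the hash cannot be replayed to fetch data.
    digest = hashlib.sha256(password.encode()).hexdigest()
    out["hash_scope"] = bank.authorize(digest)

    # Comment 15, option 1: password kept in recoverable form. Whatever the
    # encryption at rest, once decrypted for use it grants the owner's access.
    out["stored_password_scope"] = bank.authorize(password)

    # Comment 15, option 2: bank hands back a key. Here it is read-only and
    # can be revoked without changing the owner's password.
    token = bank.issue_token(password, "read")
    out["token_balance"] = bank.read_balance(token)
    try:
        bank.transfer(token, 100)
        out["token_can_transfer"] = True
    except PermissionError:
        out["token_can_transfer"] = False
    bank.revoke(token)
    out["revoked_token_scope"] = bank.authorize(token)
    out["password_still_valid"] = bank.login(password)
    return out


if __name__ == "__main__":
    for key, value in compare_storage_options().items():
        print(f"{key}: {value}")
```
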


  16. Jason Walker Says:

    I have used Mint since beta. Before, I used yodlee, and before that MS Money. I love Mint and don’t have a problem giving it my bank account information. Here’s why:

    1) I spend about 5 minutes a week managing my money, and I manage it more closely than most of my peers and coworkers. Mint is very easy to use and gives you just the right amount of detail.

    2) Mint is powered behind the scenes by Yodlee, which is a *big* name in the banking industry. For those who say it is impossible that Mint doesn’t store login credentials, you should read the Mint terms of service and privacy policy – it explains it there. Yodlee is the company that does the online banking systems for a majority of the banks out there, and are about as trustworthy security-wise as any company on the web.

    Frankly, the amount of time I save using Mint is worth way more than the minor risk of having my passwords stolen. I pity anyone still banking by paper. (More than 70% of all identity theft is still done the old way – looting people’s garbage and snail mail.)

    As a side note, to those who are wondering how Mint (or rather Yodlee) works – there is a banking API (google OFX), they don’t just go out and use the web interface. That would be silly.


  17. Bman Says:

    I recently signed up for Mint. It is so easy to use and takes the grunt work out of managing your finances. It is incredibly powerful in terms of accumulating all of your accurate, up to date information. The automation is really amazing. I think the best feature is the budgeting, that can help keep you on track financially. It categorizes all your credit card transactions (and other accounts) and then plugs them into a budget framework you create, so you can see if you spent too much this month on groceries or gas.

    Also, you can setup your email preferences to be notified of any unusual transactions on any accounts you list with Mint. For example, you can set up your preferences to receive an email if there is a transaction larger than $1000 on your CC. So, Mint can actually help prevent identity theft, etc.

    If you’re really concerned about password safety, etc. just change the password on your bank account or credit card account once a quarter, or whenever you feel like it.

    Besides, “the only thing we have to fear is fear itself”!


  18. Bman Says:

    One more nice thing, Mint will send you email reminders when your CC payment is due, mortgage payment, etc. How sweet is that! No more late payment charges of $40!


  19. Matt Says:

    I’ve just recently signed up for Mint. I really love it but security concerns me.

    At the same time though, I have not yet found an alternative that works like Mint does. If I had to do everything Mint does manually I would simply never do it.


  20. pabs Says:

    WOW!!! I was going to sign up with mint.com, thanks to everybody on this site I am not going to even try it!! That was my first thought when I read, they don’t save any of your information, bull crap!! No way, they have to save it in some format. Permalink thanks for sharing your knowledge and to help me making a decision. Now I can go to bed without having to think, should I set up an account with mint.com or not? The only problem though, I am a big money spender. I need help because I think I am sick, i just have to buy something, no matter what, to feel good. :-( sad!!


  21. daniel Says:

    I have been using mint for about 3 months now. At first I didn’t really keep too close an eye and did close my account because I didn’t feel safe enough and there wasn’t a benefit.

    I have since put the app on my iphone. I probably check my accounts at least once a day. Between my couple credit cards, joint accounts, personal savings and checking and even mortgage, I save a ton of time.

    Because of how frequently I check everything, I now don’t feel unsafe. In fact I feel more secure knowing that I can see EVERYTHING that occurs each and every day. Also budgeting is great.

    I think for those who feel that mint.com may not be safe, you should consider the alternatives. Well… there aren’t any. Yeah, they ask for all your information, but how else would they be able to give you up to the minute tracking on your finances?

    I don’t think anything is fully secure, heck someone could get some of your sensitive info through the mail. At least with mint, you’ll see what’s going on before your monthly statement.


  22. dalas v Says:

    I read the information on their privacy page, and it sounds good enough to me. At first I was very paranoid, but I agree that you’re probably more at risk from someone going thru your garbage can than anything happening thru mint

    http://www.mint.com/privacy/


  23. Loren Says:

    @dalas V

    I’ve changed my opinion on the issue. I still worry a little bit, but there are worse things I could be doing. To be honest though, Mint is great, but I almost never use it anyways.


  24. Peter Hub Says:

    Mint.com is absolutely awesome! This is the breakthrough!


  25. JL Says:

    I’ve been using Mint for about a year now and it has seriously saved me so much time in organizing all my accounts that I have scattered everywhere. I was using Quicken before Mint and Mint just makes it so much easier to update and its free!

    Now I was very skeptical about the security at first as well, but after a closer look, I don’t think a thief could really do much harm because I have all my accounts set up to notify me by email or text for any online transaction. They would only be able to move money from one of MY accounts to another one of MY accounts anyways. And even then I need to authorize through email or text. So first sign of foul play and I’ll just call the bank. Still probably not for everyone, but for me, the time it saves me with organization is worth it.


  26. Jeff Says:

    The concern for security is understandable, but couldn’t you have the same concern if you use Quicken or MS Money? If you get a virus on your PC, you’re just as exposed to someone using that info to get into your accounts. Furthermore, online banking typically doesn’t show your entire account number.


  27. Michae Says:

    But then again, why put your information on the computer where it’s vulnerable to keyloggers and trojans? I would rather have mint.com protecting my information than Quicken. Sure it might get stolen, but it’s free (unlike Quicken, which many banks charge you to use) and it allows you up to date information on transactions (which increases security). You’re not liable for unauthorized charges and most banks will, if reported on time, refund any unauthorized transactions with a 50$ deductible.


  28. Alan Brown Says:

    “the only thing we have to fear is fear itself”

    really? So bad things DON’T happen to good people after all?

    It wasn’t true when FDR said it and it’s still not.


  29. matt @ Thrive Says:

    Who to trust, and how much to trust them, is certainly an important question in the online financial space. I actually get a couple of Thrive (www.justthrive.com) users a week that call up and ask about security, and I always tell them that I’m very glad they called: consumers that ask about this sort of thing are good consumers.

    And that is part of it right there: you can pick up a phone and call Thrive. The phone literally sits on my desk, and if I’m in a meeting or elsewhere, someone else will answer it – we’re here to help you. If you live in NYC or are visiting, come by the office and visit: you can meet the team that is building the product you love.

    I think there are a couple of things to keep in mind when using a personal finance site online (be it Thrive, Wesabe, or any of the dozen other options), and many have been reviewed in these comments. I’m going to try to address a few as well, but keep in mind I can only speak for Thrive – Mint may (and likely does) operate their security differently.

    Thrive, like Mint, uses Yodlee for our back end aggregation. A couple of people have expressed concerns about what gets passed back and forth and how secure the encryption is. In general, I like to explain the data transfer in terms of the credit card statement you get in the mail: that’s the kind of information that goes back and forth between Thrive and Yodlee. When you first sign up, we established a secure connection between Thrive, Yodlee, and your bank. After that, Thrive does not store your username, password, or an account number, just a random string of characters that is your userid. Yodlee sends us a statement of your transactions and we match that up with your userid.

    So in reality, what is getting passed is substantially less than what is on the bank statement you get in the mail. Mail statement has your account number (we don’t use that), your name (we don’t pass that), your address (we don’t pass that), etc.

    So there are two data-loss situations. In one case, your Thrive account credentials are hacked and someone can log in as you. What can they see? Your balances, your transactions, what types of accounts you have, and what banks you use. Damaging information, to be sure. But they don’t have your bank passwords or logins, they can’t change anything at your bank or move any money around. They can only view some sensitive information about you, which they could get straight from your mailbox – it is the same information on any paper statement you receive.

    The other data-loss situation is a hacking of our servers, not just your account. The same information is available, but on a vastly larger number of people.

    I’m not suggesting that there is no security risk and that people shouldn’t be wary: as I said before, being cautious with your info makes you a good consumer. Everyone has to choose for themselves, based on the positives and negatives, of joining a site like Thrive. And honestly, if someone understands all the considerations and still chooses not to use Thrive, we’re totally fine with that – it isn’t for everyone and some people are less comfortable than others. I simply care that people understand what they are and aren’t making accessible by using such a site, and all the things they stand to gain.


  30. bank online Says:

    thanks for the info you’ve posted, there is just so much info out there and this is such a tiresome topic to research :(


  31. Josh Says:

    I did not read all of the comments…

    but the way things are headed, all apps will be in the cloud soon enough…. Quicken even has a free webservice that does nearly the same thing as Mint.com…

    I personally like Just Thrive’s ideas so far, they have real people that you can talk to, and they also do collect for contact information, supposedly so that you can be contacted in the event of a data breach.

    Just my 2 cents.


  32. T Says:

    Mint was a life saver during my recent east coast – west coast relocation. I was able to juggle my money without bouncing checks or maxing credit cards.

    Yes, maybe they “misplace” your info. So it might happen to any other bank. I keep an eye on transactions and I block opening new credit lines.


  33. Joshua Says:

    The only problem I really have with their TOS is that in case of an identity problem, they hold themselves with no responsibility. Meaning you are SOL…

    All financial institutions need to be required to make customers aware of ANY!! information breaches… Mint.com included.


  34. Josh Says:

    For those of you who are paranoid, please think about this: If someone is going to hack Yodlee (Where your bank account info is stored for mint.com) with miraculous ease, which probably won’t happen as such, then why couldn’t they just use the same tactics on YOUR bank’s databases? They both use the same encryption right? Okay then.

    And for those of you who use Quicken and MS Money, those programs also connect to the internet to sync information in one way or another. The only way you’re truly safe with Quicken or MS Money is to have an isolated computer (as in, not hooked up to the internet AT ALL, EVER) with such information on it. Now, given that, probably 95% of computers in the world are connected to the internet with a lot less security than Yodlee or your bank. Not to mention, if someone burglarized your house and took this isolated computer, your files and/or hard drive are not encrypted either; but are with Yodlee and banks.

    Just think about it. If you’re truly worried about getting hijacked on the interwebz then just use pen, paper, and a fireproof safe in the closet that’s bolted to the floor. There is no pure secureness in the digital age.


  35. Neil Says:

    I think this is certainly a cool device but I am one of those paranoid people who is worried about even giving out your ss # for a credit check at the iphone store.

    I decided not to use mint because eventually people if not already will be trying to get bank information through Mint. I mean if they are doing it to the banks themselves then why not a 3rd party.

    In any case I feel safer on the computer with my virus scanner and malware protection running. I consider myself very good with computers and build them. I think you have to be relatively reckless to get a virus if you protect yourself with the right security tools.

    In any case good luck to you guys using mint I wish I had the balls to do and I envy you because it looks like such a badass app but to me it’s just an additional way for people to get my information and if not easier.


  36. Neil Says:

    It also seems like you can log onto Mint from any location. My bank requires a security # sent and verified to my cell phone if someone or me tries to sign on from anywhere but my home. So in the case someone logged my bank it’s a safe bet I would find out and they wouldn’t be able to log in w/ out my cell phone. My life savings is my life; I couldn’t imagine jeopardizing that any further.


  37. Moneywise Says:

    Hi, probably our post may be off topic but anyhow, I’ve gone surfing about your site and it looks seriously cool. It is obvious you know the topic and you are passionate about it. I am constructing a new weblog and I’m attempting to make it look great, and provide quality articles. Having learned much visiting your web site plus I look forward to alot more quality information and will be back soon. Thanks.


  38. clara Says:

    Interesting and informative. I would often visit this site. :)


  39. national debt Says:

    This is my 4th time here now. I really enjoy your site and look forward to more reading!


  40. Merle Guldemond Says:

    Where can I go to get free, impartial mortgage loan tips? Pretty much all over the place on-line is hoping to sell me an item.


  41. Maurice Munter Says:

    Interesting post, but if you have problems with your Paypal account, try the Paypal Stealth eBook and get back to selling on Paypal! Suspended account? Limited account? No worries, the Paypal Stealth eBook will help you get back online. Check them out today and get back on Paypal!


  42. Ever P. Says:

    I worried about the same thing.. read this as part of Mint’s terms. 500 is the most they would be responsible for. I don’t think so..

    INTUIT SHALL IN NO EVENT BE RESPONSIBLE OR LIABLE TO YOU OR TO ANY THIRD PARTY, WHETHER IN CONTRACT, WARRANTY, TORT (INCLUDING NEGLIGENCE) OR OTHERWISE, FOR ANY INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, EXEMPLARY, LIQUIDATED OR PUNITIVE DAMAGES, INCLUDING BUT NOT LIMITED TO LOSS OF PROFIT, REVENUE OR BUSINESS, ARISING IN WHOLE OR IN PART FROM YOUR ACCESS TO MINT.COM, YOUR USE OF THE SERVICE OR THIS AGREEMENT, EVEN IF INTUIT HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. NOTWITHSTANDING ANYTHING TO THE CONTRARY IN THIS AGREEMENT, INTUIT’S LIABILITY TO YOU FOR ANY CAUSE WHATEVER AND REGARDLESS OF THE FORM OF THE ACTION, WILL AT ALL TIMES BE LIMITED TO $500.00 (FIVE HUNDRED UNITED STATES DOLLARS).


  43. Arnold Marzocchi Says:

    This is a great site


  44. Lottie Mazzillo Says:

    Very interesting post thanks for sharing I just added your site to my bookmarks and will be back.


  45. Darryl Krikwen Says:

    Each post I have read is very well written and to the point. I would also like to say, not only are the articles well written, but the lay-out of your web-site is excellent. I was able to navigate from article to article and locate what I was looking for with ease. Keep up the great work you are doing, and I will return many times in the future.


  46. London Removals Says:

    You seem to want an honest opinion so I’ll give it to you. Very of all you could have used a search engine or searched amazon.com to find out if such a book existed. Secondly I believe if one does it would be gathering dust somewhere-it’s a big yawn of the topic-nobody cares and no-one would be interested. Sorry. I’m not attempting to become mean-just brutally honest. Instead of feeling sorry for yourself-recognize that you are just lonely and a workaholic and do some volunteer work and make some new friends. Senior homes are always looking for individuals to talk or read to the residents-it sounds like you have some stories you could inform them.

