I like stuff.

Monday, March 23, 2009

Mint.com - Why I'll never use it.

This is their security FAQ as of 3/23/09. I'll do my best to make clear when I'm annotating, but you can read the latest model here


Why does Mint need my bank login information (username and password)?
Mint needs this information to establish a secure connection with your bank, credit union or credit card company. This enables Mint to download and categorize your transaction information securely and automatically.

(transiit: That word "automatically" worries me. Hang on to that for a moment.)

Can Mint employees view my online banking username and passwords? Do you store my bank login information on your servers?
No, Mint employees can’t view your banking username and passwords. We do not store this information at Mint. Your banking login credentials are securely stored by our online financial service providers. Your Mint login credentials are not shared with these providers.

(transiit: remember "Automatically"? They don't store it, but they've got automation down? But what a great pass-off, your information is stored by their "online financial service providers" Who are they? Did you catch that Mint.com was giving your bank login to a third party? Good news, your Mint.com login is not shared with those providers.)

Am I at greater risk of someone stealing my identity by using your service?

No, as Mint does not require any personally identifiable information for you to create an account. Mint only asks for the following:

* Email Address
* Zip Code
* Password

At no time do we ask you for information that would be required for a hacker to steal your identity, such as your full name, bank account numbers, credit card numbers, billing address, telephone number or Social Security number.

(transiit: By their nature as a web service, they can determine your IP address. If the RIAA/MPAA can identify and subpoena those dirty, dirty filesharers from a single data point (tongue in cheek), do you feel comfortable that your email address doesn't identify you? If you're comfortable with that, go poking around your financial institution's online banking interface. Does it give details like your name, bank account numbers, credit card numbers, billing address, or telephone number? (I'm really, really hoping it doesn't have your SSN anywhere, but hey, we're not talking one single institution, go look for yourself))

Can Mint employees view my bank account numbers or credit card numbers?
Mint uses only your account login credentials for access to your account information and Mint does not store these credentials.

(transiit: I sincerely hope they are being honest here...but...first, it takes them on their word that they don't store any information. second, it doesn't account for any information stored outside of policy. What if a developer leaves some debug flag on that logs all transactions? What if a rogue developer leaves a backdoor in for their own purposes while employed by Mint.com? I guess they could mitigate such things through rigorous engineering processes, but we're still taking their word for it.)

How can I protect my Mint account?

* Don’t share your Mint password with anyone.
* Make sure that your password is complex, including both numbers and capital letters.
* Be certain that you have virus protection and a firewall on any computer you use to access Mint.
* Don’t install programs from people or companies you don’t know.
* Learn to prevent identity theft and identify Phishing attempts.

(transiit: cookie-cutter answer.)

If someone does manage to steal my Mint log in information, can they access my bank accounts and credit cards to make any transactions?
No, as Mint provides a strictly “read only” view of your transaction information. Your online banking user names and passwords are never displayed after you enter them during your first session.

(transiit: What does "read only" mean? They can only "see" your recent transactions? Remember, they already said they don't store your login info, so how do they keep up with that view?)

How can I close my Mint account?

1. Login to your Mint account.
2. Go to “Your Profile”.
3. Locate the “delete Mint account” option under “More Options”.
4. Your Mint account data will be removed within 48 hours.

(transiit: Um, ok.)

Where can I find out more about the technology that protects my information?

* Mint’s Privacy and Security Policy
* Mint’s Security Technology and Practices

(transiit: and here we are.)

They also provided a nice video explaining how much the founder cares about security.


Here's the thing, the financial institution that I bank with is really big on tacking on features that make them seem like a better value for hanging onto my money when I'm not actively using it. So in the last year or so I've seen them add on things like "online bill payment" and "transfer money to an outside account". Mint.com might have a great model of how their portion is "read only", but if you've got access to my login, I already know of ways that you could transfer my deposits somewhere else. Assurances that they don't store the information ring a bit hollow with their claims of automation, and that thing about "our online financial partners" storing my login information...well, frankly, it scares the shit out of me. I've no clue who they are, and as Mint.com's current reputation is "We say we're secure.", I can't say I trust them either.

Frosting on the cake is the video. I might be paranoid, but that doesn't make Mint.com any more trustworthy. What I see is a long chain of people that I'm supposed to trust...it only takes one employee to make a YouTube video, and it only takes one employee to break that chain of trust.

From my standing, I protect my bank account by not readily giving out any details to anyone without a strict need-to-know. You might feel differently, all I'm suggesting is that you're increasing your risks, even with such a "convenience" as Mint.com.

12 comments:

consumatron said...

My mother has the Mint-killer in her purse. It's a bank ledger where she keeps track of and records all financial activity on her accounts as they happen.

It's one of the areas of my life where I am just like my mother... except for the purse thing.

boo said...

Thanks for posting this. I was very unsure about it but had no real knowledge of how things are done there and what the dangers might be.

Happygirl19@yahoo.com said...

Hey! WTF? how dare you tell the world I go to Starbucks 3 Times a week?! Damn it mint.com! It's over!

Anonymous said...

Dude, about half of your complaints make no sense, and the other half could be answered with a tiny bit of research.

Yodlee provies access to 3rd party banks. So trusting "Mint" one way or the other is irrelevant. Even if the whole company went rogue, the most they could do is look to see what's on your accounts. The don't have any of the login credentials. Yodlee does. At no point do your passwords touch Mint servers.

transiit said...

1) Go to a PGP/GPG key-signing event someday. See how people feel about trust.

2) Oh, it's "Yodlee", cool, so they're like totally awesome, right? Doesn't change a thing. First, I wouldn't trust the judgment of a company that chose a name like "Yodlee", but the truth is, mint.com doesn't specify who stores my credentials, so it could be Yodlee or it could be anyone. I'd still be accepting their word that they don't store it themselves, and the truth is, the convenience they provide just isn't worth the risk. Even if they're pure, pushing it off to some third-party doesn't make it ok, it just means the risk sits with someone other than mint.

Philip Truax said...

Yodlee is used by many major companies and themselves rely on financial transactions as a means of business. The actual real world risk of any of your fears is minimal. The do state on their website in multiple locations that they use Yodlee, though I find it kind of juvenile to say you aren't going to trust someone on a name,especially with names like Google, Yahoo, Bing pervading the internet and let's not go into Linux distro names. Are there security concerns? Yes. You should always be concerned about who you are giving your information out to. But if you're giving your money to a bank, you're pretty much saying you trust the fact that the way they make money does not require them to rip you off. Mint.com makes money by placing ads of banks and credit cards that you may be interested in. Seems like a pretty smart idea to compete with more expensive options like MS Money or Quicken. You made a reference to a PGP signing event, I think that while doing your best to be vigilant is good. To say that you can be secure anywhere is a bit of a stretch. As I said before we leave money in banks trusting that they won't close shop and leave us without, we give credit information to store clerks daily, many people use one password for everything, people store passwords on their computer in an unencrypted format, hell if the government can be hacked I think it can prove that there are leaks everywhere and if someone wants to they will get in. So unless you're living off the grid storing money in a sock under a floorboard, you're going to have to trust people somewhere and finding your own level of trust is good. For most people I think that they would be comfortable with the level of risk involved.

transiit said...

Fair enough.

I don't trust mint.com, I don't trust yodlee, and no, I don't know everyone in the chain every time I use my credit card.

I even know that I can't be perfectly safe/secure on this stuff.

But for me, minimizing my risk profile means saying "piss off" to some website that is asking for my bank account's username and password...especially when their privacy policy is vague about things. Sure, I could go poke around on their website and maybe find the name yodlee somewhere, but at least as of the time I wrote this, it wasn't in their privacy policy.

Anonymous said...

It's too bad that financial institutions (e.g., banks and credit card companies) don't allow you to create multiple access users - the one you use to view confidential data and to pay the bill, and another one that only provides read access to purchase and payment dates, amounts, and attributions.

Peng said...

This is of course a convenience-security trade off. By having an online banking username, you are already trusting the bank's IT crew. What if one of their employees steals your information?

transiit said...

@Peng I hear you, but I've chosen to believe that my financial institution is not only vetting the people privy to such information, is also liable if something goes awry. The situation isn't so clear to me if I volunteer that information to a third-party. Ultimately, yes, there is a whole chain of trust at play here, and I'm readily aware of that, my point is that creating new branches along that chain is risky, and the assurances that mint.com offered haven't given me cause to become a true believer.

Chained trust seems to work best when they refer back to someone you do implicitly trust. Their privacy policy still doesn't explain who you're supposed to trust with your bank login credentials (As of 10/9/2009), though they have stopped suggesting it's a third party. Now it's hardware and software encryption. Could be ROT13M for all I know.

Truth is, their privacy policy has become worse since I first wrote this.

As they say:

I quote:
Am I at greater risk of someone stealing my identity by using your service?

No, as Mint does not require any personally identifiable information for you to create an account. Mint only asks for the following:

* Email Address
* Zip Code
* Password

At no time do we ask you for information that would be required for a hacker to steal your identity, such as your full name, bank account numbers, credit card numbers, billing address.


but the first question is:
(again, I quote)
Why does Mint need my bank login information (username and password)?
We need your online banking user name and passwords so that we can help you organize and manage your accounts. We use this information to establish a secure connection with your bank, credit union or credit card company. This enables Mint to download and categorize your transaction information securely and automatically.

Anonymous said...

Just heard about mint.com on the Rachel Ray show. When I saw that they require my bank account password(s), I closed their website down, and googled "mint.com asks for passwords." Found your blog, which I agree with 100%. Never give your passwords to anyone! I can take a piece of paper and a pencil, a and keep track of my own spending. Again....never give your passwords to anyone!

Anonymous said...

for me to mint or another service, I would need some things.

1. ability to upload all financial data. and the option to auto pull when I choose.

2. passwords are not stored by a third party, nor by mint. You can have a bank logon that only you and your bank can see and where you have to type your passwords every time.

a popup should be visible noting that you are about to send financial data to a third party.

you could also setup a push from your bank to mint, if they allow that.

3. a downloadable app that would analyze spreadsheets or CSV files in a certain format.

4. a popup every step of the way telling me that I am about to send/receive data at any point. each one is can be disabled or all at once.

5. A separate password (like someone else mentioned.

6. endorsement from my bank(s).

7. a detailed list of "this is how we protect your data"

8. a detailed list of "this is who we allow to see your data and what data, exactly, they are allowed to see and why."

I know mint made it's money by selling user information (trends, analysis, etc) to third parties. This is anonmized, even if gender, geo location, purchase history, etc is handed off, I know J.Smith at 123 Anystreet, Anytown, USA is not attached.

The problem is trust. I trust my bank as they have my money, can do EFTs, and online banking. However, I have a brick and morter to walk into when I have questions. I also have a federal office that protects my money.

Even if mint does not have my passwords, someone else does. The second I give that out to anyone outside of my bank, me and maybe my spouse, I do not have control. I open myself to any number of possible attacks and they would be my fault.

I read that third parties are secure or something to that effect. There are several companies that have data stolen because they lost their laptop, CDs, USB drives, etc. Places you would think would have better security and data protection practices.

I would need mint to be very different and more centered on the customer experience of securing their data. Pretty charts and social data tracking can be done by anyone.