Sunday, December 27, 2009

Let's take another look at Mint.com

The cusp of a new year, a revised mint.com privacy policy. Gotta be better, right? Er, maybe.

Not trying to be unfair, this is from the privacy page as of 12/27/2009.

Once again, same as the first, a little bit better, and a little bit worse:

We provide bank-level security.
Mint.com uses 128-bit SSL encryption and 24/7 physical security.
(transiit: That'd be between you and them. Between them and your bank, hey, who knows? Remember in 1997 when you could download the advanced 128-bit SSL version of Netscape Navigator (if you lived in the right country, thank you, munitions export guidelines)? That's right, bank-level security. From last decade.)

You cannot move money.
Mint.com is a read-only service, no transfers are possible — in or out.

(transiit: As long as your financial institution doesn't support that. But it won't be through mint, they leave that blame elsewhere.)

You register anonymously.
We don’t need your name or any personally identifiable info.

(transiit: I covered this before. You're totally anonymous as long as you give us all your bank account info.)

Our alerts increase your financial security.
We notify you of possible fraudulent transactions on all accounts.

(transiit: We, um, noticed, that we f#@#ed up. States like California require us to tell you these things. We're going to call it a "feature". Because we couldn't totally be data-mining all of your transactions to build up a profile where something would seem to be fraudulent. Remember, we tell you you are anonymous. So we just email you when we have to live up to data-breach regulations.)

Mint provides bank-level data security for the transaction information we store.

* Mint.com uses 128-bit SSL encryption, the industry standard for data protection, to ensure that all communications are secure.
* We store transaction information in a secure facility, on our own servers, protected by 24/7 security guards and biometric scanners.
* All our employees pass financial and criminal background checks as a condition of employment.
* Mint.com has received the VeriSign security seal and is tested daily by Hackersafe.
* Our privacy protection standards are certified by TRUSTe.
* Our anti-phishing protection is provided by RSA Security, Inc.

(transiit: 128-bit encryption again. See above. "We store in a secure facility. On our own servers. Securely. With Security and s@$@" Remember, you were anonymous one point ago. They didn't have information to worry about. Now, round the clock protection and scanners that the average security enthusiast ("Woo! Biometric. Turns out my knife takes your thumb or eyeball, how are you going to change your credentials now?") is not very enthusiastic about. But you know, companies. Verisign likes us. TRUSTe likes us. RSA accepts our checks.)

You cannot move money with Mint.
Mint.com offers valuable insights and analytic tools to help you better understand your money…but Mint.com is a "read only" service. Meaning: you can view and organize your money with Mint.com, but you cannot move money between—or out of—your bank, credit union or credit card accounts.
You register anonymously— we don’t need your name or any personally identifiable info.

(transiit: My bank account login is "personally identifiable information". If you've got that, you can move money. Saying it isn't, kinda stinks of the horses$$$)

* All you need to use Mint.com is a valid email address, password and zip code. We don’t need your name or any personally identifiable info.
* We ask for your online banking user name and passwords so that we can connect securely to your financial institutions
* Your online banking credentials are stored securely so that Mint.com can automatically update your transactions— saving you from updating, syncing or uploading financial information manually.

Mint alerts can increase your financial security.
Mint.com provides 24/7 protection through proactive email and text alerts to notify you about any large purchases or unusual charges in your accounts. We let you know what’s happening and when, so you’ll be able to react quickly to recover your personal finances, credit score and identity and avoid any potential damage.

Well, they seemed to have changed it. They seem more conscious of their claims. Still wrong, but new words gotta mean something, right?

(I've mentioned them before)

It was said on the last post that this is a security/convenience trade-off. I don't agree with that. Going for convenience to me means knowing that you could kick in my front door (doorjamb ain't that sturdy) or use a bump key and bypass most locks. Yeah, you could get in if you were sufficiently motivated. My security comes from the likelihood that someone that wanted to get in for nefarious purposes would rather choose an easier/higher value target. The low-hanging fruit. Could build myself some sort of high-security vault instead, I suppose. That's security vs. convenience to me. Handing over a password so I can track my finances, seriously, why is this still even a question?

1 comment:

DragosToader said...

I agree. Another web non-service trying to seem like a useful service.

I don't see the point of mint.com

I can do all they claim to do with Excel or
Quicken or
QuickBooks or
Any software that gives you pie charts from a list of multi-column data.

For all I care they can sell 128-bit SSL encrypted mint gum.

However, the adoption rate is pretty high.

The snowball effect is to be considered too. Get enough users signed up and a really crappy, pointless service starts getting good.