Mint.com Responds To Security Concerns

Some people think that using Mint.com is crazy because of the security risk of handing over all your banking user names and passwords. FiLife asks them some tough questions about their security procedures and gets straight answers, like:

Q: Let’s say you get hacked. Banks normally would protect me if they get hacked, but do I lose my protection if I’m using Mint to access the bank but the breach happens through your systems?

A: You’re legally protected for $0 liability on credit cards and $50 on bank accounts if fraud is reported within two days. These rights are not voided by using Mint, Yodlee, Quicken, Microsoft Money or similar programs.

They also say all user names and passwords are kept on Yodlee’s servers, not anyone else’s. Every lock can be picked, but we’re more concerned about identity theft resulting from our local big box retailer’s lax security procedures than from Mint.com.

[FiLife]

Comments

  1. humphrmi says:

    I’d like to see proof of Mr. Patzer’s claims. It’s one thing to be the founder of the company that’s trying to get my business saying “Yeah, you’re protected, just like if you use Quicken” but it’s another thing altogether for it to be true. I want proof!

  2. magus_melchior says:

    The other thing is, the fact that it’s a web app means that you can’t compare the security of Mint to that of an offline app such as Quicken or MS Money. An offline app you can place in a completely locked-down environment (say, a laptop inside a nuclear reactor); doing this to a web app defeats the purpose of putting it online.

  3. Sonnymooks says:

    I’m happy with Mint’s security features; what I am waiting for are more add-ons and features (i.e. the ability to transfer funds, buy CDs, etc.). When they add those on, I’ll definitely start using them.

  4. Hoss says:

    I’ve used Mint. I have not found it very useful and would not encourage others to risk such sensitive data with such a low return.

  5. Karl says:

    I was under the impression that it was $50 for credit cards, and $500 for bank accounts, at least according to federal law. Your bank may offer lower levels of liability.

  6. digitalgimpus says:

    I wonder how much all that applies if you give it to a third party who doesn’t use adequate protection. Not so sure that’s been tested in court.

    It’s one thing if a merchant (during a routine business transaction) misuses your info. It’s another if you give it to someone for a purpose your cc didn’t intend for and they misuse it.

    At some point negligence comes into play… I haven’t seen any evidence that there is a crystal clear line. Everyone just seems to be assuming it covers everything. If that were the case, nobody would have their credit ruined due to fraud.

    Should note these rules only apply if you and your bank agree that’s what happened. If they don’t agree, you’re now going to court (legal fees). Otherwise it would be all too easy to max out your card and say it was stolen, pay the $50 and move on.

    I’ll wait until a few court cases clarify. I’d rather let someone else play the victim and learn from their mistakes. Brutal? Maybe, but much wiser.

  7. mac-phisto says:

    it’s good that they responded to this – it shows that they are quick to respond to the concerns of their community.

    realistically though, do we really think that hackers are spending their time trying to crack a database like this when there are so many easier ways to get access to people’s personal information?

    what could an identity thief really get from a site like this? login info, account numbers, possibly address & phone number if they dig hard enough. a phishing email will get you that & then some.

    why try to crack through monitored servers for so little usable information when so many people willingly offer their info on a silver platter?

    i’m not suggesting that we shouldn’t be wary about entrusting all this information to a third party. what i am suggesting is that wary people who check their accounts frequently enough to want them all in one place are not the type of people identity thieves usually target. you’d probably notice the info is stolen before they even get a chance to use it. the cost vs. benefit makes it a low risk situation.

    & just for the record – i found the site intriguing but lacking key features that make it of little value.

  8. humphrmi says:

    @Karl: Sure, that’s the law that says what the banks have to cover you for. But does that apply when you give your account number and web access user ID and password to a third party? Do the laws explicitly state that? Or are they relying on the fact that the law doesn’t explicitly exclude that situation to prove that you have coverage? Are they willing to indemnify you, in writing, in case your bank doesn’t cover you? Will their lawyers go argue that the law doesn’t explicitly exclude this situation? Or do you have to go pay for those lawyers?

    My insurance company says if I leave my car unlocked or the keys in my car and my car is stolen, they can deny or reduce coverage. That’s all legal. I don’t see the difference here. They (Mint) have to provide me with proof of either (A) indemnity (B) legal coverage or (C) direct protection out of their pocket, before I’ll give them my business.

  9. Rider says:

    Look at how many times MySpace has been hacked. You really don’t think this is a target? It’s an identity theft goldmine. Account information and passwords for accounts in every bank in the country. Basically you’re circumventing every ounce of security that banks have ever implemented and putting it in the hands of one social network site.

  10. Earth-Byte.com says:

    That’s one of the reasons I refuse to put any of my account information on any of those sites. I stick with an old local copy of Microsoft Money which works fantastic for me.

  11. dalejo says:

    Isn’t Mint a web 2.0 site? AJAX is notoriously insecure so you are transmitting your login info through this into Mint’s servers and then it goes to Yodlee.

  12. darkmoon says:

    Actually, from what I’ve read about at least Bank of America TOS… you’re not protected if you allow third party apps to connect to your account. If you do this, you’re authorizing transactions just as yourself… according to their TOS.

    If you’re stuck trying to figure out all of your TOS for all the accounts you hold, that becomes a true legal nightmare. This should be done by Mint through working with the banks and CC companies instead of depending on TOS to protect the users. Too scary for my tastes to use.

  13. pepelicious says:

    It seems pretty obvious if banks are playing CYA in their terms of service that they don’t want anything to do with these third party services. It could be for security reasons or to get people to use their own online banking products. Either way, apparently Mint didn’t have the technical or business chops to partner with traditional banks in the first place. Making a web app seems like a Plan B for a company that failed in white-labeling its product to sell to established companies.

  14. XTC46 says:

    I emailed them to answer some questions for me in regards to their security; no one got back to me. I posted my concerns here:

    [think-smarter.blogspot.com]

    No response from them; even their forums provide crappy canned answers. They seem to indicate they are nothing but a front end to Yodlee, but even that is dangerous. They seem to be trying to avoid direct questions about liability by pointing to credit card liability, but that doesn’t cover things like the hassle you go through when your identity is stolen. Sure, you might not owe as much (you will owe some money depending on how fast you notice you got jacked), but what about the time it takes to change all account numbers, transfer money, re-do all automated payments, etc.? Someone should be held accountable for that.

    @dalejo: that was a point I was trying to make. This CEO says our data isn’t on their servers; that’s just not possible. It may not reside there for long, but if a person hacks their server, they can intercept that data.

    Mint.com is a great service, it really is, but their lack of confidence in their own service (read their forums, the “admins” answer with uncertainty) the way they don’t directly answer questions, and the fact that they are just a pretty front end for a better service, yet claim to be doing all the work just seems like bad business practice. And the idea of giving a company like that all your data is just unnerving.

    Oh, they also mention that they only take your info once, then create a persistent connection to your bank so that the credentials don’t have to be retransmitted. I’m not sure about you, but I’ve never seen a server that has never been offline before, so their statement is just an outright lie.

    AND they force you into arbitration (can’t sue them in a real court) should you need to.

    • @xtc46: Who to trust, and how much to trust them, is certainly an important question. I actually get a couple of Thrive (www.justthrive.com) users a week call up and ask about security, and I always tell them that I’m actually glad they called: consumers that ask about this sort of thing are good consumers.

      And you’re right: simply being there, and being responsive, is a big part of that. We try to get back to people within a few hours at Thrive, and our names, faces, and contact info are all over our site. I can’t speak for Mint’s contact policies, but if you ever have a security concern about Thrive, shoot me a note at matt@justthrive.com and I’ll do my best to address your concerns.

  15. verticalairship says:

    The critical flaw with Mint is that it makes the procedure of entering bank login information part of the routine.

    If someone logs in to Mint and the system says “Problem Connecting, please re-add your account”, a user will not think twice about re-entering their username and password because Mint keeps telling them that’s the solution to the problem.

    Mint is doing the WORST thing possible: creating a situation where users become complacent and reflexive about re-entering bank and credit card login information. The problem is that one day all of your login information isn’t going to go safely to Yodlee; it’s going to go safely to a thief.

    This is most certainly going to be the reason hackers are going to go after Mint.

    If someone DOES hack Mint a very large majority of the user base will unwittingly re-enter their login information because that’s exactly what Mint trains them to do when there is a problem with an account.

    That’s how phishing works: reflex. Mint is on a dangerous course; embedding this reflex into the minds of the typical consumer will have repercussions outside of Mint if people start to believe that re-entering bank login information is a trivial affair.

    Of course the problem for Mint is that their entire business model is built on creating this reflex so their only hope is to be acquired before the community realizes the evil behind the green.