For some reason I don't find myself comfortable entering all my banking and information into one website. The state of online security just isn't that good, no matter what these guys might be doing. It's a single point of failure.

I agree with Quattuor. Even if their EULA guaranteed 100% protection for your personal data, it would not stop unauthorised access. For me the benefits outweigh the risks.

I second Quattuor and ZSX. It would be against common sense to put all my login info on a third party site.... yuck.

I started using it to monitor all my credit cards, but am not comfortable giving them banking login credentials.

I thought about trying it, but was unable to track my investments. I want a holistic picture of where I sit, which is why I use Yodlee.

To anybody who would consider using this service: Please think very, very carefully about providing a stranger with ALL OF YOUR BANKING PASSWORDS.

I'm gonna join the pile-on, here. How long have we heard, from both security experts and financial providers, that you should never give your login details to anyone? And now, you expect us to hand over all of it to a site we've never even heard of?

Don't forget that Mint cannot store your login info in a truly secure fashion, because they need to be able to provide that information to your financial sites. If anyone manages to get into Mint's database (which, as anyone reading this site should know, is far from impossible), that person will have full access to all of your finances.

This is a bad idea that's just waiting to happen.

You can swear up and down that the login information is secure, but that doesn't really prove much. Looks like a cool program, but I'm not going there.

Ben I can't believe you'd not say anything about giving out all your banking information to a site as potentially being dangerous.

yeah, i too find it hard to trust all my banking and credit card login information to this site, even MS money.

I was only marginally impressed. The interface with all my banks was mediocre; the transactions were not always grouped/categorized the way I want them. Additionally, getting it to recognize your bank can be a challenge.

I've yet to successfully ad my Chase credit card to this thing. My AmTrust Direct savings account only sporadically works with this thing.

It always recommends services that are actually worse than what I have.

I might check it out again in a few months, its bound to get better.

This review gets a failing grade, because I have no idea what Mint is after reading it.

I'll stick with Quicken.

Actually; to make it worse Mint isn't even the one holding your bank info, they use Yodlee, a third party, to access your account information. They can tell you how secure you are over and over again, but I'm sure TJMaxx, the VA and many others also thought they were secure...

I stopped reading after, "Just enter in the user names and passwords for your online banking accounts". There is no way it can be a good idea to enter all this information on some new service that may or may not have bullet proof security and probably won't even exist anymore in a few months.

I find this review, and other mentions of Mint on the Consumerist and Lifehacker (both Gawker-run blogs), very suspicious.

Both have given favorable reviews or mentions of this product while completely ignoring the glaring security risk that providing ALL YOUR BANKING INFORMATION to Mint imposes.

What gives?

Lifehacker in particular has also posted entries about a competing service, Wesabe, in which they describe their skepticism about its security. However, Wesabe does not store any of your financial credentials on its servers, opting to store all your login information locally.

Why would Lifehacker express skepticism about Wesabe's security, but endorse a competing service who most definitely posing a greater security risk?

I just find it odd.

-Theo

C'mon Ben, you're kidding right? This is normally the sort of thing that Consumerist would relish calling bullshit on. No sensible person would hand over passwords to an unknown, much less a savvy Consumerist reader. These glowing comments are suspect... Is it too bold to suggest there's a little back-scratching going on?

Just fyi. Mint actually uses a service called Yodlee. There's been a lot of contraversy in the backwing of forums and blogosphere due to the fact that Yodlee doesn't partnerships with all the institutions (they used "many" but not the word "all") and they use web scraping.

Anyone that knows anything about coding knows that web scraping is not only a lousy method to pull information that should be performed through an API, but it's unsafe and from one bank that I looked at, was actually allowing that service to perform transactions as yourself (no protection from fraud).

I would seriously be careful of using a service that doesn't have current partnerships with banks and credit card companies due to this fact. It's scary enough for ID theft, but now I have to trust a third party to not screw over my accounts? Thanks, but no thanks.

@teadoubleyou: Jinx.

wow... I am really surprised they would even ask you to do that. It seems like a lawsuit waiting to happen. Sure they may use SSL to transfer your data and it may be encrypted on their server... how long does it take somone to break the encryption? Not long. I mean just look at wep, 128bit encryption broken in 10 min. That is sad.

I should probably add here that if it turns out even Consumerist is not above doling out favorable marks for friends, or a price, or whatever, that will spell doom so ironic it will be worthy of a Darwin award.

"how long does it take somone to break the encryption? Not long. I mean just look at wep, 128bit encryption broken in 10 min. That is sad."

WEP was cracked because it was a bad algorithm to begin with. SSL is generally considered much more secure when implemented well.

i tried it out last time you guys wrote a story about it. personally, i think it sucks. 1) there's no way to manually enter an account & transactions, so if your bank's not listed (or you don't feel comfortable entering your login info), you're screwed. 2) no support for retirement accounts (meaning your budget is incomplete). 3) somehow, it merged info from multiple accounts, so a withdrawal from one account was credited to an improper account - i have no idea how this happened other than the amounts were the same. 4) multiple cc aprs were listed incorrectly (not that i care, but it skews their deal info).

neat idea & definitely a cool interface, but overall it doesn't really help me get the "whole picture" b/c of the problems i had. any idea on how to "cancel your account", b/c evidently there's no way to do that either.

@humorbot:

I agree! This review along with the Lifehacker review are suspect! Both sites have lost points in my book for giving such a glowing review to a dangerous service.

I have no qualms about using an aggregator like this... but Yodlee is soooooo much better. It's not even close. Mint does not have as many account and is just not sufficiently robust. Yodlee has its problems but it is far superior. Security is not really a problem as long as you access your accounts from a private place and use common sense. Yes it's breakable... but so is the front door to my house and my windows are made of a very weak material called "glass"... look it's great to be safe but lets not be paranoid. Things like Yodlee help more than hurt. I've been using Yodlee for 7 years without a problem.

I tried Mint out, and my problem with it is how it handles ATM fees. For my Chase debit card when I use it at a non-network ATM and get hit with a $3 fee, Mint records the total amount Debit + Fee as a "bank charge". So I have all these warnings about teh $83 in bank charges on my accounts.

With the closure last month of Yahoo's online BillPay service I find myself without a usable electronic payment site. My Credit Union will let me make payments without charging, but the user interface is about 10 years out of date. Alternatively, my other bank will let make payments for free because I'm a 'Platinum' customer, but I worry that at some point I may want to pull money out to get a higher rate and I will be back in this situation again.

Anyone know of a free, reliable online bill payment system - it pretty much only has to allow free payments to VISA and AMEX accounts - that will work with my Credit Union? I had hoped MINT would fit the bill, but apparently it does not.

I wish Mint would do free payroll service.

@AlexPDL: "Security is not really a problem as long as you access your accounts from a private place and use common sense. Yes it's breakable... but so is the front door to my house..."

There's a couple of problems with your lines of thinking, here.

1) Accessing your accounts from a "private place" has nothing to do with it. Mint/Yodlee store your full login info on their servers. The attacker could be anywhere in the world, and doesn't even need to target you specifically, in order to get your login info. Once he has that login info, he can do anything he wants to your accounts.

2) The front door to your house requires a suspicious person to walk up to and physically break it, creating all sorts of noise and physical evidence. Breaking into Mint/Yodlee takes a hacker anywhere in the world with nothing more than the motivation and a little time. Or maybe just a misplaced backup.

So in summary: An anonymous hacker from anywhere in the world can silently gain access to and control of all your personal finances, from anywhere in the world, without having to even know who you are. The only thing in their way? Mint/Yodlee's security, which we do not know the details of, and may not even be notified if it's ever broken. In the meantime, their servers/database are nothing but a huge bullseye to hackers, who have all the time in the world.

I'ved used a similar program, called mvelopes which i think is great. Of course it costs about $10 a month, but strangely,despite loving free things, when giving out such information as logins/passwords i feel safer giving it to a company i pay.

This is just a terrible idea.

@Cy Guy: you might want to express your displeasure to the credit union - i would recommend a letter to the CEO/general manager & the board of directors. the great thing about credit unions is your ability as a member to affect change.

if the interface is as old as you say, they might be looking into alternatives & your input may help sway their decision. or, if you point out that their bill pay restricts your ability to bank with them, they might even pay you to use a fee-based service (i have a friend who negotiated reimbursement for using quicken's bill pay b/c he's a valued member at a cu that doesn't offer bill pay).

I waited for ages to try Mint, and I'm quite disappointed so far.

Mint doesn't support data importation, manual account creation or manual transaction entry, and the automatic transaction categorization rarely works correctly.

I'd love to be able to easily review all of my financial data in one place, but until Mint offers the basic features mentioned above, it won't get my vote, no matter how pretty it looks.

I've found Clear Checkbook to be a much better solution. It only supports manual entry, but it doesn't require any account information and makes data manipulation much easier.

mint? more like shint.

I signed up the day you all ran the last article, and tried to add my shiz with no avail.

I then got an email last week stating they're "mint" again or whatever; tried again with no avail.

@INDECISION: Under this line of logic then all e-commerce is unsafe. I admit to a certain degree it IS unsafe... like everything in life. As to notification... at least here in California, under state law they have to notify.

I know my accounts and I know the activity to expect on my accounts. I also know how much protection my financial providers give me for ID theft.

Everyone needs to do their own cost benefit analysis... but the costs are often overdone. It's always fun to think that one has to key piece of information... ID theft, hacking, encryption protocols... it's also fun to terrify family and friends with doomsday scenarios. The media and government love to terrify us. I was robbed once and I've had one credit card # stolen, even with GREAT care. Never has it happened on-line. In the last 10 years it always happened in the 3 dimensional world. We must ALL be careful...not paranoid.

if you get over the security risk issues, you will find that the site functions quite poorly. avoid!

@AlexPDL:

Never has it happened on-line. In the last 10 years it always happened in the 3 dimensional world. We must ALL be careful...not paranoid.

There is not as much risk with a credit card. But if my online banking credentials were to be compromised, someone could actually clean me out. Even if the bank bailed me out in the long term (maybe they wouldn't if they found out I disclosed the information to a third party), the short term consequences would be a nightmare. In this case there's no such thing as too cautious.

@AlexPDL: "Under this line of logic then all e-commerce is unsafe."

Nope. E-commerce doesn't rely on you placing all your eggs in one basket. Let's say someone breaks into Amazon's servers, and gets my login information. What can they do? They can maybe order some products (which I can easily contest), but that's really it. They can't access my checking account, my savings account, my MBNA account, my Chase account, my car loan account, or my retirement account. To get into all of that would mean targeting 6 different banks' systems.

Mint offers a central point of failure. An attacker who breaks into Mint's database suddenly has my login information for all of those accounts, and has them all at the same time. It's now possible to wreak large amounts of havoc. It does no good to "know the activity to expect", because the havoc can be wrought before you have a chance to see those patterns (or do you review your accounts hourly?). Likewise, it's no comfort to know what sort of after-the-fact protections your bank has, because you're still in the awful situation of having to use them.

"The media and government love to terrify us. I was robbed once and I've had one credit card # stolen, even with GREAT care. Never has it happened on-line."

It has nothing to do with the media terrifying anyone. I work in IT. I'm far more aware of the inherent security risks than your average Joe would be. I don't just know that it's insecure, I know how insecure it is, and why.

I'm glad it's never happened to you yet. Why make it easier?

Huh. The original post has changed. It's mildly less sycophantic now. Interesting.

Without beating a dead horse, This does call into question the integrity of BOTH Lifehacker and Consumerist. I'm not sure how much I trust them now...

Both of my credit unions now use 2-factor identification. MINT just asks for ID and password and doesn't seem to handle 2-factor stuff. Not sure how it could since the 2-factor questions vary at each login. One requires to you select an image that is the same as one you chose when opening the account. Guess I'd rather have tight security than an easy way to see my accounts together.

I've been using Yodlee for a while now, and I find it invaluable in keeping track of our finances. It is far from perfect, and I was hoping that mint might be an improvement. Sounds like I'm better off sticking with Yodlee.

Yes, I worry about the security risk, but I worry more about forgetting to pay my bills on time.

No Canada, no Mint.

I mean, Canada has only 5-6 major banks. TD Canada Trust, Royal Bank of Canada (RBC), CIBC, PC-Financial, and ScotiaBank.

How hard is it for Mint's PR dudes to get hooked up with them, really?

@ericlakin: "Not sure how it could since the 2-factor questions vary at each login. One requires to you select an image that is the same as one you chose when opening the account."

Here's how they can: their back-end server "logs in" to your account, and your bank displays the collection of images to the Mint server, which displays them to you. You tell Mint which one is correct, and Mint relays the answer to your bank's site. Your bank site lets Mint log in, and Mint saves the 'correct' image. Next time Mint wants your account info, it gets the array of pictures from your bank, compares them to the image it has saved, and picks the one that matches.

Incidentally, a phishing site can use the exact same method to make you think you're logging into your bank's actual site, with the added peace of mind of having the correct security image. That's because your bank isn't really using two-factor authentication. They're using one-factor, just doing it twice.

See, there's three ways of proving identity. Passwords, security questions, and these images are in the "something you know" category. The problem with "something you know" is that you can tell it to someone else (or they can trick it out of you), and now they know it too.

For true security, it needs to be paired with something from one of the other categories. One is "something you are" -- biometrics. Generally this means a fingerprint, or for higher resistance against fakes, a retina scan. This is impractical for the home user, and so I don't expect online banking to use it.

The obvious choice, then, is "something you have." A physical object which must be provably in your possession in order to log in. This is easy. The most common is the little keyfobs that display random numbers on the press of a button. The idea (and it's been proven to be true enough to trust) is that there are only two things that know what the next number will be: the server at your bank, and the device in your pocket.

So if someone else has your password, they can't log in without the device. And if you lose the device, whoever finds it still can't log in because they don't have your password. Now that's two-factor authentication.

Nobody at Lifehacker is taking responsibility for having posted this site that obviously goes against at least 100 previous posts on security. Gina? Adam?

@catita: thanks for the link. i've been looking for something like this for a LONG TIME. i was using pda money, but entering everything in on a handheld takes FOREVER & the full version ($30) syncs with money for the pc (another $30), but money clears everything automatically, which actually makes it harder for me to keep my accounts in check. call me old-fashioned, but i still like checking things off as they clear.

anyway, i'm checking it out now & it looks exactly like what i need. awesome!

@catita: incidentally, BEST TOS EVER!!! it's not even 200 words.

No way would I ever give all of my credentials to a single person. I work in the IT field and know far too well how easy it is to steal info online. It is one thing to set up online account access with a bank, but this is a completely different beast. The reason:

When setting up a username/password on a banking/creditcard/etc website your password is put through a one-way hash which prevents it from being stolen and used else ware. The are able to do this because when you enter your password on the site, all it needs to do it run your entry through that same algorithms and if the output is the same, then you are let it. it doesn't actually compare your password to a previous entry, it compares your password put through an algorithm and tests the output.

Mint.com can't do this because it needs to first take your password, then retransmit it to the actual bank you are with. So even if it is does encrypt your password when you store it, there still has to be a key and function on the server to decrypt it. Which makes it much easier to steal. In addition to this, ALL of your passwords/usernames will be stored in the same place.

great concept, horrible execution. They would have been better off selling this as a stand alone application, but even that screams security problem to me because the typical home computer is about as insecure as park trashcan.

The site doesn't work. I tried numerous times, over numerous days to set up the accounts and it always hung or canceled out immediately. The site is a piece of crap and doesn't work, but it looks nice :)