A Casual Review Of Mint.com

Michelle Slatalla, the Erma Bombeck-David Pogue hybrid who writes casual articles about the Internet for the average person (she’s the mom who pestered her daughter on Facebook this past summer), has published a Chatty Cathy review of personal finance site Mint.com. Her verdict: it’s nice to not have to go to multiple sites; the aggregated information is a good feature; security worried her at first, but she’s okay now that she knows Mint is a read-only site and they don’t have her account numbers, just user names and passwords; and she has actually used the ads that Mint displays—not to open new lines of credit, but to negotiate lower interest rates for existing accounts.

Here’s what she writes about her security concerns, and the response from Mint’s founder:

What if a hacker gained access to the site?

I was so concerned that before even bothering to look at the colorful spending pie chart that Mint had created, I phoned the site’s founder, Aaron Patzer.

“Please don’t worry,” Mr. Patzer said. “I’ll make a bold statement and say that you’re safer on Mint, putting all your accounts in one place, than you are with online banking. We start with the same encryption banks use, but the difference is that on Mint, you’re anonymous. We don’t know your account numbers.”

I checked the Mint screen again. No account numbers.

“We don’t know your name,” he said. “Remember that when you registered, you just gave us a user name and password.”

I checked the Mint screen. No name.

“We have a read-only connection to your bank, so you can’t move money around using Mint,” he said.

She also keeps two spreadsheets in Google Docs, which she shares with her husband’s email account. We keep thinking you could do anything Mint offers on your own with spreadsheets and the built-in chart functionality of, for example, Microsoft Excel. The one area where Mint has this old-school method beat is automation, which is probably more important or necessary to certain people who, like Slatalla, “have never created a detailed household budget and… have not balanced a checkbook since high school.”

“A MapQuest for Our Money” [New York Times via BloggingAwayDebt]
(Image: mint.com)

Comments


  1. icdawg says:

    I used Mint for about 2.5 months. Or should I say WAITED around for them to get my Bank of America credit card on to their system. I’m one of those guys who puts 100% of my purchases on my credit card and then pays it off in full. Without the ability to view my BofA Alaska Airlines card, the site could do nothing for me. I contacted MINT about when they would have access since it is such a major bank, but I was never able to get a good answer.

    I deleted my account a couple days ago. In my opinion, they went live too soon.

  2. BlondeGrlz says:

    I thought I loved Mint, and could get past the security worries, but my bank’s online system makes the site much much less useful. When you look at the overview of my account – which is what Mint does – none of the POS purchases are named. They just say POS and the last four digits of the card used (mine or my husband’s). So I have to rename and categorize every transaction.

    I do like my new 0% rate on the Discover card Mint suggested though.

  3. Munsoned says:

    Mint does not do a good job categorizing about 20% of my transactions. Yes, the overview is great for that 80% that it does correctly categorize, but manually updating that last 20% is a real pain.

    I have no problems with the security features. I am so on top of my credit cards and bank accounts that I would notice any unusual activity in probably less than two days. I’m sure I’m open to more risk from other aspects of my day-to-day financial life than to worry about one website that doesn’t even have account numbers…

  4. savdavid says:

    Mint is a nice idea. Unfortunately, it doesn’t work for me. I have 4 bank accounts and only 1 account allows Mint to download information. The other 3 accounts ask more questions than your user name and password and Mint isn’t up to the job of entering these sites.
    Also, I noticed the site that Consumerist.com has mentioned that removes your name from catalog listings looks A LOT like Mint.com: From the colors to the fonts to the way it works. I wonder why Consumerist.com is pushing these sites so much?

  5. chucklebuck says:

    Man, I don’t know. People seem to be into this, so maybe I am just a paranoid knucklehead. But this:

    Remember that when you registered, you just gave us a user name and password

    doesn’t make me not worry. Sure you didn’t give them account numbers or your name, but can’t they get that with your user names and passwords?

    And I’m not sure what they mean by this:

    We have a read-only connection to your bank, so you can’t move money around using Mint

    If they have your user name and password, I (again, paranoid knucklehead perhaps) would assume that they can do anything that you can do on your bank’s regular online banking site. To me there’s a difference between “they can’t” and “they don’t”. But maybe there’s some technical reason they don’t have access to the same functionality I do using my user name and password?

    Now that I think about it, I guess my trouble is not so much the idea of getting hacked, it’s the giving my login information to strangers. With online banking, you have this pre-existing relationship with your bank – the people there are strangers too obviously, but the bank in general already has your banking info. This is just handing out keys to your online piggy bank to people with no relationship to you OR your bank.

    One thing I haven’t ever seen answered: if something does happen (either they get hacked or someone at mint.com does bad things with an account), do they have any liability? I suppose they could be sued, but my guess is that your bank would hold you responsible for giving out your login information in the first place.

    Funny enough, at the bottom of their privacy policy in a section called “Using your computer in a safe manner”, the first thing they list is “Do not share your Login ID and password with anyone”.

  6. XTC46 says:

    another review on Mint.com? how much are they paying gawker for this? consumerist has had a review before, Lifehacker had one, and now another one on consumerist?

    for those who are ok with the security because mint.com is a “Read only” site then you are mistaken. the question isn’t what can someone do if they hijack your mint.com account, it is what can they do with the DATA they steal from mint.com (or yodlee who is the backend for mint.com)

    Mint finally agreed to answer more security questions when Get Rich Slowly did a review on them, but seeing more of this crap here makes me hate the gawker network.

    Good job looking out for the consumer by advertising for a site that asks a person to put all their financial info in a single place and that is driven by promoting new credit cards and other financial “services”

  7. Hoss says:

    I used mint for about 3 months. I found nothing very useful with the site and deleted my account. This is the fifth article The Consumerist has done on this one site. I don’t get it.

  8. Jay Levitt says:

    Ditto, XTC46. Articles like this really remind me that Gawker sites are not news sites: They are blogs. And, probably, blogs that get paid to run articles like this one.

    There’s really no other explanation for a site that, in the same week, advises you to do differential equations in your head to prevent the waiter from nicking a few cents off your bill – and then give your banking passwords to a startup that STILL refuses to give any technical details to anybody.

  9. I don’t know anything about mint.com, but I use yodlee.com quite a bit. It is super convenient all the way around. Having everything in one place, with the ability to chart spending, all automatically, is great.

  10. czarandy says:

    I don’t see any reason to use Mint instead of Yodlee?

    I have all my accounts at Yodlee so what benefit is there?

  11. Mr. Gunn says:

    xtc46, et al.
    There’s no reason to use Mint if you’re happy with Yodlee MoneyCenter. All the site synchronization problems get fixed on Moneycenter first and new site additions and new features go live on Moneycenter first, so many sites work there that don’t work at Mint.

    /If my comments divert one person who would otherwise have signed up for Mint, I consider my job done.
    //and then maybe the hawker network would get back to real stories instead of product placements

  12. XTC46 says:

    @Jay Levitt: I’m working to get technical details right now actually. I finally got one of their senior members to talk to me after bashing them every time I see their name :)

    For those using Yodlee. The risk is still there, but much less. Mint uses Yodlee for a lot of the back end work so they just add a layer of risk. If you want to use a service, use Yodlee.

  13. Yodlee? I don’t think I wanna give all my logins/passwords to any company with such a fucking stupid name. it sounds like it’s run by children.

  14. ExtraCelestial says:

    I’ve been using Mint for about two months now and as I have two checking accounts and two credit cards I find the weekly account balance updates extremely useful.

  15. XTC46 says:

    @geeniusatwrok: you probably already do if you do any online banking. Yodlee is the back end for many of the country’s largest banks.

    @CelesteD: you could get the same using MS Money, Quicken, GNUcash, or a number of other pieces of software without having to give out your personal data. Then again, it would also require you to look for the info and enter it in.

  16. @xtc46, Jay Levitt, Mr. Gunn:
    Hey, didn’t y’all see the part where I wrote:

    We keep thinking you could do anything Mint offers on your own with spreadsheets and the built-in chart functionality of, for example, Microsoft Excel.

    Mint’s getting a ton of coverage in the press—and we cover whatever’s in the news. This is a post about a review.

    If we’re getting paid to hawk it, then with faint praise like what I wrote above, it’s no wonder I’m not seeing any of that payola.

  17. APatzer says:

    You’re actually safer using Mint.com than not using it.

    I know that seems counter-intuitive to all of you with security concerns. I’m sure you’re thinking: “Isn’t that putting all my eggs in one basket?”

    The fact is, 90% of all fraud and identity theft starts offline, not online ([www.informationweek.com]).
    It’s much more common for someone at a restaurant, gas station, etc. to get your credit card number, your security code, and your name. None of which, by the way, Mint.com asks you for.

    Mint.com syncs up with all your accounts every night. Not only does this tell you where your money goes, but it means Mint.com will send an alert if:
    1) Your balance drops too low,
    2) A large purchase occurs (by default it’s set to $500, but you can change this),
    3) Unusual spending is detected, e.g. all of a sudden Mint sees $1,500 in electronics purchases when you typically only spend $50/mo.

    Basically, Mint.com watches your back. If there’s a problem, you’ll know about it right away through an email or text-message alert.

    The alternative (i.e. not using Mint.com) is to log into every one of your accounts every day to look for anything suspicious, or wait 30-45 days for a paper statement before you notice something has gone wrong. Javelin Research found that victims of cyber-crime who monitored their accounts online lost 9 times less than people who waited to receive paper statements.
    [finance.yahoo.com]

    It’s much better – and safer – to be proactive in monitoring your finances, and Mint.com is the easier way to do that.

    Aaron Patzer, Founder & CEO, Mint.com

  18. chucklebuck says:

    Hi Aaron, thanks for taking the time to check in. If you’re still reading, I wonder if you could answer a question for us (or me at least).

    What is mint.com’s liability if something does go wrong (i.e. bank usernames/passwords are hacked, employee goes rogue, etc)? My current opinion is that our banks would not cover any theft or losses since we gave our login information to a third party. Does mint make any liability guarantees?

    I understand your point about most identity theft having its origins offline, but as far as I know the idea of an online financial information aggregator is pretty new – isn’t it still too early to tell whether or not this type of service could contribute to tipping the statistics in the other direction? People want convenience, but we also hear stories all the time about employees getting laptops containing sensitive information stolen, credit card and POS systems getting hacked. The more things like that happen, the less easy it’s going to be to sell people the convenience at the expense (or, if you prefer, perceived expense) of security.

  19. chucklebuck says:

    Oh, and in the interest of full disclosure: I do not use any online banking (see aforementioned paranoia). But I don’t wait for my paper statement either. I check on the phone every couple of days. Right now, for me, it’s the happy medium between convenience and security.

  20. Hoss says:

    @APatzer: Saying that 90% of fraud is offline is not a very powerful argument. 100% of online fraud is online and that is not a small concern. Sure most rapes happen with someone you already know — but we should still be concerned about who we deal with online and be protective.

  21. Charles Duffy says:

    I’d be using Mint if they worked with my credit union. I’m a customer of Austin Telco FCU, and they’re listed as supported by Mint. Great, right?

    Except, not. A friend of mine (also an ATFCU customer) tried it; he had to be logged into ATFCU from his own workstation for Mint to be able to access the account; fail to do that even once, and Mint called it invalid and forced him to reenter all his authentication tokens. See this post [forums.mint.com].

    Until they work with the place I do my banking, Mint is out of the question.

  22. Myron says:

    @chucklebuck: I’m sure when you sign up you have to agree to a 20 thousand word document that stipulates if anything bad ever happens because of their service, no matter how negligent they are, and regardless of any laws, treaties, principles of ethics or intergalactic constitutions, they are totally without liability and you are well and truly fucked.

    You know, the standard contract you have to sign to get any service.

  23. mac-phisto says:

    @chucklebuck: let’s play this out a bit. someone hacks mint.com. what do they get? a load of usernames & passwords. assuming they could use them to access your bank’s olb site, what are they going to be able to get there? maybe some account numbers. balance info. home address. not enough to run credit checks for fake accounts. if they’re lucky, they find a way to send a payment from the account using a billpay service or something similar. only problem there is that the payment is 100% trackable.

    the benefit from hacking is low.

    conversely, an id thief buys a card skimmer for a few hundred bucks on the dark web & installs it on a gas pump. in a week’s time, he has a list of 1000 active accounts & the info required to obtain an approval. he can sell that list for a quick buck & make probably $5-$10/account ($5,000-$10,000), or work out an arrangement where he gets the cards manufactured & pays a percentage of the take on the backend. the risk is higher, but the payout can go well above $100,000.

    & that’s just one skimmer for one week at one gas pump.

    point is, the people who have the skills & ability to hack a site like mint.com for profit are utilizing their skills in a way that generates more profit quicker with less risk & guaranteed payoffs. mint can’t give them anything that they can’t get elsewhere easier, faster & with more usable info.

    & just for the record, i think mint.com sucks & i’m pretty tired of the hype. if you were looking for the perfect banking software, move on. nothing to see here that isn’t done better elsewhere.

  24. megaradjenni says:

    I’ve been using Mint.com for maybe a month. It’s all right. I work for my local credit union so basically my whole life happens on my account there and it is not supported by Mint. Basically, if you don’t hold accounts with big banks Mint is useless.

  25. dalejo says:

    @mac-phisto – Banking sites can allow you to transfer funds as well. Look at all the phishing attempts for bank info, if it didn’t pay off, why would they do it? As for your example of the skimmer – how is that thief going to get your zip code for the credit cards or your PIN for the debit cards? I’d also like to know where you came up with those numbers. Just because skimmers are a problem does not lessen the risk of your online accounts being exposed.

  26. chucklebuck says:

    @mac-phisto:

    Oh sure, from the ID thief’s POV, there are a lot of easier targets. But that doesn’t mean no one will ever try or that no one will ever try and succeed.

    Reading through the Mint forums, I saw some sticky posts about Regulation E limiting liability for the customer to $50 if reported within 2 business days, $500 between 3 and 60 business days. Mint coming out and saying they would 100% cover the customer’s liability in cases of hacking, theft, etc. would help people feel better about the service, I think.

  27. dalejo says:

    “You’re actually safer using Mint.com than not using it.”

    I really have to wonder if the CEO of Mint actually understands the security issues or he’s just trying to spin the answers. Of all the things I’ve read from him (on all these Gawker sites), none of it instills any confidence in me about them. I’d really like to see a real technical discussion about this, not just some glossy marketing regurgitation.

  28. mac-phisto says:

    @dalejo: yes, presumably a thief could make a transfer in an olb site – but as i stated with billpay, that info would be traceable. generally, id thieves like to remain anonymous – it makes it more difficult to get caught. as for skimmers, my numbers are made up, but skimming is much more lucrative than i can relate (but if you want an inkling of an idea, check out this article ->[www.iht.com] ). here’s a single story to give you an idea of how much money an id thief can make with a single device placement: [www.cbsnews.com]

    if you’re worried about online account exposure, chew on this for a moment: online id theft is almost entirely initiated by the consumer. the consumer mistakenly gave their info to a phisher, or visited a site that downloaded a keystroke monitor, or bought something from an illegitimate source. not once have i heard of a bank’s olb site being hacked. there are cases of banks being hacked (like 5/3 in the tj maxx debacle), but this was the bank’s internal network, not their olb.

    it is good to be concerned about risk – especially in an online environment, but focus that concern on your practices. too many of us refuse to use a site like this b/c we’re worried about teh hak0rz, yet we’ll readily give our cc number & billing info to an online merchant that we have no experience with, or use the atm with no camera in the shady gas station, or open & respond to “FWD: tell bill gates your ssn & he’ll pay you $1000!!1!”.

  29. jaewon223 says:

    How does Mint.com compare to Microsoft Money?

    Seems like most people are strongly against Mint.com. Reading their privacy & security disclosure they do say what security measures are taken to secure privacy but the one part that kind of sticks out for me is the part where they state that in an event where they merge or is sold to another entity they will do the best they can to ensure that the same standards are used in your privacy.

    Although it is tempting to use their service and I’m not as worried about my security on their site what happens to my data should they go under or merge does worry me because all of the measures taken for your privacy and security may become moot. Blame BestBuy but I’m cynical when it comes to company morality and doing the right thing versus what brings the most profit.

  30. dalejo says:

    @mac-phisto – you make some good points but it shouldn’t distract from the issue at hand, that using mint.com should be a concern from a security standpoint. I would be more comfortable going through a bank where there is (or should be) more accountability. I have a friend who works with a major bank and while he doesn’t talk in detail, it’s a bit scary on the back-end there as well. I trust Yodlee itself well enough since I have not heard of any problems there but mint.com? I have seen nothing that inspires confidence. A web 2.0 company trying to be your one point for all things financial? No thanks, if you want to go that route, go with Yodlee directly.

  31. XTC46 says:

    @APatzer: Why is getting info from you folks so hard? I sent a couple of emails with nothing but a generic canned response from one. Now I emailed Damon, and he said he is getting answers but I have yet to hear from him (I only emailed him yesterday, but the others were weeks ago). You would think that a company under criticism would want to provide answers to people. Hell, if you have good security you should be trying to convince people of that, not talk about how there is more fraud elsewhere.

  32. mac-phisto says:

    @dalejo: well, i guess i didn’t make my point very well b/c my entire point was that i don’t think the security of mint.com is an issue.

    either way, i think we end up on the same side of the coin (mint.com sucks) for different reasons, so i guess there’s no point in splitting hairs here.

  33. Jay Levitt says:

    @Chris Walters: Please show me a SINGLE other post on consumerist that uncritically reports a “Chatty Kathy” summary of online security (or, hey, I’ll make it twice as easy: of online security OR biophysics). Yet Mint.com gets these every few weeks. Is it any wonder we no longer trust you on this?

    @Mac, I’ll be honest – I know enough about online security that I *wouldn’t* give out my CC# online if I weren’t protected above $50 (and, usually, above $0). I’ll risk $50 for convenient payments; I won’t risk my bank balance.

    Like Dalejo, I’ve seen nothing that says that, if my account is hacked on Mint, and someone wires my entire balance to the Cayman Islands, that I’m only liable for the first $50. In fact, every post and PR piece I see from Mint reminds me of every single snake-oil outfit I’ve ever seen. If they DO actually know what they’re doing, then they do a really, really poor job of showing it.

    Because all I’ve seen is friendly but content-free messages from the Mint.com folks just like the one we saw above: “Security? Don’t worry your pretty little head about it. We have it covered – we use ENCRYPTION and everything! Did you know that encryption was originally invented by NASA for use on the Space Shuttle, like Tang? I like Tang, and you’ll love Mint.”

  34. mac-phisto says:

    @Jay Levitt: “I’ve seen nothing that says that, if my account is hacked on Mint, and someone wires my entire balance to the Cayman Islands, that I’m only liable for the first $50.”

    yeah, but do you see anything like that with your bank’s site or in the t&c that’s enclosed with money or quicken software? no. why should we be holding mint to a different standard? quicken compiles all this information, passes it thru their servers & stores the personal info on your computer. yet they disclaim all warranties & liability in the event of theft anywhere along that chain -> [help.quicken.com] (scroll down about 4/5 of page for limitation of liability).

    reg e protects you regardless of how an unauthorized transfer occurs. a bank would be hard-pressed to prove your culpability in the event that your info was hacked from a site like mint.com. you have a reasonable expectation that your information is secure.

    now whether or not mint.com is protected is another matter. i’m pretty certain that if they fell victim to a breach that resulted in a loss, banks would try to hold them financially responsible.

  35. dbillian says:

    Hi XTC46,

    If you’re the person I think you are, something I can’t glean from the post, there are obvious items I can’t answer (I am not an engineer). And, while I do hate to say this, we do have a heavy contact load right now & we’re trying to tackle as many contacts as we can (we’ve got a small cs team).

    Some quick notes on things I think people are missing in the comments:
    1. We don’t store your full name and/or any other information that is strongly identifiable (all we ask for is an email address, password & zip code).
    2. As has been discussed, we don’t store username and passwords on the sites. Mint employees also can’t view usernames and passwords for your bank accounts.
    3. We only have read access to your accounts. We can’t, in other words, move transactions around from a Mint account.
    4. Customers are protected by a wide variety of consumer protection laws, including Regulation E.
    5. Credit card numbers are not stored on our site (if someone wanted to do credit card fraud, they would need name, billing address, cvv numbers, etc.). As this information is not on our site, something like credit card fraud couldn’t happen.

    ID theft: The bulk of ID theft that occurs online actually is because of spoofing & phishing attempts…not hacking.

    “Like Dalejo, I’ve seen nothing that says that, if my account is hacked on Mint, and someone wires my entire balance to the Cayman Islands, that I’m only liable for the first $50.”

    Hi Jay,
    As we only have read only access, how would someone do this? It is also important to note, once again, that we do not store usernames and passwords on our site.

    We will also have some additional information on the site shortly about insurance, liability, etc.

  36. Jay Levitt says:

    @Mac-Phisto: You bring up a good point. And I’m coming from a disadvantaged position as an informed consumer; I started using Quicken online before the Web itself existed, let alone PKI – the data was transmitted over X.25 links, leased from (I think) Checkfree in Columbus, OH. This was only for auto bill payment; auto balance checking and statement downloading were far in the future.

    Once that became a reality with OFX, I never really went back to my TOS and looked at the guarantees; I assumed that the data goes straight from my PC, through Quicken’s secure data layer, routed to my bank, and is encrypted only at the far end for processing. In that case, I (again) assume that the bank is responsible if anyone gains access to my bank records by intercepting those transmissions.

    With mint, though, they’re starting without any “we’re a bank” presumption. (In fact, I imagine it’s important to their business model that they not, EVER, be regulated as a bank.) So they’re really just a hip Web 2.0 aggregator of financial data your bank OLB already provides. They don’t need your bank accounts at all; they just need the password to get into those accounts.

    Well, guess what? With that password, they can do anything else they want on your bank account! There are no role-based access controls at any bank’s OLB site that I’ve seen. If I give you the password that lets you see my current savings balance, it’s the same password that lets you transfer that balance to an arbitrary 9-digit routing number and 10-digit account number anywhere in the system by clicking a few different buttons.

    In the Quicken case, assuming the user didn’t phish my quicken password off my PC, all the nefarious activity is happening either on Quicken’s routing server or on the OFX-based banking servers they’ve leased access to; from my naive consumer perspective it’s happening “inside the banking wall” and is none of my concern.

    But mint isn’t partnering with Bank of America in that same sense; they’re just getting the password from me, and figuring out how to scrape the site with or without their permission. And, most egregiously, they are storing those banking username/password tuplets on a mint (or perhaps yodlee) server. They may be encrypted, but they have to be decrypted again to send along to the bank. There’s no end-to-end encryption going on here.

    So if a hacker gets into the password database, they now have a very juicy list of accounts and balances and some automated scripts that can transfer that money to some offshore bank with a low likelihood of a nice return policy. That’d be one main worry.

    Another main worry is just what they’re going to do with the data that they must be getting in exchange for offering this free service. We’ve seen articles elsewhere today pointing out that “large, but anonymized, data set A (Netflix) plus small, identifiable data set B (IMDb) can pretty easily be summed to large, personally identifiable data set A.” Suddenly, your mint.com transactions? They’re all about you.

    None of these are unsolvable; the solution, however, does not involve your non-technical CEO posting messages about “military grade encryption”. That fools the same people that are fooled by “Authorized prized disbursement sequence” stamps on vacation time-share giveaway envelopes. “Honey, we won a free trip to Paris – oo, and this finance site sounds neat…”

  37. Jay Levitt says:

    @DBillian: You spend a lot of time telling us what Mint *doesn’t* do. I understand that you mean it to be reassuring, but it’s not. I can’t assess the security of a site based on what it doesn’t do.

    Why don’t you tell us what Mint does? Somehow, I give you the user name and password for my online banking systems, and somehow, you get at the data. Please explain the data flow, avoiding the terms “industrial-grade” or “military-quality”, using five or more TLAs.

  38. Jay Levitt says:

    why should we be holding mint to a different standard?

    @Mac: Because my bank’s been around for a few hundred years, I’ve had a relationship with them for a few decades, and they’ve got a pretty good record.

    Intuit’s been around for a few decades, I’ve used them for a few decades, and despite the fact that they’ve repeatedly broken *everyone*’s trust on *something*, they don’t seem to have screwed up security yet. And, as I mentioned in another post, I started using them before security was a big concern; if they burst onto the market today, I might well cast a skeptical eye.

    Mint’s been around for, well, a month or two. They have yet to send out an engineer to talk to technical folks about security, which is understandable – they’re busy – but which also fuels skepticism.

    But honestly, the worst part about Mint is that they KEEP issuing these meaningless, blanket statements about security, and yet (for whatever reason) they keep getting puff pieces from normally skeptical sites like Consumerist. That’s a little eyebrow-raising in itself.

    The only time I’ve ever seen such consistently bland, dismissive statements is from perpetual motion companies like Steorn, or their computing/compression equivalents like ZeoSync. (“We’ve solved the pigeonhole principle by not using pigeons!”).

    If that’s who Mint wants to emulate, then I’ll treat them like Steorn. But if Mint wants to be taken seriously among early adopters – who are often fairly technical folks – they need to let on with the technical details, and not just pinch our cheeks and tell us how cute we are.

  39. Jay Levitt says:

    OK, sorry to monopolize the comments, I’ll shut up after this one, promise…

    @DBillian:

    there are obvious items I can’t answer (I am not an engineer)

    And that’s the problem. (Not your fault, of course.) Mint needs to send out an engineer to talk to other engineers. You’re giving non-technical explanations to technical questions, and it’s very frustrating. I’m not a security guru by any means; I should not be able to tear apart Mint’s security problems as easily as I can. Your engineering VP came from PGP, for crying out loud; let him talk.

    As has been discussed, we don’t store usernames and passwords on the site. Mint employees also can’t view usernames and passwords for your bank accounts.

    Where are they stored, then? Presumably I don’t have to enter my bank usernames and passwords for each site, which means they’re stored somewhere. If they’re not stored on your servers, they must be stored in my browser in a cookie, which means I’d like to know what sort of security is on that cookie. (“Encryption” is not a complete answer.)

    Also – and I don’t mean to blame you, since as you say, you’re not an engineer – there is a huge difference between “Mint employees cannot access”, meaning “there’s no button in our software that lets employees do this”, and “Mint employees cannot access”, meaning “it would be physically impossible for a rogue Mint employee to gain access to this”.
    If you’re not an engineer, you can’t speak to the latter case. And if Mint is using that password to talk to my bank’s web site, then clearly, somewhere in Mint’s servers, my password exists in an unencrypted form.

    We only have read access to your accounts.

    There’s no such thing as “read access” to my bank account. If you have the password that I use to get to my bank account, you can do things with my bank account. Whether your software currently includes functions that use that password to do things isn’t relevant. Unless the bank is actually enforcing this read-only-ness, it’s a meaningless statement.

    Regulation E

    If I intentionally, willingly give my password to somebody other than my bank, and they use it fraudulently, am I actually covered by Reg E? Please be a lawyer when you answer.

    ID theft: The bulk of ID theft that occurs online actually is because of spoofing & phishing attempts…not hacking.

    Aaron said the same thing; repeating it doesn’t make it relevant. You’re combining two fallacies:

    1. “The vast majority of burglaries do not happen in blue houses. My house is blue; therefore, I do not need to worry about burglary.”

    2. “A burglary has, statistically, never happened in a house I have built. Therefore, if I build a house, I will not have to worry about burglary.”

    If you are creating an attractive gathering place for financial information, it needs to be secure.

  40. mac-phisto says:

    @Jay Levitt: it doesn’t seem to me that mint is trying to capture the technical folks. their interface is all posh & no substance (which could explain their p.r. statements). if you’ve been using quicken, i don’t know why you’d even consider mint. seems like a pretty big downgrade.

    i don’t know a whole lot about mint’s structure, so i can’t really comment, but if i had to guess, i’d say that very little data is even housed on mint servers. it seems to me that their part of the equation is just putting a pretty face on the data. maybe they have some IP rights to the java (is it even java?) script they developed.

    i wouldn’t be surprised if someone told me that their web servers simply act as a connection point & that data is passed straight from yodlee via a vpn tunnel.

    then again, i could be completely wrong. either way, i think there’s better options out there. maybe they’re not as pretty or as hip, but they certainly work better.

  41. dalejo says:

    @mac-phisto – It’s good that technical types are asking these questions and calling them on the marketing spiel. Maybe it will give the non-technical users pause and send them somewhere else before they potentially expose themselves.

    While you will have an SSL connection to their server, data will have to get decrypted at Mint. What do they do with that user/pass for a particular site that you give them before it is sent to Yodlee? I’m sure it is also transmitted securely between Mint and Yodlee, but it definitely does not stay encrypted between you and Yodlee. Where is that user/pass stored?

    For data coming back from Yodlee, it also has to be decrypted before Mint sends it to you (again, you do not have a direct connection to Yodlee). Mint takes that data, puts some lipstick and ties a bow around it and sends it to you over SSL. How much do they aggregate all this data to target offers to you? I’m sure with all the account data available that they can get personal information from it as well.

    Just as Jay said (and XTC previously), Mint is not forthcoming and sidesteps or just plain ignores questions trying to understand how security works in their organization. Why not have a white paper detailing the security model used? Don’t they have someone capable of that? And keep the marketing drones away from it.
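    The point Jay (comment 39) and dalejo (comment 41) are both making is that "we don’t store your password" and "Mint employees can’t see it" are claims about data at rest, while the aggregator must still recover the plaintext every time it logs into the bank for you. The program below is an added illustration, not Mint’s or Yodlee’s code and not a description of what they actually do: it assumes a conventional envelope-encryption design (a per-record AES-GCM data key wrapped under a master key, which here is just a byte slice and in practice would live in an HSM or key-management service), assumes bank usernames contain no colon, and stands in for the real bank session with a `login` callback. `Store` shows why the record on disk reveals nothing; `UseForLogin` shows that, whatever the storage looks like, the password is back in clear in the server’s memory at the moment it is used.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// StoredCredential is what an aggregator keeps at rest for one bank login
// under this (assumed) design: the credential encrypted under a per-record
// data key, and that data key wrapped under a master key kept elsewhere.
type StoredCredential struct {
	Site       string
	WrappedKey []byte // data key, AES-GCM encrypted under the master key
	Ciphertext []byte // "user:pass", AES-GCM encrypted under the data key
}

// seal encrypts plaintext with AES-GCM under key, prefixing the random nonce.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// unseal reverses seal; it fails if the key is wrong or the blob was altered.
func unseal(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(blob) < n {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:n], blob[n:], nil)
}

// Store is the "we don't store passwords" half: what lands on disk is two
// ciphertexts, and neither can be read without the master key.
func Store(masterKey []byte, site, user, pass string) (StoredCredential, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return StoredCredential{}, err
	}
	ct, err := seal(dataKey, []byte(user+":"+pass)) // assumes no ':' in user
	if err != nil {
		return StoredCredential{}, err
	}
	wk, err := seal(masterKey, dataKey)
	if err != nil {
		return StoredCredential{}, err
	}
	return StoredCredential{Site: site, WrappedKey: wk, Ciphertext: ct}, nil
}

// UseForLogin is the half the commenters point at: to log into the bank on
// the user's behalf the server must unwrap the key, decrypt the credential
// and hand the plaintext to whatever drives the bank session (the login
// callback here). While that runs, the password is in clear in this process.
func UseForLogin(masterKey []byte, rec StoredCredential, login func(user, pass string) error) error {
	dataKey, err := unseal(masterKey, rec.WrappedKey)
	if err != nil {
		return fmt.Errorf("unwrap data key: %w", err)
	}
	pt, err := unseal(dataKey, rec.Ciphertext)
	if err != nil {
		return fmt.Errorf("decrypt credential: %w", err)
	}
	user, pass, ok := bytes.Cut(pt, []byte(":"))
	if !ok {
		return errors.New("malformed credential record")
	}
	err = login(string(user), string(pass))
	// Best-effort scrubbing. Go gives no guarantee that copies (including the
	// strings handed to login) are gone, which is the rogue-insider problem.
	for i := range pt {
		pt[i] = 0
	}
	for i := range dataKey {
		dataKey[i] = 0
	}
	return err
}

// ContainsPlaintext is the check a reviewer would run over the at-rest
// record: does either stored blob contain the password in clear?
func ContainsPlaintext(rec StoredCredential, pass string) bool {
	p := []byte(pass)
	return bytes.Contains(rec.Ciphertext, p) || bytes.Contains(rec.WrappedKey, p)
}

func main() {
	master := make([]byte, 32) // constructed for the demo; never hard-code a real one
	rand.Read(master)
	rec, _ := Store(master, "examplebank", "alice", "correct horse battery")
	fmt.Println("password visible at rest:", ContainsPlaintext(rec, "correct horse battery"))
	err := UseForLogin(master, rec, func(user, pass string) error {
		fmt.Printf("bank session would log in as %q with a %d-char password\n", user, len(pass))
		return nil
	})
	fmt.Println("login error:", err)
}
```

    Two things to take from it. First, an "employees cannot view passwords" statement is only as strong as whoever holds the master key and whoever can attach a debugger to the process running `UseForLogin`; a screen with no "show password" button says nothing about either. Second, the "read-only" claim is invisible at this layer: the same plaintext that fetches a balance is what the bank accepts for a transfer, so read-only is real only if the bank enforces it on its side.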

  42. gingerCE says:

    Okay, I’m confused. I was interested in the site for the pie graphs because I am a former shopaholic. As someone who is now trying to live within a budget, I thought it might be good for me to see what I spend on each month.

    But I’m scared of putting all my passwords on one site. Can I sign up, reveal my passwords to my bank, credit cards, and then CHANGE my bank/credit card passwords. Will mint still work?

    Okay and if I try mint and don’t like it, then do I close the account and change all my passwords and then will I be permanently erased from mint?

    And actually I still pay a few things by check, like my car payment, household bills, and two big repair bills I just paid by check, etc. Can I enter my check payment info so it is also calculated? I also tend to pay for my gas with cash. Can I enter my cash payments so they can also be totaled?

  43. mac-phisto says:

    @gingerCE: no. no. no. & no.

    1) the site uses functionality similar to the “remember my password” feature in ie. if you change your passwords, the site will no longer be able to connect to your accounts.
    2) if you change your passwords, you are effectively disabling mint’s access, but i was unable to find a way to permanently delete an account.
    3) ok, this is actually a yes & no. yes, once the check clears your account, you can categorize it in mint. however, there’s no ability to manually enter data, so you cannot manually enter checks (say, when you are making out payments).
    4) just like you can’t manually enter payments, you can’t manually enter accounts. therefore, you can’t create a “petty cash” or “wallet” account. you would have to run all cash thru your account & then categorize it at withdrawal (so, if you withdraw $40 from the bank & use it for gas, you would categorize the withdrawal as gas. this is more difficult if you withdraw a large sum & split it up in a bunch of places).

    3 & 4 were the biggest reasons that i find mint simply unusable.

    if you do 100% of your monetary transactions at one of mint’s supported banks, you’ll get the whole picture. otherwise, you’re better off with a suite like money or quicken that gives you more flexibility to enter transactions the way you need to (& still gives you pretty graphs & such).

  44. Jay Levitt says:

    Ginger: what he said. Also, as to “will it be permanently erased”: It is never safe to assume that any data you send to anyone else (on the Internet or not) will be permanently erased. There are many degrees of permanent, and there are many degrees of erased. Nearly all can be undone by a sufficiently determined party.

    Keep in mind that, in the extremes, “a sufficiently determined party” is something like “a highly-trained team of NSA physicists reassembling the shredded hard drive” – unless you stored the code to a ticking time bomb somewhere, it ain’t gonna happen. Unfortunately, at the other extreme is “we marked it as ‘deleted’, but didn’t erase the data in case you came back later, and we have backup tapes on three continents, any of which can be subpoenaed or possibly even hacked”.

    There’s no way to know which extreme Mint falls at, because they won’t tell us.

  45. Viajero says:

    Wow, this has been an excellent thread. Thanks everyone for ripping Mint.com’s pretty little head off. I can’t believe that Mint didn’t come through with an engineer to address all the very real and specific security concerns brought up here.

    I’m bummed, but grateful that I didn’t waste my time. Like so many webapps, Mint ain’t ready for prime time.

  46. Michael Milbourn says:

    Basically a bunch of nobodies on here showing their paranoia. If you’ve bought something online through a pay site, or used Paypal.com you’re putting yourself at the same risk.

    The site has strong reviews from real journalists.

    Nothing here but a bunch of ‘gotcha!’ anecdotal evidence from the paranoid anonymity of the internet.

    mint.com is working very well for me. I’ve been saving a lot of money since I signed up; it’s very obvious when you’re spending too much money!

    Don’t take these guys’ word on it. There is no substance to what they’re saying. But don’t take the CEO’s word on it either; do some real research on the risk you’re taking and decide if this site is for you.