mac-phisto

The biggest problem seems to be that it (a) doesn't work with every bank, and (b) it uses web scraping, which will break every time the bank updates its site.

So I have decided to jump into the ring and compete. Introducing: "Julep".

I - I mean, Julep - will use manual web surfing, using the latest Internet Explorer 7.0. And I guarantee Julep will work with every single bank web site on the planet. In fact, Julep is even compatible with credit unions that don't have a banking site; as long as they have a telephone number, Julep will work - work for your money.

And the second best part: It's completely free. Why only second best? Because:

Julep works by e-mail. That's right, no complicated "web browsers" or "protocols" to learn. Got a Blackberry? You can use Julep. Got a cell phone with SMS? Julep is for you. Let's see Mint top THAT.

To get started with Julep, just e-mail your name, social security number, mother's maiden name, and complete list of your bank account numbers, bank logins, passwords and PINs, as well as an 8x10 B&W glossy photo to: jay@ao.. no, wait, Quentin. Yeah, that's it. Quentin@aol.com. No, no, wait. Quentin@caymanislands.com. OK. That works.

Jay Levitt

mst3kzz

Shizlak

Never underestimate the power of the Apple strategy: You can go to market with an inferior product, as long as people are fairly ignorant of their options, and you market your product properly.

Case in point? Yodlee has offered bank-to-bank transfers(the main thing Ben said he wanted) for over a year now. Ben didn't know that because Yodlee doesn't have VC friends who can ensure it gets to be a "tech darling", whatever the hell that means.

I probably should shut up about Yodlee, though, because they probably won't be able to keep it free if they get too big, and all the Mint people would just clog up the support queue, anyways.

Mr. Gunn

tempfoot

eCommerce is insecure. It has gotten much better, but far from great. Not only is the technology imperfect, but the human element is the worst. I can't tell you how many times I have been able to call into companies and have them give me account info for account I have no legal right to touch. I have done this with permission from the person who does own the account of course but still proves how stupid it is to have so much faith in companies.

I'm in my early 20 and have learned most of what I know about computers and security by exploring these vulnerabilities. Humans are too prone to be helpful so abusing that instinct is easy. Because of my ability to recognize these weaknesses I am good at my job (systems admin. I am able to train our staff to recognize these risks and prevent the exploitation of them and if need be I can get other companies to do things for me (like change account info when people for get it) quicker.

If mint ever gets really popular, I may have to set up a dummy account just to see if I can get into it once its locked down. Right now they are small enough (less than 9000 users) so it would be much tougher (id hope) but we will see.

If you think I'm kidding, try this test.

Log on to your companies website, look for the name of a high up executive. Create a Hotmail account with the users name. Use outlook to alter the "display name" that shows when you email. now email a bunch of people in your company and make up some story about trying update records and ask for basic info like Name/username/phone number.

You will get replies. (if you don't, thats great)

Step two:

Pick a couple of them and email them back saying you are having some trouble with altering their account info and ask for their password so you can log in as them and do some trouble shooting. I bet in a medium sized company, with a convincing email you get a handful of responses before the IT admin puts the word out that its a bunch of crap.

For more fun, have your it Admin do it as a test so you don't get fired.

xtc46

reykjavik

When setting up a username/password on a banking/creditcard/etc website your password is put through a one-way hash which prevents it from being stolen and used else ware. The are able to do this because when you enter your password on the site, all it needs to do it run your entry through that same algorithms and if the output is the same, then you are let it. it doesn't actually compare your password to a previous entry, it compares your password put through an algorithm and tests the output.

Mint.com can't do this because it needs to first take your password, then retransmit it to the actual bank you are with. So even if it is does encrypt your password when you store it, there still has to be a key and function on the server to decrypt it. Which makes it much easier to steal. In addition to this, ALL of your passwords/usernames will be stored in the same place.

great concept, horrible execution. They would have been better off selling this as a stand alone application, but even that screams security problem to me because the typical home computer is about as insecure as park trashcan.

xtc46

mac-phisto

anyway, i'm checking it out now & it looks exactly like what i need. awesome!

mac-phisto

aeronaut

Here's how they can: their back-end server "logs in" to your account, and your bank displays the collection of images to the Mint server, which displays them to you. You tell Mint which one is correct, and Mint relays the answer to your bank's site. Your bank site lets Mint log in, and Mint saves the 'correct' image. Next time Mint wants your account info, it gets the array of pictures from your bank, compares them to the image it has saved, and picks the one that matches.

Incidentally, a phishing site can use the exact same method to make you think you're logging into your bank's actual site, with the added peace of mind of having the correct security image. That's because your bank isn't really using two-factor authentication. They're using one-factor, just doing it twice.

See, there's three ways of proving identity. Passwords, security questions, and these images are in the "something you know" category. The problem with "something you know" is that you can tell it to someone else (or they can trick it out of you), and now they know it too.

For true security, it needs to be paired with something from one of the other categories. One is "something you are" -- biometrics. Generally this means a fingerprint, or for higher resistance against fakes, a retina scan. This is impractical for the home user, and so I don't expect online banking to use it.

The obvious choice, then, is "something you have." A physical object which must be provably in your possession in order to log in. This is easy. The most common is the little keyfobs that display random numbers on the press of a button. The idea (and it's been proven to be true enough to trust) is that there are only two things that know what the next number will be: the server at your bank, and the device in your pocket.

So if someone else has your password, they can't log in without the device. And if you lose the device, whoever finds it still can't log in because they don't have your password. Now that's two-factor authentication.

Indecision

I mean, Canada has only 5-6 major banks. TD Canada Trust, Royal Bank of Canada (RBC), CIBC, PC-Financial, and ScotiaBank.

How hard is it for Mint's PR dudes to get hooked up with them, really?

Devil

Yes, I worry about the security risk, but I worry more about forgetting to pay my bills on time.

wezelboy

ericlakin

jonathan19

humorbot

Nope. E-commerce doesn't rely on you placing all your eggs in one basket. Let's say someone breaks into Amazon's servers, and gets my login information. What can they do? They can maybe order some products (which I can easily contest), but that's really it. They can't access my checking account, my savings account, my MBNA account, my Chase account, my car loan account, or my retirement account. To get into all of that would mean targeting 6 different banks' systems.

Mint offers a central point of failure. An attacker who breaks into Mint's database suddenly has my login information for all of those accounts, and has them all at the same time. It's now possible to wreak large amounts of havoc. It does no good to "know the activity to expect", because the havoc can be wrought before you have a chance to see those patterns (or do you review your accounts hourly?). Likewise, it's no comfort to know what sort of after-the-fact protections your bank has, because you're still in the awful situation of having to use them.

"The media and government love to terrify us. I was robbed once and I've had one credit card # stolen, even with GREAT care. Never has it happened on-line."

It has nothing to do with the media terrifying anyone. I work in IT. I'm far more aware of the inherent security risks than your average Joe would be. I don't just know that it's insecure, I know how insecure it is, and why.

I'm glad it's never happened to you yet. Why make it easier?

Indecision

Never has it happened on-line. In the last 10 years it always happened in the 3 dimensional world. We must ALL be careful...not paranoid.

There is not as much risk with a credit card. But if my online banking credentials were to be compromised, someone could actually clean me out. Even if the bank bailed me out in the long term (maybe they wouldn't if they found out I disclosed the information to a third party), the short term consequences would be a nightmare. In this case there's no such thing as too cautious.

Troy F.

glitterati

I know my accounts and I know the activity to expect on my accounts. I also know how much protection my financial providers give me for ID theft.

Everyone needs to do their own cost benefit analysis... but the costs are often overdone. It's always fun to think that one has to key piece of information... ID theft, hacking, encryption protocols... it's also fun to terrify family and friends with doomsday scenarios. The media and government love to terrify us. I was robbed once and I've had one credit card # stolen, even with GREAT care. Never has it happened on-line. In the last 10 years it always happened in the 3 dimensional world. We must ALL be careful...not paranoid.

AlexPDL

I signed up the day you all ran the last article, and tried to add my shiz with no avail.

I then got an email last week stating they're "mint" again or whatever; tried again with no avail.

mattbrown

Mint doesn't support data importation, manual account creation or manual transaction entry, and the automatic transaction categorization rarely works correctly.

I'd love to be able to easily review all of my financial data in one place, but until Mint offers the basic features mentioned above, it won't get my vote, no matter how pretty it looks.

I've found Clear Checkbook to be a much better solution. It only supports manual entry, but it doesn't require any account information and makes data manipulation much easier.

catita

if the interface is as old as you say, they might be looking into alternatives & your input may help sway their decision. or, if you point out that their bill pay restricts your ability to bank with them, they might even pay you to use a fee-based service (i have a friend who negotiated reimbursement for using quicken's bill pay b/c he's a valued member at a cu that doesn't offer bill pay).

mac-phisto

Captaffy

klumsy

There's a couple of problems with your lines of thinking, here.

1) Accessing your accounts from a "private place" has nothing to do with it. Mint/Yodlee store your full login info on their servers. The attacker could be anywhere in the world, and doesn't even need to target you specifically, in order to get your login info. Once he has that login info, he can do anything he wants to your accounts.

2) The front door to your house requires a suspicious person to walk up to and physically break it, creating all sorts of noise and physical evidence. Breaking into Mint/Yodlee takes a hacker anywhere in the world with nothing more than the motivation and a little time. Or maybe just a misplaced backup.

So in summary: An anonymous hacker from anywhere in the world can silently gain access to and control of all your personal finances, from anywhere in the world, without having to even know who you are. The only thing in their way? Mint/Yodlee's security, which we do not know the details of, and may not even be notified if it's ever broken. In the meantime, their servers/database are nothing but a huge bullseye to hackers, who have all the time in the world.

Indecision

joebloe

Anyone know of a free, reliable online bill payment system - it pretty much only has to allow free payments to VISA and AMEX accounts - that will work with my Credit Union? I had hoped MINT would fit the bill, but apparently it does not.

CyGuy

xanax25mg

AlexPDL

I agree! This review along with the Lifehacker review are suspect! Both sites have lost points in my book for giving such a glowing review to a dangerous service.

remthewanderer

neat idea & definitely a cool interface, but overall it doesn't really help me get the "whole picture" b/c of the problems i had. any idea on how to "cancel your account", b/c evidently there's no way to do that either.

mac-phisto

WEP was cracked because it was a bad algorithm to begin with. SSL is generally considered much more secure when implemented well.

Darren666

humorbot

teqsundotcom

humorbot

Anyone that knows anything about coding knows that web scraping is not only a lousy method to pull information that should be performed through an API, but it's unsafe and from one bank that I looked at, was actually allowing that service to perform transactions as yourself (no protection from fraud).

I would seriously be careful of using a service that doesn't have current partnerships with banks and credit card companies due to this fact. It's scary enough for ID theft, but now I have to trust a third party to not screw over my accounts? Thanks, but no thanks.

darkmoon

humorbot

Both have given favorable reviews or mentions of this product while completely ignoring the glaring security risk that providing ALL YOUR BANKING INFORMATION to Mint imposes.

What gives?

Lifehacker in particular has also posted entries about a competing service, Wesabe, in which they describe their skepticism about its security. However, Wesabe does not store any of your financial credentials on its servers, opting to store all your login information locally.

Why would Lifehacker express skepticism about Wesabe's security, but endorse a competing service who most definitely posing a greater security risk?

I just find it odd.

-Theo

teadoubleyou

driver905

scoobydoo

horkles

louisb3

I've yet to successfully ad my Chase credit card to this thing. My AmTrust Direct savings account only sporadically works with this thing.

It always recommends services that are actually worse than what I have.

I might check it out again in a few months, its bound to get better.

Darren666

babaki

koath

Troy F.

Don't forget that Mint cannot store your login info in a truly secure fashion, because they need to be able to provide that information to your financial sites. If anyone manages to get into Mint's database (which, as anyone reading this site should know, is far from impossible), that person will have full access to all of your finances.

This is a bad idea that's just waiting to happen.

Indecision

Hawkins

skittlbrau

compuwarescc

bryan139

ZSX

Quattuor