Mint Myths Debunked

by Broke Grad on December 12, 2007

As a grad student, I’ve learned about the importance of doing research and checking your sources before making any claims. I recently did a review on Mint.com, a free, automatic way to manage your money online. While I was doing some research for the review, I noticed that a lot of people were making false claims about the security of Mint. The most annoying part is that some of these people continued to make false claims after others had proved that their claims were ill-conceived.

Well, I’d like to set the record straight once and for all and debunk the myths that have been spread about Mint.

If someone breaks into my Mint account, they will have all of my financial information.

This seems to be the most widespread myth about Mint. People worry about “putting all of their eggs in one basket.” Others talk about how they’re hesitant to give anyone or any company their bank account info. Well, the truth of the matter is that Mint doesn’t store your financial information at all.

When you enter your account credentials, they’re only used once to establish a connection to your bank accounts. This comment left in Lifehacker’s review of Mint sums it up pretty well.

Nowhere on Mint.com do we ever have your name or address. We have a read-only connection to your bank accounts, and are provided with balances and transaction descriptions only – no names, no account numbers.

On Mint.com we know about your finances, but we really don’t know who you are.

Aaron Patzer
Founder & CEO, Mint.com

If you want more details, read the explanation of how this works in the Mint forums. You’ll find out that Mint relies on Yodlee to get your balances and transactions, which brings us to the next myth.

Mint is not as safe as other online financial sites.

Well, if you did some research on Yodlee, you’d find out that Bank of America and Fidelity Investments rely on Yodlee as well. If you have accounts with either of these institutions and check your account online, you’re probably already using Yodlee. In the comments of a TechCrunch post, Aaron Patzer makes a bold claim that you’re safer on Mint than you are with online banking.

To all those who are concerned over Mint.com security, a few points:
1) You’re anonymous on Mint.com
2) Our security is independently verified
3) Email & text-message alerts help identify fraud immediately…and being proactive is the best measure.

I’ll make a bold statement: You’re safer on Mint than with online banking. On Mint, you’re completely anonymous. We never ask for a name, address, or SSN – just an email. We know about your finances…but not about you. We’re also independently verified by Verisign, TrustE, and several outside agencies.

We also have serious physical security. Our servers are in a secure, unmarked facility. To get in, you need to pass 3 biometric scanners, 4 locked doors, and several guards. We have our own cage so we’re physically separated from all other companies. Cameras monitor our servers and power supplies 24/7. The servers themselves have additional locks. The hard drives are encrypted. It’s like Mission Impossible (except without the electrified floors…maybe one day).

Perhaps more interestingly, 90% of all fraud actually occurs offline, not online (e.g. someone swipes your card at a restaurant or from your mail). Because Mint sends proactive alerts for low-balance or unusually high spending, you’ll know right away. It’s better than logging into 4-5 different banks every day, or waiting 30 days for a paper statement before finding that something went wrong.

Aaron Patzer
Founder & CEO, Mint.com

I still don’t trust Mint.

Even with these myths debunked, I realize that Mint isn’t for everyone. I know that some people still won’t feel comfortable using something like Mint. However, that doesn’t give these people the right to fear monger. I don’t think it’s fair to scare people away from something useful, like Mint, just because you personally don’t think it’s safe, especially with no proof to back it up.

The purpose of this post isn’t to get everyone to use Mint. I put together this information so that you could evaluate the facts about Mint and then make the best decision for yourself.

{ 18 comments }

1 Alan December 12, 2007 at 7:54 am

I’ve been using Mint for a few days now, and I really like being able to log in to one place and see all of my accounts. I’ve got a couple credit cards that I keep for emergencies, since I don’t use them at all I don’t log in to those sites all that often…but with Mint I’ll know right away if any transactions are made with those cards.

2 Lauren December 12, 2007 at 8:18 am

I like the idea of Mint, especially as my free trial of Quicken is about to expire (sad)…but unfortunately, every time I try to put ANY of my accounts in, it can’t seem to find any of them. Maybe they should get that worked out, eh?

3 Broke Grad Student December 12, 2007 at 11:11 am

Lauren – Yes, Mint still has quite a few issues to work out. They do have support forums if you’re interested in submitting the issues or seeing what problems other people are having.

Banks and credit cards continuously change their systems, and this seems to wreak havoc on financial applications. For example, Citicards recently changed their online account management, and my credit cards no longer update in Quicken.

One thing I don’t like about Mint is that I can’t add my student loan account or my Roth IRA account. This is pretty limiting, so I’ve been testing out Yodlee MoneyCenter. I really like it so far. The interface isn’t as flashy as Mint, but it’s functional. Unfortunately, I’ve been having issues adding my ING account to MoneyCenter, but all of my other accounts worked fine.

4 damon December 12, 2007 at 9:47 pm

“Read only access”, wow, Aaron is treading a fine line here.

- mint requires your full access username and password for all sites (there is no such thing as read only credentials)
- mint uses the Yodlee service to actually retrieve account data and hands over the full access credentials to yodlee
- yodlee provides mint a read only xml feed of account data
- yodlee does this by using the full access credentials to screen scrape the financial institutions web site

Bottom line, your real/full/everything/all credentials are out there on yodlee and mint servers.

5 Broke Grad Student December 12, 2007 at 10:45 pm

All right, another myth to debunk. The four steps damon described are accurate, but the “bottom line” doesn’t make any sense.

Mint uses the credentials once, passing them off to Yodlee to get a connection to your account data. Mint doesn’t actually store your credentials. It only needs to store a link to the connection with Yodlee for that account.

This does mean that your credentials are stored by Yodlee, which, as I mentioned before, is used by financial institutions such as Bank of America and Fidelity Investments. The funny thing is that nobody’s complaining about Bank of America and Fidelity asking for their personal info.

6 damon December 13, 2007 at 7:22 am

People should not trust Mint at the same level as Bank of America. BofA is bound by all the banking regulations, you have recourse if there is a screw up. Mint is NOT beholden to any banking regulation. Mint is bound by the start up laws, which are basically “do anything to get acquired and cash out”.

Bottom line, Mint and BofA should not get the same level of trust from people.

7 Broke Grad Student December 13, 2007 at 2:04 pm

Once again, I agree with part of your post, damon, but I disagree with your bottom line.

I think you’re missing the connection that all of the accounts you add to Mint are still bound by their own regulations. With credit cards, you still get fraud protection, and with bank accounts, you’re still protected with all of the banking regulations.

I found this explanation in the Mint forums.

But what you may not know is that Regulation E, which is a set of rules issued by the Federal Reserve governing electronic transactions (online banking, ATM withdrawals, debit card payments …) limits your liability in most cases to $50 in the event of fraud. Consumers must notify their bank of the fraud within 2 business days. On the third day the liability goes up to $500 and it can be more if notification occurs after 60 days. Regulation E rules are designed to encourage consumers to feel safe about electronic transactions. Even if a consumer has acted negligently and succumbed to a phishing or fraud attack and given away personal identification information that led to the fraud, they will be protected. In fact, one of the reasons the Mint service provides email and mobile alerts is so you don’t even need to log in to become immediately aware of any fraudulent activity.

This is an actual regulation issued by the Federal Reserve, not some made up term like “start up laws”. With that being said, I’m not claiming to be an expert on banking regulations, so if someone knows more, please share.

My bottom line — Mint can be trusted at the same level as any other financial site. However, it may or may not be the right tool for you to track your finances.

8 PT from Prime Time Money December 17, 2007 at 10:29 am

Thanks for sharing all this info. I use BOA Portfolio. I assume it’s similar to Mint?? I have trouble connecting to some of my accounts all the time. I have to keep going back in and re-entering my login credentials. Is Mint better for this?

Also, has anyone done a good comparison of the security risk of bill pay (bank has all your payees info) versus auto withdrawal (bill companies have your bank info)? I do a mixture of both right now, but would like to know the difference in risk.

9 Broke Grad Student December 17, 2007 at 11:19 am

Since BOA Portfolio and Mint both rely on Yodlee to fetch your account data, you’ll probably run into the same connection problems in Mint. Regardless of the front end (BOA Portfolio or Mint), if Yodlee isn’t able to connect to your account properly, then your information won’t get updated.

I haven’t come across any comparisons of the security risk of bill pay vs. auto withdrawal. Thanks for giving me an idea for a future post.

10 George August 17, 2008 at 10:31 pm

The second myth ‘debunking’ in this article is quite misleading. True, BofA uses Yodlee, but only for their My Portfolio feature. It would be a safe bet to assume that the vast majority of BofA customers would not be using My Portfolio. So, essentially these people would be using the BofA website and have nothing to do with Yodlee. It is misleading to say that if you are using BofA online banking, you are already using Yodlee.

Having said that, I myself use Yodlee and just love the service. I believe the benefits handily outweigh the risk.

11 Jooniper November 19, 2008 at 4:04 pm

Just wanted to say thanks. I love mint but everyone I talk to thinks I’m a fool for using it.
If only they pled a better case from the mint privacy page (I think in the efforts of keeping it simple they didn’t go into enough depth to make folks feel secure).

12 Scott March 7, 2009 at 1:41 pm

I agree that mint is as secure as the other portfolio products that rely on yodlee, but I don’t think you really address the root question of is it safe? Also, quoting the CEO of mint to support the argument against mint being less safe than other institutions is equivalent to saying “Mint is safe because they say it’s safe”.

Thanks for the pointer to yodlee so that I can now do real research on the safety of the service I’m considering.

13 Robert Bradley June 1, 2009 at 1:15 pm

mint.com triggered fraud alert at my bank. All my accounts are frozen. All automated bill pays are frozen. This mint.com is a piece of junk and has wreaked havoc with my online banking.

14 Steven June 13, 2009 at 5:21 pm

1. If somebody who knows you gains access to your mint.com account, then they will have access to your financial information. Just as if they had stolen your mail except that you’ll never know.

2. If you use the mint.com Facebook app, for example, then mint.com knows who you are.

15 George B. Dubendris September 18, 2009 at 10:53 am

Thank you,
I feel better after your article. I am thinking about using Mint but still am somewhat out of my comfort zone.
But as Herbert Spencer said, “contempt prior to investigation can hinder all progress” or something like that.
Laughing

16 Security Pro December 14, 2009 at 3:11 pm

You are providing your log on credentials for your financial institutions to a third party. This fact, by itself, may (depending on your financial institutions’ policies) make you 100% liable for any fraudulent transactions that occur with your accounts. This means that when you call your bank for withdrawals that you did not make, your bank may not give you your money back because you gave out your log on credentials.

Another point that I have is what happens when the log on credential database is hacked. There will be millions of user IDs and passwords available to malicious individuals to log onto your financial institutions’ web sites and will give them the ability to update personal information (such as email addresses, physical addresses, telephone numbers, etc), execute inappropriate withdrawals, etc. This could result in huge lawsuits and lots of finger pointing…any empty bank accounts for those of you who use this service.

Finally, Mint.com says that they have 128-bit SSL encryption over connections between your computer and their servers. That is all fine and good…however, we don’t know any information about how they protect data that is passed between Mint.com and the other third party service providers that are not well disclosed. Are these channels also appropriately controlled and encrypted to protect your log on credentials?

None of the security comments made by Mint.com address these points directly. Some of these points cannot be addressed by Mint.com directly, like how your bank would react to fraudulent losses that result from you sharing your log on credentials with Mint.com. Regardless, with that said, I like what Mint.com offers, but will not use it based upon their security model. I hope they can improve on this in the future.

17 Christopher June 24, 2010 at 12:53 pm

With respect to “Regulation E”, that’s not a faithful rendering of the law. I’m not a lawyer, but if you go read the text of the law, fraudulent transactions are divided into two categories: those using your “access device” (password) and those not using your “access device”. In the latter case you have 2 days after you notice the fraudulent transaction to notify the bank, but that’s irrelevant here because the most likely compromise from Mint is a Yodlee employee stealing account information and passwords. In the former case you have 2 days from the time you were aware of “the loss or theft of the access device”. I’m not aware that this has been litigated, but I’m betting in the event of a massive transfer from your ING account ING is going to claim that the date your access device was lost was the day it entered Yodlee’s hands, and thus they’re not liable. They have, in fact, worded their Terms of Service in what looks like a prediction of that possibility (it states that they do not authorize account aggregators and in the event that an aggregator is compromised your funds may not be protected).

I’ll note that I’m not saying you shouldn’t use Mint, but Mint’s assurances that they’re secure are frequently misleading and are (in my humble opinion) undermined by the $500 limit on their liability contained in their Terms of Service.

18 Cameron August 18, 2010 at 6:41 pm

I don’t care how convenient the service is, the basic idea of submitting your account access information to a non-affiliated entity violates the basic tenets of every financial institution’s security and privacy policies. My wife just set up one of our bank accounts with this and I flipped. Even if mint.com is a reputable organization, they would seem to be a potential target for scammers and identity thieves. The fact that they take pains to shield themselves from excessive liability seems to acknowledge the inherent risk in providing this information.

My wife says I’m overreacting and being excessively cautious, but when it comes to this sort of thing in the age of electronic finance, I just simply can’t imagine being “too cautious.”
