Is Mint.com safe?
May 27, 2009 7:08 AM   Subscribe

I've never had a problem with my bank info being secure while signed up with Mint. I hardly use it, though, because the information is usually like 2 weeks behind my actual account info. It's good for trending, but if you want to know where you stand this second, it's not that great.
posted by ishotjr at 7:10 AM on May 27, 2009

I wouldn't. A company which has a collection of online banking credentials is a huge target. Imagine how much wealth they have access to.
posted by devnull at 7:17 AM on May 27, 2009

FWIW, I've been using Mint since it first came out and have had no issues. I'm not aware of any information breaches either.

I'm aware I'm taking a chance, but it's worth it to me.

the information is usually like 2 weeks behind my actual account info

Hm, I'm looking at my Mint account and it has CC purchases from Monday and debit card from yesterday. Assuming the front page tells me the accounts have been refreshed (it can take a few minutes), the information's always been up to date.
posted by jmd82 at 7:18 AM on May 27, 2009

Is Mint the one that actually runs the backends for most banks? Or is that Yodlee? I just poked around but didn't find a quick answer.

That said, my Mint statement is also occasionally a bit behind. Not always, but sometimes.
posted by inigo2 at 7:23 AM on May 27, 2009

From what I understand, they don't actually store your information on their server. I'm not exactly sure how it works, but I'm honestly not worried about it. More info here. I also use Rudder, which I find to be more helpful when it's working, and after accidentally sending an email to fewer than 100 members, they offered all of those affected lifelong LifeLock subscriptions. So moral of the story is, if something happened, they would make it up to you.
posted by emilyd22222 at 7:31 AM on May 27, 2009

Mint does use a third-party for the actual connection to the banking information. That part I am not so worried about. I'd be more concerned about their access to your spending and saving habits. This information is valuable from a marketing standpoint - it's the reason the service is free for end-users.

Personally, the benefits outweigh my concerns on this point - I've signed up and enjoy the service.
posted by odinsdream at 7:41 AM on May 27, 2009

Put me in the column for new mint converts.
Just started using it this last weekend, and really enjoy the 10,000 ft view I can get of everything. I still use my excel spreadsheet for daily, monthly and yearly trends, but that's more out of force of habit than any mint shortcomings.
I say go for it, try it out, and if you don't like it, cancel your account.
No harm, no foul.
posted by willmize at 7:42 AM on May 27, 2009

...my accounts automatically update with every login

This may be my problem; I don't typically log in, just get overall weekly updates sent out.
posted by inigo2 at 7:51 AM on May 27, 2009

Also a user here. I sucked it up and just did it.

Their security information kind of damns with faint praise. SSL, yay. Hackersafe, TRUSTe, RSA -- all boring and standard and not worth a lot. The only interesting part is "bank-level data security" and """
# We store transaction information in a secure facility, on our own servers, protected by 24/7 security guards and biometric scanners.
# All our employees pass financial and criminal background checks as a condition of employment."""

So, they don't say *much* about the real likely vulnerabilities -- id est, an employee walking out with a backup tape.

---

My mint information is always up-to-date, but then I'm only expecting transactions that have actually cleared to be there. If it's in the bank's transaction queue, I don't expect it to show up, so I'm not surprised when it doesn't.
posted by cmiller at 7:51 AM on May 27, 2009

I do it all manually with Microsoft Money and it takes me maybe an hour per week in total... although I'm sure such an established company is safe, personally I wouldn't give out bank account details to a third-party... you never know when an employee will go rogue!
posted by sunkzero at 7:56 AM on May 27, 2009

Isn't it a form of read-only access, though?

In any case, I, too, have backed out at the key "all your bank info are belong to us" point. Then they sent me email. I wonder how many back-outs they see a day.
posted by bz at 8:10 AM on May 27, 2009

I've made sure I use a really hard to guess password for mint.com (much longer than my normal passwords).

Mint.com has really allowed me to turn my money situation around and I am now debt free thanks to it (well except for that pesky mortgage). Can't recommend it enough. It does have some problems (w/ING Direct updates especially) and the filtering and auto-categorisation needs work. But really - can't recommend Mint.com enough.
posted by schwa at 8:26 AM on May 27, 2009

I'm too paranoid to use it. I mean, it's _probably_ safe, but using it would stress me out more than it would help my finances.
posted by valadil at 8:30 AM on May 27, 2009

I've used it since it first came out and have had no problems. They don't store your financial transactions, just usernames and passwords.

Worst case, my banks and credit cards will protect me from anything fraudulent (if such a thing happens). But if you are the paranoid person, then none of this information will allay your fears. Just remember that with any service you use on the internet, including your bank's webpage, there is always that risk (however small) of your information being compromised.

But if the intent of your question was "Is mint legit and are you guys using it?" then totally yes go for it. I have learned so much about my financial habits since I have been on mint that the experience has been totally worth it. As Jessamyn noted, smaller financial institutions are harder to add than the bigger ones. I had trouble adding my ING accounts but the information on the forums helped me do it.
posted by special-k at 9:13 AM on May 27, 2009

been using it for almost a year with no issues. I'd tried yodlee moneycenter prior to that, and it worked fine, but I like mint's interface much better. Both systems use the same backend (created by yodlee), which is actually the same backend used by many of the banks themselves for their own online services. If you bank online at all, mint is probably about as safe as anything else you do. Check out yodlee's company overview for more info.
posted by Chris4d at 9:21 AM on May 27, 2009

Wesabe allows you to upload bank info directly from your computer so that the Wesabe servers never have a copy of your bank logins. The uploader is well developed.
posted by Nelson at 9:27 AM on May 27, 2009 [1 favorite]

2nding Wesabe --- great site and you can export the data to your hard drive then import to wesabe (its what i went with after doing a ton of research and having the same questions you have about mint)
posted by knockoutking at 10:36 AM on May 27, 2009

I'm still having an issue with Mint about which I posted to The Green a month or so ago. (Namely, my first name is the same name as a common US retailer, Marshall's, and when transaction information contains my name, Mint always flags that transaction as a purchase from Marshall's.)
posted by emelenjr at 12:37 PM on May 27, 2009

I've used Mint for almost two years now and I quite like it. I had to convince myself that it was ok to input my bank info, but I think the risk has been worth it. I have several accounts at 4 different banks, so aggregating the data in one place was great. Furthermore, if anyone were to take control of my account I'd see it more quickly. Mint even tracks this sort of thing as a feature.

Mint is signed off by VeriSign, Truste and McAfee. I'd imagine that if there was some sort of data theft or security breach, there's some level of insurance involved.
posted by JuiceBoxHero at 12:38 PM on May 27, 2009

My husband and I have both been using it since it came out, with no problems.
posted by Nattie at 5:56 PM on May 27, 2009

aramaic seems to be the one dissenting opinion here and you marked that as best answer. Perhaps you should just balance everything on the back of your checkbook and not do this.
posted by special-k at 7:08 PM on May 27, 2009

I have a love-hate relationship with Mint -- it was great for helping me keep track of my spending in my checking and savings account. However -- I could not FOR THE LIFE of me get it to add my IRA or my credit card account, even though both those accounts were LINKED to my checking and savings account and had the EXACT SAME PASSWORD AND LOGIN as my checking and savings account.

after faffing about with them for six months, I just cancelled the account with Mint. The tech support didn't seem very helpful (I would explain my problem -- that I was using the proper login, which worked for my checking account, but somehow it wasn't working for my IRA -- and get a response that I should check to be sure I'm using the proper login for my account).
posted by EmpressCallipygos at 7:28 PM on May 27, 2009

What I am trying to say is that the rest of us seem comfortable with the level of security they offer.

People upthread that don't like Mint have noted that it is because they have trouble adding accounts, not that they are worried about security (which is what your question is about).

It seems like you want overwhelming proof that Mint can never ever fail before you decide to sign up. Mint, according to their security page, offers the same level of security as your bank does. Still not good enough? Then don't sign up. That's all I'm saying.
posted by special-k at 8:37 PM on May 27, 2009

I was a Mint beta tester and have had it ever since, and never had an issue (and I was nervous at first too). Unfortunately about a year ago my bank switched to a login system that isn't supported by Yodlee and so now Mint is useless to me, because it can't access my account.

I also use random password generators and a password-storing program (that encrypts its contents) and set my passwords to expire every "x weeks" and always changed them at the bank and then changed them in Mint.
posted by IndigoRain at 10:32 PM on May 28, 2009

disclaimer: i work for mint.com. here is what our ceo has to say in response:

First, Mint has bank-level data security. That means we have the same level of encryption your bank does, along with outside third-party verification through Verisign and Hackersafe. We also have routine security audits where so-called “white knight hackers” try to break into our system — they’ve never been successful. We also have bank-level physical security. Our servers are located in an unmarked secure building which requires a palm scan to gain entry. After making it past guards, you have to go through a “man-trap” where one door will not open until the other closes and you again have biometric access. Once you get inside, our servers are in a locked cafe monitored with 24/7 video surveillance. Get inside, and the racks themselves are locked. Break those open, and our hard drives are encrypted. It’s seven layers of protection. All that’s missing are the electrified floors…

Second, Mint is a read-only system. Even if someone managed to gain access to your account, they cannot move money around, your accounts cannot be drained. Mint is also an anonymous system. If you notice at sign up we don’t ask for a name, address, SSN or anything personally identifying. Nor do we ever ask for your account numbers or credit card numbers. When you provide your bank username and password, this simply establishes a secure one-way connection with your bank authorizing Mint to download your transactions, balances, and bill due dates on your behalf. Quicken and MS Money have asked for this same information (in desktop form) for the past 10 years.

Third, Mint can actually help keep you safer than online banking. It may seem counter-intuitive to your readers (”All my accounts in ONE place???”), but Mint can monitor all your accounts for fraud or mis-charges every day. Javelin Research finds that 90 percent of all fraud starts offline, not online. Meaning you’re much more likely to be ripped off at a gas station or restaurant than online. Given that the average American has four or five different credit and bank cards, you can either login to all those websites every day looking for fraud, or wait 30-45 days for a paper statement (by then it’s too late). Instead, Mint looks for “unusual spending” across all your accounts every day. Hundreds, if not thousands, of people have written in to say that Mint was their first line of defense against fraud. In fact, we can often do this better than banks. See, for example, when we notified our users about a widespread fraudulent charge first reported in the Washington Post from “Adele”.
posted by Señor Pantalones at 11:10 PM on June 16, 2009 [13 favorites]

For even more in-depth information on how Mint handles your security and practices to increase your financial security online, please check out the following:

http://www.mint.com/privacy/
http://www.mint.com/privacy/faq/
http://www.mint.com/privacy/security-tech
http://www.mint.com/privacy/terms/
posted by Señor Pantalones at 11:01 AM on June 17, 2009

Señor Pantalones - can you expand more on this from your FAQ:

Can Mint employees view my bank account numbers or credit card numbers?

Mint uses only your account login credentials for access to your account information and Mint does not store these credentials.

I'm concerned because you don't really answer the question, which suggests the answer to the question is probably yes.

I'm guessing (hoping) that the online banking user name and password I give you will be encrypted before you store it in your database. But, you have to be able to decrypt it in order to pass that to my bank. It seems likely that some of your database people can get access to my bank login. It might be possible to generate a decryption key with my Mint account information which would allow your system to decrypt and send my bank info only at the point of login, but that means you would only be able to update my bank info when I login. I'm guessing that's not the way it works because you'd only be able to update at login, and I'm not sure how you prevent your employees from setting up a man in the middle attack. Still, it would at least be an extra layer of protection if that was the way it worked. Is it?

More to the point, at any time, do any of your (or Yodlee's) employees have access to my online banking account information?

The fact that your web site is read only means that if somebody gets access to my Mint password, they can't move money around, but if your internal employees can get access to my bank logins, they can login to the bank account, and that is definitely NOT read only.

Aside from background checks for your employees, what do you do to protect my information from the threat of a rouge employee?

What would be great is if there was a way for the bank accounts to assign read-only account access that I could give to services like Mint in the same way they will let me generate one-time use credit card numbers. Are you guys working on anything like that? I bet that would seriously improve your new account numbers.
posted by willnot at 1:55 AM on June 18, 2009

I'm concerned because you don't really answer the question, which suggests the answer to the question is probably yes.

Hi Willnot, thanks for asking about this. The answer is "no."

The usernames and passwords you use to access your online financial accounts are not viewable by Mint.com employees or contractors . This information is collected from you one time only in order to establish a persistent connection to your financial institutions. Your credentials are encrypted and securely passed to our online service providers (as you mentioned, Yodlee) who maintain them in order to deliver your transactional data to Mint.com. Which brings us to yodlee, and their security policy. Note #4 in particular:

1. We encrypt everything between your browser and our servers using industry standard 128bit SSL encryption.
2. After it gets to our side, it is protected by multiple layers of firewalls - the number of which I cannot tell you for security reasons, nor the vendors, but we use many and many vendors.
3. All sensitive field data is encrypted and stored in our databases encrypted internal to the tables with multiple rotating keys.
4. All databases are protected from employee access both physically and logically.
5. All databases are encrypted physically, and all drives and tapes are encrypted with different keys.
6. No employee can put any content on any unsecure machine (i.e., nothing can be taken from the database and put on a laptop).
7. All servers are customized and utilize an ultra locked down version of linux.
8. Multiple layers of intrusion detection systems both software and people running 24×7.
9. Automated software auditing of our source code to check for problems in the code.

From a process point of view we’re constantly audited by all of our customers to ensure that we have the utmost security policies and practices, including:

1. Background checks for all employees.
2. Auditing of all servers.
3. Continuous security training.
4. Dedicated security office with the authority to shutdown any system to investigate a breach.
5. Systematic engagement of ethical hackers to attempt to break into our systems.

So the definitive answer to your question is that the systems we employ, both as an independent organization and one which utilizes the services of other organizations, not only prevent human access to your information (the "can a yodlee/mint/whoever employee see my login & pw" part), but also prevent data access through security equalling, if not exceeding, that of your own banks' websites.

Aside from background checks for your employees, what do you do to protect my information from the threat of a rouge employee?

We don't discriminate on the basis of skin color. But any employee, even a rouge one, does not have access to sensitive information, including login and password, any of your accounts. If you can clarify the question, I can be more help...otherwise it's covered in the previous posts and the yodlee blockquote above.

This is my opinion and not official Mint here, but I believe you are at less risk with your information on Mint than you are setting up ACH transfers or direct deposit on your own bank's website, since they can move money and we can't, they ask for social security and we don't, and they even ask for your full name and address.

What would be great is if there was a way for the bank accounts to assign read-only account access that I could give to services like Mint in the same way they will let me generate one-time use credit card numbers. Are you guys working on anything like that? I bet that would seriously improve your new account numbers.

We don't comment on future plans, so I can't confirm or deny that. Maintaining customer trust is a priority for us, and perceived security probably comprises 95% of that trust. To me, personally, there is no bigger user experience barrier than the perceived loss of control (or total freakout) when allowing a 3rd party access to your financial information. People are content with giving their social networks enough info to open credit cards in their names, but we're held to a higher standard. What I can say is that we'll continue to introduce new technologies, practices, and systems that further alleviate customer concerns and keep your data extremely safe.

Thanks again for bringing this discussion here, and let me know if there's anything else I can answer. I should clarify that I'm not an expert at fielding these questions -- I'm the "user experience & design guru" for Mint.com, and have no official role for PR or customer service.
posted by Señor Pantalones at 10:48 AM on June 18, 2009 [1 favorite]

Wow. This thread came back to life. Interesting. So let me ask a question that would solve a lot for me, Senor:

You say that my one-time provision of my password provides a "persistent connection" for Mint. Does that mean that I can give Mint the username/password, set up the account, and then change the password the next day and never have to give Mint the new password?

If so, that would go a long way to satisfying me that my (current) username/password aren't being stored anywhere. The "rogue employee" issue doesn't really bother me -- but the "bankrupt company sells its servers with my username and password on them" scenario does.
posted by The Bellman at 1:57 PM on June 20, 2009

The username and password must match any change you make with your online banking provider. You can change your online banking password at any time and Mint.com can no longer connect on your behalf. Any concern about your second scenario is actually within your control: if you choose to delete your Mint.com account you can also change your online banking passwords and Mint.com can no longer successfully refresh data from your online banking accounts.
posted by Señor Pantalones at 4:02 PM on June 22, 2009

This thread is closed to new comments.