Is Mint.com safe?
May 27, 2009 7:08 AM

I like the idea of Mint.com, and have read all their statements regarding how secure it is, but more than once I have bailed at the point where they ask for your bank info. Am I being overly concerned about this?
posted by R. Mutt to Work & Money (38 answers total) 16 users marked this as a favorite
 
I've never had a problem with my bank info being secure while signed up with Mint. I hardly use it, though, because the information is usually like 2 weeks behind my actual account info. It's good for trending, but if you want to know where you stand this second, it's not that great.
posted by ishotjr at 7:10 AM on May 27, 2009


I wouldn't. A company which has a collection of online banking credentials is a huge target. Imagine how much wealth they have access to.
posted by devnull at 7:17 AM on May 27, 2009


FWIW, I've been using Mint since it first came out and have had no issues. I'm not aware of any information breaches either.

I'm aware I'm taking a chance, but it's worth it to me.

the information is usually like 2 weeks behind my actual account info

Hm, I'm looking at my Mint account and it has CC purchases from Monday and debit card from yesterday. Assuming the front page tells me the accounts have been refreshed (it can take a few minutes), the information's always been up to date.
posted by jmd82 at 7:18 AM on May 27, 2009


Is Mint the one that actually runs the backends for most banks? Or is that Yodlee? I just poked around but didn't find a quick answer.

That said, my Mint statement is also occasionally a bit behind. Not always, but sometimes.
posted by inigo2 at 7:23 AM on May 27, 2009


Best answer: I've been using Yodlee Moneycenter, which I believe is also the backend of Mint.com, for around two years now and, like others have said, I've never had any problems. I do think that your concerns are valid though: signing up for a site like Mint.com means that you have to expose your confidential financial details to a new company, and there are also valid security concerns around having a single login protecting multiple financial accounts.

For me it's worth it because I have a lot of different accounts and it's complicated to schedule all of my monthly bill payments and whatnot. I haven't tried Mint.com but with Yodlee I can get completely up-to-date info for all of my accounts, check my spending versus my budget, etc. If you don't really want or need the features of a site like Mint.com then it's probably not worth the risk, but if it's going to help you prevent missed payments or otherwise be useful enough then it can be worth it.
posted by burnmp3s at 7:25 AM on May 27, 2009


From what I understand, they don't actually store your information on their server. I'm not exactly sure how it works, but I'm honestly not worried about it. More info here. I also use Rudder, which I find to be more helpful when it's working, and after accidentally sending an email to fewer than 100 members, they offered all of those affected lifelong LifeLock subscriptions. So moral of the story is, if something happened, they would make it up to you.
posted by emilyd22222 at 7:31 AM on May 27, 2009


Put me in the column for new mint converts.
Just started using it this last weekend, and really enjoy the 10,000 ft view I can get of everything. I still use my excel spreadsheet for daily, monthly and yearly trends, but that's more out of force of habit than any mint shortcomings.
I say go for it, try it out, and if you don't like it, cancel your account.
No harm, no foul.
posted by willmize at 7:42 AM on May 27, 2009


Best answer: I have used mint for more than a year (since briefly before the fast company article) and have never had a problem with them abusing my information in any way. I also disagree with the data being behind. there is a huge, fat refresh button right on the home page and my accounts automatically update with every login. being presently abroad I really appreciate the reminder about impending due dates. this has saved me a bundle on late fees already.

in conclusion: I was very hesitant to give up my personal details but I am glad my trust in them wasn't misplaced. they have not abused it in any way. all they tried to do is suggest alternate ways to place my debt (= they suggested some credit cards and accounts) but I never took them up on that.
posted by krautland at 7:49 AM on May 27, 2009


...my accounts automatically update with every login

This may be my problem; I don't typically log in, just get overall weekly updates sent out.
posted by inigo2 at 7:51 AM on May 27, 2009


Also a user here. I sucked it up and just did it.

Their security information kind of damns with faint praise. SSL, yay. Hackersafe, TRUSTe, RSA -- all boring and standard and not worth a lot. The only interesting part is "bank-level data security" and """
# We store transaction information in a secure facility, on our own servers, protected by 24/7 security guards and biometric scanners.
# All our employees pass financial and criminal background checks as a condition of employment."""

So, they don't say *much* about the real likely vulnerabilities -- id est, an employee walking out with a backup tape.

---

My mint information is always up-to-date, but then I'm only expecting transactions that have actually cleared to be there. If it's in the bank's transaction queue, I don't expect it to show up, so I'm not surprised when it doesn't.
posted by cmiller at 7:51 AM on May 27, 2009


I do it all manually with Microsoft Money and it takes me maybe an hour per week in total... although I'm sure such an established company is safe, personally I wouldn't give out bank account details to a third-party... you never know when an employee will go rogue!
posted by sunkzero at 7:56 AM on May 27, 2009


Best answer: I've been trying to use Mint.com for almost a month now. I have one of those smaller banks that doesn't play nice with their huge system. They do have a data provider who actually has access to the banking information, so I wouldn't worry so much about that. The two things that have given me pause, however, are

- all the things that go back and forth in the Mint.com forums are archived and visible on Google groups. This is not a problem, and probably not surprising, it's just something worth knowing. If you write about whatever money things you're writing about there [and it's one of the only ways to get decent support] that information is all searchable on the internet. I'm a little surprised the mint.com forums aren't more private
- their tech support is the most well-meaning and ultimately not super helpful support I've gotten, even from a free service. As I said, it's been a three week slog, so far. Not that I expect them to be able to fix problems overnight, but I never really even felt like my problem was being addressed. I'd get people saying "I'll get back to you tomorrow" and then nothing for a week. I'd email support and get a copy/paste form letter back that didn't even seem to have read my original email.

I get the feeling they're suffering growing pains and while I love the services they offer (though I have yet to see any of them in action) I'd be really concerned that if there was a problem, it wouldn't be resolved quickly or responsively. Possibly just idle concerns, but it's made me think twice about the free-banking scene. I had better luck with Wesabe when I went through the exact same dog and pony show with them.
posted by jessamyn at 8:07 AM on May 27, 2009 [1 favorite]


Isn't it a form of read-only access, though?

In any case, I, too, have backed out at the key "all your bank info are belong to us" point. Then they sent me email. I wonder how many back-outs they see a day.
posted by bz at 8:10 AM on May 27, 2009


I've made sure I use a really hard to guess password for mint.com (much longer than my normal passwords).

Mint.com has really allowed me to turn my money situation around and I am now debt free thanks to it (well except for that pesky mortgage). Can't recommend it enough. It does have some problems (w/ING Direct updates especially) and the filtering and auto-categorisation needs work. But really - can't recommend Mint.com enough.
posted by schwa at 8:26 AM on May 27, 2009


I'm too paranoid to use it. I mean, it's _probably_ safe, but using it would stress me out more than it would help my finances.
posted by valadil at 8:30 AM on May 27, 2009


I've used it since it first came out and have had no problems. They don't store your financial transactions, just usernames and passwords.

Worst case, my banks and credit cards will protect me from anything fraudulent (if such a thing happens). But if you are the paranoid person, then none of this information will allay your fears. Just remember that with any service you use on the internet, including your bank's webpage, there is always that risk (however small) of your information being compromised.

But if the intent of your question was "Is mint legit and are you guys using it?" then totally yes go for it. I have learned so much about my financial habits since I have been on mint that the experience has been totally worth it. As Jessamyn noted, smaller financial institutions are harder to add than the bigger ones. I had trouble adding my ING accounts but the information on the forums helped me do it.
posted by special-k at 9:13 AM on May 27, 2009


been using it for almost a year with no issues. I'd tried yodlee moneycenter prior to that, and it worked fine, but I like mint's interface much better. Both systems use the same backend (created by yodlee), which is actually the same backend used by many of the banks themselves for their own online services. If you bank online at all, mint is probably about as safe as anything else you do. Check out yodlee's company overview for more info.
posted by Chris4d at 9:21 AM on May 27, 2009


Wesabe allows you to upload bank info directly from your computer so that the Wesabe servers never have a copy of your bank logins. The uploader is well developed.
posted by Nelson at 9:27 AM on May 27, 2009 [1 favorite]


Best answer: I'd be really concerned that if there was a problem, it wouldn't be resolved quickly or responsively.

In my direct experience, it won't be. At least, not now.

I had two separate issues with Mint; first, for some reason they insisted my net worth was in excess of twenty million dollars (it's not). Fixing that took about a month. Second, they didn't update my actual net worth for six months (as in, the big update button didn't do squat for six solid months). The relevant accounts, from which they should have been drawing their data, were with gigantic banks like Chase which they should have been quite familiar with. All manner of troubleshooting was attempted (deleting the accounts, re-creating them, deleting them again, re-creating them again, etc.), with zero results.

Tech support was perfectly friendly & reasonable, but they couldn't actually do anything.

On the plus side, the complete waste of time that was my Mint experience didn't cost me a dime.
posted by aramaic at 10:35 AM on May 27, 2009


2nding Wesabe --- great site and you can export the data to your hard drive then import to wesabe (it's what i went with after doing a ton of research and having the same questions you have about mint)
posted by knockoutking at 10:36 AM on May 27, 2009


I'm still having an issue with Mint about which I posted to The Green a month or so ago. (Namely, my first name is the same name as a common US retailer, Marshall's, and when transaction information contains my name, Mint always flags that transaction as a purchase from Marshall's.)
posted by emelenjr at 12:37 PM on May 27, 2009


I've used Mint for almost two years now and I quite like it. I had to convince myself that it was ok to input my bank info, but I think the risk has been worth it. I have several accounts at 4 different banks, so aggregating the data in one place was great. Furthermore, if anyone were to take control of my account I'd see it more quickly. Mint even tracks this sort of thing as a feature.

Mint is signed off by VeriSign, Truste and McAfee. I'd imagine that if there was some sort of data theft or security breach, there's some level of insurance involved.
posted by JuiceBoxHero at 12:38 PM on May 27, 2009


Best answer: No you're not being overly concerned about this. SOMEONE will hold your personal info, and that someone is no longer just the bank and you. I'm not concerned so much about what is done with my personal data, I worry about a breach of their system and my credentials floating around on the internet.

What happens when that does happen and your money goes missing, is the bank responsible, or are they going to blame you for giving out your credentials?
posted by Sonic_Molson at 2:53 PM on May 27, 2009 [1 favorite]


Response by poster: Thanks. In fact, I just tried to sign up... but it wouldn't let me use my primary email address. That email address is already in use!... apparently from when I started to sign up previously. I'll email them, see how long it takes ...
posted by R. Mutt at 2:54 PM on May 27, 2009


My husband and I have both been using it since it came out, with no problems.
posted by Nattie at 5:56 PM on May 27, 2009


aramaic seems to be the one dissenting opinion here and you marked that as best answer. Perhaps you should just balance everything on the back of your checkbook and not do this.
posted by special-k at 7:08 PM on May 27, 2009


I have a love-hate relationship with Mint -- it was great for helping me keep track of my spending in my checking and savings account. However -- I could not FOR THE LIFE of me get it to add my IRA or my credit card account, even though both those accounts were LINKED to my checking and savings account and had the EXACT SAME PASSWORD AND LOGIN as my checking and savings account.

After faffing about with them for six months, I just cancelled the account with Mint. The tech support didn't seem very helpful (I would explain my problem -- that I was using the proper login, which worked for my checking account, but somehow it wasn't working for my IRA -- and get a response that I should check to be sure I'm using the proper login for my account).
posted by EmpressCallipygos at 7:28 PM on May 27, 2009


Response by poster: Worst case, my banks and credit cards will protect me from anything fraudulent (if such a thing happens).

Are you sure about that? It seems to me that they could possibly sidestep that obligation by saying that you (or I) are at fault for giving out our passwords to third parties.
posted by R. Mutt at 8:07 PM on May 27, 2009 [1 favorite]


What I am trying to say is that the rest of us seem comfortable with the level of security they offer.

People upthread that don't like Mint have noted that it is because they have trouble adding accounts, not that they are worried about security (which is what your question is about).

It seems like you want overwhelming proof that Mint can never ever fail before you decide to sign up. Mint, according to their security page, offers the same level of security as your bank does. Still not good enough? Then don't sign up. That's all I'm saying.
posted by special-k at 8:37 PM on May 27, 2009


Best answer: A scenario: Mint gets uber-hacked, bank accounts subsequently drained, credit cards maxed, etc. Every single user they have. Losses in the millions. Banks and credit card companies refuse to pay out - claiming Mint is at fault (which they are). Courts find in favor of banks and credit card companies, after a couple years of litigation - during which none of the users have seen any of their funds returned.

You think Mint.com has enough cash tucked away to pay you and every other user back? I don't.

I'd read your T&C's with any and all institutions that you do business with very closely before revealing any access to accounts with said institutions to any third party.
posted by allkindsoftime at 11:47 PM on May 27, 2009 [3 favorites]


Best answer: Mint gets uber-hacked, bank accounts subsequently drained, credit cards maxed, etc. Every single user they have. Losses in the millions. Banks and credit card companies refuse to pay out - claiming Mint is at fault (which they are). Courts find in favor of banks and credit card companies, after a couple years of litigation - during which none of the users have seen any of their funds returned.

I'm not a lawyer, but can you back up this scenario with any actual laws? Mint does not provide a way to transfer money or buy things on credit directly, so the hackers would need to fraudulently use the information stolen from Mint to do transactions with the actual banks, which should be protected like any other transaction.

For bank accounts specifically, the banks have to follow the guidelines in Regulation E. That document defines a protected unauthorized electronic fund transfer as "an electronic fund transfer from a consumer's account initiated by a person other than the consumer without actual authority to initiate the transfer and from which the consumer receives no benefit." It also says that the customer's actions don't affect the liability: "Thus, consumer behavior that may constitute negligence under state law, such as writing the PIN on a debit card, does not affect the consumer’s liability for unauthorized transfers."

Giving a password to Mint shouldn't be any different than writing a PIN on an ATM card, as far as it being an unauthorized transaction that the bank would be liable for. The bank could turn around and try to sue Mint to recoup their own losses, but as far as I know there is no way that they could actually dodge any liability.
posted by burnmp3s at 7:40 AM on May 28, 2009 [2 favorites]


I was a Mint beta tester and have had it ever since, and never had an issue (and I was nervous at first too). Unfortunately about a year ago my bank switched to a login system that isn't supported by Yodlee and so now Mint is useless to me, because it can't access my account.

I also use random password generators and a password-storing program (that encrypts its contents) and set my passwords to expire every "x weeks" and always changed them at the bank and then changed them in Mint.
posted by IndigoRain at 10:32 PM on May 28, 2009


disclaimer: i work for mint.com. here is what our ceo has to say in response:

First, Mint has bank-level data security. That means we have the same level of encryption your bank does, along with outside third-party verification through Verisign and Hackersafe. We also have routine security audits where so-called “white knight hackers” try to break into our system — they’ve never been successful. We also have bank-level physical security. Our servers are located in an unmarked secure building which requires a palm scan to gain entry. After making it past guards, you have to go through a “man-trap” where one door will not open until the other closes and you again have biometric access. Once you get inside, our servers are in a locked cage monitored with 24/7 video surveillance. Get inside, and the racks themselves are locked. Break those open, and our hard drives are encrypted. It’s seven layers of protection. All that’s missing are the electrified floors…

Second, Mint is a read-only system. Even if someone managed to gain access to your account, they cannot move money around, your accounts cannot be drained. Mint is also an anonymous system. If you notice at sign up we don’t ask for a name, address, SSN or anything personally identifying. Nor do we ever ask for your account numbers or credit card numbers. When you provide your bank username and password, this simply establishes a secure one-way connection with your bank authorizing Mint to download your transactions, balances, and bill due dates on your behalf. Quicken and MS Money have asked for this same information (in desktop form) for the past 10 years.

Third, Mint can actually help keep you safer than online banking. It may seem counter-intuitive to your readers (“All my accounts in ONE place???”), but Mint can monitor all your accounts for fraud or mis-charges every day. Javelin Research finds that 90 percent of all fraud starts offline, not online. Meaning you’re much more likely to be ripped off at a gas station or restaurant than online. Given that the average American has four or five different credit and bank cards, you can either login to all those websites every day looking for fraud, or wait 30-45 days for a paper statement (by then it’s too late). Instead, Mint looks for “unusual spending” across all your accounts every day. Hundreds, if not thousands, of people have written in to say that Mint was their first line of defense against fraud. In fact, we can often do this better than banks. See, for example, when we notified our users about a widespread fraudulent charge first reported in the Washington Post from “Adele”.
posted by Señor Pantalones at 11:10 PM on June 16, 2009 [14 favorites]


For even more in-depth information on how Mint handles your security and practices to increase your financial security online, please check out the following:

http://www.mint.com/privacy/
http://www.mint.com/privacy/faq/
http://www.mint.com/privacy/security-tech
http://www.mint.com/privacy/terms/
posted by Señor Pantalones at 11:01 AM on June 17, 2009


Señor Pantalones - can you expand more on this from your FAQ:

Can Mint employees view my bank account numbers or credit card numbers?

Mint uses only your account login credentials for access to your account information and Mint does not store these credentials.


I'm concerned because you don't really answer the question, which suggests the answer to the question is probably yes.

I'm guessing (hoping) that the online banking user name and password I give you will be encrypted before you store it in your database. But, you have to be able to decrypt it in order to pass that to my bank. It seems likely that some of your database people can get access to my bank login. It might be possible to generate a decryption key with my Mint account information which would allow your system to decrypt and send my bank info only at the point of login, but that means you would only be able to update my bank info when I login. I'm guessing that's not the way it works because you'd only be able to update at login, and I'm not sure how you prevent your employees from setting up a man in the middle attack. Still, it would at least be an extra layer of protection if that was the way it worked. Is it?

More to the point, at any time, do any of your (or Yodlee's) employees have access to my online banking account information?

The fact that your web site is read only means that if somebody gets access to my Mint password, they can't move money around, but if your internal employees can get access to my bank logins, they can login to the bank account, and that is definitely NOT read only.

Aside from background checks for your employees, what do you do to protect my information from the threat of a rouge employee?

What would be great is if there was a way for the bank accounts to assign read-only account access that I could give to services like Mint in the same way they will let me generate one-time use credit card numbers. Are you guys working on anything like that? I bet that would seriously improve your new account numbers.
posted by willnot at 1:55 AM on June 18, 2009
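
The trade-off raised in the comment above, as an added example that is not part of the thread and is not Mint's or Yodlee's code: it compares a stored bank login wrapped under a service-held key with one wrapped under a key derived from the user's own site password. All function names, ids and secrets are constructed for illustration; it assumes Node.js and its built-in crypto module.

```javascript
// Added illustration; every name and value here is constructed.
const nodeCrypto = require('node:crypto');

// AES-256-GCM with the owner's id as associated data, so a stored record
// cannot be silently moved to another user's row.
function seal(key, plaintext, userId) {
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  c.setAAD(Buffer.from(userId));
  const ct = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

// Returns the plaintext, or null when the key, owner or ciphertext is wrong.
function open(key, rec, userId) {
  try {
    const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, rec.iv);
    d.setAAD(Buffer.from(userId));
    d.setAuthTag(rec.tag);
    return Buffer.concat([d.update(rec.ct), d.final()]).toString('utf8');
  } catch (err) {
    return null;
  }
}

// Design A: one key held by the service (hypothetically in a KMS or HSM).
const SERVICE_KEY = nodeCrypto.randomBytes(32);

function storeWithServiceKey(userId, bankSecret) {
  return { userId, ...seal(SERVICE_KEY, bankSecret, userId) };
}

// Runs unattended. That convenience is also the exposure: whoever can use
// SERVICE_KEY and read the table can recover the bank login.
function nightlyRefresh(rec) {
  return open(SERVICE_KEY, rec, rec.userId);
}

// Design B: the key is derived from the user's site password with scrypt
// and is never stored, so the record only opens while the user logs in.
function storeWithUserKey(userId, sitePassword, bankSecret) {
  const salt = nodeCrypto.randomBytes(16);
  const key = nodeCrypto.scryptSync(sitePassword, salt, 32);
  return { userId, salt, ...seal(key, bankSecret, userId) };
}

function unlockAtLogin(rec, sitePassword) {
  const key = nodeCrypto.scryptSync(sitePassword, rec.salt, 32);
  return open(key, rec, rec.userId);
}

function demo() {
  const secret = 'bankuser:constructed-bank-password';
  const a = storeWithServiceKey('user-1', secret);
  const b = storeWithUserKey('user-1', 'constructed site passphrase', secret);
  return {
    // Design A: background refresh works with no user present.
    serviceKeyUnattended: nightlyRefresh(a) === secret,
    // Design B: works only with the user's password in hand.
    userKeyAtLogin: unlockAtLogin(b, 'constructed site passphrase') === secret,
    userKeyWrongPassword: unlockAtLogin(b, 'guess'),
    // Design B: the operator's key is useless against this record.
    userKeyWithServiceKey: open(SERVICE_KEY, b, b.userId),
    // Either design: a record copied to another user's row fails to open.
    movedRecord: open(SERVICE_KEY, a, 'user-2'),
  };
}

console.log(demo());
```

Under design B a site-password change has to re-wrap every stored bank secret, and the server still handles the plaintext in memory during the login request, so it narrows insider exposure rather than removing it.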


I'm concerned because you don't really answer the question, which suggests the answer to the question is probably yes.
Hi Willnot, thanks for asking about this. The answer is "no."

The usernames and passwords you use to access your online financial accounts are not viewable by Mint.com employees or contractors. This information is collected from you one time only in order to establish a persistent connection to your financial institutions. Your credentials are encrypted and securely passed to our online service providers (as you mentioned, Yodlee) who maintain them in order to deliver your transactional data to Mint.com. Which brings us to yodlee, and their security policy. Note #4 in particular:
  1. We encrypt everything between your browser and our servers using industry standard 128bit SSL encryption.
  2. After it gets to our side, it is protected by multiple layers of firewalls - the number of which I cannot tell you for security reasons, nor the vendors, but we use many and many vendors.
  3. All sensitive field data is encrypted and stored in our databases encrypted internal to the tables with multiple rotating keys.
  4. All databases are protected from employee access both physically and logically.
  5. All databases are encrypted physically, and all drives and tapes are encrypted with different keys.
  6. No employee can put any content on any unsecure machine (i.e., nothing can be taken from the database and put on a laptop).
  7. All servers are customized and utilize an ultra locked down version of linux.
  8. Multiple layers of intrusion detection systems both software and people running 24×7.
  9. Automated software auditing of our source code to check for problems in the code.
From a process point of view we’re constantly audited by all of our customers to ensure that we have the utmost security policies and practices, including:
  1. Background checks for all employees.
  2. Auditing of all servers.
  3. Continuous security training.
  4. Dedicated security office with the authority to shutdown any system to investigate a breach.
  5. Systematic engagement of ethical hackers to attempt to break into our systems.
So the definitive answer to your question is that the systems we employ, both as an independent organization and one which utilizes the services of other organizations, not only prevent human access to your information (the "can a yodlee/mint/whoever employee see my login & pw" part), but also prevent data access through security equalling, if not exceeding, that of your own banks' websites.
Aside from background checks for your employees, what do you do to protect my information from the threat of a rouge employee?
We don't discriminate on the basis of skin color. But any employee, even a rouge one, does not have access to sensitive information, including login and password, any of your accounts. If you can clarify the question, I can be more help...otherwise it's covered in the previous posts and the yodlee blockquote above.

This is my opinion and not official Mint here, but I believe you are at less risk with your information on Mint than you are setting up ACH transfers or direct deposit on your own bank's website, since they can move money and we can't, they ask for social security and we don't, and they even ask for your full name and address.
What would be great is if there was a way for the bank accounts to assign read-only account access that I could give to services like Mint in the same way they will let me generate one-time use credit card numbers. Are you guys working on anything like that? I bet that would seriously improve your new account numbers.
We don't comment on future plans, so I can't confirm or deny that. Maintaining customer trust is a priority for us, and perceived security probably comprises 95% of that trust. To me, personally, there is no bigger user experience barrier than the perceived loss of control (or total freakout) when allowing a 3rd party access to your financial information. People are content with giving their social networks enough info to open credit cards in their names, but we're held to a higher standard. What I can say is that we'll continue to introduce new technologies, practices, and systems that further alleviate customer concerns and keep your data extremely safe.

Thanks again for bringing this discussion here, and let me know if there's anything else I can answer. I should clarify that I'm not an expert at fielding these questions -- I'm the "user experience & design guru" for Mint.com, and have no official role for PR or customer service.
posted by Señor Pantalones at 10:48 AM on June 18, 2009 [2 favorites]


Wow. This thread came back to life. Interesting. So let me ask a question that would solve a lot for me, Senor:

You say that my one-time provision of my password provides a "persistent connection" for Mint. Does that mean that I can give Mint the username/password, set up the account, and then change the password the next day and never have to give Mint the new password?

If so, that would go a long way to satisfying me that my (current) username/password aren't being stored anywhere. The "rogue employee" issue doesn't really bother me -- but the "bankrupt company sells its servers with my username and password on them" scenario does.
posted by The Bellman at 1:57 PM on June 20, 2009


The username and password must match any change you make with your online banking provider. You can change your online banking password at any time and Mint.com can no longer connect on your behalf. Any concern about your second scenario is actually within your control: if you choose to delete your Mint.com account you can also change your online banking passwords and Mint.com can no longer successfully refresh data from your online banking accounts.
posted by Señor Pantalones at 4:02 PM on June 22, 2009

