Worried about Mint
May 30, 2010 8:37 AM

I love the idea of Mint.com, but I can't get over the idea of handing my online banking passwords to a third party. Am I overly paranoid? Am I underly paranoid? Convince me either way.
posted by soy_renfield to Computers & Internet (21 answers total) 14 users marked this as a favorite

I don't think you are paranoid - quite the contrary. And, you might want to check the terms of service agreement with your financial institution: it might be forbidden for you to tell your password to someone else.
posted by aroberge at 8:43 AM on May 30, 2010

You certainly have a reason to be concerned. I believe Mint will do all it can to protect your password and never misuse it, but mistakes happen. Also note that Mint does not keep your password itself; they share it with Yodlee, who provides the backend service of actually getting data from banks.

One more caveat about Mint: they continue to scam their users with links to non-free credit report sites. That speaks poorly for their ethics.
posted by Nelson at 9:06 AM on May 30, 2010

Giving up your login info is a potential risk. The reward is super-handy data on the way you spend money. You have to decide if you're willing to make that trade-off.

There is one thing that Mint does that makes me even more comfortable about using their service. When you look at the array of accounts you've entered into Mint, it's not possible to see any of the usernames or passwords for those accounts. If you need to change the login info, you have to add both the username and password every time. So, if someone were to compromise my Mint login, they could see who all of my financial providers are, but they would have no idea what the username and passwords were at those sites. I think that's a great feature.
posted by herrtodd at 9:07 AM on May 30, 2010

This would be easier if you were more specific about your fears, but perhaps it will help to point out that Mint is owned by the deep-pocketed, much-to-lose Intuit. Very large amounts of those companies' money are at risk if they don't treat your personal information very carefully. They have huge incentives to put safe systems in place, because if their system fails and a bunch of people get screwed due to Mint's negligence, then they are liable for any losses and their reputation goes out the window. Sure, by using Mint you might be increasing your risk by some increment, but it seems likely to be a very, very small increment.
posted by jon1270 at 9:08 AM on May 30, 2010

Mint.com connects to your banks through a service by yodlee.com. Yodlee is the company that provides the online banking software and services for many popular banks, probably including the one you use. If you don't trust mint, go straight to the source and use yodlee.com's moneycenter software.
posted by ShootTheMoon at 9:08 AM on May 30, 2010

There was an AskMe about mint.com a while back where it turns out that there is a MeFi who works there. He spelled out in great detail the steps they take to keep your data secure. I personally use yodlee's moneycenter because I wasn't that stoked with mint.com's support [though really yodlee's is pretty terrible too if you want them to add your teeny credit union] but I think that Mint is as secure as they'd need to be and possibly more.
posted by jessamyn at 9:21 AM on May 30, 2010

I am not comfortable with them selling my transaction data, even 'anonymized'/aggregate.
posted by Gable Oak at 9:34 AM on May 30, 2010

Anecdotally: My husband and I have been using Mint since it was first released and have never had any problems.
posted by Nattie at 10:22 AM on May 30, 2010

I think the most important thing to consider is that Mint never collects your actual full name or social security number, so the potential for full-on identity theft is low if the person only hacks your Mint account.

What I am still wary about is that a third party has so much info on my spending habits. I don't even trust my bank anymore not to look at that kind of information and use it against me. They're already doing things like looking to see if you open a bar tab on your credit card a little too often, and therefore judging that you're a poor credit risk and raising your credit card rate, but maybe that particular example is illegal with the new credit legislation. I don't know for sure either way, but I don't love that information being out there. But that's outweighed for me by the value of the service Mint provides.
posted by slow graffiti at 10:22 AM on May 30, 2010

Unless Mint charges fees to you for their service, the only way they can monetize the thing is to sell your information to third parties. It doesn't really matter how much privacy and security they claim to have in place — at the end of the day, they are selling your private data to a third party, in order to make money. That's pretty much it. How comfortable you feel about that happening may help you decide whether Mint is right for you or not.
posted by Blazecock Pileon at 1:05 PM on May 30, 2010

I was a Mint beta tester and it was fine. The only thing that stops me from using it now is that my bank switched to a login system that they (and Yodlee) don't support, and I'm not switching banks.
posted by IndigoRain at 1:25 PM on May 30, 2010

"They're already doing things like looking to see if you open a bar tab on your credit card a little too often, and therefore judging that you're a poor credit risk and raising your credit card rate..."

Uh, cite source?

posted by !Jim at 2:01 PM on May 30, 2010

10 Things You Should Never Put on Your Credit Card

"10. BOOZE: Carry cash to the bar, especially if you were there last night, too. Springing for too many drinks may be a sign of job stress, financial stress, or relationship stress. And charging booze several times in a row will make it seem like your bar binge was not a fluke."

In my experience, NPR does not promote crazy conspiracy theories.
posted by slow graffiti at 2:25 PM on May 30, 2010

Many banks require, in their ToS, that you not share online banking credentials with third parties. I've chatted with my boss about Mint (HINAL), and this is his main concern — that your bank could use the fact that you've shared your username and password with a third party to absolve itself of responsibility for your account being compromised.

I asked two of my banks (ING Direct and Chase) for their takes on Mint, and got no formal response.
posted by Sidnicious at 4:30 PM on May 30, 2010

It sure would be nice if banks allowed for logins with different security levels. Then you could have a login to give to Mint and restrict it to only pulling certain data, and not able to make any changes.

We could all suggest that to our banks, but in my experience bank sites are all about 10 years out of date, so I wouldn't expect much success.

Oh, and to actually answer your question, I don't trust Mint in the slightest. Imagine if Facebook or Google had your bank account and credit card info during their recent privacy "oopses". And there was that other (misguided) service that needed access to your credit card accounts, which leaked card numbers onto publicly searchable pages.
posted by mad bomber what bombs at midnight at 6:03 PM on May 30, 2010

I just read the old comment from the person who works at mint.com. It's less encouraging to me than it sounds at first.

"same level of encryption your bank does" -- encryption is an easy, solved problem. The infrastructure around it is where attacks occur. And that infrastructure is unique to the site or company. There's no way to know how secure it is.

"bank-level physical security" -- his description matches standard security at most modern data centers. Sorry mint.com, you don't get credit for this.

"Mint is a read-only system" -- sure, but the login information they have provides full access to the account. You don't need to use mint itself to do the damage.

"Mint is also an anonymous system" -- again, until the login information is compromised. A bank site probably won't hide personal information after you've logged in.

So, any side attack that compromised the database of logins compromises everything. And for an inside attack, probably their Sr. Programmers and possibly their Sr. Sysadmins have open access to that db.
posted by mad bomber what bombs at midnight at 6:17 PM on May 30, 2010 [1 favorite]
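
An added example, not part of the thread and not code from Mint, Yodlee or any bank: a constructed toy model contrasting the two situations raised in the comments above, an aggregator that stores the account password versus one that holds a restricted read-only login, when the aggregator's stored credential leaks. `ToyBank`, the scope names and `leaked_credential_impact` are hypothetical.

```python
import hashlib
import secrets

READ, TRANSFER = "transactions:read", "funds:transfer"  # hypothetical scope names


def _digest(secret: str) -> str:
    # Toy digest so the model stays short; real password storage uses a slow KDF.
    return hashlib.sha256(secret.encode()).hexdigest()


class ToyBank:
    """Constructed model of a bank with owner passwords and delegated tokens."""

    def __init__(self):
        self._owner = {}      # user -> digest of the owner's password
        self._delegated = {}  # token digest -> (user, allowed scopes)

    def enroll(self, user, password):
        self._owner[user] = _digest(password)

    def _is_owner(self, user, credential):
        stored = self._owner.get(user)
        return stored is not None and secrets.compare_digest(stored, _digest(credential))

    def issue_token(self, user, password, scopes):
        if not self._is_owner(user, password):  # only the owner can delegate
            raise PermissionError("owner login required")
        token = secrets.token_urlsafe(32)
        self._delegated[_digest(token)] = (user, frozenset(scopes))
        return token

    def revoke(self, token):
        self._delegated.pop(_digest(token), None)

    def authorize(self, user, credential, action):
        if self._is_owner(user, credential):
            return True  # the password grants everything, whoever presents it
        owner, scopes = self._delegated.get(_digest(credential), (None, frozenset()))
        return owner == user and action in scopes


def leaked_credential_impact(aggregator_stores_password: bool):
    """Actions open to whoever obtains the credential the aggregator stored."""
    bank = ToyBank()
    bank.enroll("alice", "constructed-password")
    stored = ("constructed-password" if aggregator_stores_password
              else bank.issue_token("alice", "constructed-password", [READ]))
    return {action: bank.authorize("alice", stored, action) for action in (READ, TRANSFER)}
```

With the password stored, the leak opens both reading and transfers; with a delegated token, the bank itself refuses the transfer, and `revoke` cuts off the token without changing the owner's password.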

Response by poster: It's like they read AskMefi
posted by soy_renfield at 8:36 PM on May 30, 2010

That "10 Things You Should Never Put On Your Credit Card" link seems a little nutty to me. Don't put a manicure on your credit card because you might be stressed? And so what would they do with that knowledge? I think that story is taking things to the extreme.

I could never get my bank (ING) to authenticate with Mint and that was enough to get me to give it up.
posted by micawber at 9:59 PM on May 30, 2010

I use Wesabe, which I understand is _like_ Mint, but doesn't keep your password. Instead you have to upload your transactions from your bank (and they have a Firefox plugin that makes that as easy as clicking a button).
posted by Laen at 8:50 AM on May 31, 2010

I also use Wesabe. I just couldn't convince myself that sharing out those passwords was ok.
posted by getawaysticks at 6:24 AM on June 1, 2010
