The Money Mustache Community
Learning, Sharing, and Teaching => Ask a Mustachian => Topic started by: daizy744 on September 03, 2012, 06:06:27 AM
-
Mustachians rave about Mint to track expenses/net worth. I took a tour, and it does look like it'd be pretty awesome at the job.
However, I can't help but feel queasy about giving this company/web site all my account numbers and passwords. Somehow, I could see hackers getting to this info, and very bad things happening. It's like trusting a stranger with my bank card and PIN, or with a suitcase full of cash, and asking them to watch it for me, while I pop into the washroom at the mall. I can't help but feel like that stranger will vanish once I get back out...
Since you are all intelligent people, how do you sleep at night with all your account info in there? I read their privacy policy, but I still don't fully trust them...
-
My thought on this is that your existing bank already has that information, as well as every financial institution that you have an online account with. The only difference is that Mint has them all, but Mint's very existence is predicated on their ability to keep your data safe-- one data breach and that confidence would be lost and their business model would be in jeopardy. I use strong passwords and keep a close eye on my accounts.
In fact, Mint was the first place that alerted me to the fact that someone had stolen my wife's debit card number and were on a spending spree.
I've posted a few things about my experience with Mint if you'd like to go check them out. Between the web site, the iOS apps, and the Mint Quick View program on my Mac, I'm constantly able to access all of my financial data in one place. That is valuable to me.
http://livetheneweconomy.com/blog/2012/7/16/how-i-use-mintcom-to-manage-our-finances.html
-
I second Mike's remarks.
I did my homework about how their website's architecture is supported and feel just as safe using mint.com as I do logging in to any account individually (b/c that's a lot how mint handles it). Here's a good article to explain just how careful they are:
http://bucks.blogs.nytimes.com/2010/07/06/should-you-trust-mint-com/
-
Because I know they focus on security, it obviously is one of their primary functions.
Because I know they would alert everyone right away if there was a security breach to give time to change passwords.
Because I know there are fraud banking protections in place.
Because I know they've been going successfully for years and if there were issues we'd have heard about it.
Because I know that even if someone "hacked" my Mint account (much more likely they got the info from some sort of spyware/keylogger on your computer than actually hacking Mint), they couldn't do anything with it.
Mint is read only. It can see your accounts, it can't do anything to them. No way to transfer money or anything. No way to see any passwords you've shared with them.
If you want, I'll share my Mint password with you for five or ten minutes (then I'll change it). Any money you get out is yours to keep.
This may help you as well: lifehacker.com/5332714/why-i-stopped-being-paranoid-and-started-using-mint
In a nutshell it argues the convenience is worth the small risk trade off.
I also don't worry about terrorism or shark attacks. And while also unlikely like those, Mint getting hacked has much less consequences (someone can see your accounts.. meh?)
If you aren't comfortable, absolutely don't use it. There are offline ways to do the same thing. Maybe a little more hassle, a little more work. Mint is convenience, but peace of mind is important. You have to weigh and decide for yourself. Those are just some of the reasons I don't worry.
-
Mint is read only. It can see your accounts, it can't do anything to them. No way to transfer money or anything. No way to see any passwords you've shared with them.
Read only -- good point, also -- your account numbers are each account are NOT displayed ANYWHERE and you cannot transfer money to/from your accounts within mint.com.
-
Thanks for the quick and honest replies. Somehow, getting opinions from someone who already uses the service helps me.
LOL @ arebelspy for your offer. That, out of everything, makes me feel confident about the security.
I'll go ahead and sign up.
-
:)
Try it out with something small - say a credit card. It'll have fraud protections so you don't have to pay for anything you didn't purchase.
Get used to and comfortable with it, then you can decide to add more things like bank accounts.
Good luck!
-
The times my credit cards have been hacked (2 or 3 times in the past 15 years) , it was always be someone overseas, all before Mint was invented, and always obviously fraudulent (which meant it was no big deal to call and have the charges reversed)
I don't know how they did it, but clearly it can be done somehow, whether you are using Mint, whether you are using internet banking at all. There are even those (extremely rare) cases where a scam artist ruins a kid's credit who isn't even 18 yet. I know someone who won't even pay bills online. I figure its safer to be able to check your accounts frequently (rather than waiting for statements to come out) so you can notice anything amiss right away. Avoiding the internet won't protect you anyway, so why worry about something that you have no possible way to prevent?
Incidentally, you trust strangers with your credit card information (assuming you have one) all the time. Any cashier worth their weight in paper bags can go into the computer after a transaction and extract your credit card number. 99.99% of the time they don't though.
If anyone is clever enough to hack my accounts where it isn't glaringly obviously fraud (because when it is obvious, it has no affect on my life other than me having to make a pone call) then they should be smart enough to pick a victim with more assets to steal!
-
Incidentally, you trust strangers with your credit card information (assuming you have one) all the time. Any cashier worth their weight in paper bags can go into the computer after a transaction and extract your credit card number. 99.99% of the time they don't though.
That used to give me a big kick back in the day when people were worried about using their credit card online. They would have no problem reading off their cc info over the phone to some store clerk across the country, but heaven forbid they let it be sent encrypted across the internet. I understand the concern about new technology and it's good to be nervous and ask questions. Just don't let rumors or speculation control your decisions, find the facts and smart people to base your decisions on.
One suggestion I'll add is to start using something like 1Password to keep track of your passwords and account info. I'd like to find something better than 1Password, but it works fine for now. But the key is to be able to quickly change your passwords on all of your accounts whenever needed, and keep track of your new passwords as you add online accounts. You don't want to use the same password everywhere online, so that means keeping track of all the different ones. Back when I started Mint I stopped going to all the individual sites to get my banking and cc info, and so I started forgetting some passwords. Now I just keep track of them in one application that I can reach on different devices I own, and just need one good password for that program.
-
I use LastPass James, but that's not for one who doesn't like keeping stuff online or is scared of online security.
In that case, I'd recommend KeePass, with the database stored, encrypted, in a Dropbox folder.
-
I just opened my mint account and felt that these same reservations. By and large, everyone is very supportive here of the company. I'm feeling much better about it. Thanks y'all.
-
I studied cryptography at uni, and it's often said that humans are worse at keeping secrets than computers.
(i.e. don't ever write your passwords down & keep different passwords for each account & make them long/complicated enough that someone can't guess them)(and don't ever tell anyone.)
-
Relevant XKCD comic :)
(http://imgs.xkcd.com/comics/password_strength.png)
-
This thread has also inspired me to open an account, mostly for the alerts on budgeting (I have a budget but never reconcile it, oops). Had thought about it a few years ago but had the same wariness about sharing account login information.
-
I took the plunge and opened an account. In fact, I ended up hooking up all my accounts/cards. It was super easy, and I'm really impressed at how organized everything is. I like how they remind me when my credit card payment is due, as I always wait until a couple days before the due date. And it categorized all my expenses from my cc statement and checking account.
Really liking it so far!
-
I use LastPass James, but that's not for one who doesn't like keeping stuff online or is scared of online security.
In that case, I'd recommend KeePass, with the database stored, encrypted, in a Dropbox folder.
This is exactly what I do and I've been very happy with it. Just make sure you know your Dropbox password in case you need to get a password through Dropbox's web portal when you're not on your own computer.
-
I fall on the won't-use side.
I follow tech news pretty closely. *Everyone* gets hacked eventually. Apple has been hacked. Sony has been hacked. WordPress has been hacked. Steam has been hacked. These are not dumb companies. The internet is simply not inherently secure. It takes tremendous effort to prevent hacks, and there will always be unforeseen exploits.
-
I fall on the won't-use side.
I follow tech news pretty closely. *Everyone* gets hacked eventually. Apple has been hacked. Sony has been hacked. WordPress has been hacked. Steam has been hacked. These are not dumb companies. The internet is simply not inherently secure. It takes tremendous effort to prevent hacks, and there will always be unforeseen exploits.
The counter argument here will be that people still access their account online through their various institutions, which someone mentioned above, but if one of my accounts is hacked so be it but sites like mint would have all of the accounts at one place to be hacked. It comes down to the backing of the company...if Wells Fargo gets hacked and something happens to my account I am pretty comfortable that it will work out fine.....if however Mint gets hacked and the id/passwords/personal information is used I do not have the same confidence.
Mints security seems good but that is a lot of good information in a single place, I would think it would be a hackers dream.
-
I'd rather Mint be hacked than my Bank of America login.
Because someone can't do anything with my Mint login, besides delete data (not affecting anything - it'd still exist on the appropriate bank site).
If they have my B of A login, they could transfer money.
Besides, if Mint is hacked, I wager that it'd be the Mint username/password combo itself, not the ones for the institutions that are hooked up to it.
And finally, I think there'd be a disclosure so fast I'd easily have time to change the half dozen passwords on accounts linked to it. If they hack some of the account accounts (out of all of the accounts there), the odds of mine being in there is small. Even if they hack a million of them, and mine IS in there, and was in plain text for some reason the odds that they then get access to my accounts and transfer money (while going through those million) before it's discovered and I can change passwords is small. Further even if it DID happen, most likely the bank would recognize the fraudulent attempt and block it. And even if they didn't the odds that I'd be liable for that fraudulent activity is small.
All of those tiny, tiny probabilities put together? I'm more worried about dying from an asteroid falling on my head than I am of losing money because I used Mint.
Here's the thing: since it's dealing with money, there are disclosure laws Mint has to follow. AND it's something people will notice quickly. So if if they were hacked, and Mint didn't know, once people started losing money, we'd find out fast. And at that point, you can change your passwords. The odds of you being one of the very first to have your password cracked from Mint's database is exceedingly small.
I think if Mint is hacked, it I think the most likely look like this:
Hackers gain database with logins and passwords (to Mint itself, not banks that are hooked up to Mint). It's encrypted/hashed/salted/etc. Mint announces this, everyone changes passwords Mint, and to their banking institutions (just in case). No accounts actually lose money, no reported losses. Mint's reputation takes a hit, everyone moves on, most continue to still use it.
If you aren't comfortable with it, fine, no big deal, don't use it.
But trying to convince me it's not safe? Heh. Sorry, I'm not worrying. Because even if they are eventually hacked (which very well could happen, I'll grant you), I think the odds of losing any money are so exceedingly small it's well worth using the service.
To each his own, YMMV.
-
I agree with you and I wasn't really taking a position on whether or not it is safe, but I did say that the site seemed secure. I wouldn't be afraid to use it but I am just to lazy to go through the process.
But to a few of your comments:
I'd rather Mint be hacked than my Bank of America login.
Because someone can't do anything with my Mint login, besides delete data (not affecting anything - it'd still exist on the appropriate bank site).
If they have my B of A login, they could transfer money.
My point was that if they hacked mint they WOULD have all your IDs and passwords because you need to provide those to mint so it can access your various financial sites and then could just log on to those sites and make the necessary transfers - that is the risk and the hacker dream scenario (hacking the mint database and not your individual ID) that I referred to even if it is a low probability event because of mints security, notification protocols, fraud measures at other institutions, but more importantly it would be a lot of work for not a big pay off for all the work (although I wonder if a hacker could write a code that accesses a single site and simultaneously all the user IDs/Passwords at same time).
Here's the thing: since it's dealing with money, there are disclosure laws Mint has to follow. AND it's something people will notice quickly. So if if they were hacked, and Mint didn't know, once people started losing money, we'd find out fast. And at that point, you can change your passwords. The odds of you being one of the very first to have your password cracked from Mint's database is exceedingly small.
It is not a bank or even a financial services company so disclosure laws probably don't apply and are likely voluntary (would be stupid if they didn't do it but history has shown that company's make stupid decisions all the time about this stuff - usually to contain it or preserve revenue. So don't take comfort in this, but do take comfort in that in the second part that it would get out quick by the users but maybe not quick enough.
I would also add that it is owned by Intuit so if any people don't trust mint then they shouldn't trust turbo tax, quicken, etc.
-
But trying to convince me it's not safe? Heh. Sorry, I'm not worrying. Because even if they are eventually hacked (which very well could happen, I'll grant you), I think the odds of losing any money are so exceedingly small it's well worth using the service.
Not trying to convince, just to provide another viewpoint.
Is it likely you will lose money due to Mint? Of course not. But somewhere, somehow, your login credentials are stored. And since a lot of what Mint does probably relies on screen-scraping, they are probably encrypted reversibly instead of being hashed/salted/bcrypted (as one would usually do with passwords). My bank on the other hand can definitely hash my credentials. Both are secure enough 99.lots of 9's percent of the time. But to me, the possibility of credentials being reversibly encrypted and the near certainty that eventually *some* part of the Mint system will be hacked is enough to keep me away.
-
My point was that if they hacked mint they WOULD have all your IDs and passwords
Not necessarily true. Like I said in my post, it's most likely they would have a big encrypted database with Mint.com logins and passwords, not the logins and passwords to the linked accounts.
It is not a bank or even a financial services company so disclosure laws probably don't apply
Not true. All PII compromises must be disclosed, not just financial.
-
My point was that if they hacked mint they WOULD have all your IDs and passwords
Not necessarily true. Like I said in my post, it's most likely they would have a big encrypted database with Mint.com logins and passwords, not the logins and passwords to the linked accounts.
While that's technically correct, it doesn't address the other point Ambystoma raised.
But somewhere, somehow, your login credentials are stored.
If I were a hacker, the Mint.com logins won't be my primary target. It's the login info of all their users to all their other accounts I'd be after.
I'm not denying the cumulative probability of experiencing actual loss in the event such a compromise of Mint's data occurs is small. Just that the fact that Mint is read only doesn't negate the fact that info to access your finances and personal info exists at an additional place (Mint's servers) and is therefore subject to additional risks.
-
I'm not denying the cumulative probability of experiencing actual loss in the event such a compromise of Mint's data occurs is small.
Okay. That's my only point. I don't worry about things that have exceedingly small probabilities of occurring.
I agree with you that it is theoretically possible for the database of linked accounts to get compromised, then decrypted, then accessed, then money transferred, which is not caught by their fraud department, and then is not refundable to me when I catch it, all happening before it happens to others or Mint finds out and I am able to change my passwords. That could happen. If that worries you, by all means, don't use Mint.
I just want to be clear on how that's unlikely, to help prevent the spread of FUD.
It's one reason why I'm not a fan of TSA security theater.
-
Since you are all intelligent people, how do you sleep at night with all your account info in there? I read their privacy policy, but I still don't fully trust them...
I'd like to follow up on this conversation as the posts didn't entirely answer the question for me ... given that my financial institute is secure, and that mint.com is secure, and that my mint.com login would only provide read-only access to any would-be hacker that got into my mint.com account...
What incentives are in-place to prevent Mint.com employees from accessing my account? While they (presumably) can not do any harm via the their mint.com web site, there is no reason they couldn't take my financial institute login information and log into my primary account directly and transfer money or whatnot. If not their support people, surely their developers have this level of access. They would need it to fix any import problems that occasionally show up. Right?
-
What incentives are in-place to prevent Mint.com employees from accessing my account? While they (presumably) can not do any harm via the their mint.com web site, there is no reason they couldn't take my financial institute login information and log into my primary account directly and transfer money or whatnot. If not their support people, surely their developers have this level of access. They would need it to fix any import problems that occasionally show up. Right?
In terms of the "who has access to what" in production/live systems, you have it sort of backwards. I don't work for Mint, but I say this as a person who is currently a developer and was an IT support engineer / systems administrator for several years before that.
In a well designed system, developers actually have little to zero access to production systems. They just aren't allowed anywhere near it for a lot of reasons. Good systems administrators are equipped to capture relevant details, logs, and crash dumps and provide this feedback to the developers in order to assist the troubleshooting process.
Also in a well designed system, people are only given access to what they absolutely need to do their jobs. So even within the systems admins teams access is strictly regulated and only a very select few (trustworthy) individuals are able to access everything. Especially with high impact data they really take this stuff seriously.
-
I track my net worth on a spreadsheet. It's not that hard to log into a couple of brokerage accounts, check my mortgage balances, a few times a week and update.
I have had the experience of credit cards being stolen off websites where I'd purchased things, so centralizing my information on any one website doesn't sit well with me. Even if read-only I'd be concerned about identity theft and hackers. I'm not even on FaceBook (with my real name) for that reason.
It's OK to minimize exposure and risk on the 'net, you don't have to be a "prepper". ;-)
-
I assume nobody cares about the thing they signed with their bank to not disclose their password to ANYONE?
That's the one that stopped me... sure I can trust the site, but if it violates my agreement with my bank of 20+ years, and if anything goes wrong I'm *screwed*, not just 'fraud victimized'....
I prefer to use software that is in no way connected to my bank :)
-
I assume nobody cares about the thing they signed with their bank to not disclose their password to ANYONE?
That's the one that stopped me... sure I can trust the site, but if it violates my agreement with my bank of 20+ years, and if anything goes wrong I'm *screwed*, not just 'fraud victimized'....
I prefer to use software that is in no way connected to my bank :)
I'm with you on this point. I trust that mint is secure, but it really now comes down to the fact that if something terrible happened, would the bank back me up even if I violate TOS by handing my password to a 3rd party.
For this reason, I closed my mint account a couple months ago.
I ended up writing my own expense tracking software that has no mint-style automation. A local (to my network) database with budgets, transactions, and long-term networth tracking. Building a Windows app that is used for data entry and reporting. No personally identifiable information or bank account numbers or passwords. It's still in progress, but I have been using it so far to track my 2013 expenses.
It requires manual data entry, but I prefer it this way anyway because it helps keep me in tune with my exact financial status at all times.
-
A well respected tech journalist, Leo Laporte has covered mint.com a few times on his shows. He was also very untrusting of letting mint.com have his financial credentials. It appears that many of the banks use a backend called yodlee.com or a service like it to secure your data. Mint uses one of these backend services just like your online bank.
Leo briefly covers it in this link at after the 3 minute mark:
http://twit.tv/show/ipad-today/119
I could not find the lifehacker article that he mentioned but it seems that mint.com is at least safer than we have feared or at best just as safe/unsafe as using online banking since they use the same back end. Just be sure to use a $+r0nG password with your mint account as will any account.
-
I could not find the lifehacker article that he mentioned
I linked to a lifehacker article in the third reply to this thread. Haven't listened to your link, so I'm not sure if that's the one he was talking about, but it does address Mint's security.
-
I found that article but Leo had mentioned one by Gina Trapani addressing this subject as well and why your credentials are safe do to the same backend (yodlee.com) being used. I did not mean to repeat the same info, just to shed some light that if you bank online with your banks website, they like use the same backend services that mint uses. I glazed through but did not see it mentioned. It may have missed it though.
-
Mint used to use Yodlee, but when they were bought by Intuit, they switched to a proprietary program developed in-house. Bof A's "My Portfolio" and Fidelity's "Full View," which are somewhat similar to Mint in function, still use Yodlee. Lots of other banks and credit unions offer Yodlee-backed transaction tracking programs.
Some of your data must remain in the provider's files. How else could the program make comparisons over time and tell you when you spend above the budget in a category? I know the "My Portfolio" version stores data, because it tells me when it last updated each account. Often it is hours or even days before. It also tells me how my net worth changes and compares actual to budgeted numbers.
I still use the program, even though there appears to be a risk. I don't use Mint because Intuit is not a regulated financial institution. I figure I will have more leverage with Bank of America if my data is compromised, because it is.
-
Any cashier worth their weight in paper bags can go into the computer after a transaction and extract your credit card number. 99.99% of the time they don't though.
I know I'm dragging this post up from way in the past but - I write point of sale software for a living. We don't store the credit card number in the system. As far as I know none of our competitors do either. The charge gets processed, if it passes then the card type and the last 4 digits as well as the transaction numbers get stored against the invoice. I can stare at millions of transactions with a few clicks of the mouse. Peoples names, addresses, phone numbers, and in some cases emails are all right there to read. Not one single credit card number. This is very very intentional, we don't feel like being liable if someone manages to hack the system and steal all of the data. At best they'll get the same info in the phone book and facebook and what groceries they've bought.
Now the old school put the card in the machine and then roll the thing across it to stamp the slip (showing my age I don't know what that was called but it was before electronic card verification) that recorded everything necessary to commit fraud.
-
How about the waiter walking away with your card and coming back 5 minutes later with a slip for you to sign. They could certainly write all the info down off the card.
Substitute that example into Bakari's post and you still have the point he was trying to make.
-
I assume nobody cares about the thing they signed with their bank to not disclose their password to ANYONE?
That's the one that stopped me... sure I can trust the site, but if it violates my agreement with my bank of 20+ years, and if anything goes wrong I'm *screwed*, not just 'fraud victimized'....
I prefer to use software that is in no way connected to my bank :)
1) I'm pretty sure I didn't sign that with my bank.
2) Mint is not a person.
3) What's the worst the bank could do? Fire you as a consistently great customer with a long history, shoot themselves in the foot, and tell you to go find another bank? For a trivial non-offense?
-
1. Check your on-line banking access agreement. In all likelihood, it's there.
3. The "worst the bank could do" is not reimburse you for the fraud if you and not they are responsible for the password compromise.
-
1. Nope, I don't see it anywhere, and I didn't see it anywhere when I signed up for the account. All I see is a boilerplate "indemnify and hold harmless clause". Maybe you could look at the agreement (https://cuonline.kemba.org/NovaOnline/Docs/Disclosure%20Statements.pdf) and point out where I'm missing it?
3. If there were ever a single documented instance of fraud from Mint leading to a Mint user losing even a single cent, I might be a little more sympathetic. I agree that there is a possibility of that risk, and that issues like this have happened with many password databases, but it's probably about as likely as being struck by lightning, so it's not even worth the effort of worrying about it. If you wanted a big haul, wouldn't you attack something like a life insurance company or a small financial advisor's office? There's a lot more money for a lot less effort there, to be sure.
-
1. Check your on-line banking access agreement. In all likelihood, it's there.
Nope. Total BS. Do you think the vast majority of banks would be actively and willingly working to be compatible with a major financial service like mint if using it violated customer's terms of service?
The "worst the bank could do" is not reimburse you for the fraud if you and not they are responsible for the password compromise.
Yeah, prove it.
Stop being a baby and thinking the finance Nazis are controlling every move you make.
-
As I said, I USE one of the Yodlee programs, the B of A program. My banks and credit unions do not "allow" you to disclose your password. There could be a liability issue, although the fact that B of A and many other financial institutions offer and promote the programs is a bit of a head scratcher. Intuit has a ton of experience protecting data in Turbo Tax and probably takes a similar level of precaution with Mint. That being said, I still prefer to keep the data at the financial institution, not on an Intuit server.
-
I'm debating setting up Mint to consolidate my financial information, as opposed to doing it from Quicken (or where it is now, which is a spreadsheet). Much like the original poster, I am a little queasy about this, which is how I found this thread while searching for thoughts from others. I've read the links provided above, but they are a little short on discussing the actual vulnerabilities and/or liability.
One thing I did find on the web was when "heartbleed" came out last year, some people weren't really satisfied with Mint's response.
http://www.ianww.com/2014/04/15/mint-is-misleading-users-about-heartbleed/
https://news.ycombinator.com/item?id=7595317
It sounds like in the end, they did not have the heartbleed vulnerability. But, if they did, the risk is basically what's called a "man in the middle" attack between mint and your banks. The way mint works is it calls web services provided by the financial institutions, logging in essentially as you, to get your data. If a hacker did a man in the middle attack, that is to say intercepted the stream of data between mint and your bank, and was able to decrypt it because of heartbleed, they would end up having your user name and password for that institution. Once they've got that, they can do whatever they want with your money.
The other thing that gave me pause is e*trade's consumer protection info, which says, "Related Party Fraud: We will not be responsible for withdrawn funds if you provide your User ID or password to anyone else. " https://us.etrade.com/e/t/home/securityguarantee
I would presume that giving Mint your user ID & password would qualify as "to anyone else".
All that said, I suspect the risk is still pretty low. Probably not much different than Quicken's Password vault on your PC and probably lower than malware putting a key logger on your browser. But, I still can't bring myself to sign up. My net worth probably doesn't need to be checked more than once a month or so anyway.
-
Mustachians rave about Mint to track expenses/net worth. I took a tour, and it does look like it'd be pretty awesome at the job.
However, I can't help but feel queasy about giving this company/web site all my account numbers and passwords. Somehow, I could see hackers getting to this info, and very bad things happening. It's like trusting a stranger with my bank card and PIN, or with a suitcase full of cash, and asking them to watch it for me, while I pop into the washroom at the mall.
Yes. You should absolutely be paranoid. Completely, thoroughly, and utterly paranoid. I would never give someone all of that information.
-
How about the waiter walking away with your card and coming back 5 minutes later with a slip for you to sign. They could certainly write all the info down off the card.
Substitute that example into Bakari's post and you still have the point he was trying to make.
Yup. That's exactly why I don't give my credit card company permission to pull money (EFT) from my bank account either. If we're going to have an argument, I want to be the one holding the money.
But banks may or may not owe you anything in case of fraud, and once the money's gone, you're at the mercy of the bank.
In one of our classes on computer security (long time ago), we read a paper on bank security. Apparently most fraud did indeed occur from tellers taking down information. I remember reading one story where a lady's account got cleaned out, and the bank accused her of trying to steal from the them. The only way they found out the lady was telling the truth was that the teller had "An attack of conscience." Great.....
-
It's not the security aspect you should be worried about - it's the sanity part. Having all your accounts in one place means you're going to look at your accounts more often since its easier. Just limit yourself.
-
I bet that's what Sony and Home Depot said amongst themselves.
'we don't have time for that security stuff. plus it will make us less productive.'
-
I bet that's what Sony and Home Depot said amongst themselves.
'we don't have time for that security stuff. plus it will make us less productive.'
The thing is this--we're all human. The people programming Mint are human. It just takes one mistake to screw you over.
I've seen enough situations as a programmer to be very wary of assuming anyone is doing things right. Even me. I used to say "there's no way I'd ever ride on an airplane I'd programmed." I make mistakes. Others make mistakes. Someone I know was mailed the entire list of names, birthdays, and SSNs for a school district as part of an excel spreadsheet sent without encryption. Did you put your SSN on your kid's school application? I won't now. I don't make any assumptions anymore.
The best way to keep a secret is not to tell it to anyone.
-
It's striking that even with all this hearsay not a single person in this thread has suffered a penny of loss from using Mint. All you will lose over this issue is sleep.
-
It's striking that even with all this hearsay not a single person in this thread has suffered a penny of loss from using Mint. All you will lose over this issue is sleep.
Yeah, the Titanic was so safe that they didn't need lifeboats for all the passengers and that turned out well from what I recall.
-
Call it what you want but by using Mint, you are providing passwords to a third party. This can leave you vulnerable should something go way wrong, which it will someday.
-
It would be nice if Mint had a way for me to just import data from the bank. I know my bank will export it in various formats for me to download. Then I could just upload it to mint periodically. This way mint would not have any passwords, account numbers (easy enough to scrub from the exported files), etc.
-
It would be nice if Mint had a way for me to just import data from the bank. I know my bank will export it in various formats for me to download. Then I could just upload it to mint periodically. This way mint would not have any passwords, account numbers (easy enough to scrub from the exported files), etc.
Quicken can (check your bank's web site for a "download info to financial programs" option) work this way. Don't know about Mint.
As for security, one "can't prove a negative." In other words, one can't prove that a problem will never occur if Mint (or Quicken, or...) has external account passwords. So it's a matter of personal preference and risk tolerance. Personally we think the risk is sufficiently close to zero that we have all our accounts linked to Quicken. YMMV.
-
If anything, the heartbleed thing should tell us that having an account - any account, period - puts you at some risk.
I have had credit cards hacked from overseas, and had neighbors go through my mail and/or trash and print fake checks that drew on my bank account.
Not having Mint does make you safe.
If you are worried about online security, by the same measure you should have no credit cards or bank accounts or investment accounts either.
Keep all your money in cash under your mattress. Or maybe gold.
Except, then someone might break in and steal it.
The question isn't whether a certain risk is technically possible, its whether the probability, times the damage, outweighs the gain.
(In my examples the damage was some lost time and effort in contacting the banks - all of my money was refunded)
Assuming the risk of credit fraud is real, the ability to quickly and easily check all my accounts every day or two, vs. checking a statement at the end of the month, seems like a way to safer online to me
-
Mint is owned by Intuit. http://www.intuit.com/products/
Turbo Tax (another Intuit product) seems to have had a little problem recently. http://www.washingtonpost.com/news/get-there/wp/2015/03/06/turbotax-says-it-received-inquiries-from-federal-investigators-about-tax-fraud/
I'm sure Mint is safe. (I'm assuming purple is the color for sarcasm.)
But go ahead all ye faithful. Put your passwords into Mint. Nothing can go wrong.
-
I assume nobody cares about the thing they signed with their bank to not disclose their password to ANYONE?
That's the one that stopped me... sure I can trust the site, but if it violates my agreement with my bank of 20+ years, and if anything goes wrong I'm *screwed*, not just 'fraud victimized'....
I prefer to use software that is in no way connected to my bank :)
It would be nice if Mint had a way for me to just import data from the bank. I know my bank will export it in various formats for me to download. Then I could just upload it to mint periodically. This way mint would not have any passwords, account numbers (easy enough to scrub from the exported files), etc.
Regarding this, my Capital One checking and savings account recently added a feature where they provide you a code to give financial services companies (such as Mint) that is separate from your personal login information. You have the option at any point to login to your Capital One account and disable services from using this code to access your information, or to change the code (i.e. if you think it has been compromised but want to keep using the service). This seems like a good compromise, and I wouldn't be surprised if more banks start using a similar system. The bank can tell which logins are you and which logins are a separate service, and I would presume the separate code access provides only a view option, not the ability to move money.
All of this being said, I have been using Mint since 2007 with no problems. I love it. It also notifies me incredibly quickly of large or uncharacteristic transactions, sometimes faster than my bank itself, or even transactions my bank chose not to notify me about.
I actually feel more secure using Mint, because it allows me to check up on my accounts regularly without needing to login to my bank accounts directly. I live in China and travel frequently in Southeast Asia. Computer security here can be... dodgy. I feel significantly more comfortable being able to use Mint and have only that login potentially compromised (I just use it on my phone, my tablet and my work computer, not at internet cafes or anything like that), than potentially compromising my direct account logins with which someone could actually gain access to my money. YMMV.
-
One thing that makes me uneasy is this. If someone steals your credit card number and runs up unauthorized charges, your credit card company will not charge you for those transactions, once you report it.
But if someone hacks into Mint and gets your bank details, and uses them to siphon money from your account, your bank will not refund you your money. Anyone who operates using your password is considered a fully authorized user of your account.
So if someone did this, you could pursue them through legal channels, assuming you could identify them — good luck with that. But your bank will not refund you the money.
-
One thing that makes me uneasy is this. If someone steals your credit card number and runs up unauthorized charges, your credit card company will not charge you for those transactions, once you report it.
But if someone hacks into Mint and gets your bank details, and uses them to siphon money from your account, your bank will not refund you your money. Anyone who operates using your password is considered a fully authorized user of your account.
So if someone did this, you could pursue them through legal channels, assuming you could identify them — good luck with that. But your bank will not refund you the money.
That's crazy. I definitely didn't know that.
I just use excel to track monthly expenses, net worth, etc.. I've never used mint.com but I don't see the need to. I simply punch in my monthly variables and the excel worksheet I created calculates it for me.
-
Mint is owned and operated by Intuit (maker of Quicken/Turbotax). Not that that guarantees protection, but, it's not like they're some small time operation.
They have the financial means to provide and improve security.
If you're worried about Mint, I wouldn't online bank either.
-
I didn't read every post in the thread, so someone may have already mentioned this. I use a token that changes every 30 seconds to login to my bank's website. This gives me great peace of mind. To use mint with this account would I have to go back to just a username and password?
-
One thing that makes me uneasy is this. If someone steals your credit card number and runs up unauthorized charges, your credit card company will not charge you for those transactions, once you report it.
But if someone hacks into Mint and gets your bank details, and uses them to siphon money from your account, your bank will not refund you your money. Anyone who operates using your password is considered a fully authorized user of your account.
So if someone did this, you could pursue them through legal channels, assuming you could identify them — good luck with that. But your bank will not refund you the money.
I may have been unclear, or you may have missed it: Someone DID illegally access my bank account and withdraw a large amount of money, and my bank DID refund 100% of the money, even though they didn't (officially) ever catch the people who did it*
*(I say officially because I knew who did it, it was my crack-head neighbors who had previously been in prison for writing fake checks, but there wasn't enough hard evidence and the police department felt it was too small an amount to launch a full-scale investigation. Which sucked, but the important thing from my point of view is I got all of my money back)
-
Mint is owned and operated by Intuit (maker of Quicken/Turbotax). Not that that guarantees protection, but, it's not like they're some small time operation.
They have the financial means to provide and improve security.
If you're worried about Mint, I wouldn't online bank either.
I used to take more comfort in that until Turbo Tax reecntly had issues with fraudulent state findings and they basically said its not our issue - its the IRS responsibility.
Seems they are a bit lax in the security and oversight aspect of their business - I was very surprised and now question mint.
-
Mint is owned and operated by Intuit (maker of Quicken/Turbotax). Not that that guarantees protection, but, it's not like they're some small time operation.
They have the financial means to provide and improve security.
If you're worried about Mint, I wouldn't online bank either.
I used to take more comfort in that until Turbo Tax recently had issues with fraudulent state findings and they basically said its not our issue - its the IRS responsibility.
Seems they are a bit lax in the security and oversight aspect of their business - I was very surprised and now question mint.
Except, keep in mind that people file fraudulent returns using paper, they file fraudulent returns in in-person tax-return offices, and they file fraudulent returns using other software.
Probably one of the main reasons TurboTax gets called out is simply that they process more returns than most other companies. That doesn't mean their process is any less secure than anyone else.
A lot of experts still say filing online is safer than using paper:
http://www.in.gov/dor/5060.htm
http://www.cnbc.com/id/100359963#.
https://www.protectmyid.com/identity-theft-protection-resources/prevention-tips/tax-time-identity-theft.aspx
So you really have to take news like that in the greater context
-
Mint is owned and operated by Intuit (maker of Quicken/Turbotax). Not that that guarantees protection, but, it's not like they're some small time operation.
They have the financial means to provide and improve security.
If you're worried about Mint, I wouldn't online bank either.
I used to take more comfort in that until Turbo Tax reecntly had issues with fraudulent state findings and they basically said its not our issue - its the IRS responsibility.
Seems they are a bit lax in the security and oversight aspect of their business - I was very surprised and now question mint.
The fraudulent returns did not involve info stolen from turbo tax. Bad guy has victims SSN, name, address, etc. Bad guy goes on to turbo tax, creates an account and files the return. It is identity theft. Same as doing it on paper. Turbo tax security has nothing to do with it. Bad guy already had all of the necessary info.
-
Also, Mint topped 10 Million users in 2012. Here is how I look at it. If 10 Million users have their bank accounts wiped out, something would have to be done about it. I'm not usually one to say "I'll let the government take care of me" but I can't imagine we as a society would ever say "too bad so sad" to 10 Million people. So, let's say instead a hacker just looks to wipe out one bank account. I think the 1 in 10 Million chance that it will be me is so small that I will role the dice.
-
A lot of experts still say filing online is safer than using paper:
.
.
.
So you really have to take news like that in the greater context
The fraudulent returns did not involve info stolen from turbo tax. Bad guy has victims SSN, name, address, etc. Bad guy goes on to turbo tax, creates an account and files the return. It is identity theft. Same as doing it on paper. Turbo tax security has nothing to do with it. Bad guy already had all of the necessary info.
I agree with of you that fraud happens and generally electronic is safer, but as big as they are they have a responsibility to the customers and ultimately the shareholders to provide better checks and balances...if they are lax or complacent about punting to the IRS then they may be the same in other regards. The other tax programs didn't have a similar increase in fraudulent filings, and it is not by chance that turbotax implemented a number of new security measures for customers after all of this. At the end of the day, customers will determine the outcome if not addressed properly.
-
I agree with of you that fraud happens and generally electronic is safer, but as big as they are they have a responsibility to the customers and ultimately the shareholders to provide better checks and balances...if they are lax or complacent about punting to the IRS then they may be the same in other regards. The other tax programs didn't have a similar increase in fraudulent filings, and it is not by chance that turbotax implemented a number of new security measures for customers after all of this. At the end of the day, customers will determine the outcome if not addressed properly.
Two problems with this though. Everyone pays taxes (let's assume without getting sidetracked), but not everyone uses TurboTax. While it's an extraordinarily popular way to file taxes, I assume the overall percentage of people who file taxes using TT is low. So John Doe files his taxes with his accountant, who does not use TurboTax or any Intuit program at all. Jane Smith is a bad person who has stolen all of information and files a fraudulent tax return in his name. How is Intuit/TurboTax supposed to know? They don't have a database on everyone in the country - that would be more disconcerting, to be honest. That should be up to the IRS to handle (or should be, at the very least).
And in regards to TurboTax having a higher amount of fraudulent returns filed... I wonder how true it is that other programs didn't have such an increase like TurboTax. TT had a lot of bad press for raising prices without announcing it (yes an issue, but for another discussion). If it's one thing the media loves doing it's adding more bad press or existing bad press. TT's been in the news for raising prices... what else have they done? It's clickbait. H&R Block and other services just have to keep their head down and not say anything and they get Intuit's business.
I'm an avid Mint user with my own problems with the site (it keeps doubling my 401k... I wish they could actually make it happen!). There are glitches, they categorize incorrectly from time to time, and the customer service is kind of a joke. But what I get in return, for not paying a dime, is worth it. Safety and security has never been an issue for me with them.
-
Two problems with this though. Everyone pays taxes (let's assume without getting sidetracked), but not everyone uses TurboTax. While it's an extraordinarily popular way to file taxes, I assume the overall percentage of people who file taxes using TT is low. So John Doe files his taxes with his accountant, who does not use TurboTax or any Intuit program at all. Jane Smith is a bad person who has stolen all of information and files a fraudulent tax return in his name. How is Intuit/TurboTax supposed to know? They don't have a database on everyone in the country - that would be more disconcerting, to be honest.
But you still haven't gotten to the part where that makes you at risk of identity theft from using TurboTax.
That should be up to the IRS to handle (or should be, at the very least).
It is (http://www.irs.gov/uac/Taxpayer-Guide-to-Identity-Theft).
-
I am personally not worried about it at all.
Same with credit karma.
-
But you still haven't gotten to the part where that makes you at risk of identity theft from using TurboTax.
I didn't 'get to it' because I don't believe using TurboTax makes you at any more risk for identity theft than most other methods of filing your taxes.
It is (http://www.irs.gov/uac/Taxpayer-Guide-to-Identity-Theft).
Sarcasm, my dear. Yes, it is the IRS's responsibility. Doesn't mean they do a very good job of handling it.
-
If 10 Million users have their bank accounts wiped out, something would have to be done about it.
Wipe out 10,000,000 bank accounts? How about extracting a few dollars per month from each account. Alternatively there's a black market for financial credentials - if an attacker was to get access to mint, they could sell user's credentials to others. Since mint must have credentials from many financial institutions, it would be quite the hairball to sort everything out after the fact.
In the worst case where millions of bank accounts are wiped out, what could be done about it? Would Intuit be held to account for the losses? Or would it be up to the federal government to make the users whole again? Or each individual financial institution? How many cents on the dollar of losses would be achieved?
Perhaps this is all alarmist - Mint says we use the same 128-bit SSL encryption and physical security standards as your bank. We’re also verified and monitored by third party experts such as TRUSTe, VeriSign and other stalwarts of online security.
We all know Verisign would never issue bogus root certificates.
Enough with the negativity (on my part, I mean). For Canadians, the Bank of Montreal has added a very nice budgeting and tracking service. If you have BMO accounts and credits cards it does a great job of categorizing expenses. You can create rules putting specific payments and specific vendors into specific categories. The only thing I haven't figured out how to do is export the results into a spreadsheet. You can take screenshots of the pie charts though.
-
If 10 Million users have their bank accounts wiped out, something would have to be done about it.
Wipe out 10,000,000 bank accounts? How about extracting a few dollars per month from each account.
And none of them notice? Or many of them do, and it's reported/discovered ASAP?
Which seems more likely to you?
Alternatively there's a black market for financial credentials - if an attacker was to get access to mint, they could sell user's credentials to others.
And that's different from now... how?
I mean, I agree, that's a risk,
A fairly small one, IMO. But one you take (or not) if you want to do things over the interwebs.
The bottom line is this:
If you're worried about Mint, I wouldn't online bank either.
-
I disagree with that one. When you're banking online there's no 3rd party involved (i.e. Mint). And the security breach will be specific to 1 financial institution, not all the different financial institutions
of all the mint users.
Like you say, it's risk management. If all you have in the accounts is a couple of thousand dollars for paying bills not to worry. If you have a 3 month emergency fund, maybe it's a different story.
-
If 10 Million users have their bank accounts wiped out, something would have to be done about it.
In the worst case where millions of bank accounts are wiped out, what could be done about it? Would Intuit be held to account for the losses? Or would it be up to the federal government to make the users whole again? Or each individual financial institution? How many cents on the dollar of losses would be achieved?
https://www.fdic.gov/about/mission/
You have to go beyond not banking online to be sure you are never a victim of internet based account medling.
Remember last year when Home Depot's servers were hacked?
Unlike fears of Mint being hacked, this actually happened.
It made zero difference if you accessed your account and/or home depot's website online or not.
Everyone who USED A CREDIT CARD at any Home Depot was at risk of hacking.
So like I said earlier, the only way to be safe from things like that is to not use credit cards or banks AT ALL.
If your bank has online access - whether or not you personally make use of it - OR, if ANY store you ever shop at has online access or networked servers, then your personal information is at risk, and good hackers could hypothetically drain your bank account or max out your credit card.
But wait - when my ex-girlfriend got her credit card account hacked, it was because a restaurant employee wrote down her credit card number on paper and kept it. And when my bank account was hacked, they stole a bank statement from my (locked - but not that strong) mailbox, and used it to create fake checks.
Again, these are all real life examples that actually happened, not imaginary worst case scenarios. And none of them in any way involved online account access.
This is like how people worry about kidnappers, or being shot by cops, or plane crashes, yet don't think twice about driving 75mph on the freeway, even though that kills 1000s of times more people every year.
-
You should assume that:
- Mint is a tantalizing target for cyber criminals
- Mint is under constant probing / reconnaissance from said criminals
- Mint is no different than any other application in this sense
- Were Mint to be successfully exploited, all the data you provided Mint would be in the hands of attackers, including the usernames & passwords you gave them to log into your bank accounts for them.
- Security is hard and Mint is vulnerable. It is only a matter of time before they are exploited.
That said, you should still consider whether the value is worth the risk. For me it is.
A few other thoughts.
- It would be smart to disable the Mint email notifications that include your balances / net worth. Having those in cleartext in your email is a privacy risk with little upside.
- Have all of your banking account information stored in a secure location so that if mint were exploited, you could quickly go to all your bank accounts and change your passwords.
- If your bank allows you to generate a token for use on sites like mint, use that rather than your normal username/password.
I would not assume that mint has their shit together. Most organizations don't because they can't and because they are not properly motivated. It's wild west out there.
http://www.cbsnews.com/news/the-reason-companies-dont-fix-cybersecurity/
-
My health insurance just got hacked. They are providing free credit monitoring service and if you suffer actual damages they have another company hired to fix that for you. The way I view it, nothing is safe, we are doing damage control all the time, and I'm not going to let that stop me from using services I find useful. However, I do agree that Mint poses a more unique risk given that you are providing your credential to other sites.
I do laugh sometimes at how over secure my student loan log-ins are. What is a hacker going to do? Pay my loan off for me? Go ahead!
-
I do laugh sometimes at how over secure my student loan log-ins are. What is a hacker going to do? Pay my loan off for me? Go ahead!
I find it more than just ridiculous, but downright counter productive how secure the military make us make our passwords.
12 Characters (or more), at least one capital, lowercase, number, and special category. And then mandatory change every 3 months (to one which was never used). 3 mistaken log in attempts, have to reset it.
All of which means, there is no realistic way that any one could remember their password without writing it down somewhere.
Which immediately defeats the purpose of having a secure password!