Mint.com security concerns?

[Baylor3217]

I understand many if you use that site. How do you get past the obvious security concerns?

[Daley]

There's actually a good thread on it here.

For what it's worth, I won't use it... but I'll spare the reasons.

[Honest Abe]

They've (intuit)  been aggregating people's financial information for decades with their Quicken software. While past performance doesn't guarantee future results, I'd say their track record is relatively clean.

I think the best thing you could do, with or without mint, is to use a password manager like lastpass to generate distinct, strong passwords for all of your sites (especially forums such as this)

[Spork]

They've (intuit)  been aggregating people's financial information for decades with their Quicken software. While past performance doesn't guarantee future results, I'd say their track record is relatively clean.

Ima gonna disagree.  The online version of TurboTax has been plagued over and over by security breaches.  (Example).  Some of these were just plain stupid.  One I remember was something along the line of theirwebsite.com/their_url?customer=12345.  If you wanted to see someone else's return, you just changed that number on the end.  Maaaahvelous.

If you are going to base your decision on past performance: they've not been great.

[MtnGal]

http://www.mrmoneymustache.com/2011/12/12/watching-your-stash-with-mint/


Just in case you missed it.

[chucklesmcgee]

I understand many if you use that site. How do you get past the obvious security concerns?

The same way you got past the fears of handing your credit card information over to an incredibly secure database when making an online purchase despite being completely alright with leaving your card over to a shady waiter or an unknown customer service agent over the telephone. Your information is already out in a million different places, putting it in one additional secure place isn't going to make much of  adifference.

[Spork]

I understand many if you use that site. How do you get past the obvious security concerns?

The same way you got past the fears of handing your credit card information over to an incredibly secure database when making an online purchase despite being completely alright with leaving your card over to a shady waiter or an unknown customer service agent over the telephone. Your information is already out in a million different places, putting it in one additional secure place isn't going to make much of  adifference.

I wouldn't say that's a valid comparison.  The credit card is "VISA's money".  My bank/investment accounts are "my money".

You are probably safe with Mint.  Probably.  But I wouldn't use it.

[BlueMR2]

I went around and around with this myself.  Ultimately, I'm not going to use it.  Benefits just don't outweigh the risks for me.

[GoStumpy]

The same way you got past the fears of handing your credit card information over to an incredibly secure database when making an online purchase despite being completely alright with leaving your card over to a shady waiter or an unknown customer service agent over the telephone. Your information is already out in a million different places, putting it in one additional secure place isn't going to make much of  adifference.

Definitely a difference between giving a website your credit card number, and giving your bank account PASSWORD....

It also violates the T&C of my Bank, so if heaven forbid something DOES happen (not likely I know), my bank is NOT responsible for $ lost!

And don't think it *can't* happen!!  IT DOES... I just found out an entire block of STUDENT LOAN information was 'leaked', account numbers, Social Insurance #'s, etc...  If a Government Student Loan program can make mistakes, so can some website without people to talk to.

[randymarsh]

There's obviously security concerns with ANY system that has your information...but I just don't get the specific concerns with Mint. I also don't understand what real world implications a hack would really have.

If Mint itself was hacked, they could see how much I spend on stuff and how much debt I have? I guess that could be awkward for some people (online porn or gambling transactions maybe?)

If they actually gained access to my usernames/passwords, they could log into my accounts. Then what? Mail a check somewhere? Do a funds transfer? Now they've given a paper trail and account information. Seems like an easy way to get caught.

My information is already a million different places. Experian, Transunion, Equifax, US Department of Education (student loans), Social Security Administration, IRS, Vanguard, Chase, Citi, Discover, etc. They could all be hacked too. Some of those pose a more serious risk than Mint getting hacked.

Maybe I'm just naive, but I'm not worried about Mint. I check my credit reports a few times a year (so I'd notice any new accounts easily), and login to online banking at least twice a week so I'd notice any odd behavior. The credit card companies text me when transactions above a certain amount go through.

To be honest, I think someone leaving a company laptop in a taxi with unencrypted information on it is way more likely than a Mint hack.

[Spork]

If they actually gained access to my usernames/passwords, they could log into my accounts. Then what? Mail a check somewhere? Do a funds transfer? Now they've given a paper trail and account information. Seems like an easy way to get caught.

If you watch what goes on with computer security ... this type of hack happens all the time.  (I'm not referring to mint.... but the type of attack.)

Usually when folks get userids/passwords, they pass them through a money mule.  They have "work at home" scams where they hire people to move money (or hard goods) around.  These are innocent people that think they're getting paid to do legal tasks.  When the hammer comes down, it's these people that get busted.  It's very common.

[the fixer]

I'm squarely in the no-Mint camp. I'm a software developer with some security background. No website should know that much about my finances, especially one that does not offer any financial assurance they will keep it safe. Sure, I have a lot of money with Vanguard and if someone got into my account they could do a few malicious things, but if that breach were Vanguard's fault they would be liable. If Mint gets compromised, I believe it would be too easy for my bank and Mint to just point fingers at each other and refuse to compensate me.

Intuit has made themselves an extremely high-value target, and the payoff from a criminal organization compromising their account credential database is probably much greater than the amount Intuit spends on its security team. The criminals will eventually win, because they have more to gain.

I also don't trust Intuit not to sell my personal information (where I use my CC, what services I subscribe to, my net worth, etc.) to marketing and advertising firms like every other free service out there does. Maybe they do already, I don't care enough to check. Even if they don't do it now, they will someday. It's economics: the longer they hold out, the more valuable that data would be to buyers and the more tempted they'll be to sell it. Eventually some PHB will decide to pull the trigger; at that point if my data is already there, I can't stop them.

I track all my finances in gnucash.

[GoStumpy]

My information is already a million different places. Experian, Transunion, Equifax, US Department of Education (student loans), Social Security Administration, IRS, Vanguard, Chase, Citi, Discover, etc. They could all be hacked too. Some of those pose a more serious risk than Mint getting hacked.

If Experian, Transuinion, Equifax, IRS, Vanguard, Chase, Citi, Discover, got 'hacked', it would be THEIR fault, and they 99.9% of the time refund fraudulent charges.

If mint.com is 'hacked' and allows access to your bank account, (with the password you've given them), you're screwed because you violated the T&C of your bank.  The money is gone.  Bye Bye. 

THAT is why I stopped, I don't like blatantly violating the T&C of my online banking, giving them full authority to deny reimbursement if something happens to go wrong.


Besides, it wasn't that useful anyway :)