Author Topic: Please help calm my mint.com paranoia  (Read 10884 times)

begood

  • Handlebar Stache
  • *****
  • Posts: 1013
  • Location: SE PA
Please help calm my mint.com paranoia
« on: April 24, 2014, 03:41:58 PM »
I joined mint.com today! Yay!

I got our Visa account connected (the card we use for everything that's not Costco or Target), and our Target card. I haven't done the Amex because it's in flux (changing from one Costco Amex to a different one with better rewards). Once we get the new card up and running, I'll add it in too.

And then I got to the part where I'd add in the bank account. The place where a lot of my money lives. And it wants both username and password, and maybe I should have had that burst of panic over putting in those items for the credit cards, but somehow it's the bank that's really giving me pause.

We do the vast majority of our life transactions with the three cards: Visa, Target, Amex. But things like the electric bill, auto insurance, life insurance, taxes (estimated and year-end), and the kid's tuition come straight out of the checking account, so they're not included in the handy-dandy breakdown I was able to pull up.

In fact, now that I think about it, the electric bill is one of the few regular monthly bills I pay directly from the checking account; the other regular bills are the three cards. Hmmm... I wonder if I could do auto pay on the Visa for the electric bill too???

We have an HSA account for the first time this year, so medical expenses are also not included in that. I'm barely dealing with the NEW NEW NEWNESS of that without trying to connect it to Mint.com!

If I am trying to get a sense of spending by category, do I *need* to connect my bank account? Am I just a total wuss? Am I missing out on true value by only looking at part of the picture? Or because that's where most of our discretionary spending is, it's okay to do the cards but keep the checking account out of it?


nawhite

  • Handlebar Stache
  • *****
  • Posts: 1081
  • Location: Golden, CO
    • The Reckless Choice
Re: Please help calm my mint.com paranoia
« Reply #1 on: April 24, 2014, 04:05:57 PM »
(Disclaimer: I work in Cyber Security but have all of my info including bank accounts in mint)

There are 2 main threats from giving mint your passwords. Each has unique mitigating protections.

1. Internal Threat - Someone at Mint (employee) steals your password and logs into your bank account and steals your money.
Mitigating factors:
- Intuit (the owners of Mint) legally have to hold insurance for this very case.
- There would probably be a paper trail from your bank to whatever bank they transfer the money to. The FBI would then follow up on it for you.
- You are one of MANY users of Mint and you probably don't have the highest bank balance on there so you aren't a high priority target.

2. External Threat - Someone hacks the password database of Mint and steals your passwords.
Mitigating Factors:
- Mint should be encrypting your bank passwords with your Mint password (plus some extra stuff but let's keep it simple). Thus, the password that matters (strength-wise) is your Mint password not your bank password.
- If Mint's password database were stolen, the first credentials the hackers would find are the ones of people with weak Mint passwords. If your password is strong enough, the hackers will likely NEVER brute force it even if they have the database and a supercomputer (my mint password, like my bank passwords, is a string of over 25 random characters including special characters. I use a password manager called KeePass which is like LastPass or 1Password).
- Intuit also has insurance for this case.

So, in either case, if you have a strong password, you are protected by Intuit's insurance, by being one of MANY customers, and by being one of the harder ones to hack (because of your good password).

It makes me feel safe enough.


That being said, the net-worth graphs are pretty darn amazing in my opinion and the budgeting Mint offers is the only solution I have been able to get my wife to stick with.

stevesteve

  • Guest
Re: Please help calm my mint.com paranoia
« Reply #2 on: April 24, 2014, 04:14:24 PM »
Some accounts also have codes for third party access.  Capital One 360 has this and I believe Vanguard can only have viewer accounts.  That means it can view the data but not make any changes.  For the accounts that let you, I recommend doing this.

warfreak2

  • Handlebar Stache
  • *****
  • Posts: 1136
  • Location: UK
    • Music by me
Re: Please help calm my mint.com paranoia
« Reply #3 on: April 24, 2014, 04:21:52 PM »
Some accounts also have codes for third party access.  Capital One 360 has this and I believe Vanguard can only have viewer accounts.  That means it can view the data but not make any changes.  For the accounts that let you, I recommend doing this.
+1

I find it very disappointing how few banks do this. I want a bank where I can add and remove access passwords, and set the privileges associated with each, but that's unlikely to happen soon.

begood

  • Handlebar Stache
  • *****
  • Posts: 1013
  • Location: SE PA
Re: Please help calm my mint.com paranoia
« Reply #4 on: April 24, 2014, 06:34:17 PM »
Thank you so much for the detailed, specific info, nawhite. On your advice, I went and changed the password to one with 20+ characters - letters, numbers, and one special character. I do feel better about it, and I appreciate you taking time to go over the reasoning.

It doesn't appear that my bank offers that third-party access code, stevesteve and warfreak2. I think sometimes the capability of the internet far exceeds most corporations' ability to cope with it!
« Last Edit: April 24, 2014, 06:39:47 PM by janiebegood »

GoldenStache

  • Stubble
  • **
  • Posts: 236
  • Location: Washington, DC
Re: Please help calm my mint.com paranoia
« Reply #5 on: April 24, 2014, 08:25:10 PM »
I looked into it and it kept me from Mint…  I am not able to give up that much control.

arebelspy

  • Administrator
  • Senior Mustachian
  • *****
  • Posts: 28444
  • Age: -997
  • Location: Seattle, WA
I am a former teacher who accumulated a bunch of real estate, retired at 29, spent some time traveling the world full time and am now settled with three kids.
If you want to know more about me, this Business Insider profile tells the story pretty well.
I (rarely) blog at AdventuringAlong.com. Check out the Now page to see what I'm up to currently.

DaKini

  • Bristles
  • ***
  • Posts: 415
  • Location: Germany, Munich area
Re: Please help calm my mint.com paranoia
« Reply #7 on: April 25, 2014, 01:38:45 AM »
I track manually, partly because of my paranoia.
The other reason is that my category system does not allow putting entire bills into just one category, so I must revise nearly every bill anyhow. Nearly all one-bill-one-category things are already automated however, so it's mostly grocery bills I enter manually.


arebelspy

  • Administrator
  • Senior Mustachian
  • *****
  • Posts: 28444
  • Age: -997
  • Location: Seattle, WA
Re: Please help calm my mint.com paranoia
« Reply #9 on: April 25, 2014, 08:30:18 AM »
Great!  Let us know what conclusion you reach.  :)

sherr

  • Handlebar Stache
  • *****
  • Posts: 1541
  • Age: 38
  • Location: North Carolina, USA
Re: Please help calm my mint.com paranoia
« Reply #10 on: April 25, 2014, 11:48:54 AM »
- Mint should be encrypting your bank passwords with your Mint password (plus some extra stuff but let's keep it simple). Thus, the password that matters (strength-wise) is your Mint password not your bank password.
- If Mint's password database were stolen, the first credentials the hackers would find are the ones of people with weak Mint passwords. If your password is strong enough, the hackers will likely NEVER brute force it even if they have the database and a supercomputer (my mint password, like my bank passwords, is a string of over 25 random characters including special characters. I use a password manager called KeePass which is like LastPass or 1Password).

Um, what? Mint must be able to log in as you at your bank's website in order to download your most recent info. This means that regardless of how it's stored in the DB, Mint must be able to unencrypt your username and password. If it's possible for Mint to do it, then it would be possible for an attacker who has gained sufficient access to Mint's systems. It would make no difference how strong your bank passwords are (simple or complex the attacker would be able to decrypt it the same way Mint does) and it makes no difference how strong your Mint password is.

I also use Mint because I have decided that the benefits outweigh the risks, however I don't think the above makes any sense. You have to be realistic about what the risks actually are.
« Last Edit: April 25, 2014, 11:50:28 AM by sherr »

sherr

  • Handlebar Stache
  • *****
  • Posts: 1541
  • Age: 38
  • Location: North Carolina, USA
Re: Please help calm my mint.com paranoia
« Reply #11 on: April 25, 2014, 11:57:42 AM »
- Mint should be encrypting your bank passwords with your Mint password (plus some extra stuff but let's keep it simple). Thus, the password that matters (strength-wise) is your Mint password not your bank password.
- If Mint's password database were stolen, the first credentials the hackers would find are the ones of people with weak Mint passwords. If your password is strong enough, the hackers will likely NEVER brute force it even if they have the database and a supercomputer (my mint password, like my bank passwords, is a string of over 25 random characters including special characters. I use a password manager called KeePass which is like LastPass or 1Password).

Um, what? Mint must be able to log in as you at your bank's website in order to download your most recent info. This means that regardless of how it's stored in the DB, Mint must be able to unencrypt your username and password. If it's possible for Mint to do it, then it would be possible for an attacker who has gained sufficient access to Mint's systems. It would make no difference how strong your bank passwords are (simple or complex the attacker would be able to decrypt it the same way Mint does) and it makes no difference how strong your Mint password is.

I also use Mint because I have decided that the benefits outweigh the risks, however I don't think the above makes any sense. You have to be realistic about what the risks actually are.

Clarification: They can't possibly be encrypting your bank passwords with your Mint password because they download updates daily - regardless of whether you log in or not. If they only updated when you logged in that would be one thing. But if they can update when you are not currently logging in right this second then they cannot use your Mint password to encrypt / decrypt your bank passwords because they wouldn't have your Mint password. Unless of course they are storing your Mint password in a way that allows it to be decrypted, in which case you have the same problem, just once removed.

TrMama

  • Guest
Re: Please help calm my mint.com paranoia
« Reply #12 on: April 25, 2014, 12:32:36 PM »
My compromise has been to link up my two credit cards and my checking account. I figure if the credit cards are hacked, it won't have been the first time and I won't be responsible for the charges. If the checking account is hacked, I don't keep much in there anyway.

However, most of the stache is with another bank and I remember reading somewhere that Canadian banks won't reimburse your money if it's stolen because you gave your credentials to a third party. So the investing accounts are not linked.

The upside is that I can sleep at night. The down side is that my net worth graph is completely flat. I can still track how much I've saved by looking at that category, but it doesn't track overall growth.

boy_bye

  • Handlebar Stache
  • *****
  • Posts: 2471
Re: Please help calm my mint.com paranoia
« Reply #13 on: April 25, 2014, 12:36:21 PM »
- Mint should be encrypting your bank passwords with your Mint password (plus some extra stuff but let's keep it simple). Thus, the password that matters (strength-wise) is your Mint password not your bank password.
- If Mint's password database were stolen, the first credentials the hackers would find are the ones of people with weak Mint passwords. If your password is strong enough, the hackers will likely NEVER brute force it even if they have the database and a supercomputer (my mint password, like my bank passwords, is a string of over 25 random characters including special characters. I use a password manager called KeePass which is like LastPass or 1Password).

Um, what? Mint must be able to log in as you at your bank's website in order to download your most recent info. This means that regardless of how it's stored in the DB, Mint must be able to unencrypt your username and password. If it's possible for Mint to do it, then it would be possible for an attacker who has gained sufficient access to Mint's systems. It would make no difference how strong your bank passwords are (simple or complex the attacker would be able to decrypt it the same way Mint does) and it makes no difference how strong your Mint password is.

I also use Mint because I have decided that the benefits outweigh the risks, however I don't think the above makes any sense. You have to be realistic about what the risks actually are.

Clarification: They can't possibly be encrypting your bank passwords with your Mint password because they download updates daily - regardless of whether you log in or not. If they only updated when you logged in that would be one thing. But if they can update when you are not currently logging in right this second then they cannot use your Mint password to encrypt / decrypt your bank passwords because they wouldn't have your Mint password. Unless of course they are storing your Mint password in a way that allows it to be decrypted, in which case you have the same problem, just once removed.

I'm pretty sure they only update your information when you log in. There have been times when I haven't logged in for a week or so, and my numbers all say "7 days ago" until they get updated ...

nawhite

  • Handlebar Stache
  • *****
  • Posts: 1081
  • Location: Golden, CO
    • The Reckless Choice
Re: Please help calm my mint.com paranoia
« Reply #14 on: April 25, 2014, 12:51:44 PM »
I'm pretty sure they only update your information when you log in. There have been times when I haven't logged in for a week or so, and my numbers all say "7 days ago" until they get updated ...

I was thinking the same thing but then I remembered that they do email alerts for things like "your account balance is low" or "you made a purchase bigger than $500" even when I haven't logged in in a week. So they must be pulling data even when you aren't logged in.

begood

  • Handlebar Stache
  • *****
  • Posts: 1013
  • Location: SE PA
Re: Please help calm my mint.com paranoia
« Reply #15 on: April 25, 2014, 01:03:15 PM »
Great!  Let us know what conclusion you reach.  :)

Well, the conclusion I have reached is that really, I'd like to be able to manually enter data from my checking account without actually connecting the bank account to Mint.com.

I see a place where I can "add transaction" and whether income or expense and whether it's cash, check, or pending, but the only choices I'm given of an account to assign it to are the two credit cards I connected already. What I'd like to see is an option for "manual" or "other" and then I could pretty easily enter our income and outgo from the checking account.

If I had a low-total checking account that wasn't connected to a savings account that currently has a high number in (an inheritance that we're pondering what to do with), I would be more inclined to connect the bank account. But I can't seem to pull the trigger on that yet.

Insanity

  • Handlebar Stache
  • *****
  • Posts: 1021
Re: Please help calm my mint.com paranoia
« Reply #16 on: April 25, 2014, 01:52:01 PM »
I'm pretty sure they only update your information when you log in. There have been times when I haven't logged in for a week or so, and my numbers all say "7 days ago" until they get updated ...

I was thinking the same thing but then I remembered that they do email alerts for things like "your account balance is low" or "you made a purchase bigger than $500" even when I haven't logged in in a week. So they must be pulling data even when you aren't logged in.

I believe that is configurable (I only get the e-mails when I am logged in and have a budget), but I could be wrong.

Regardless, when it comes to the actual encrypting of the password in Mint's system it does not matter. LastPass is the same principle (ironically I trust Mint, but I don't like the concept of LastPass - go figure? :) ). 

Both are encrypting the data on their side with very strong encryption algorithms and very long keys.  They also do have read-only access in some cases, which mitigates the risk after they check the account number and other information.


Edit: Just to add, I work in Application Security, specifically internet based applications as well :)

nawhite

  • Handlebar Stache
  • *****
  • Posts: 1081
  • Location: Golden, CO
    • The Reckless Choice
Re: Please help calm my mint.com paranoia
« Reply #17 on: April 25, 2014, 02:50:19 PM »
I believe that is configurable (I only get the e-mails when I am logged in and have a budget), but I could be wrong.

Regardless, when it comes to the actual encrypting of the password in Mint's system it does not matter. LastPass is the same principle (ironically I trust Mint, but I don't like the concept of LastPass - go figure? :) ). 

Both are encrypting the data on their side with very strong encryption algorithms and very long keys.  They also do have read-only access in some cases, which mitigates the risk after they check the account number and other information.

If they can only access your credentials while you are logged in, it is theoretically possible for them to store the information in a secure way. This is why LastPass is secure: there is no way for LastPass to look at my information without caching the password I give them. If Mint can access your bank credentials while you are not logged in, though (like I figured above), then I'm not sure how they would design that to work securely.

Insanity

  • Handlebar Stache
  • *****
  • Posts: 1021
Re: Please help calm my mint.com paranoia
« Reply #18 on: April 25, 2014, 03:12:51 PM »
I believe that is configurable (I only get the e-mails when I am logged in and have a budget), but I could be wrong.

Regardless, when it comes to the actual encrypting of the password in Mint's system it does not matter. LastPass is the same principle (ironically I trust Mint, but I don't like the concept of LastPass - go figure? :) ). 

Both are encrypting the data on their side with very strong encryption algorithms and very long keys.  They also do have read-only access in some cases, which mitigates the risk after they check the account number and other information.

If they can only access your credentials while you are logged in, it is theoretically possible for them to store the information in a secure way. This is why LastPass is secure: there is no way for LastPass to look at my information without caching the password I give them. If Mint can access your bank credentials while you are not logged in, though (like I figured above), then I'm not sure how they would design that to work securely.

I believe they are actually doing similar things, but Mint might be using a shared key (if they are doing offline access to accounts) authenticating via a system process.  It adds another internal threat level, but not excessively greater since it is still an internal threat as specified by number 1 in your very sound description.

Send me a PM, curious to see where you work and what your focus is, always enjoy app sec talks.

Mr. FI

  • 5 O'Clock Shadow
  • *
  • Posts: 82
  • Age: 35
    • Fi Under the Big Sky
Re: Please help calm my mint.com paranoia
« Reply #19 on: April 25, 2014, 03:17:27 PM »
I don't think they do access your information when you aren't logged in. I only receive updates in my email after I have logged in recently (within an hour). I don't have any real fears about Mint. It's the same risk as with internet banking, checking your credit card statement online, etc.

I'm not 100% sure, but I still think the bank is on the hook if your account is hacked. I will double check.

the fixer

  • Handlebar Stache
  • *****
  • Posts: 1029
  • Location: Seattle, WA
Re: Please help calm my mint.com paranoia
« Reply #20 on: April 25, 2014, 06:20:04 PM »
IIRC banks have terms of service that require you not to give out your username/password to anybody. So if your credentials got compromised through Mint, your bank would have a loophole to get out of being held responsible. You'd have to go after Intuit.

I'm more concerned about privacy than security. I don't want any company knowing that much about my finances unless I'm getting some kind of compensation in return, like a mortgage or credit card. If you're not paying for what a company provides, that makes you the product, not the customer.

Insanity

  • Handlebar Stache
  • *****
  • Posts: 1021
Re: Please help calm my mint.com paranoia
« Reply #21 on: April 25, 2014, 06:28:03 PM »
IIRC banks have terms of service that require you not to give out your username/password to anybody. So if your credentials got compromised through Mint, your bank would have a loophole to get out of being held responsible. You'd have to go after Intuit.

I'm more concerned about privacy than security. I don't want any company knowing that much about my finances unless I'm getting some kind of compensation in return, like a mortgage or credit card. If you're not paying for what a company provides, that makes you the product, not the customer.

Yes, you are hit with ads and recommendations and Intuit is trying to make money off of that.  And if Intuit is doing their job right, I'm not sharing my credentials with them since they should have no idea what they are.  They are acting as a proxy on my behalf.  Similarly, that would be like saying giving my username and password to my lawyer is a breach of TOS.

Nothlit

  • Bristles
  • ***
  • Posts: 406
Re: Please help calm my mint.com paranoia
« Reply #22 on: April 25, 2014, 06:44:13 PM »
Regardless, when it comes to the actual encrypting of the password in Mint's system it does not matter. LastPass is the same principle (ironically I trust Mint, but I don't like the concept of LastPass - go figure? :) ). 

Both are encrypting the data on their side with very strong encryption algorithms and very long keys.  They also do have read-only access in some cases, which mitigates the risk after they check the account number and other information.


Edit: Just to add, I work in Application Security, specifically internet based applications as well :)

This is incorrect. LastPass very explicitly does all encryption on the client-side (in your browser) so that they NEVER have your plaintext data or your encryption key on their system. Mint, on the other hand, must be able to decrypt your stored passwords on the server-side so that it can use them to update your transactions.
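The distinction sherr (Reply #10/#11) and Nothlit (Reply #22) are drawing, as an added Python sketch that is not Mint's or LastPass's code: a vault whose key is derived in the client from the master password, beside an aggregator-style vault whose server must hold a key so it can pull from the bank on a schedule. The cipher is a toy HMAC-based encrypt-then-MAC so the example runs on the standard library alone, and all class and method names are illustrative.

```python
import hashlib
import hmac
import os

def derive_key(password: str, salt: bytes) -> bytes:
    # PBKDF2 slows guessing down; it does not turn a weak master password into a strong key.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy CTR-style keystream from HMAC-SHA256; stands in for a real AEAD such as AES-GCM.
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1)]
    return b"".join(blocks)[:n]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered record")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class ClientSideVault:
    """LastPass-style design: the key is derived in the browser from the master
    password; the server stores salt + ciphertext and holds no secret of its own."""
    def __init__(self):
        self.db = {}  # user -> (salt, blob): everything the server ever sees

    def server_secrets(self):
        return []  # nothing held server-side can open a record

    def client_store(self, user, master_password, bank_password):
        salt = os.urandom(16)
        self.db[user] = (salt, encrypt(derive_key(master_password, salt), bank_password.encode()))

    def client_fetch(self, user, master_password):
        salt, blob = self.db[user]
        return decrypt(derive_key(master_password, salt), blob).decode()

    def background_refresh(self, user):
        # sherr's point: while the user is logged out the server has no key material,
        # so a scheduled pull from the bank is impossible in this design.
        return None

    def insider_dump(self):
        """What an attacker with a full copy of server storage and secrets can read."""
        readable = {}
        for user, (_salt, blob) in self.db.items():
            for key in self.server_secrets():
                try:
                    readable[user] = decrypt(key, blob).decode()
                except ValueError:
                    pass
        return readable

class ServerSideVault(ClientSideVault):
    """Aggregator-style design: the server logs in to the bank on its own schedule,
    so it must hold a key that opens every record. Encryption at rest still helps
    against a stolen backup, but not against whoever controls the running system."""
    def __init__(self):
        super().__init__()
        self.server_key = os.urandom(32)  # e.g. from a KMS/HSM; still usable by the server
    def server_secrets(self):
        return [self.server_key]
    def client_store(self, user, master_password, bank_password):
        self.db[user] = (b"", encrypt(self.server_key, bank_password.encode()))
    def client_fetch(self, user, master_password):
        return self.background_refresh(user)  # the user's own password plays no part
    def background_refresh(self, user):
        _salt, blob = self.db[user]
        return decrypt(self.server_key, blob).decode()
```

In the first design the master password's strength is what stands between a stolen database and the bank credentials; in the second, `insider_dump()` reads every record no matter how strong any user's passwords are.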

Insanity

  • Handlebar Stache
  • *****
  • Posts: 1021
Re: Please help calm my mint.com paranoia
« Reply #23 on: April 28, 2014, 02:31:45 PM »
Regardless, when it comes to the actual encrypting of the password in Mint's system it does not matter. LastPass is the same principle (ironically I trust Mint, but I don't like the concept of LastPass - go figure? :) ). 

Both are encrypting the data on their side with very strong encryption algorithms and very long keys.  They also do have read-only access in some cases, which mitigates the risk after they check the account number and other information.


Edit: Just to add, I work in Application Security, specifically internet based applications as well :)

This is incorrect. LastPass very explicitly does all encryption on the client-side (in your browser) so that they NEVER have your plaintext data or your encryption key on their system. Mint, on the other hand, must be able to decrypt your stored passwords on the server-side so that it can use them to update your transactions.

"client-side" is still in their codebase.  So, no, I am not incorrect.

The attack surface is slightly different (LastPass is susceptible to more client side attacks than mint.com is).