Mint.com - I don't get it.
If I asked you, as a reader, to post your online banking user name and password in the comments below this post, you wouldn't do it would you? Yet tens of thousands, if not millions of people now use mint.com and their mobile app and I can't decide whether or not to try it myself. It's a finance aggregator service - gives you access to all your accounts in one place, can post alerts via email or SMS etc. Very handy, but the single biggest red flag (and it is a huge, flapping, Texas-sized flag) is that you have to give mint.com all your personal details used to log into banking websites, including secret questions and answers, login user names, passwords - everything.
Mint goes to great lengths to try to explain how this is all safe and secure and how the connection they make with your bank is one-way, meaning it's a read-only service and that no transactions can be made with their software. That's fine, but they're still storing ALL my login information and if/when THAT gets stolen, anyone has full access to all my money. Not just one account, like a single bank being hacked, but EVERY account. So what about the likelihood of that happening? I'd say hackers are far more likely to try to break the mint.com database than they are to remote to my machine at home, if it's on, then try to find my details that way. What about rogue employees with access to the database. Sure it's encrypted but copy a chunk to a thumb drive and take it home to work on it and I'm sure it's not unbreakable. Even their security FAQ points out that "some" of their employees have unrestricted access to all your account details!
For mint.com to be properly secure, it needs to maintain 100% watertight security 24/7 which is impossible. One of the biggest flaws is no password lockout. Meaning you can brute-force attack an account until it lets you in. And you can determine who has an account by brute-forcing email addresses into their login page (again without a lockout). Mint.com's terms of service specifically preclude you from any protection in the event that they are hacked or if there is a security breach or data theft. So if that happens, mint.com don't cover you, and your bank doesn't cover you because you willingly gave away all your login details.
Then there's the legal aspect. Most online banks have something like this in their legalese: should I knowingly release the password to any other party (other than power of attorney transfer or when under duress) I absolve the bank of limiting my liability for larcenous activities. Meaning if I give all the details that mint.com wants about my account to them, then my bank is no longer responsible for any problems arising as a result.
Google "is mint.com safe?" and watch the results flood in. Hundreds of articles asking the same question I am.
I just don't get it - are millions of people really that stupid or have I missed something here?
Is mint.com safe in 2010?
How I would hack into your mint.com account
Mint goes to great lengths to try to explain how this is all safe and secure and how the connection they make with your bank is one-way, meaning it's a read-only service and that no transactions can be made with their software. That's fine, but they're still storing ALL my login information and if/when THAT gets stolen, anyone has full access to all my money. Not just one account, like a single bank being hacked, but EVERY account. So what about the likelihood of that happening? I'd say hackers are far more likely to try to break the mint.com database than they are to remote to my machine at home, if it's on, then try to find my details that way. What about rogue employees with access to the database. Sure it's encrypted but copy a chunk to a thumb drive and take it home to work on it and I'm sure it's not unbreakable. Even their security FAQ points out that "some" of their employees have unrestricted access to all your account details!
For mint.com to be properly secure, it needs to maintain 100% watertight security 24/7 which is impossible. One of the biggest flaws is no password lockout. Meaning you can brute-force attack an account until it lets you in. And you can determine who has an account by brute-forcing email addresses into their login page (again without a lockout). Mint.com's terms of service specifically preclude you from any protection in the event that they are hacked or if there is a security breach or data theft. So if that happens, mint.com don't cover you, and your bank doesn't cover you because you willingly gave away all your login details.
Then there's the legal aspect. Most online banks have something like this in their legalese: should I knowingly release the password to any other party (other than power of attorney transfer or when under duress) I absolve the bank of limiting my liability for larcenous activities. Meaning if I give all the details that mint.com wants about my account to them, then my bank is no longer responsible for any problems arising as a result.
Google "is mint.com safe?" and watch the results flood in. Hundreds of articles asking the same question I am.
I just don't get it - are millions of people really that stupid or have I missed something here?
Is mint.com safe in 2010?
How I would hack into your mint.com account
Comments
They had a report on the news this morning about crims developing innocent looking apps that you download to your smart phone and they steal all your bank details and personal info. How long before we have firewalls around our IPhones?